The Winners and Losers of the Empire Market Shutdown
Empire Market was launched on the dark web in January 2018. By filling the void left by the shutdown of Alphabay and Hansa marketplaces in mid-2017, it grew into one of the largest dark web markets.
Empire Market quickly became a major dark web platform on which illicit goods and services were traded. A massive distributed denial-of-service (DDoS) attack caused downtime on Empire Market this summer, generating countless dark web discussions about its fate.
About three weeks ago, the dark web’s Empire Market finally shut down. Initial reactions on criminal underground forums were split: some claimed the police had shut it down, while others suggested market administrators had stolen their members’ funds. The latest reports suggest the administrators exit scammed with an estimated US$30 million.
Dark web market participants rarely pay their vendors directly. Instead, they deposit their funds with the market administrators until they receive their goods or services. If the vendors never deliver on their promises, the administrators return the funds to the buyer. Deposits can accumulate quickly on dark web markets. Unless markets adopt multi-party deposits, the administrators are the sole controllers of deposits. They can withdraw, launder, and disappear with the funds at any time, a theft known as an exit scam.
Security teams that were monitoring malicious actors on Empire Market will need to shift their attention to new dark web markets. Given the wealth of markets currently operating, where are they most likely to find the malicious actors they were tracking? We present our investigation into the activities of alternative dark web markets below. This blog post will enable security teams to maintain their coverage of malicious actors and perhaps even identify new and unknown malicious actors.
Alternative dark web markets
By monitoring multiple dark web indexes and forums, we identified 7 large markets that facilitate the sale of Canadian fraud-related goods and services: Yellow Brick Market, Deep Sea Market, Dark Market, ToRReZ Market, Canadian HeadQuarters, Versus Project and White House Market. We excluded the illicit drug-focused Monopoly Market and Tor Market. We also excluded Square Market which is in long-term maintenance.
Where are malicious actors moving to?
The figure below shows the total number of listings advertising fraud-related goods and services on dark web marketplaces. Our analysis is limited to fraud (e.g. stolen credit cards, bank account credentials), malware/hacking (e.g. ransomware, remote access trojans) and fake documents (e.g. passports, driver’s licenses). We excluded other types of illicit goods (e.g. illicit drugs) from our analysis.
Our investigation shows that Canadian HeadQuarters is, at the time of writing, the largest dark web market dedicated to fraud. This finding is not surprising, as the market presents itself as a fraud-dedicated market with listings divided into fraud, services, hosting and metals. It is surprising, however, that a Canadian market would present an overall higher number of ads in any category than international markets.
Over the past three weeks, a number of publications and cybersecurity companies have analyzed dark web marketplaces to determine which one might take Empire Market’s place. Initial reports suggested that White House Market and Icarus were leading the race to replace Empire Market. Understanding who the winners and losers are after a market shutdown, however, takes time. Indeed, just a few days ago, Icarus Market went offline. One of its administrators claims that his partner stole all of the market’s deposits as well as encryption keys and left him with no ability to run the marketplace. He is apparently planning to open a new market in the near future.
After all this turmoil, we are starting to see that Canadian HeadQuarters has retained its place and role in the sale of fraud-related goods and services targeting Canadian financial institutions. The marketplace now has the largest number of fraud-related listings and orders of magnitude more listings targeting Canadian financial institutions. It also is the most prolific in leaked databases directly affecting Canadians.
At this point, all other dark web markets pose a limited threat to Canadian financial institutions. White House Market stands out as the second most serious threat to Canadian financial institutions.
The limited number of listings could indicate that there are still many Empire Market vendors who need to transition to a preferred marketplace. These vendors may be waiting for markets to mature to determine which is the next dominant market and the best one to host their operations on.
The dark net is going through an unstable time caused by law enforcement surveillance, exit scams and distributed denial-of-service (DDoS) attacks. While we detected a number of illicit marketplaces that security teams should investigate, it is likely that some of these markets will soon close, only to see new markets emerge.
Flare Systems helps companies reduce digital risk and fraud by actively monitoring the dark, deep, and clear web, to deliver real-time actionable threat intelligence. Its technology reduces noise and enables security teams to focus only on the markets and the threats that are most serious to them. To learn more about how Flare Systems can help, contact us for a demo.