Following the takedown of AlphaBay and Hansa last year, online criminals are increasingly using messaging programs like Telegram, according to recently released research.
Dark web marketplaces AlphaBay and Hansa were both taken down as part of ‘Operation Bayonet’, a multinational law enforcement operation which culminated in July 2017. Multiple other marketplaces were also shut down as part of the operation, though AlphaBay was the largest, with Hansa not far behind.
“This is likely one of the most important criminal investigations of the year – taking down the largest dark net marketplace in history,” said Attorney General Jeff Sessions. “Make no mistake, the forces of law and justice face a new challenge from the criminals and transnational criminal organizations who think they can commit their crimes with impunity using the dark net. The dark net is not a place to hide.”
According to information publicly available on AlphaBay prior to its takedown, the site claimed to serve over 200,000 users and 40,000 vendors. Around the time of the takedown, there were over 250,000 listings for illegal drugs and toxic chemicals on AlphaBay, and over 100,000 listings for stolen and fraudulent identification documents and access devices, counterfeit goods, malware and other computer hacking tools, firearms and fraudulent services.
Digital Shadows’ research, published almost one year on from the closure of the websites, finds that the online marketplace model has declined, but cybercrime itself has not. The company claims that while anglophone marketplaces such as Dream and Olympus have failed to fill the gap left by AlphaBay and Hansa, Russian-speaking cybercrime in particular has been “largely undisrupted”.
“Historically, when popular marketplaces disappear, another leader emerges. The effects of law enforcement action are therefore relatively short-lived, becoming a game of ‘whack-a-mole’ where cybercriminals are always one step ahead,” said Rick Holland, CISO and VP Strategy at Digital Shadows. “But this hasn’t happened in this case (for now) and instead they have dispersed to alternative platforms and techniques to transact online.”
The research also points out that remaining marketplaces, sites and forums used by cybercriminals are implementing new security protocols, including blockchain DNS, user vetting and site restrictions, domain concealment, and migration of elements – or all – of the site’s function to chat and P2P networks.
Part of the reason the decentralised marketplace model has been struggling is concern about law enforcement and the potential consequences for site users engaged in illegal activity. Although sites had been adopting new measures prior to the takedowns, these have since become a particular priority.
However, the most significant change the research uncovers is the shift towards P2P networks and chat channels, of which Telegram is the most popular. Digital Shadows observed more than 5,000 Telegram links shared across criminal forums and dark web sites, 1,667 of which were invite links to new groups. Alternative sites are also being used, particularly Discord, Skype, Jabber, and IRC.
These channels primarily work by having vendors post advertisements for their products and services within a channel, as they would on a marketplace or forum – interested buyers can then contact the seller directly via a private chat message and arrange purchase and payment independently.
Digital Shadows notes that the adoption of blockchain by Joker’s Stash, OpenBazaar, The Money Team and Tralfamadore has had a less significant impact on user registrations – the shift to a more diffuse model seems likely to continue. However, the reliance on third-party platforms may be a cause for concern: Digital Shadows points to the difficulties Sentry MBA faced when its Discord server was deleted. Additionally, several countries – including Russia and Saudi Arabia – have attempted to block or restrict the use of Telegram, though with limited success.