Dark web shakedown indicates cybercrime alert

Weeks after law enforcement agencies shut down three dark web marketplaces, a dark web surveillance firm warns the months ahead will prove vital in the anti-fraud fight as criminals learn and alter behaviour.

“The playing field changes in a few different ways,” says Ian Gray, director of intelligence of Americas at Flashpoint. “Whenever there’s a large shutdown, there’s usually a period of uncertainty and doubt in the cybercrime community. Criminals are concerned that everyone is law enforcement,” he says.

Earlier this month, the dark web marketplaces, Valhalla – also known as Silkkitie – and Wall Street Market were shut down in a global sting operation featuring French, Dutch, Finnish and German authorities and supported by Europol.

According to the release, Valhalla is one of the oldest marketplaces, operating on the Tor network since 2013, while Wall Street Market was the second largest dark web market allowing the trading of “drugs, stolen data, fake documents and malicious software” for bitcoin or the Monero cryptocurrencies.

While the shutdown should limit access to fraudulent data and malware, new marketplaces will quickly fill the gap and become more resilient, warns Gray.

“New services and platforms come up, and the same doubts are there, but they go away over time,” says Gray, “threat actors will likely continue to look at the takedown notices, the criminal complaint, key indictments, and try and see where the threat actors slipped up and perhaps use that to launch their own new marketplace.”

Gray points out that the administrators of the most recently shutdown sites had cross-contaminated cryptocurrency wallets across different marketplaces, allowing law enforcement to identify their true IP address and servers.

The next year will be testing times from cybercriminals as the dust settles and lesser known markets become familiar and trusted, all the while ensuring their online aliases remain anonymous yet verifiable to fellow criminals looking to trade.

“In some ways, it’s becoming easier [to identify fraudsters],” says Gray. “If a lot of these shutdown marketplaces have unencrypted logs, which a lot maintain, they might be able to track identities and aliases over time.

“People want to verify themselves on these anonymous networks, which they do by having common acquaintances, people vouching for them using similar indicators, and usually a consistent alias,” he says.

Gray believes cybercriminals will migrate towards decentralised and open-sourced technologies to ensure their online aliases remain secure and untraceable, while cryptocurrencies and encrypted forums offer a degree of trust and verifiability.

“If they feel safe when using a technology, be that a decentralised platforms or newer privacy cryptocurrency, that will almost inform where threat actors will move,” says Gray. “Threat actors are thinking about the cheapest and easiest way. If it promises privacy, security and a certain amount of convenience they’ll use it.”

Quantum computing, a technology that banks have recently began to show interest in, is tipped to change the cybersecurity game as it would be able to break current encryption.

Asked if there were a risk cybercriminals would harness quantum technology to satisfy their need for anonymity yet verifiability, Gray says that cybercriminals are “pretty far off” based on how complicated the technology is to understand. Gray does however think that if quantum computing is available on the legitimate market, it could also be used in the dark markets.

“Technology doesn’t evolve piecemeal as a whole but rather there’ll be new products and new competitors in the private sector that will be adopting this technology for their own resources in larger technology companies.

“Those legitimate platforms might also be used for fraud. If it’s easy and scalable and threat actors feel secure, and law enforcement have difficulty breaking it, threat actors will likely use it,” he says.


Related reading