Seize and Desist? The State of Cybercrime in the Post-AlphaBay and Hansa Age
Authors: Rick Holland, Rafael Amado, Michael Marriott
www.digitalshadows.com
Table of Contents
• Executive Summary
• A Fork in the Road: The three possible routes in 2017
• Missed Opportunity: Existing markets are failing to capture market share
• Barriers to Entry: The limited emergence of viable new markets
  – Hidden costs to running a marketplace
  – Getting it right takes time
• Adapt or Fail: Increased adoption of alternative techniques and technologies
  – Blockchain: Steady but not explosive growth
  – New measures to improve site security
  – Trading Channels: Alternative communication networks gaining traction
• Out of Sight, But Not Out of Mind: Risks remain for businesses and consumers
Executive Summary

When law enforcement announced the seizure of AlphaBay in July 2017, the United States Attorney General Jeff Sessions described the operation as: “one of the most important criminal investigations of the year…because of this operation, the American people are safer – safer from the threat of identity fraud and malware, and safer from deadly drugs.” [1]

The timing and coordination of the law enforcement operation, known as Operation Bayonet, was a clear success and has contributed to multiple subsequent arrests. [2] Almost one year later, the marketplace model appears to be in decline, but the risks to businesses and consumers have not subsided. Instead, this paper demonstrates that cybercriminals have taken to incorporating new processes, technologies, and communication methods to continue their activities.

• AlphaBay left a gap, albeit not as large as we may have assumed. Despite boasting over 40,000 vendors and an estimated $1 billion in trade, AlphaBay was just one player within a much broader ecosystem. Russian-speaking cybercrime, in particular, has been largely undisrupted.
• Existing marketplaces have failed to capitalize on the gaps. Within the English-speaking underground, the Dream and Olympus markets have fallen short of satisfying the demands that AlphaBay once catered to.
• There are barriers to entry for new markets. Despite the residual demand for the services AlphaBay provided, there are significant barriers to entry for people wanting to set up their own marketplaces. While it is relatively easy to set up a marketplace, there are challenges with fostering trust amongst users, as well as hidden monthly running costs.
• Blockchain experiences steady growth. Well-known criminal sites, such as Joker‘s Stash, have adopted blockchain hosting. Another market using this decentralized technology, OpenBazaar, has experienced a growth of four thousand new users in the last four months. Adoption of this technology is still in its infancy, but this is one to look out for in future.
• Cybercriminals have increasingly shifted towards peer-to-peer networks and chat channels. Over the last six months, we’ve observed over 5,000 Telegram links shared across criminal forums and dark web sites, of which 1,667 were invite links to new groups. To a lesser extent, Discord is also being embraced by cybercriminals, with 743 invites observed across criminal forums and dark web sites across the last six months. This retrenchment away from the centralized marketplace in favor of a more diffuse model has been an ongoing trend that pre-dates Operation Bayonet.
• Risks remain for organizations and consumers beyond the marketplace. There are four areas of concern that are still present in the cybercriminal ecosystem despite the demise of AlphaBay and Hansa: 1) payment card fraud, 2) account takeover, 3) counterfeits, and 4) insider threats.
A Fork in the Road
The three possible routes in 2017

For the English-speaking community, the seizure of AlphaBay and Hansa in Operation Bayonet meant tens of thousands of vendors and buyers had to look elsewhere to continue conducting their business. At the time of AlphaBay’s disappearance in early July 2017 - when conflicting rumors of exit scams, site technical problems, and law enforcement action crippled online discussion boards - we assessed that the post-AlphaBay future could take one of three forms: [3]

1. An older, established market would replace AlphaBay. Historically, when popular marketplaces disappear, users simply migrate to other well-known sites. The effects of law enforcement action are therefore relatively short-lived, becoming a game of “whack-a-mole” where cybercriminals are always one step ahead.

2. A new marketplace would emerge from AlphaBay’s ashes. Some users were so fond of their former haunt that they tried to form a new iteration of the site called GammaBay. Others suggested forming a new site altogether. However, creating and maintaining a new marketplace is fraught with difficulties. Fostering trust among a cybercriminal community that has grown increasingly nervous and skeptical of law enforcement honeypot sites is a major challenge. Another barrier is the cost associated with building and operating an online marketplace. Buyers and sellers are discerning, and sites like AlphaBay and Hansa need dedicated administrators, support personnel, and technical knowledge to deliver the level of service required to be successful.

3. Users would abandon the marketplace model and look for alternative solutions. Conducting online transactions on underground marketplaces has always entailed a high degree of risk. Site owners often perform exit scams and steal funds from customers, sellers sometimes renege on their promises, and the threat of law enforcement always looms large. The AlphaBay and Hansa takedown revelations served to further disillusion a large section of the cybercriminal community. This strengthened calls for new technologies and processes, including increasing security and anonymity through the direct peer-to-peer (P2P) communication already favored on more specialized forums, or enforcing more stringent vetting procedures for new members. Some even entertained ideas of a more radical, fully-decentralized marketplace model, manifested in sites such as OpenBazaar.

Almost one year since the AlphaBay and Hansa takedowns, no single marketplace has risen to the top, at least among the English-speaking community. Mistrust and fear are rife, and this has, in part, prevented a new marketplace (the second scenario) from flourishing. While some users have pined for the decentralized marketplace model, the cybercriminal community has instead focused its efforts on decentralizing by conducting transactions across a variety of chat and messaging networks, while also adapting their technologies and processes to increase the security, reliability, and trust of existing sites. This retrenchment away from the centralized marketplace in favor of a more diffuse model has been an ongoing trend that pre-dates Operation Bayonet. With no major alternative to AlphaBay and Hansa, increasing numbers of users are turning to these alternative platforms.
Missed Opportunity
Existing markets are failing to capture market share

At first it seemed to be business as usual; former AlphaBay vendors quickly began advertising their products on other markets such as Hansa and Dream. The conversation quickly turned to which of these two sites would assume AlphaBay’s mantle. However, Operation Bayonet’s clever use of Hansa to lure and capture AlphaBay “refugees” made the online community very jittery. Rumors soon began flying about other potential law enforcement-controlled dark web sites. Dream Market was a particular concern. Users were alarmed at the suspiciously low amount of downtime experienced by the site, and many suspected it was in the hands of the police (Figure 1).

Figure 1: A post on reddit from 20 July 2017 claiming Dream Market was being operated by law enforcement

Although Dream Market may have seemed to be the natural successor to AlphaBay and Hansa, a combination of poor user experience, uncommunicative administrators, and fear of law enforcement means the site has failed to capture market share. Claims by users that their funds have disappeared, and the memory of Operation Bayonet, have diminished trust in the site. As one user stated, while Dream is still live, it’s more of a “zombie” market: “the body is alive, but the brain is dead and gone” (Figure 2).

Figure 2: A post on the Olympus dark web market’s forum section
Olympus marketplace

Since February 2018, a relatively new site known as “Olympus” showed real promise of cementing itself as the most popular dark web market (Figure 3). Its pleasing pastel color scheme, easy to navigate user interface, and implementation of Monero cryptocurrency payments meant it developed a strong reputation. Trust, however, is a fragile thing, and a miscalculation by the Olympus administrator saw the site’s reputation crumble in an instant. On April 23, 2018 Olympus’ administrator claimed they were in the process of hacking Dread (Figure 4). Dread is – or at least was – a reddit-style community run by a user (HugBunter) who was infamous for pointing out security flaws in other dark web marketplaces. [4]

Figure 3: A screenshot of the Olympus market

Figure 4: A post on Olympus market’s forum section

This was not a “hack” in the traditional sense. Instead, the Olympus administrator allegedly acquired access to the Dread servers from an insider. What was significant about this incident was that the user community of Dread rallied behind HugBunter, with the consensus being that Olympus was in the wrong and Dread was the innocent victim. In the end, the moderators of Olympus issued an apology to the Dread administrators for their actions. Tellingly, Olympus was aware of the damage it had caused to its own reputation, stating that it “will hire a good PR within the next few days.” Just as with legitimate businesses, a positive public image is important to drive revenue. At the time of writing, Olympus was no longer accessible, and another potential successor to AlphaBay and Hansa seems to have bitten the dust.
Barriers to Entry
The limited emergence of viable new markets

The Olympus saga is a timely reminder of how trust can make or break a marketplace. Prospective customers fear exit scams, law enforcement stings, and unreliable vendors. Therefore, overcoming trust is a significant barrier to any new player in the marketplace game. But it’s not the only hurdle.

Figure 5: A post on Nethingoez from May 2018

Hidden costs to running a marketplace

At the time of AlphaBay’s seizure, there were 40,000 vendors on the site. The beauty of their eBay-style model was that many vendors who were unable to run and manage their stores could list their items for free. AlphaBay would take a 2-4% commission on these transactions in return. With an estimated $1 billion in trade across their vast userbase, this was enough revenue to pay staff; cover web development; bulletproof hosting; distributed denial of service (DDoS) protection; run a bug bounty program; [5] and have a healthy profit remaining.

For those looking to create their own marketplace, these features and services are all readily available online, but they come at a cost both in terms of time and money. Even setting up and running a relatively rudimentary dark web market does not guarantee profit or success. The following taxonomy illustrates the set-up, monthly, and annual costs of a basic dark web marketplace, based on the price of services widely advertised online. This financial burden is often borne out across criminal forums, with administrators seeking new ways to drive profitability. Users, like in Figure 5, are creating new membership packages to keep their sites operational and avoid going under. Running a marketplace is not as straightforward as some may assume.

Getting it right takes time

With the burdens of trust and profitability clear, it often takes time for viable markets to establish themselves. One market that looks well placed to overcome these burdens is market[.]ms. This site (Figure 6), run by founders of the prestigious exploit[.]in forum, has been in development since 2015. The exploit forum already has the reputation and the trust among the cybercriminal community to make it a success. However, the current beta mode has a relatively small userbase (just 451 members and 79 items for sale), and is still not fully developed. This shows that a successful marketplace cannot be created overnight.

Figure 6: The market[.]ms marketplace
Adapt or Fail
Increased adoption of alternative techniques and technologies

With dark web markets struggling to fill the void left by AlphaBay and the high barriers to entry for establishing new marketplaces, the trend has been for users to retreat back to more specialized forums. Even before Operation Bayonet, there have been other forums specifically dedicated to hacking and security, which often act as a platform for trade. Sites like CrimeNet, HPC, and Exploit[.]in contain many examples of threat actors offering products such as ransomware variants, exploit kits, compromised accounts, and payment card data. These sites work on a direct transfer system where vendors and customers will communicate directly to arrange payment, often through messaging services such as Jabber. Sellers advertise their products on these forums, and then direct users to dark web sites or private channels to arrange payment. Since the takedowns of AlphaBay and Hansa, administrators of these forums have been incorporating alternative technologies and processes for added security and trust among users. These four are blockchain DNS, user vetting and site restrictions, domain concealment, and migration to chat and peer-to-peer networks.

• Blockchain DNS
• User vetting and site access restrictions
• Domain concealment
• Migration to chat and P2P networks
Blockchain: Steady but not explosive growth

In July 2017 the Joker’s Stash (Figure 7), a popular Automated Vending Cart (AVC) site offering stolen payment card details, shifted from a Tor domain to a decentralized Blockchain domain name system (DNS). As well as a .onion domain, Joker’s Stash now hosted a .bazar domain that required users to install a Blockchain DNS browser extension or add-on. The site was not the first to implement decentralized DNS – a group called The Money Team also created a .bazar domain in January 2016.

Stolen account stores and AVCs have been experimenting with peer-to-peer DNS technology as a way of hiding their malicious activity and bullet-proofing their offerings. As Blockchain domains do not have a central authority, and registrations contain a unique encrypted hash of each user rather than an individual’s name or address, it is much harder for law enforcement to take down criminal sites.

Figure 7: A screenshot of Joker’s Stash

More than simply combatting law enforcement action, Blockchain technology has allowed users to imagine alternative models for decentralized marketplaces – the site known as Tralfamadore being a notable example already in operation. Blockchain serves as the back-end for Tralfamadore, storing the necessary databases and code to support front-end user interfaces. All transactions are made using cryptocurrency and recorded as smart contracts on the blockchain. This addresses problems with user trust; if all transactions are permanently and immutably recorded, vendors who attempt to scam other users can be more easily identified. [6]

Despite this promising model, Tralfamadore has failed to attract a significant user uptake. A similar story occurred with another blockchain market, OpenBazaar, where its userbase has increased steadily but not spectacularly in 2018 (Figure 8). While it’s too early to burst the blockchain bubble, its adoption has been limited outside of a few AVCs such as Joker’s Stash and has not been the solution many were seeking.

Figure 8: OpenBazaar growth of items for sale and users, February-June 2018
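The defensive corollary of the .bazar move described above is that blockchain-DNS names are not in the ICANN root, so a stock corporate resolver never resolves them; any request for one from inside a network implies a browser extension or alternative resolver that policy did not sanction. The following is an added example (not code from the report or from Digital Shadows) that scans constructed Squid-style proxy and BIND-style DNS query log lines for such names. Only .bazar appears on the page; the other TLDs in the set are assumed from the Namecoin and EmerDNS zones, and all hostnames and addresses are constructed placeholders.

```python
"""Flag proxy and DNS log entries whose hostname sits in a blockchain-DNS TLD."""
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import urlparse

# .bazar is named in the report. The rest are an assumption based on the
# Namecoin (.bit) and EmerDNS (.coin, .emc, .lib) zones; tune for your estate.
BLOCKCHAIN_TLDS = {"bazar", "bit", "coin", "emc", "lib"}

# Constructed sample, Squid native format:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
PROXY_LOG = """
1530000001.123    45 10.1.2.3 TCP_MISS/200 5120 GET https://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1530000002.456    12 10.1.2.9 NONE/503 0 GET http://shop-placeholder.bazar/login - HIER_NONE/- text/html
1530000003.789  1200 10.1.2.9 TCP_MISS/200 8192 CONNECT shop-placeholder.bazar:443 - HIER_DIRECT/198.51.100.7 -
1530000004.000    30 10.1.2.3 TCP_MISS/200 1024 GET https://bazaar.example.org/ - HIER_DIRECT/203.0.113.5 text/html
"""

# Constructed sample, BIND query-log style.
DNS_LOG = """
client 10.1.2.9#53412: query: shop-placeholder.bazar IN A + (10.0.0.53)
client 10.1.2.3#40001: query: example.com IN A + (10.0.0.53)
"""

_DNS_QUERY = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN ")


def tld_of(host: str) -> str:
    """Return the last DNS label of host, lower-cased, ignoring a trailing dot."""
    return host.rstrip(".").rsplit(".", 1)[-1].lower()


def host_from_request(method: str, url: str) -> str:
    """Extract the hostname from a Squid URL field; CONNECT logs a bare host:port."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlparse(url).hostname or "").lower()


def scan_proxy_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per proxy request whose host is in a blockchain TLD.

    The status is kept because a non-error status means something on the path
    did resolve the name; that resolver or extension is the thing to chase.
    """
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # blank or truncated line
        client, status, method, url = fields[2], fields[3], fields[5], fields[6]
        host = host_from_request(method, url)
        if tld_of(host) in BLOCKCHAIN_TLDS:
            hits.append({"source": "proxy", "client": client,
                         "host": host, "status": status})
    return hits


def scan_dns_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per DNS query for a name in a blockchain TLD."""
    hits = []
    for line in text.splitlines():
        m = _DNS_QUERY.search(line)
        if m and tld_of(m["name"]) in BLOCKCHAIN_TLDS:
            hits.append({"source": "dns", "client": m["client"],
                         "host": m["name"].lower(), "status": "query"})
    return hits


def clients_by_hits(hits: List[Dict[str, str]]) -> Counter:
    """Count findings per client address so repeat offenders surface first."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    findings = scan_proxy_log(PROXY_LOG) + scan_dns_log(DNS_LOG)
    for h in findings:
        print(f"{h['source']:5} {h['client']:10} {h['host']:26} {h['status']}")
    print("per client:", dict(clients_by_hits(findings)))
```

In the sample the lookalike bazaar.example.org is correctly ignored, while the same internal client appears in both the proxy and DNS findings, which is the pattern to triage first.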
New measures to improve site security

There have been changes to processes too, with criminals having to find ways to balance the advantages of promoting and publicizing a store with retaining good operational security. One way of achieving this is to advertise the store without revealing the domain. A recent example of this is the Genesis Market, [8] an emerging criminal market that provides more effective ways to impersonate a victim’s browser activity, focusing on individual bots rather than huge botnets, and monetizing them in a completely different way. This store only shares the site’s URL with prospects via private message.

Another challenge for site operators is how to vet and limit their userbase to ensure only reputable and genuine users have access. Operation Bayonet has made forum users hyper-sensitive to the threat of law enforcement posing as sellers. One increasingly popular form of site regulation within these communities has been the creation of a forum lifecycle. This is a process of limiting new users’ access to a forum through mechanisms such as posting limits and area access restrictions. For the latter, newer users might require a certain level of positive feedback from other members to progress to certain areas of the site. Alternatively, they may need to pay for a premium subscription, or have multiple invitations or referrals from established members. In addition to reducing the likelihood of potentially subversive users infiltrating the site, these mechanisms also have a strategic objective: by establishing a hierarchy, older, more established users can post more, and hence sell more to maintain their ‘top vendor’ status.

Trading Channels: Alternative communication networks gaining traction

One of the most noteworthy shifts since Operation Bayonet has been that cybercriminals have largely reverted to chat networks to conduct their trade. Often sellers will advertise their service or product on a particular forum, but rather than have buyers communicate with them on the forum or through its private messaging service, sellers encourage interested parties to reach out to them directly on alternative chat networks and messaging platforms. The primary channels are Telegram, Discord, Skype, Jabber, and IRC. With buyers and sellers spread widely across an increasingly decentralized community, the belief is that it will be more difficult for law enforcement operations such as Operation Bayonet to succeed again, since that operation was facilitated by having users congregated into a single, central location such as a marketplace.
Telegram

We’ve observed a notable increase in the use of Telegram, with over 5,000 Telegram links shared across criminal forums and dark web sites over the past six months. Of these, 1,667 were invite links to new groups. These covered a range of services, including cashing out, carding, and cryptocurrency fraud.

Within these Telegram channels, sellers post advertisements of their products and services as they would normally do on a marketplace or forum (Figure 9). Buyers can then contact the seller directly in a private chat message and conduct the transaction using cryptocurrencies or electronic payment services.

One such example is the OL1MP marketplace (Figure 10), a Telegram-based marketplace that provides cashing out services. Cashing out is a way to monetize stolen payment card information. Users can easily select the type of good or service, like drugs or vacations, they wish to purchase with their stolen cards. [8]

OL1MP ties in this automated effort with a human touch. As with most marketplaces, reviews are important for attracting new customers. In fact, extra discounts are available for those individuals who post pictures and positive comments from their carded vacations.

Figure 9: Two examples of Telegram channels used to buy and sell compromised accounts and payment cards

Figure 10: The OL1MP Telegram market, with options “About the project, Escrow, Dope Shops, Services, Holidays, Taxi”
Discord

The sentry[.]mba forum has also joined this move to new platforms. This forum was a popular site for users looking to purchase proxies and configuration files for Sentry MBA, a popular credential stuffing tool favored by cybercriminals. For several months, the site made use of a new Discord channel, providing a better user interface and automated bots to make transactions easier. Discord channels have not had quite the same pickup as Telegram – we observed 743 invite links across criminal forums and dark web sites over the last six months. There are added challenges for cybercriminal sites looking to use Discord: in March 2018, Sentry MBA had their Discord server deleted (Figure 11), forcing them to set up a new server that only became operational in late May 2018 (Figure 12).

Figure 11: A tweet by Sentry MBA demonstrating the difficulties of using Discord for criminal purposes.

Figure 12: Sentry.MBA forum’s latest Discord channel released
Out of Sight, But Not Out of Mind
Risks remain for businesses and consumers

As it stands, the marketplace model appears to be in decline, but it would be naive to assume that law enforcement efforts such as Operation Bayonet have drastically reduced cybercriminal risks to both businesses and consumers. Instead, as recent developments have shown, cybercriminals have taken to incorporating new processes, technologies and communication methods to continue their operations. Cybercrime will find a way.

To better understand the risks to businesses and consumers, it’s important to consider the types of data and services advertised within dark web markets and forums, and how cybercriminals are adapting so that they can continue making profit. Aside from offering drugs and weapons, cybercriminal marketplaces also facilitated the trade of payment card data, counterfeits, compromised accounts, and insider threat information. With the shift towards new processes, technologies, and communication methods, cybercriminals have increasingly taken to using specialist sites and forums (for example AVCs, carding, and hacking forums) to advertise their services, before conducting transactions on private communication channels. Moreover, we’ve noticed an increase in cybercriminals using Telegram and Discord channels as standalone platforms to advertise their products, connect buyers and sellers, and facilitate payment.

For businesses and consumers, preventing your data from circulating within the cybercriminal ecosystem is a major challenge. The increased security mechanisms and technologies now add further hurdles. Nevertheless, here are four general tips that can help reduce the chances of your data falling into unsavory hands. Know where your most sensitive data resides, and then understand how a cybercriminal would monetize that data. With this baseline understanding, you can move on to the following steps:

1. Monitor the open, deep, and dark web for mentions of your business, brand, or personal information.
2. Increase your monitoring to cover peer-to-peer platforms and messaging channels that are increasingly being used by cybercriminals.
3. Use unique and strong passwords on your most sensitive or personal accounts, and enable multifactor authentication to prevent account takeovers.
4. Don’t forget about third parties. Contractors and suppliers with privileged access to your sensitive information are also a weak point. Monitor and secure your supply chain networks in the same way you would your own employees and assets.
End Notes
1. https://www.justice.gov/opa/pr/alphabay-largest-online-dark-market-shut-down
2. http://www.bbc.co.uk/news/uk-43965622
3. https://www.digitalshadows.com/blog-and-research/cybercrime-finds-a-way-the-limited-impact-of-alphabay-and-hansas-demise/
4. https://www.digitalshadows.com/blog-and-research/the-other-side-of-the-counter-ddos-social-engineering-spambots-and-insider-risks-to-criminal-locations/
5. https://www.cyberscoop.com/alphabay-bug-private-messages-darkweb/
6. https://www.digitalshadows.com/blog-and-research/the-future-of-marketplaces-forecasting-the-decentralized-model/
7. https://www.digitalshadows.com/blog-and-research/genesis-botnet-the-market-claiming-to-sell-bots-that-bypass-fingerprinting-controls/
8. https://www.digitalshadows.com/blog-and-research/ol1mp-a-telegram-bot-making-carding-made-easy-this-holiday-season/
About Digital Shadows

Digital Shadows provides insight into an organization’s external digital risks and the threat actors targeting them. Digital Shadows SearchLight™ service combines scalable data analytics with human analysts to monitor for cyber threats, data leakage, and reputation risks. Digital Shadows continually monitors the Internet across the visible, deep and dark web, as well as other online sources to create an up-to-the-minute view of an organization and provide it with tailored threat intelligence. The company is jointly headquartered in London and San Francisco. For more information, visit www.digitalshadows.com.

London: Columbus Building, Level 6, 7 Westferry Circus, London, E14 4HD, +44 (0) 203 393 7001
San Francisco: 332 Pine St. Suite 600, San Francisco, CA 94104, +1 (888) 889 4143