Summer is generally a relatively quiet time in the cybercriminal underground. It seems that, just like the rest of us, cybercriminals also need to take time off to recharge their batteries. However, the summer sleepiness has been unsettled by suggestions that the administrators of the largest and most trusted English-language cybercriminal marketplace, Empire, have conducted an exit scam and made off with members’ funds. This marks the latest in a long line of exit scams among dark web marketplaces — Digital Shadows (now ReliaQuest) blogged about Nightmare in August 2019, Apollon in March 2020, and BitBazaar just this month. Empire’s demise is sure to significantly impact the already fragile levels of trust in the English-language scene. 

Empire Market
Empire branding

Overview of Empire

Founded in 2018 following the demise of the infamous marketplaces AlphaBay and Hansa, Empire grew to become arguably the premier marketplace in the English-language cybercriminal underground. According to DarknetStats, Empire had 55,100 listings in August 2020 and its estimated weekly business volume was around $6.5 million. 

Like other dark web marketplaces, Empire offered its users an efficient way to trade goods and services. The site’s easy-to-use functionalities allowed vendors to create advertisements quickly and offered buyers ways to rate and leave reviews of sellers following transactions. Empire facilitated streamlined transactions using automated cryptocurrency payment processes and also provided an escrow system to ensure the security of deals. This escrow system ensured that funds would only be transferred from buyer to seller once the buyer had confirmed the suitability of the delivered goods or services, helping mitigate the threat of fraudulent adverts, and also provided ways for disgruntled buyers to complain when things turned sour.  

Common listings on Empire marketplace included:

  • Drugs
  • Software and malware
  • Digital goods, e.g. e-books and software licence keys
  • Databases, including those obtained from breaches reported in the media 
  • Counterfeit goods, e.g. fake passports and driving licences
  • Guides and tutorials
  • Carded items, i.e. goods purchases using stolen credit card details
  • Fraud items, e.g. bank accounts and dumps
  • Security and hosting services, e.g. VPN subscriptions and bulletproof hosting servers

Marketplace exit scams

Dark web marketplaces typically require their users to deposit funds into the platform to transfer payments from buyers to vendors during transactions via the marketplace’s escrow service. Although it may seem like a leap of faith to trust a third-party platform with significant deposits, this system reduces the risk of either a buyer or seller falling victim to a scam and is widespread within the cybercriminal scene. 

Should a marketplace’s administration team wish to take control of these funds, there are two options:

  1. Leave the site up and running but disable marketplace withdrawal services
  2. Make the platform completely inaccessible for account holders

The administrators can then siphon deposited funds off into their cryptocurrency wallets and make off with the money. 

Successful vendors engaging in a large number of transactions per day often have large sums deposited in cybercriminal marketplaces; one Empire user complained that they had $22,000 tied up in the site. Members of an established marketplace like Empire would be even more likely to leave significant funds in the marketplace, rather than making regular withdrawals, as the trust and credibility such marketplaces have built up reduces users’ fear of losing access to their money.  

Timeline of events 

Empire marketplace became inaccessible on 19 Aug 2020, an outage that the cybercriminal community initially ascribed to another instance of one of the DDoS attacks that continually plague the English-language underground scene. However, after three days of inaccessibility, rumors of an exit scam began to swirl on cybercriminal forums. The story primarily played out on the Reddit-style dark web community forum Dread.

20 Aug 2020

A moderator of Empire’s subdread (a dedicated space on Dread forum that third-party platforms can use to advertise and provide updates) posted that Empire’s administration team was indeed battling an “ongoing DDoS attack” and was trying to get the marketplace back online. They added, “We are the #1 market and it is your trust that has allowed us to get here. Trust is earned over time. When dozens of admins were scamming in 2018 and 2019, we were the only market to stay loyal to you. This is who we are. Our character has not changed. Many want to see us fall but we are not going anywhere.”

DDOS Update
Subdread moderator’s message alleging Empire was experiencing an ongoing DDoS attack

21 Aug 2020 

The moderator posted a follow-up response warning Dread users against spreading false narratives about the ongoing downtime and causing unnecessary alarm. At this point, rumors of an exit scam gained even more traction, as urging the community not to spread fear, uncertainty, and doubt is a typical response when a site’s administrators are trying to pull a fast one. We observed a similar tactic during Apollon’s exit scam. Various Empire vendors expressed frustration at their inability to access the platform and withdraw their funds, with many complaining that they had deposited considerable sums of money into the site.  

Subdread moderators message
Subdread moderator’s message urging Dread users not to spread rumors of an exit scam

24 Aug 2020

After calls for reassurance from the Dread community, the head moderator of Empire’s subdread posted: “if the market is still down in a couple of days I’ll make a post about the whole situation then, it’s early days and maybe the admins will bring it back”. This tantalizingly cryptic message suggested that something else was going on in the background in addition to the DDoS event but provided no concrete details. What’s more, the moderator’s message was not signed with a PGP key (an encryption mechanism used to prove a post’s legitimacy), generating even more suspicion and apprehension.

Empire’s downtime
Subdread head moderator’s message promising more information about Empire’s downtime

25 Aug 2020

A now-deleted Dread user (highly likely the head moderator of Empire’s subdread) posted that although Empire had implemented new anti-DDoS protection mechanisms four months earlier, the threat actor who had “brutally” plagued the site with DDoS attacks for “a long time” had overcome these new measures. According to this post, Empire had only managed to keep itself online by paying the threat actor responsible for the DDoS attacks to cease their activity. However, a fresh and powerful DDoS attack by another threat actor reportedly caused the Empire team to call it quits and perform an exit scam. The moderator explained, “I doubt they would want to pay multiple DDOSers and at the same time it wouldn’t work paying one DDOSer if another is holding the market down.” The moderator also ascribed blame to the Tor browser, asserting that “if the Tor staff team had fixed the problems in Tor that makes [sic] an attack like this possible,” then the administrators may have stuck by the site for longer. 

Interestingly, the moderator also opined that the Empire administrators had not planned an exit scam before the latest DDoS attack, explaining that with planned exits, marketplaces usually disable withdrawals while continuing to accept deposits for weeks before their closure. The moderator reasoned that the recent fixes made to the Bitcoin withdrawal process indicated the lack of a pre-existing exit plan scam: “If it was a planned exit i don’t think they would have put in any work fixing BTC withdrawals that close to the end.”

26 Aug 2020

The subdread moderator who had previously defended the marketplace’s downtime on 20 and 21 Aug 2020 posted on Dread that they were “crushed and ashamed by my admin’s apparent decision to disappear with your funds,” adding that they had believed the Empire administration team’s version of events until the “very end”. 

Empire Exit Scam
Subread moderator’s post expressing despair at apparent exit scam

Significance of Empire’s potential exit scam

While this rumored exit scam may at first appear to be just the latest in a long line of such events, it’s hard to overstate the impact that this particular instance will have on the cybercriminal community. In this tumultuous environment, with English-language marketplaces disappearing left, right, and center, Empire had become a bastion of steadfastness — a beacon of credibility to which all other dark web marketplaces were compared.

If confirmed, Empire’s exit scam will have even more of an impact on the cybercriminal community because the funds involved are likely to be much higher than with other similar cases: Threat actors had been more willing to deposit larger sums into Empire than into its competitors because of the trust and image of reliability that Empire had built up. 

A proven exit scam would shatter the fragile trust that the cybercriminal community had learned to place in this platform; the disappearance of a site like Empire will likely result in levels of suspicion and mistrust within the dark web scene shooting up. We will probably return to levels of fear, uncertainty, and doubt not seen since the wake of the Hansa and AlphaBay disruption. New marketplaces that spring up to replace Empire–have no doubt, new platforms will soon appear–will likely face an even greater battle to prove their credibility, and may not grow as quickly as Empire initially did. 

Other potential developments resulting from Empire’s demise could include:

  • A return to cybercriminal forums. As Digital Shadows (now ReliaQuest) has argued on multiple occasions, cybercriminal forums–the original cybercrime technology–have never lost their popularity, despite the appearance of alternative technologies such as marketplaces, automated vending cart (AVC) sites, and private communication platforms. However, the loss of another dark web marketplace and any sluggishness in new sites appearing to take Empire’s place may lead to cybercriminals turning to forums as a more secure and reliable way to transact. Generally, these sites do not require all funds for deals to be deposited into their systems. However, they still offer escrow services to ensure the security of payments.
  • A turn to private communication channels. Instead of transferring their business to cybercriminal forums, threat actors may instead move to messaging software. We have already observed one instance of this: As early as 24 Aug 2020, when the Empire exit scam saga was still in its early days, one Dread user and Empire vendor announced that they would be selling directly on the messaging application Wickr until they were able to return to using Empire. Many former Empire vendors will likely follow suit and begin using platforms like Telegram, Discord, and Jabber for their illicit activity. These applications aren’t without their disadvantages, though; there are concerns about some of these platforms’ security, and vendors find it hard to get their message across as effectively as they can on a marketplace or forum.
Trade on Wickr until Empire’s return
Empire vendor announcing intention to trade on Wickr until Empire’s return
  • Innovations in marketplace technology. It is unlikely that cybercriminals will eschew marketplaces altogether. They offer so many advantages in terms of ease of use, reach, and security during transactions. The continued existence of such platforms despite a long history of exit scams shows that many cybercriminals will stick with markets through thick and thin, even with the risks to their deposited funds. Any new marketplaces that appear in the wake of Empire’s demise–or even existing marketplaces that step up to take Empire’s crown–will likely look for new ways to differentiate themselves from Empire. We may see this in their marketing material, or sites could try and develop innovative, new features that ostensibly secure vendors’ funds against exit scams.