Summer is generally a relatively quiet time in the cybercriminal underground. It seems that, just like the rest of us, cybercriminals also need to take time off to recharge their batteries. However, the summer sleepiness has been unsettled by suggestions that the administrators of the largest and most trusted English-language cybercriminal marketplace, Empire, have conducted an exit scam and made off with members’ funds. This marks the latest in a long line of exit scams among dark web marketplaces — Digital Shadows (now ReliaQuest) blogged about Nightmare in August 2019, Apollon in March 2020, and BitBazaar just this month. Empire’s demise is sure to significantly impact the already fragile levels of trust in the English-language scene.
Overview of Empire
Founded in 2018 following the demise of the infamous marketplaces AlphaBay and Hansa, Empire grew to become arguably the premier marketplace in the English-language cybercriminal underground. According to DarknetStats, Empire had 55,100 listings in August 2020 and its estimated weekly business volume was around $6.5 million.
Like other dark web marketplaces, Empire offered its users an efficient way to trade goods and services. The site’s easy-to-use functionalities allowed vendors to create advertisements quickly and offered buyers ways to rate and leave reviews of sellers following transactions. Empire facilitated streamlined transactions using automated cryptocurrency payment processes and also provided an escrow system to ensure the security of deals. This escrow system ensured that funds would only be transferred from buyer to seller once the buyer had confirmed the suitability of the delivered goods or services, helping mitigate the threat of fraudulent adverts, and also provided ways for disgruntled buyers to complain when things turned sour.
Common listings on Empire marketplace included:
Marketplace exit scams
Dark web marketplaces typically require their users to deposit funds into the platform to transfer payments from buyers to vendors during transactions via the marketplace’s escrow service. Although it may seem like a leap of faith to trust a third-party platform with significant deposits, this system reduces the risk of either a buyer or seller falling victim to a scam and is widespread within the cybercriminal scene.
Should a marketplace’s administration team wish to take control of these funds, there are two options:
The administrators can then siphon deposited funds off into their cryptocurrency wallets and make off with the money.
Successful vendors engaging in a large number of transactions per day often have large sums deposited in cybercriminal marketplaces; one Empire user complained that they had $22,000 tied up in the site. Members of an established marketplace like Empire would be even more likely to leave significant funds in the marketplace, rather than making regular withdrawals, as the trust and credibility such marketplaces have built up reduces users’ fear of losing access to their money.
Timeline of events
Empire marketplace became inaccessible on 19 Aug 2020, an outage that the cybercriminal community initially ascribed to another of the DDoS attacks that continually plague the English-language underground scene. However, after three days of inaccessibility, rumors of an exit scam began to swirl on cybercriminal forums. The story primarily played out on Dread, a Reddit-style dark web community forum.
20 Aug 2020
A moderator of Empire’s subdread (a dedicated space on Dread forum that third-party platforms can use to advertise and provide updates) posted that Empire’s administration team was indeed battling an “ongoing DDoS attack” and was trying to get the marketplace back online. They added, “We are the #1 market and it is your trust that has allowed us to get here. Trust is earned over time. When dozens of admins were scamming in 2018 and 2019, we were the only market to stay loyal to you. This is who we are. Our character has not changed. Many want to see us fall but we are not going anywhere.”
21 Aug 2020
The moderator posted a follow-up response warning Dread users against spreading false narratives about the ongoing downtime and causing unnecessary alarm. At this point, rumors of an exit scam gained even more traction, as urging the community not to spread fear, uncertainty, and doubt is a typical response when a site’s administrators are trying to pull a fast one. We observed a similar tactic during Apollon’s exit scam. Various Empire vendors expressed frustration at their inability to access the platform and withdraw their funds, with many complaining that they had deposited considerable sums of money into the site.
24 Aug 2020
After calls for reassurance from the Dread community, the head moderator of Empire’s subdread posted: “if the market is still down in a couple of days I’ll make a post about the whole situation then, it’s early days and maybe the admins will bring it back”. This tantalizingly cryptic message suggested that something else was going on in the background in addition to the DDoS event but provided no concrete details. What’s more, the message was not signed with the moderator’s PGP key (a PGP signature lets readers check that a post was written by the holder of a previously published key, which is how forum users normally confirm that a post is genuine), generating even more suspicion and apprehension.
25 Aug 2020
A Dread user whose account has since been deleted (highly likely the head moderator of Empire’s subdread) posted that although Empire had implemented new anti-DDoS protection mechanisms four months earlier, the threat actor who had “brutally” plagued the site with DDoS attacks for “a long time” had overcome these new measures. According to this post, Empire had only managed to keep itself online by paying the threat actor responsible for the DDoS attacks to cease their activity. However, a fresh and powerful DDoS attack by another threat actor reportedly caused the Empire team to call it quits and perform an exit scam. The moderator explained, “I doubt they would want to pay multiple DDOSers and at the same time it wouldn’t work paying one DDOSer if another is holding the market down.” The moderator also ascribed blame to Tor itself, asserting that “if the Tor staff team had fixed the problems in Tor that makes [sic] an attack like this possible,” then the administrators may have stuck by the site for longer.
Interestingly, the moderator also opined that the Empire administrators had not planned an exit scam before the latest DDoS attack, explaining that with planned exits, marketplaces usually disable withdrawals while continuing to accept deposits for weeks before their closure. The moderator reasoned that the recent fixes made to the Bitcoin withdrawal process indicated the lack of a pre-existing exit-scam plan: “If it was a planned exit i don’t think they would have put in any work fixing BTC withdrawals that close to the end.”
26 Aug 2020
The subdread moderator who had previously defended the marketplace’s downtime on 20 and 21 Aug 2020 posted on Dread that they were “crushed and ashamed by my admin’s apparent decision to disappear with your funds,” adding that they had believed the Empire administration team’s version of events until the “very end”.
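The 24 Aug post raised suspicion because it lacked a PGP signature. The check a Dread reader would apply is simple: a post is attributable to a moderator only if it verifies against the public key that moderator published earlier; an unsigned post, a post whose body was edited after signing, and a post signed with someone else's key all fail that check and should be treated as unverified. The following is an added example, not code from the original post or from any forum; it uses ed25519 from Go's standard library as a stand-in for OpenPGP (which the standard library does not implement), and the handle `empire_mod`, the keys and the post text are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Post is a forum post as a reader sees it: the claimed author, the body
// text, and an optional detached signature over the body. Dread posts are
// signed with OpenPGP; ed25519 stands in here because Go's standard
// library has no OpenPGP implementation (hypothetical stand-in).
type Post struct {
	Author    string
	Body      string
	Signature []byte // nil when the poster did not sign
}

// Keyring maps a poster's handle to the public key the reader recorded for
// them earlier (e.g. copied from the market's own key page while it was up).
type Keyring map[string]ed25519.PublicKey

var (
	ErrUnsigned   = errors.New("post carries no signature and cannot be attributed")
	ErrUnknownKey = errors.New("no recorded key for claimed author")
	ErrBadSig     = errors.New("signature does not verify against recorded key")
)

// Verify returns nil only when the body was signed by the key recorded for
// the claimed author. An unsigned post is not "probably fine"; it is simply
// unverifiable, which is what the Dread readers picked up on.
func (k Keyring) Verify(p Post) error {
	if len(p.Signature) == 0 {
		return ErrUnsigned
	}
	pub, ok := k[p.Author]
	if !ok {
		return ErrUnknownKey
	}
	if !ed25519.Verify(pub, []byte(p.Body), p.Signature) {
		return ErrBadSig
	}
	return nil
}

// Sign produces the detached signature a poster attaches to a body.
func Sign(priv ed25519.PrivateKey, body string) []byte {
	return ed25519.Sign(priv, []byte(body))
}

// Scenario builds a constructed keyring and four posts and returns the
// verification result for each. Keys, handle and post text are made up
// for this example.
func Scenario() (genuine, unsigned, tampered, impostor error) {
	modPub, modPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	ring := Keyring{"empire_mod": modPub}

	body := "Market is down because of a DDoS attack; withdrawals will resume when we are back."
	sig := Sign(modPriv, body)

	// Signed by the recorded key: verifies.
	genuine = ring.Verify(Post{Author: "empire_mod", Body: body, Signature: sig})
	// No signature at all: the 24 Aug situation.
	unsigned = ring.Verify(Post{Author: "empire_mod", Body: body, Signature: nil})
	// Body edited after signing: signature no longer matches.
	tampered = ring.Verify(Post{Author: "empire_mod", Body: body + " Deposit now.", Signature: sig})
	// Signed with a key the reader never recorded for this handle.
	impostor = ring.Verify(Post{Author: "empire_mod", Body: body, Signature: Sign(otherPriv, body)})
	return genuine, unsigned, tampered, impostor
}

func main() {
	genuine, unsigned, tampered, impostor := Scenario()
	fmt.Println("genuine: ", genuine)
	fmt.Println("unsigned:", unsigned)
	fmt.Println("tampered:", tampered)
	fmt.Println("impostor:", impostor)
}
```

The important design choice is that the keyring is populated before the incident: a key published during an outage by an account claiming to be staff proves nothing, since whoever controls the account can publish any key. Only a signature that verifies against a key recorded while the market was known to be in the original team's hands ties a post to that team.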
Significance of Empire’s potential exit scam
While this rumored exit scam may at first appear to be just the latest in a long line of such events, it’s hard to overstate the impact that this particular instance will have on the cybercriminal community. In this tumultuous environment, with English-language marketplaces disappearing left, right, and center, Empire had become a bastion of steadfastness — a beacon of credibility to which all other dark web marketplaces were compared.
If confirmed, Empire’s exit scam will have even more of an impact on the cybercriminal community because the funds involved are likely to be much higher than with other similar cases: Threat actors had been more willing to deposit larger sums into Empire than into its competitors because of the trust and image of reliability that Empire had built up.
A proven exit scam would shatter the fragile trust that the cybercriminal community had learned to place in this platform; the disappearance of a site like Empire will likely result in levels of suspicion and mistrust within the dark web scene shooting up. We will probably return to levels of fear, uncertainty, and doubt not seen since the wake of the Hansa and AlphaBay disruption. New marketplaces that spring up to replace Empire (and have no doubt, new platforms will soon appear) will likely face an even greater battle to prove their credibility, and may not grow as quickly as Empire initially did.
Other potential developments resulting from Empire’s demise could include: