DarkMarket’s seizure: the decline of the marketplace?

DarkMarket’s seizure: the decline of the marketplace?
Photon Research Team
Read More From Photon Research Team
February 2, 2021 | 6 Min Read

Once upon a time, a high-profile dark web marketplace seizure or exit scam would have been big news in the cybercriminal community. When Empire marketplace went down we saw widespread expressions of shock, fear, and speculation. But is the strength of reaction to such events beginning to diminish? 

The recent alleged seizure of the carding AVC Joker’s Stash’s Blockchain DNS domains didn’t generate as much discussion as we might have expected. And, a few weeks on from the takedown of the “largest darknet marketplace”, DarkMarket, the ripples in the cybercriminal underground are barely discernible. Taking this as our starting point, in this blog we’ll dive into the cybercriminal community’s reaction to the recent seizure of DarkMarket and ask why this news has not had the impact some might have expected.

What happened to DarkMarket?

DarkMarket launched in June 2019 and increased in prominence throughout 2020, especially after the exit scam of the former number one marketplace Empire in August 2020. After the demise of a significant marketplace, so-called “refugees” of the platform usually seek to transition their buying and selling activities to an alternative service. In this instance, DarkMarket would have been one of many criminal marketplaces capitalizing on Empire’s downfall and looking to increase its user base. 

It seemed to have worked. As recently as December 2020, an announcement on the reddit-style forum Dread highlighted that DarkMarket had hit the milestone of half a million users, signifying its popularity across the criminal underground and status as one of the “go-to” marketplaces. After DarkMarket’s seizure in January 2021, reporting suggested the marketplace had 2,400 active vendors and had facilitated over 320,000 transactions. Conservative estimates calculated that around USD 170 million had changed hands on the site throughout its tenure.

Back in early January 2021, German law enforcement agencies announced the successful arrest of a man believed to be the administrator of the English-language cybercriminal marketplace DarkMarket. This represented the culmination of months of coordinated efforts between Europol and several other nations and also resulted in the seizure of over 20 servers located in Moldova and Ukraine alleged to have hosted the marketplace’s infrastructure.

Why was DarkMarket the crowd favorite?

While its transaction figures sound impressive, the reality is that DarkMarket was often excluded from cybercriminals’ discussions about marketplace preferences or recommendations because of their relaxed security practices. So how did DarkMarket garner such a high number of users? In short, user-friendliness and ease of access to an array of vendors and goods.

Even if a marketplace is as secure as Fort Knox, if it doesn’t have a high number of quality goods or offer user-friendly payment methods then the masses will not take to it. This dilemma appears to be dividing the criminal landscape: is it worth forgoing ease of use and a limited audience in favour of a secure and anonymous marketplace? Or is it better to stick with the formula that, despite resulting in numerous law enforcement actions and regular exit scams, offers access to a much wider user base and a simpler transaction process?

Figure 1: Dread user recommending “secure” marketplace White House Market

Why was DarkMarket’s fall not a massive shock?

A Crowded Sector

Although we have observed various discussions on the fallout of DarkMarket’s seizure, the initial reaction to the announcement has largely been underwhelming. Media headlines about the takedown of the dark web’s “largest illegal marketplace” suggest the news should have had a bigger impact. But the reality is that the marketplace sector is extremely crowded. There were various platforms actively competing with DarkMarket for the top spot. And with DarkMarket now no longer a threat, there is a pool of candidates offering discounts and free vendor bonds for refugees looking for a new “home”. Crucially, another law enforcement seizure only strengthens the more secure marketplaces’ argument that the cybercriminal community leave behind the platforms they are accustomed to.

Dread user recommending a more secure marketplace
Figure 2: Dread user recommending a more secure marketplace

Post-Empire Diversification

Empire’s exit scam may have pushed buyers and sellers to reject marketplaces altogether and seek alternative technologies such as cybercriminal forums or messaging applications like Telegram and Discord. Digital Shadows repeatedly reported on the potential of these alternative technologies to become contenders to the marketplace model. However, they are ultimately problematic due to the efforts required to build a decent customer base ,which is much easier to establish on large, reputable criminal marketplaces, and the increased likelihood of scams if reliable escrow processes are not implemented (usually a default option on marketplaces). 

The recent disruption we’ve seen in the marketplace scene may have encouraged vendors to diversify their activity, splitting their sales between different marketplaces. That way, if one goes down, their bottom-line remains largely unaffected. The impact of DarkMarket’s closure might have been reduced if cybercriminals have slowly been building resilience against such eventual shutdowns and exits with alternative marketplaces and technologies.

What was the role of Tor and DDoS attacks?

In recent months, DDoS activity affecting the entire Tor network had impacted DarkMarket, among others. The administrator of Dread even initiated a thread accusing marketplace owners of organizing such attacks against their competitors or even performing retaliatory attacks. The administrator said that DDoS attacks on the Tor network would not only harm the intended target but also damage the whole of the cybercriminal community. DDoS activity between cybercriminals is not uncommon, but the fact that DarkMarket was already being targeted and struggling to remain online before its seizure may have dulled the impact of the takedown as the community was used to it being offline for long periods. 

Dread administrator condemning marketplace-marketplace DDoS attacks
Figure 3: Dread administrator condemning marketplace-marketplace DDoS attacks

What does it all mean?

Despite these recent dark web market problems that the cybercriminal community is experiencing, it’s unlikely that the marketplace model will go anywhere anytime soon. It may be the case that the golden era of the marketplace is over, and threat actors who are jaded by the news of yet another marketplace’s departure from the scene will continue to react in muted ways. But we’re also entering an exciting new era in the sense that, up until now, the marketplace model has always had a recognized leader for other sites to emulate and compete with. These days, the scene is now a crowded arena with business flourishing and no obvious front runner. Perhaps this situation will encourage diversification and innovation that could breathe new life into the marketplace scene and ensure its survival for months and years to come. 

Digital Shadows will continue to watch developments in the marketplace landscape closely, looking for any indications as to which way the wind might be blowing. Digital Shadows’ SearchLight service features a constantly-updated threat intelligence library providing insight on this and other cybercriminal-related trends that might impact your organization and allow security teams to stay ahead of the game. If you’d like to access the library for yourself, you can sign up for a free seven-day test drive of SearchLight here.

Access Our Threat Intel In Test Drive

Test Drive SearchLight Free for 7 Days
Try It Now

Connect with us