
Death and Decay: How Cybercriminal Platforms Meet Their End

Photon Research Team
May 26, 2021 | 12 Min Read

At Digital Shadows, we’re constantly monitoring the status of cybercriminal locations on the clear, deep, and dark web. It’s a dynamic, ever-changing scene characterized by instability and distrust. Nothing lasts forever and nothing is too big to fail. While monitoring the rise and fall of specific marketplaces, forums, and AVCs (automated vending carts), we have observed two main trends when sites meet their maker: a platform’s disappearance is either sudden and dramatic or more of a gradual fizzling out. In this blog, we’ll examine the different ways in which cybercriminal sites have come to an end and provide examples of each.

Sudden deaths of cybercriminal platforms

One day it’s there and the next it’s gone. Law enforcement takedowns, massive DDoS attacks, and exit scams have proved to be the final chapter for many a hitherto successful dark web location. Exit scams—where users are not aware of the impending demise of a platform and administrators make off with any deposits left on a site—can be planned or unplanned. 

Law enforcement takedown

A site administration team’s poor operational security practices, insider betrayal, multi-jurisdictional police cooperation, or a combination of all three have led to many successful law enforcement takedowns in recent years. 

In January 2021, a German law enforcement agency captured the popular dark web marketplace DarkMarket, replacing the site’s homepage with a notification of the seizure. This was a significant bust: As recently as December 2020, an announcement on the Reddit-style forum Dread reported that DarkMarket had hit the milestone of half a million users, signifying its popularity across the cybercriminal underground and its status as one of the “go-to” marketplaces. It had grown rapidly after refugees from a competitor marketplace, Empire, flocked to the site when the latter conducted an exit scam in August 2020.

When a site goes down in this manner, its chances of renewed success in the future are slim. All user trust generally disappears, and any attempted reincarnation will likely be viewed as the dreaded law-enforcement-controlled honeypot. We saw this when security services took down the hacking forum Hell in July 2015. A few months later, the forum was back online under the branding Hell Reloaded. However, rumors that the forum was a honeypot soon spread because the registration process was opened to the public and the original site founder was notably absent. Hell Reloaded later went offline, likely as a result of the increased suspicions surrounding it and a notable lack of traction with users.

Figure 1. Notice of seizure on cybercriminal marketplace DarkMarket

Attacks from competitor platforms

In addition to worrying about law enforcement, cybercriminal platform administrators also have to contend with fierce competition. Turf wars are not uncommon, and Photon has observed several instances of cybercriminal sites attracting attacks from jealous counterparts…

For example, until 2017, Russian Anonymous Marketplace (RAMP) was one of the most successful cybercriminal markets. It was profitable, had considerable market share, and there were no indications that Western law enforcement agencies were targeting it. However, in a case of biting off more than it could chew, RAMP attempted a hostile takeover of rival marketplace HYDRA, which had seen significant growth in the previous few years. This scheme was unsuccessful: HYDRA responded with a series of DDoS attacks that caused RAMP to experience frequent shutdowns, financial losses, and internal spats. Ultimately, RAMP’s user base migrated to HYDRA.  

The unplanned exit scam

Pressure from law enforcement or attacks from competitors have led some administration teams to make a spur-of-the-moment decision to exit the cybercriminal platform scene of their own accord. This was likely the case with Empire marketplace, which was plagued by DDoS attacks in the months leading up to its closure despite having implemented a new anti-DDoS protection mechanism. Empire remained online by paying off its attacker(s), but it seems that the administrators’ patience and money eventually ran out. The site went offline in August 2020 and the administrators disappeared, taking all user deposits with them.

Figure 2. Message on Dread alleging Empire was experiencing an ongoing DDoS attack before its demise

The planned exit scam

In an industry centered around stealing money from others, it’s hardly surprising that some platform administrators set up cybercriminal sites with the intention of one day absconding with the funds of the very users they catered to. The triggers for conducting an exit scam probably vary. Some platform administrators may have a pre-planned date on which they will exit or a specific amount of user deposits that will prompt the start of the exit. Alternatively, site owners might wait until they are on the radar of law enforcement officials. Following a planned exit scam, the administration team might choose to set up another site under a different name and repeat the whole process again. After all, the users of these sites must ultimately put their trust in the unknown, as they can never really be sure that a site won’t pull the rug from under them at some point. Cybercriminal platforms will always carry a level of inherent risk that their patrons accept.

The planned exit scam is almost certainly what happened with the English-language platform Apollon, whose owners exited in January 2020 while simultaneously carrying out extensive DDoS campaigns against several prominent English-language forums and marketplaces. Other now-defunct sites that likely planned to exit, or at least always kept it as a reserve option should things not work out, were BitBazaar (June 2020), Nightmare Market (August 2019), and Olympus (September 2018). 

A responsible exit: a gradual end for cybercriminal platforms

In a responsible exit, a site’s administration team announces the platform’s imminent closure and outlines measures for dismantling the site. This happened with Market.MS, which declared in December 2019 that it would be going offline due to “a lack of financial profits” after “years of losses.” The site said it would no longer be accepting new deposits and that it would safely erase user data on its servers. It outlined a payment schedule for member refunds and provided a point of contact for future problems. 

Figure 3. Market.MS representative announces the platform’s closure.

Another example of the responsible exit is Joker’s Stash, a prominent automated vending cart (AVC) that closed down in February 2021. It might have been a case of quitting while ahead: In December 2020 a law enforcement seizure notice appeared on Joker’s Stash’s blockchain domains, and in January 2021 the administration team gave users a month’s advance notice that the site would be closing entirely so that its creator could embark upon a “well deserved retirement”. Regardless, Joker’s Stash allowed users to spend their remaining funds before shutting up shop. As part of the closure announcement, Joker’s Stash’s administrator stressed “WE WILL NEVER EVER OPEN AGAIN”, adding “Do NOT trust possible future imposters.”

Figure 4. Announcement of Joker’s Stash’s impending closure

The rebirth: phoenix cybercriminal platforms

The above examples are obsolete platforms that will likely never return. There are, however, a few instances of platform necromancy, when a seemingly dead forum has been brought back to life. Perhaps the most famous example of this is the Russian-language forum XSS, formerly known as DamageLab. DamageLab, in its original incarnation, closed when its administrator had a run-in with law enforcement. Now run by a former administrator of the prominent Russian-language cybercriminal forum Exploit, XSS is highly regarded within the cybercriminal scene and features discussions and commercial activity covering many different types of illicit activity. It has high levels of user trust, is well moderated, and rarely goes offline. 

An example in the English-language scene is KickAss forum, which was taken offline intentionally in January 2019 following the increased media and law enforcement attention that the actions of the ransomware collective TheDarkOverlord brought to the platform. Before its demise, it was seen as the number one hacking forum in the English-language cybercriminal community. It rose from its grave in December 2020, and though it is currently successful, many former users initially expressed skepticism, suspecting that it might be a honeypot of some kind. At the time of writing, no evidence has emerged to support these claims.

Figure 5. KickAss forum representative on Dread announcing its return

These instances of successful rebirth are few and far between. For every XSS or KickAss 2, there is a Torigon, Silk Road 2.0, or Dark0deReborn, all of which failed to gain traction after coming back online. It seems that the skepticism barrier is very difficult to overcome, with XSS one of the only reborn forums to have escaped being tarnished by the suspected-honeypot brush.

The slow decay: cybercriminal platforms that faded

These sites that went down in a blaze of glory involving law enforcement, competitors, and nefarious scams all had one thing in common at the time of their demise: high user base and activity levels. The drama resulted from them going out at their peak. But what about those sites that go out not with a bang but with a whimper? Those that gradually fade away into nothingness or become shells of their former selves? 

Gradual abandonment

Like many real-world businesses, cybercriminal platforms can see a gradual reduction in customers. This might result from smaller but constant attacks from competitors. Rather than one big DDoS attack that kills the site in a short space of time, repeated outages due to smaller attacks may inconvenience users to the point where they no longer see the site as reliable. Customers then “jump ship” to other sites as the fading platform sinks into oblivion.

The once-prominent Russian-language forum HPC reported repeated small-scale DDoS attacks over a number of years that kept taking the platform offline. Over time users began to migrate to more reliable sites. The final nail in the coffin for HPC was when the administrator announced in 2017 that they were placing the site up for sale; almost all traffic ceased after that. Users and moderators alike probably became unsure of the forum’s future and moved on to pastures new. HPC is still online today but sees very little activity – most new content comes from novice users who are unaware that the site has been abandoned or from legacy members looking for nostalgia.

Figure 6. HPC forum administrator announces one of many DDoS attacks on the forum

Another reason for users to abandon a platform is the appearance of a better alternative. VLMI, a once-popular Russian-language hacking forum, saw a significant drop-off in trade and user discussion after XSS (DamageLab 2.0) came back online. Engagement between VLMI’s administrators and members is scarce and the site is poorly moderated overall. In contrast, XSS is well moderated, highly respected by its members, and frequently hosts user-engagement campaigns, such as article contests.

Abandoned platforms and bot takeover

When platforms lose traffic to other sites but remain online, genuine interaction between users disappears and the site is left in a state of abandonment. The lights are on, but nobody’s home. Two things can happen next.

If the administrators and moderators abandon a site, bots and scammers can take over. The site continues to receive activity but there is no genuine interaction between users, and new content is typically nonsensical. The once-popular Russian-language cybercriminal forum Tenec, for instance, appears to have been abandoned by genuine users and completely taken over by bots. At first glance, it looks like a healthy forum, with multiple new threads added each day that garner responses from numerous users. However, on closer inspection, all new content appears to be copied from non-criminal sites. All responses come from the same seven or eight accounts, who post meaningless content. 

Figure 7. Example on Tenec of a nonsensical bot response to a thread that had been quiet for five years.

Alternatively, if bots don’t take over an abandoned site, it can become a sort of “ghost town.” Legacy users return for nostalgia, remembering the “good old days” when the platform was once a bubbling hive of activity. HPC forum, for instance, still exists as a repository of knowledge, but new posts are few and far between. Sometimes forum team members attempt to keep the site going by posting newer content, but once users have largely abandoned a site, making updates is merely an exercise in futility.

Figure 8. HPC forum member reminisces about their formative years on the platform

Disappearance without a trace

Some sites—particularly those that were never that popular to begin with—just seem to vanish. All of a sudden, users attempting to visit the site are met with the generic message that the domain is for sale. Perhaps the risk vs. reward trade-off wasn’t worth it for the administration. Maybe the site was never profitable. Whatever the reason, the team has just decided to move on to some other project. Such was the fate of COP SU, which described itself as “the oldest carding forum for newbies and many more” and in 2018 had over 28,000 users. It appeared to be doing well, with no indication of any internal or external problems. However, those looking to visit the platform in 2021 are met with a generic “this site is for sale” message. 

Figure 9. The domain of the once-active Russian-language forum COP.SU is now for sale

Overall, users of even the most popular and successful platforms must simply accept the fact that their cybercriminal haven is more than likely to go down at some point – there are very few that have stood the test of time. The best they can hope for is a few warning signs in the build-up, giving them time to withdraw any deposits before the rug is pulled from underneath them. 

At Digital Shadows, we maintain a presence on many different forums, marketplaces, and AVCs to ensure that we are always up to date on the latest trends across the cybercriminal landscape, including possible indications that a site is about to exit the scene. If you’d like to keep up to date with the state of the dark web and cybercriminal underworld, get a demo of SearchLight here. Alternatively, you can access a constantly updated threat intelligence library providing insight across open, deep, and dark web sources on cybercriminal-related trends that might impact your organization, allowing security teams to stay ahead of the game. Get a free, seven-day test drive of SearchLight here.