In the world of “what could have been,” the cybercriminal marketplace market[.]ms would be a leader in the cybercriminal underground. Market[.]ms offered threat actors streamlined, automated trading of a range of illicit goods, including malware, stolen accounts, and fraudulent documents. Instead, on December 3, 2019, the news that market[.]ms had closed due to a lack of profit rocked the cybercriminal community. One former user bemoaned its departure, saying, “What a shame, the service was decent and the best of its kind.”

In June 2018, Digital Shadows blogged about the appearance of market[.]ms. Back then, several factors suggested that the site was destined for success:

  • Founders’ illustrious reputation
  • Apparent financial resources
  • Focus on security features
  • Cautious advertising, avoiding unwanted attention
  • Refusal to trade drugs

The closure announcement was largely unexpected. Market[.]ms lowered commissions for using the site’s escrow service, depositing money, and withdrawing funds in July 2019 (which could indicate a platform struggling financially). In September 2019, market[.]ms introduced a Tor domain (adding to the burden of resources to be paid for and maintained but in no way suggesting an imminent closure).

While it may be challenging to assess what went wrong for market[.]ms conclusively, this blog examines some potential reasons behind its demise, as well as looking at the extraordinary professionalism market[.]ms displayed throughout its journey.

 

marketMS homepage

Market[.]ms homepage at the time of its official launch

 

Market.ms: Where it all began

Current and former members of the forum team at Exploit, arguably the most high-profile Russian-language cybercriminal forum, established market[.]ms in a pre-alpha working stage in January 2015. Its founders included Exploit’s former administrator, who now runs the increasingly prestigious cybercriminal forum XSS (the market[.]ms URL now redirects to the XSS homepage). Several stages of development followed:

  • December 2016: development of Bitcoin server
  • March 2017: project launch among a subset of testers from the Exploit and Antichat cybercriminal forums to test site vulnerabilities and correct bugs
  • August 2017: the establishment of support service, the addition of English translations

The site opened officially in February 2018, accompanied by advertisements on prominent cybercriminal platforms.

 

MarketMS advertisement on exploit

Market[.]ms advertisement on Exploit

How did market.ms sell itself?

The website described itself as an “automated safe trading platform” and promoted its high security levels, simple interface, and escrow-guaranteed trading to distinguish itself from competitors.

A May 2018 mass broadcast Jabber message on the exploit[.]im server described market[.]ms as “a marketplace for a new generation” and highlighted its unusual model that offered three different transaction types:

  1. Advertisements: Similar to an advertising post on a forum. Goods on offer in such advertisements could not be bought on market[.]ms: All transactions had to take place on a platform other than the marketplace.
  2. Instant deals: A fully automated deal in which the seller added the goods into the system, advertised the product, and then the buyer purchased and downloaded the goods. However, this system did not provide any guarantees and required the buyer to operate on a trust basis as market[.]ms did not verify goods offered in instant deals.
  3. Escrow deals: Offers arbitration feature in addition to the advantages of the instant deals. Buyers would have 72 hours after purchasing to confirm the transaction or challenge the quality of their goods and receive a refund for substandard offerings. The money would not be credited to the seller until three days after the purchase date.

 

MarketMS messaging launch

Market[.]ms messaging about transaction types at the time of its official launch

 

Much of market[.]ms’s advertising material focused on its security features:

  • Maximum anonymity: The site required minimal registrant details and hosted data on an encrypted server.
  • Financial safety: The site worked exclusively in Bitcoin, and the exchange rate was recalculated several times per day. Funds were distributed in a ratio of 70/30 in cold/hot wallets, respectively.
  • Limited victim base: The site forbade its users from targeting entities in Russia and former Soviet Union countries. This is a tactic Russian-language cybercriminal platforms often employ in the belief it makes the resource a less attractive target for attention from Russian law enforcement agencies.

 

Market.ms professional closure announcement

On December 3, 2019, the user who had promoted market[.]ms on Exploit posted in their long-standing Exploit thread dedicated to market[.]ms to announce that the site had closed. Their post stated that the reason for the closure was “a lack of financial profits.” They explained that the site had experienced “years of losses,” never once making a profit, and had existed only on “personal donations.”

 

MarketMS closure announcement

Announcement of market[.]ms closure

 

One noteworthy aspect of this announcement was the professional manner in which market[.]ms’s administrators intended to close the site down. The Exploit post detailed several steps that would be taken to ensure the marketplace would shut down with as little harm or inconvenience to its users as possible:

  • The site would no longer be accepting new deposits: Cybercriminals scamming other cybercriminals is not uncommon. It is conceivable that a failing market[.]ms could have accepted new funds that the site knew it could not pay back.
  • Data on the site’s servers would be erased safely: Data belonging to cybercriminals (e.g., contact details, passwords, transaction history) would be extremely valuable to both threat actors and law enforcement agencies. Ensuring that the data is disposed of properly means that a leaked dataset of market[.]ms member information cannot become a commodity on other cybercriminal sites.
  • Payment schedule for member refunds: The Exploit post suggested that all members of the site (presumably those with deposits) would receive automatic refund payments. Users with unresolved financial issues could request manual refunds for seven days after the date of the post.
  • Providing a point of contact for future problems: Encouraging members to contact market[.]ms’s support account via the Telegram or Jabber messaging services shows market[.]ms’s willingness to help its members extricate themselves smoothly from the site.

The professional way in which market[.]ms exited the scene echoed its beginnings, with the site existing in a development stage for years before being released publicly.

 

MarketMS good listing

Market[.]ms goods listing

 

Could this have been anticipated?

The signals regarding market[.]ms’s condition were mixed; this case emphasizes the fickle nature of cybercriminal platforms and the difficulty in predicting the development of the scene.

On the one hand, market[.]ms had an excellent pedigree and showed no signs of an imminent exit.

  • Its founder—the former Exploit and current XSS administrator—is a well-known and respected figure within the Russian-language cybercriminal community. Given their years of experience in the scene, it would be expected that they had identified a gap in the market when launching the site and were responding to the clamoring of threat actors demanding this type of automated marketplace. Current Exploit and XSS members would have the blessing of this esteemed figure to incorporate a competitor platform into their trading (something that is usually discouraged on cybercriminal forums).
  • The process of developing the site was painstakingly slow and seemed geared towards the long-term. The site was in development for longer than it was active. Because of the resources dedicated to the project’s development—both time-wise and financially—no one could have anticipated that it would close so quickly.
  • The site seemed open to making changes based on user feedback. The site’s representative on Exploit frequently asked for users’ ideas for future additions to the site and strove to address any complaints that threatened to lose market[.]ms custom.
  • The September 2019 introduction of a Tor domain seemed to suggest that market[.]ms was again investing in its future, adding another pillar to the raft of security measures the site prided itself on.

On the other hand, subtle signals have been discernible for some time.

  • Digital Shadows has long used market[.]ms as an example for its analysts of a site that looks good on paper but has failed to challenge the status quo. Our recent whitepaper discussed the dominance of the cybercriminal forum, noting how recent new additions to the scene have failed to stem forums’ ever-increasing membership numbers.

 

The Modern Cybercriminal Forum

 

  • While Mmarket[.]ms’s membership numbers showed considerable growth, the number of completed deals was disappointing. In May 2018, shortly after the site was promoted on Exploit, market[.]ms had 432 users and 78 products; users had conducted seven successful deals, one through escrow. By August 2019, the site had grown to 4,261 users and 792 products, with 61 successful deals, 23 through escrow. While the growth in user base and listings is significant in such a short space of time, the rate of 54 deals in the past 18 months is relatively low compared to other well-known platforms.
  • Market[.]ms’s model had a vital flaw in charging users to use its escrow services but not to place an advertisement. The format of market[.]ms meant that the site only made money from deals conducted solely within the site, or from users withdrawing money. Cybercriminals who were more interested in profit than security may have eschewed the site’s escrow services to avoid paying the required commission. Market[.]ms’s July 2019 reduction in commission rates was highly likely introduced to encourage users to switch from conducting off-site transactions to conducting them in-house and signaled that finances might have been tight.
  • Market[.]ms failed to make an impact in the English-language scene, despite prioritizing the inclusion of English-language translations on the site. It has barely featured in discussions on English-language cybercriminal forums, which have typically promoted Empire and Apollon in response to questions about reputable marketplaces. While the Russian-language scene is large enough to support resources independently, making a splash in the English scene may have acted as an insurance policy for market[.]ms in case of a lack of attention from the Russian-speaking scene.

While it may be impossible to read the tea-leaves of the cybercriminal scene accurately enough to foresee such high-profile disappearances, market[.]ms’s closure highlights the continued unpredictability of the cybercriminal scene. It is yet another example of a failed marketplace (marketplaces have failed to establish themselves since the disappearance of DreamMarket and Wall St earlier this year). It emphasizes the unchanging nature of the Russian-language cybercriminal scene, in which a site with the best possible credentials cannot take a share of the market.