Raids and take-downs have become standard on the Darknet as agents across the world continue to step up enforcement. While these take-downs are generally digital perp walks meant to remind the public that agents are doing their job, we have to ask, are they actually solving the problem?
Moreover, does the Darknet, specifically Tor, really matter in the grand scheme of things? No. Darknet marketplaces only provide a layer of protection. In fact, most of the items you find listed on any given Darknet marketplace can also be found on normal Clearnet markets and forums. In reality, Darknet take-downs have only a temporary impact and do not prevent overall illicit activity.
For example, when you look at the sale of stolen data online, you will find several major vendors that have sold databases across a variety of Darknet marketplaces over the years. But databases containing PII and credentials are also sold on well-known Clearnet sites like Exploit, which is indexed by major search engines and has not been taken down to this day.
When you look at attack services such as DDoS-as-a-Service, you will find that it was never a major player in Darknet marketplaces, but during the rise of Mirai, a few vendors were found offering attack services with the newly publicized botnet. While vendors never fully adopted the use of hidden services, a few vendors sell overpriced DDoS services on Darknet marketplaces today. This is because most of the bot herders own and operate stresser services on Clearnet websites.
While Operation Power Off, a series of take-downs targeting the DDoS-as-a-Service industry, has been a major success in limiting the number of DDoS attacks, the powerful and customizable source code for IoT botnets like Mirai is still highly available. Because of this, the DDoS-as-a-Service market has become so oversaturated that you can find entry-level vendors selling botnet spots with low bot counts on Instagram.
More users with source code, more problems, no matter how many stresser services are taken down.
A Growing Criminal Landscape
In all, the digital marketplace, on both the Clearnet and the Darknet, has allowed the criminal landscape to grow beyond street dealers with limited options to include several new ways to make a profit without actually touching the products or services offered.
At the beginning of May, DeepDotWeb, a Clearnet site that listed current Darknet marketplaces and covered news related to the Darknet, was raided and seized by law enforcement for referral linking. Most recently, news just broke that BestMixer, a multi-million-dollar cryptocurrency tumbler used to launder cryptocurrency, was also raided.
As the tactics and techniques change, new avenues of profit will always open up.
At this point, it’s clear the landscape has changed dramatically over the last decade, and law enforcement is targeting the new ecosystem—but with limited success, in my opinion. Like low-level hackers, law enforcement is going for the low-hanging fruit, and while it provides for great headlines and temporary impacts, it doesn’t truly solve anything and only creates more problems down range.
I’ll leave you with an article titled “Libertas Market is Available Via I2P.”
The use of hidden services (Tor) is only the beginning of the digital underground marketplace. Admins and vendors will continue to seek different methods to avoid law enforcement as long as demands and profits are high.
In other words, don’t fall into a false sense of security; the Darknet isn’t going anywhere anytime soon.
Daniel Smith is an information security researcher for Radware’s Emergency Response Team. He focuses on security research and risk analysis for network- and application-based vulnerabilities. Daniel’s research focuses on Denial-of-Service attacks and includes analysis of malware and botnets. As a white-hat hacker, his expertise in tools and techniques helps Radware develop signatures and mitigation attacks proactively for its customers.