The Underworld Economy

Imagine a world in which you could simply click onto a website to buy drugs, weapons, fake IDs, malicious software and ‘how to’ guides for building AK47s. In just a button press, you could own just about any illegal item you can think of. In the realm of the dark markets, this world, or underworld, is very much a reality.

Starting in 2017, law enforcement agencies around the world, helped by cybersecurity companies from the private sector, such as Bitdefender, undertook a series of elaborate operations against criminality on dark web, taking two dark markets within two years. One dismantled market, Hansa, was the third-largest criminal marketplace on the Dark Web.

But what exactly is a dark market, where do they come from and how do the authorities even begin to dismantle them? This article dives deep into ‘dark markets’ and how Silkkitie and Hansa were taken down.

Define: Dark Markets

In the simplest terms, dark markets are places where people can buy or sell illegal goods. However, unlike most online markets, dark markets are hidden services, made anonymous by internet privacy software — Tor.

The infrastructure supporting these illegal offerings is hosted using the Tor Hidden Service protocol. While Tor provides free and anonymous communication by means of an overlay network routing scheme (also known as “onion routing”) that bounces traffic through multiple relays to hide the initiator’s IP address, the Tor Hidden Service protocol extends this obfuscation by hiding the network servers’ IP address as well. This way, both the initiator of the connection and the server’s IP address are unknown to each other, yet they still manage to exchange information and find each other.

These hidden services also have an added benefit: they support encryption by means of public-key cryptography (or asymmetric cryptography) applied at the application layer. Basically, cryptographic algorithms generate a pair of keys – one public and one private – for encrypting and decrypting messages sent via insecure channels. Naturally, the public key can be shared and used by anyone to encrypt messages, but decryption can only be carried out by the person who owns the private key. This private key needs to be kept safe or it defeats the purpose of sending and receiving encrypted messages. As a result, Tor allows encrypted traffic to be randomly bounced around the relay network, ensuring anonymity and privacy to both parties engaged in the communication.

This ‘cloak of anonymity’ tool allows users to publish their service without revealing their identity (IP address), while protecting the identity of customers. As such, Tor — initially designed to protect the anonymity of users such as government authorities, corporations and whistleblowers, as well as their freedom to communicate confidentially — became gold dust for criminals.

What’s more, it doesn’t take a genius to access these dark markets. It’s not quite as simple as Googling them, but once the user has the web address, they simply create an account and password and can begin browsing the products on offer in minutes.

Of course, not all merchants grant this type of easy access to their goods. When it comes to accessing explicit content in all its forms, new users have to provide original content before being allowed on some marketplaces. This way, these platforms are populated by a large number of individuals that both produce and consume explicit content. For example, some forums and video-sharing platforms that offer access to child pornography usually require newcomers to share similarly explicit content that’s unique – and hence, potentially produced by the visitor requesting access to the platform – before being allowed access.

Other merchants keep their shops completely closed off to outsiders, allowing access to newcomers only by invitation from reputable and well-established members. This recommendation-based system is somewhat similar to how real-life criminal gangs operate. For instance, since “.onion” domains cannot be indexed by search engines, certain supplier websites can only be reached by either receiving the link from an existing customer or directly from the vendor after an elaborate screening process in which your “credentials” are vouched for and scrutinized.

I these dark markets operate, a single person serves as the main administrator. Below that person sits an elaborate network of staff members. They tend to be people who are reputable vendors. They are responsible for managing any dispute between vendors and buyers on the service, but the administrator often acts alone.

The variety of illicit goods on offer could be virtually endless. Drugs, guns, fake IDs, ransomware, malware, firearms, pornography, grenades… anything goes. But, unlike the traditional process of buying products where the consumer pays directly to the seller, dark markets use an escrow — another layer to ensure anonymity. In short, an escrow is a middle man between transactions, there to regulate and hold the payment secure. Only once all terms of the agreement between both parties have been met and overseen by the escrow, is the payment released.

While these marketplaces do house a wide range of products, they also offer full-stack services. For example, while credit card information is valuable, not everyone that has that information knows how to use it. However, credit card vendors might also put buying customers in contact with individuals operating credit card cloning and ATM withdrawal schemes, completing the criminal circle. The same thing goes for customers who purchase illegal drugs, as vendors could potentially not only negotiate prices based on purchased quantity, but also provide access to other drug distribution networks and vendors.

As a system built inherently on anonymity and run by users who go to extreme lengths to ensure their identity is not compromised, taking a dark market down is no mean feat, but it’s certainly not impossible.

Hansa and AlphaBay: one takeover, two takedowns

Traditionally, taking down a dark market is very much a ‘whack-a-mole’ scenario. Authorities will track down the administrator, take the site offline and replace it with a dramatic ‘This site has been seized’ page. After temporarily facing disruption, buyers and sellers simply flee to the next dark market they know of and continue their business.

The same happened when the infamous Silk Road market for distribution of illegal merchandise was taken offline. Estimated to have had over $1.2 billion in sales throughout its existence, Silk Road came to a halt when law enforcement took its operator – a 29-year-old former physics and engineering student from Austin, Texas named Ross Ulbricht – into custody. After it was taken offline, Silk Road users turned to other marketplaces, such as AlphaBay and Hansa.

However, during the summer of 2017, a very different and far more disruptive approach was taken by the FBI, the DEA, the Dutch National Police and Europol, with technical evidence assistance from Bitdefender, to shut down the Hansa dark market. Consisting of 3,600 dealers offering more than 24,000 drug product listings, including MDMA, heroin and cocaine, as well as smaller trade in fraud tools and counterfeit documents, at its height, Hansa was the third-largest criminal market on the Dark Web.

In fact, authorities not only managed to shut down the market but they achieved what many would consider impossible. They arrested the administrators and took over the running of Hansa.

In the months prior to the Hansa takedown, Bitdefender discovered a potential location of the real server hosting the hidden service and notified the appropriate authorities for confirmation and further investigation. 

After making copies of each server’s entire drive, including records of every conversation that took place on the messaging system and every transaction performed in Hansa’s history, authorities sifted through the content to discover a major slip-up. Deep in the conversations, dating back to the years before, were the full names of both administrators and the home address of one of them. With the exact location of the administrators pinpointed, the authorities found themselves in a highly advantageous position. Rather than merely shutting down Hansa, they now had the opportunity to arrest the administrators and take complete control of Hansa themselves, completely unbeknownst to the market users.

Simultaneous to the discovery of Hansa’s servers and its takeover, the FBI informed Dutch authorities that they had also located the server of, what was at the time, the world’s most popular dark-web drug market — AlphaBay — in the Netherlands. Authorities realized that after AlphaBay was shut down, it’s users would migrate en masse to Hansa in search of a new trading platform. In fact, in the immediate aftermath of AlphaBay’s shutdown, the number of new Hansa members soared eight-fold. At one point the influx had become so large that for 10 days Dutch police had to shut down new registrations.

While the Dutch authorities had control over Hansa and the refugees from AlphaBay flooded in, they carried out continuous aggressive surveillance of Hansa market users. They altered a feature designed to automatically encrypt messages with user’s PGP keys so that they could secretly log the full text of each message before encrypting it, which in most cases allowed them to capture buyers’ home addresses as they sent information to sellers. They also rewrote the site’s code to enable them to log every user’s password. In addition, they tweaked the function so that copies of all images were first recorded with metadata intact. This allowed them to pull geolocation data from photos that sellers had of their illegal wares. They even tricked Hansa’s sellers into downloading and opening a beacon file on their computers that revealed their IP address.

Up to this point, there had been much speculation as to what had actually happened to AlphaBay. Many suspected it had been taken down in an exit scam by the administrators. But on July 20th, about a month after the takeover of Hansa, all was revealed. The US Attorney General broke the news that AlphaBay had been seized in a combined effort by international law enforcement agencies. Then, the second bombshell hit. Hansa, the market AlphaBay users had been flooding to, had not only been seized but had been under surveillance by Dutch police for over a month.

The collaboration between Bitdefender, Europol, the FBI and the US Department of Justice was one of the most sophisticated takedown operations ever seen in the face of online criminal activities. As a result of the Hansa takeover, authorities obtained at least some form of data on 420,000 users, including at least 10,00 home addresses. Dozens of Hansa’s top vendors were arrested and 1,200 bitcoins were seized — the equivalent of about $12 million dollars.

By shutting down AlphaBay and secretly seizing Hansa, authorities not only came away with a tremendous fall out but caused an immense amount of disruption and distrust within some of the largest underground economies.


In addition to the triumph of Hansa in 2017, authorities this year took down one of the oldest and internationally best-known Tor trade sites selling narcotics — Silkkitie, an operation where Bitdefender also provided technical advice to Europol’s European Cybercrime Centre.

Operating on Tor since 2013, Silkkitie, also known as the Valhalla Marketplace, was seized earlier this year in a collaboration by Finnish Customs, French National Police, Europol and Bitdefender.

In taking down Silkkitie, law enforcement authorities not only put a stop to a dark market that had been selling narcotics and other illicit goods for several years, but it is reported that Finnish customs also carried out a significant bitcoin seizure.

However, as happened with AlphaBay and Hansa, merchants and narcotics traders moved towards other platforms Silkkitie went offline, such as the Wall Street Market. Again, in a coordinated effort, law enforcement took down this marketplace, which had more than 63,000 sale offers placed, more than 150,000 accounts, and over 5,400 registered sellers. Those running the Wall Street Market are estimated to have received commissions of between 2 percent and 6 percent of the sale value of each product. Following the successful law enforcement operation, more than $550,000 in cash was confiscated along with Bitcoin and Monero cryptocurrencies valued at a six-digit figure.

Despite the best efforts of private companies and international law enforcement, it is highly unlikely that dark markets or the dark web will completely cease to exist. In much the same way that you can create as many laws as you want within a society but illegal activity will still take place.

However, these takedowns do show that the combined efforts and cooperation from cybersecurity professionals and international law enforcement are a huge step in the right direction. They are highly effective in installing distrust within the dark markets community and at the very least are minimizing the growth of this underworld economy.

*** This is a Security Bloggers Network syndicated blog from Business Insights In Virtualization and Cloud Security authored by Liviu Arsene. Read the original post at: