Honor Among Thieves: Dark Web Marketplaces Rise and Fall on Unspoken Digital “Pirate’s Code”

Even as they deal in stolen credit card numbers and illegal drugs, the patrons of dark web marketplaces expect these underground retail outlets to abide by certain general terms of fair play. New research from threat intelligence firm Digital Shadows indicates that these markets endure based largely on perceptions of honest dealing that are comparable to the standards expected from legitimate retail sites.

Of course, at the back of these markets are career criminals seeking to extract as much profit from the situation as possible. There is a constant tension between maintaining this reputation and trying to get away with manipulative or even outright customer-hostile measures. These markets thus have life cycles that are often measured in mere months, as subterfuge is detected by users and the platform falls apart, only to see the cycle begin again with the next hungry young set of operators.

Rules to govern a digital pirate port by

The Digital Shadows study focuses on dark web market BitBazaar as a recent example of this phenomenon.

BitBazaar launched in mid-2019 and quickly became popular due to a number of “customer friendly” features not commonly found in similar platforms: a walletless market with escrow auctions, an integrated forum for reputation tracking, and support for multiple international currency types. It also received a boost by launching into a vacuum created by the demise of the previous category leaders, Apollon and Berlusconi Market. Berlusconi Market had been seized by federal authorities, while Apollon had conducted an “exit scam” in which the owners quietly close up shop and run off with the funds that vendors have on deposit. BitBazaar also boosted its reputation by maintaining a presence on some of the dark web equivalents of social media sites and public forums for customer service purposes, such as Envoy and Dread.

After about a year of operations, BitBazaar started showing its own troubling signs. In May 2020 Dread administrators banned the market’s subdread due to an accusation of massive subscriber manipulation. Dread claimed that BitBazaar staff was artificially inflating the subscriber count of its dedicated subdread by using fake accounts.

The Dread accusations were followed by a general drop in business on BitBazaar and reports from some clients that they were not being allowed to withdraw their money from the marketplace. All of this snowballed in June into rumors spread across multiple forums that a BitBazaar exit scam was imminent. The dark web market leader went offline in mid-June and has yet to return.

This illustrates the tenuous situation in which underground markets like BitBazaar thrive or die. A sign of marketing malfeasance on one third-party forum started a cascade that led to the death of the platform roughly a month later.

As Digital Shadows points out, the next contender has already stepped up to fill the void. Dark web buyers appear to be flocking to the new Neptune Market, which is following a customer service-focused pattern similar to that of its predecessor. It has implemented its own dedicated subdread for customer interaction as well as Telegram and Jabber order notifications and independent third-party security testing.

Digital Shadows also points out that this is simply an illustrative anecdote, not a landmark event for these sorts of deep web sites. The cycle of platforms rising on the strength of perceived new features and improved customer service, only to inevitably fall amidst an exit scam after some transgression, has been going on for years.

Building a better pirate haven (and taking them down)

The paper identifies various factors that are in demand among cyber criminals, and they pretty much mirror security best practices for legitimate retail sites. According to the Digital Shadows Photon Research team, among the other factors that tend to win over dark web support are incorporation of access security features like CAPTCHA and PGP, a dedicated admin team that responds to customer and vendor concerns around the clock, redundancy measures to keep the site up during DDoS attacks (which are sometimes initiated by law enforcement), and a marketing presence on other well-regarded dark web forums and sites.

It also identifies measures that law enforcement agencies can take to find and destroy these sites, which deal mostly in the sale of illicit drugs and the transfer of digital information stolen in various data breaches. The Photon Research team suggests that past successful takedowns have tended to focus on identifying and scooping up the administration team. If the admins successfully perpetrate exit scams and get out of a dying site unscathed, odds are that they will simply set up a new site under new assumed identities in the near future.

The Photon Research team indicates that these admins often make some sort of simple mistake in the juggling of their various accounts and wallets, or accidentally leave something in the code of these darknet market sites that can be traced back to a real-world identity.