The limited impact of AlphaBay and Hansa’s demise

Kuwait Times - TECHNOLOGY - By Rick Holland

The law enforcement operations that took down the AlphaBay and Hansa marketplaces were meant to strike a sizable blow to the online trade of illegal goods and services. Frequenters of these services might now think twice before placing their trust in these unregulated platforms, and there may well be further arrests to follow as investigations and analysis of the materials seized in these raids run their course.

However, when a drug enforcement operation completes a major bust or arrests a large number of individuals, there is often another group, or new recruits, ready to fill the void. Similarly, our analysis of the broader cybercriminal ecosystem suggests that the impact of the AlphaBay and Hansa closures will be somewhat short-lived, for at least three reasons:


With AlphaBay and Hansa out of the picture, sellers and users will flock to other marketplaces to continue trading as before. This has been evident already, with former AlphaBay and Hansa users advertising on established forums such as Dream Market, TradeRoute, House of Lions and Wall Street Market, which we focused on in our previous blog.

Marketplace takedowns are not a new phenomenon. When Silk Road, once the largest and most popular dark web marketplace, was disrupted by the Federal Bureau of Investigation (FBI) in 2013, this only precipitated the growth of other, alternative platforms. AlphaBay grew from Silk Road’s closure and eventually took on the mantle of the most popular dark web market. Subsequent reincarnations of Silk Road in the form of Silk Road 2.0 and Silk Road 3.0 exemplify how the cycle will likely continue for the foreseeable future. We have seen alternatives emerge as a result of marketplace exit scams as well. In 2015, administrators from the Evolution Marketplace stole an estimated 40,000 BTC. Dream Market was one of the beneficiaries of that exit scam. Just as Jeff Goldblum’s Jurassic Park character, Doctor Ian Malcolm, says, “Life, uh, finds a way,” cybercrime finds a way as well. Commerce must flow; buyers and sellers need to be connected.


Yes, AlphaBay and Hansa were two of the most popular English-language dark web marketplaces. And yes, they had dedicated sections for fraud-related goods (stolen payment card information, counterfeit documents, and compromised bank accounts), as well as malware and hacking tools (the RIG and Bleeding Life exploit kits were previously advertised on AlphaBay). However, from an information security perspective, we should remember that most of the products advertised on these platforms were drugs, weapons, and digital goods such as media accounts and service subscriptions.

Our research shows that there are other forums specifically dedicated to hacking and security, which often act as a platform for trade. Sites like CrimeNet, HPC, and Exploit[.]in contain many examples of threat actors offering products such as ransomware variants, exploit kits, compromised accounts and payment card data. These sites work on a direct transfer system where vendors and customers will communicate directly to arrange payment, often through messaging services such as Jabber. Often sellers will advertise their products on these forums, and then direct users to dark web sites to then arrange payment. Where stolen databases have appeared on sites like Hansa, we assessed it to be highly likely that these datasets were previously traded widely through other criminal networks and then listed on these marketplaces only once their value had been exhausted.

Payment card fraud is a good example of why we should not focus too heavily on marketplaces. There are countless carding and Automated Vending Cart (AVC) sites dedicated to payment card fraud. These types of sites often provide tutorials and courses for novice fraudsters, as we highlight in our recent whitepaper. With new carding and AVC sites emerging every day, this type of activity will continue unabated despite the AlphaBay and Hansa takedowns.


Many carding, AVC and hacking sites are not actually found on the dark web, including HPC, CrimeNet and Exploit, which we mentioned above. Moreover, certain types of cybercrime do not need the “anonymity” provided by services such as Tor, or the advertising and transactional functions fulfilled by the marketplace model. Plenty of cybercrime occurs on the open and deep web.

Extortion activity by the darkoverlord, a threat actor we have cited previously, illustrates this point. When the darkoverlord first came to our attention in June 2016, the actor relied heavily on dark web sites such as the Real Deal to advertise stolen datasets. Yet, since the closure of the Real Deal in November 2016, the darkoverlord has remained active and has made use of clear web sites such as Pastebin and Twitter to conduct extortion-based activity. In June 2017, the darkoverlord released eight episodes of an un-aired American Broadcast Company (ABC) show, posting a message to Pastebin that included a link to the torrent website The Pirate Bay. Three days later, the darkoverlord published over 6,000 medical records that allegedly belonged to a clinic in California. The documents were uploaded to the sharing site mega[.]nz after the clinic purportedly failed to respond to the ransom demands.

While the AlphaBay and Hansa takedowns will likely provide significant intelligence gains, there will always be supply and demand for illicit goods and services. Digital Shadows will continue monitoring the development of the cybercriminal ecosystem, particularly in these turbulent times. Marketplaces were never seen as the go-to shop for rare exploits or sensitive datasets, and we expect the more sophisticated sellers to continue using more niche forums or private communication channels to flog their wares. Moreover, with other forms of cybercrime occurring outside of the dark web, organizations and individuals would be wrong to assume that the risk of a cyber-attack has now been significantly reduced.

*Rick Holland is VP Strategy at Digital Shadows

Rick Holland, Vice President, Strategy, Digital Shadows
