Dark Web Vendors: Who They Are and Who They Serve

Dark web vendors play a vital role in the illicit digital economy, supplying hackers, spammers, and fraudsters with the information, tools, and resources they need (at a price, of course) to defraud their victims or launch damaging cyber attacks.

In our blog this week, we’re taking a deep dive into dark web vendors and their role in the underground economy. We’ll also explore how you can safeguard your organization against cyber threats by proactively monitoring illicit vendors and their activity on the dark web.

What are Dark Web Vendors?

Dark web vendors are merchants who sell illicit goods and services in underground marketplaces hosted on the dark web.

Dark web vendors (and the marketplaces where they operate) take advantage of the encryption and anonymity provided by hidden darknets like The Onion Router (TOR), I2P, and ZeroNet to hide their illicit activities from law enforcement and escape accountability for their actions. 

They may also conduct transactions using cryptocurrency to make their earnings more difficult to trace and further obfuscate their identities.

Every Dark Web Vendor is Different

Some dark web vendors are genuine programming or cybersecurity experts who make a fortune selling packaged malware and exploits that enable less sophisticated operators to launch powerful cyber attacks against enterprise targets.

Some are full-fledged criminal enterprises that ship illicit drugs and banned chemicals to their clients from secret production facilities around the world, or engage in fraud and cyber crime on a global scale.

Other dark web vendors are simply low-level fraudsters and opportunists, selling things like phone-verified PayPal and Cash App accounts or sharing their Netflix login information for a one-time fee.

Anyone Can Become a Dark Web Vendor

In just a few minutes, anyone can download the Tor browser, navigate to a dark web marketplace, create a vendor account, and start listing illicit goods or services for sale on the dark web.

However, some marketplaces require vendors to apply via referral, provide proof of reputation from another market, purchase a vendor license, or provide a cash deposit. These barriers are designed to ensure that only trustworthy and reliable vendors are permitted to operate.

What Do Dark Web Vendors Sell?

Vendors on the dark web sell many different kinds of illicit goods and services. Let’s break down the seven product categories that you’ll find on any dark web marketplace.

Fraud Tools and Data

In 2020 alone, American consumers lost more than $56 billion to credit card fraud and identity theft scams. With fraud driving massive profits for scammers and cyber criminals, a large underground economy has emerged to supply the most daring, aggressive, and organized fraudsters with the tools and data they need to keep their scams running.

Dark web vendors sell stolen personal identifying information (PII), stolen credit card numbers with verification codes, fraudulent bank accounts, and fraud software. Credit card skimmers, RFID readers, and cloning devices are also sold.

Hacking, Spam, and Phishing Tools

Dark web vendors sell software tools, utilities, and scripts that allow threat actors with minimal technical knowledge to launch effective cyber attacks. 

Illicit goods for sale in this category can include zero-day software vulnerabilities, exploit kits, hacking tools and scripts, spam and phishing tools, RDPs, and access to secure databases. Some dark web vendors sell scraped email lists that cyber criminals may wish to target with phishing or spam emails.

Malware and Ransomware Kits

Dark web marketplaces make it easy for digital threat actors to get their hands on malicious programs that can be used to carry out a variety of attacks. Dark web vendors are selling pretty much every kind of malware you can imagine, including:

  • Botnets that can be used for spam or DDoS attacks,
  • Remote Access Trojans (RATs) that can give the attacker remote access to your computer,
  • Keyloggers used to spy on your activities and eventually infiltrate or take over your accounts,
  • Rootkits that give the attacker sustained, privileged access to your computer,
  • Banking Trojans that attempt to steal your credentials when you access your financial institution’s online banking portal, and
  • Proxy Malware that hijacks your computer and turns it into a proxy server.

Illicit Services

Some dark web vendors earn cash by monetizing their own services. Vendors may offer to deploy cyber attacks against a specific target, steal data from a specific company or database, or create a customized fraud or malware program.

Information and Guides

Dark web vendors sell detailed guides that teach other scammers how to steal money and commit fraud, often by using products and services that the vendor provides. Common topics for guides and tutorials include hacking, credit card scams, deploying malware and ransomware attacks, social engineering, and digital anonymity.

Counterfeit Goods

We’ve seen dark web vendors listing everything from pirated eBooks and software to counterfeit electronics and fake gold bars.

Drugs and Chemicals

Drug dealers are rampant on dark web marketplaces, operating on a scale that indicates a strong relationship with global organized crime. Dark web vendors traffic in all types of drugs, 

How Do Dark Web Marketplaces Work?

Up until this point, we’ve been focused on dark web vendors and the role they play in the underground dark web economy. But we haven’t really talked about dark web marketplaces.

Every dark web marketplace is an organized criminal enterprise that profits from the exchange of illicit goods and services.

These marketplaces are operated by sophisticated groups that use cutting-edge security techniques to conceal their identities and hide the locations of their servers, making it virtually impossible for law enforcement agencies to disrupt their activities. Some even claim to have a killswitch that will automatically wipe their servers if their operations are ever compromised by law enforcement.

Dark Web Marketplaces Enable Anonymous Transactions

Dark web marketplaces make it possible for vendors to complete transactions without revealing their identity to the customer. 

For digital products, this means providing the customer with a download link that doesn’t connect back to the vendor. For physical products like drugs or counterfeit goods, the vendor will often mail them to the customer’s preferred address and take payment via Bitcoin or through the marketplace escrow service.

Dark web marketplaces play an important role in facilitating illicit transactions. Some marketplaces provide an escrow service for participants in a transaction in exchange for a fee. Others designate certain trusted individuals to help facilitate transactions by acting as guarantors. 

Almost all dark web marketplaces have implemented some sort of review system or trust rating for vendors, making it easy to keep track of which dark web vendors are honest and reliable.

Three Dark Web Marketplaces You Should Know

Silk Road

Launched in 2011, Silk Road was the first modern darknet market that operated on Tor as a hidden service. 

In the two years it was open, Silk Road provided goods and services to nearly 150,000 buyers, with all transactions done in bitcoin. Silk Road was shut down by the FBI in October 2013 and the site’s founder, Robert Ulbricht, is in prison serving a life sentence for computer hacking, money laundering, and conspiracy to traffic narcotics.

AlphaBay

The darknet market known as AlphaBay was launched in September 2014 by a Canadian citizen named Alexandre Cazes. 

After three years of operation and hundreds of millions of dollars in annual sales, AlphaBay’s main server was seized in Lithuania and its founder arrested in Thailand in July of 2017. This happened after Cazes unintentionally doxxed himself by including his personal email address in the header information of the AlphaBay welcome email.

Four years later, an original AlphaBay administrator and alleged co-founder known only as DeSnake re-opened the AlphaBay marketplace and continues to operate it today.

Empire Market

Empire Market was launched in January 2018, filling a void in the underground marketplace that was created by the AlphaBay shutdown just months prior. Though Empire Market was initially successful, its glory days were short-lived. 

Beginning in 2019, the marketplace was victimized daily by DDoS attacks that slowed down its servers and damaged the customer experience, resulting in significant lost revenue. Sources claim that the administrators of Empire Market were paying an extortionist between $10,000 and $15,000 per week, just to refrain from constantly DDoSing their servers.

Then, in August of 2020, Empire Market just disappeared. The owners, who had apparently gotten sick of constantly mitigating DDoS attacks, transferred the $13 million worth of customer cash in Empire’s escrow to their own accounts and shut down the site – a move widely known as an Exit Scam.

Empire’s Exit Scam reveals an important truth about dark web marketplaces: that even though the underground economy is built on trust, there’s still no honor amongst thieves.

Connecting Dark Web Vendors and The Need for Dark Web Intelligence

There are two reasons why threat intelligence teams should be paying closer attention to the actions and behaviors of dark web vendors:

  1. Cyber attacks may be discussed by digital threat actors and dark web vendors on clandestine forums before they go live. Enterprises that are tuned in to those channels have the opportunity to respond proactively to emerging threats instead of being caught by surprise.
  2. Evidence of cyber attacks and data breaches often appears on the dark web. If a digital threat actor breaches your database and steals a trove of PII, there’s a good chance that some or all of that data will eventually appear for sale on the dark web. Again, enterprises that are paying attention will have the opportunity to detect that evidence and take immediate steps to remediate the breach and mitigate further damage.

Enterprise cyber security teams can invest in AI-driven dark web monitoring solutions to monitor the dark web for threat indicators at scale and safeguard their organization, brands, and employees against digital threats that emerge in dark web marketplaces.

Detect and Disrupt Cyber Threats with Dark Web Monitoring

Dark web monitoring is the AI-powered capability to monitor dark web marketplaces and paste sites at scale and detect unauthorized sharing or fraudulent monetization of customer data, account credentials, and PII. Combined with human intelligence, the dark web is a valuable source of threat intelligence. 

Monitoring the dark web can help enterprise security teams anticipate and counteract upcoming cyber attacks, or detect evidence of prior attacks and take action to minimize the damage and prevent further distribution of stolen data.

Dark web monitoring can protect your organization against:

  • Data leaks, including sensitive data, PII, compromised credentials, application source codes, trade secrets, and intellectual property,
  • Cyber attack campaigns that are planned and operationalized in the dark web, and
  • Sales and marketing of stolen credit cards, account information, and PIN numbers.

ZeroFox combines AI-powered dark web monitoring and human intelligence provided by our DarkOps team. ZeroFox’s dark web operatives are embedded into hundreds of dark web communities where few possess the cultural or language expertise to infiltrate, combining open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to your threat intelligence requirements.