No Honor Among Thieves on Dark Web Marketplaces

ZeroFox monitors a myriad of illicit sources across the internet, many of which are called home by cybercriminals and threat actor groups alike. Many of these dark web marketplaces, forums and encrypted chat channels offer safe spaces for these actors to distribute, sell and trade illicit data and products, all of whom are under the assumption that the site owners keep it’s users anonymous and secure. However, as this economy fluctuates due to supply and demand, so does competition, and as criminals try to carve out their space within these markets, it’s becoming common practice for threat actors to manipulate, spread false information, and even out their fellow criminals in order to remove the competition.

Reputation Is Key on Dark Web Marketplaces

Trust is a key factor for everyday internet users. These users rely on websites, internet infrastructure, hosts, organizations and governments to maintain the security and privacy of their data. The assumption that these users trust the legitimacy of the platforms, both technically and lawfully, is an integral part of our internet ecosystem. Cybercriminals who buy, sell or trade illicit services or goods have similar assumptions with the marketplaces they interact with, but they play a riskier game because they are most likely breaking the law.

Cybercriminals seek dark web marketplaces that have a reputation for serving their needs in an operationally secure manner. Reputation becomes a vital measurement both for the marketplace they frequent as well as the other actors they engage with. Similar to the clear web, consumer marketplaces, criminal marketplaces and forums employ reputation systems to help crowdsource trust relationship ratings, which can highlight good faith actors and to outcast scammers or untrustworthy members.

In RaidForums, for example, users can upvote or downvote reputations on other profiles based on the quality of the interaction with the user. Forum members can also purchase various statuses, which elevates the purchasers reputation and gives other “perks” on the forum. This is one way forums can generate revenue, as well as showing other users that if someone is willing to pay for a status on an underground forum, then they are more trustworthy.

Many of these forums and marketplaces publish codes of conduct and terms of service. These help drive the behavior of the forum and allow administrators to execute bans or warnings if a user tries to abuse the forum or other users. Exploit, a Russian-based forum for cybercrime, has a code of conduct on their website that originated in 2007.

Administrators are an integral part of the trust of a forum as well. Many forums have a Guarantor or escrow service. A Guarantor is a trusted middleman for buying and selling goods and services with other users. For example, if someone wants to purchase access to a network, or buy a credit card database, or a “base”, from another user, they can use the guarantor service to ensure the integrity of the transaction. Forums have various ways to initiate a Guarantor transaction, but the basic flow is as follows:

• Buyer sends a transaction request to Guarantor, with name of Buyer and Seller
• Guarantor acknowledges the request and obtains details to verify the goods or service
• Buyer sends cryptocurrency to Guarantor, who holds onto it and confirms with Seller that they received the money
• Seller sends Buyer goods or service, Buyer verifies then tells Guarantor to release funds
• Guarantor releases funds to Seller with a fee
• Buyer/Seller leave reputation on each other profiles, sometimes asking Guarantor to close the thread

There are other variations of this model where the Guarantor handles the goods and services verification, but in the end, a trusted Guarantor brokers the transaction and earns the trust of the buyer and seller in the forum.

Codes of conduct, reputation systems and community policing demonstrate a warped, cyber-infused form of the Prisoner’s Dilemma on these forums. By working together towards a common goal, forum owners and their members create a thriving community that can create wealth and opportunity as long as everyone plays by the rules. 

In less formalized environments which facilitate these transactions, such as those found in Telegram channels, buyers and sellers will often rely on one another to leave messages informing others of the success they have had with their services. This can take the form of simple messages vouching for a user, or even screenshots and photos from a successful transaction. Bots and channels are used to track known scammers.

Threat Model for Dark Web Marketplaces

The threat model that these dark web marketplaces focuses on finding and removing scammers, but users and marketplaces are even more wary of law enforcement or security researchers being undercover and interacting with them. Security researchers collect dark web intelligence from interactions on the marketplaces and provide useful findings to victims to defend themselves. The biggest worry for cybercriminals, though, is law enforcement. Law enforcement has executed dozens of marketplace seizures throughout the years, and seizures from these domains can lead to arrests of its members, provide valuable insight on marketplace operations, and give additional evidence for potential cases on the users of these marketplaces.

In recent years, this threat model has shifted to include competitors of markets or users. By providing dark web intelligence on administrators, moderators and users, actors can take out their competition by forcing them to “go dark” after being revealed, or the intelligence can provide enough evidence for arrests and seizures. 

Doxxing

There have been numerous cases of doxxing in the underground scene. Doxxing is when researchers and cybercriminals post personal details of a person or a group of people behind an alias. The release of these details, if reliable, can lead to a number of problems for an actor. Law enforcement can ascertain the identity of the actor which can lead to an arrest. The reputation of an actor can plummet due to other actors not wanting to do business with the doxxed victim. Lastly, in some cases, it can lead to personal harm such as bullying, additional doxxing, or physical consequences such as SWATting. 

The act of doxxing itself can take many forms, from anonymous social media tip offs to journalists, blog posts detailing the discovery of an actor's identity, or even submissions to sites dedicated to doxxing.

Operational security is a key consideration for many threat actors operating on these dark web marketplaces. Criminals have to walk a fine line between being visible enough to be reputable, so users know what services they should be considered for, and obscure enough so other activities and accounts, whether related or not, cannot be attributed to them without intention for it to do so.

As a vendor's popularity increases, so does the likelihood that competing actors will begin investigating them in order to cause reputational harm, or expose their identity, hoping to force them out of the market.

Threat actors are also commonly identified through examination of their earlier work or offerings within these ecosystems. When starting out, many eager criminals may include information within their work or posts directing visitors to social media accounts, or use aliases which they have used previously within personal accounts elsewhere. These lapses in operational security can lead other threat actors to reveal their identity even if these accounts have been taken offline due to the popularity of internet archival tools and OSINT sources.

For example, a popular phishing kit author under the alias of SPOX recently stopped all operations after being identified by a security researcher who collected and examined early phishing kits attributed to this author. He revealed that some kits included a comment mentioning the threat actor's birth name, and from other artifacts revealed during analysis located the identity of SPOX. Shortly after the researcher's post, SPOX closed down their online marketplace for buying these phishing kits and removed their online presence.

Data Breaches on Dark Web Marketplaces

Many criminal dark web marketplaces are also subject to other criminal hacking or site compromise to gain data on users and administrators. This breached data is then often circulated to cause reputational harm to the operators of the market.

OGUsers is a well-known forum dedicated to the buying and selling of compromised social media accounts, where users can gain access to accounts with desirable handles, or request that the account be “obtained” for them. Some users of the forum have also been linked and arrested due to SIM swapping and vishing attacks in order to compromise accounts. OGUsers has experienced multiple breaches over its existence as rival groups and hacker forums have targeted the site in order to end its operations. In early 2020, a hacker under the alias of Numero Uno compromised the website and extracted the complete user database, containing over 200,000 registered users. This data was made available on rival websites in order to severely damage the reputation of OGUsers. 

Later on in December 2020, after the site remained active, another hacker obtained the user database and proceeded to offer users of the forum an opportunity to pay to have their details removed from the database which was to eventually be released to the public. 

These breaches had the desired impact of reducing the reputation and trustworthiness of the forum to its users. This impact was two-fold as several prolific vendors who operated on the forum were subsequently identified and arrested by law enforcement for their involvement with criminal activity linked to OGUsers.

From January to March of 2021, multiple high-tier cybercrime forums were also breached. Verified, Exploit and Maza all were victims of an attack that resulted in the degradation of operational security for their administrators and members. Verified and Exploit administrators both disclosed the attack on their forums. Maza was compromised and the front page of their forum was defaced and had a link to a PDF which contained a database dump of all the users of the forum.

Conclusion

Outside of the benefits for competing threat actors to identify their competition publicly, security researchers and law enforcement rely on infighting by members on dark web marketplaces in order to collect relevant dark web threat intelligence. This includes leaked information and documents that prove the real identity of a user behind an alias or evidence built up over time from separate leaks and breached data.

It is common for high value members of this criminal underground to doxx other high value members in order to spook the competition and drive more customer interactions their way, which is a valuable resource for both the criminals and the agencies trying to bring a stop to these actions. The reliability of this data however can vary, and should be examined critically as misinformation or false allegations can often be made about threat actors in order to try and pressure them out of the market, or effectively “crowd source” operations against them. 

Want to learn more about how threat actors operate on the dark web? Read ZeroFox's latest threat research report, Fact vs Fear: The Dark Web Trends Security Teams Need to Focus On to gain insight on dark web threats and how security teams can benefit from dark web intelligence.