Understanding the Dark Web Economy

7 minute read

The underground dark web economy got its name for a reason — it is a fully-fledged business operation of cybercriminals selling and trading illicit data and products much like any other economy. It’s also incredibly active. In 2020, ZeroFox threat researchers published nearly 1,500 internal reports on notable findings across this cybercriminal ecosystem of forums, marketplaces, data leak sites, encrypted chat platforms and discussion boards. Since the turn of the millennium, the rapid advancement and circulation of computing technologies have given rise to an unprecedented number of interconnected individuals. In turn, this has also driven an increase in opportunity for cyber threat activity ranging from sophisticated nation-state hacking and cybercrime-as-a-service models to compromised account takeovers and phishing scams.

As the dark web economy shifts with supply and demand, cybercriminals compete for customers and the spotlight. It’s even become common for threat actors to spread false information or leverage manipulation tactics to intimidate the competition.

Competition in the Underground Dark Web Economy

ZeroFox monitors activity in numerous underground communities, including forums, marketplaces and encrypted chat networks. These communities offer a place for threat actors to buy and sell resources and form connections with other actors entirely under the guise of anonymity. However, as these communities accumulate more members, competition increases — and threat actors manipulate, spread misinformation and expose members to thwart competition. Typically, when a threat actor joins these communities, they strive to earn the trust of other members. This may include engaging with other threat actors or selling tools and resources. 

Anonymity and security play a significant role in these illicit networks, and reputation is vital for gaining the trust of legitimate actors and removing untrustworthy members — such as scammers, security researchers and law enforcement officials. Some forums have Guarantors to help threat actors buy and sell tools and services. The guarantor acts as a liaison to ensure the integrity of the transaction between seller and buyer. The guarantor’s reputation allows for smooth business relationships between threat actors and keeps underground communities thriving so long as members adhere to the website’s privacy and security rules. The image below is a screenshot of a threat actor providing tips on avoiding scammers in encrypted chat networks.

Tips on avoiding scammers in encrypted chat networks
Source: ZeroFox Research

On the other hand, some threat actors expose community members to decrease competition and remove actors who pose a threat to the community. Threat actors are aware that law enforcement officers and security researchers have a presence in underground networks. While security researchers primarily visit these networks to collect intelligence, law enforcement efforts may lead to takedowns and threat actor arrests. “Doxxing” is frequent in underground communities; some actors will post personal details on an actor or group, such as their name and location. Not only does the actor or group get exposed, but it also may be an opportunity for law enforcement to arrest actors. Doxxing also extends to researchers, law enforcement or journalists. Operational security becomes imperative in these communities to preserve one’s identity, especially as some threat actors attempt to cut down the competition via doxxing. Much like other legitimate economies, the dark web economy is individualistic, with an “every man for himself” mentality often displayed. 

Double Extortion Ransomware 

Another tactic we found used to a greater degree on the dark web economy is ransomware. Specifically, double extortion ransomware schemes occur when ransomware teams threaten to leak their victims’ stolen information if ransom demands go unpaid. The team ransoms the encrypted files and the data obtained during the infection. These tactics became successful in 2020 due to victims’ fear of having their sensitive information publicly exposed and potentially sold to threat actors and have continued to flourish in 2021. Q1 2021 metrics revealed that Conti ransomware was responsible for nearly 23 percent of known double extortion activity over the quarter, followed by Avaddon, Sodinokibi/REvil, and DoppelPaymer ransomware. The image below displays a chart of the overall volume of double extortion victims categorized by ransomware groups. 

Overall volume of double extortion victims by group
Source: ZeroFox Research

Creative Delivery Tools for Distribution on the Dark Web Economy

In order to stay competitive in this underground community, ZeroFox found that threat actors leveraged both new and creative delivery techniques. These tactics were used to spread threats to intended targets across the dark web economy. A new technique that emerged involved threat actors using Morse code to deliver phishing URLs to their victims. Due to its history of successful attacks, threat actors increased their use of RDP exploits this quarter to attack employees working from home. ZeroFox also identified a new Cash App-themed phishing kit operated by the 16Shop kit distribution network, which successfully launched in February 2021 due to the popularity of Cash App.

Morse Code Phishing URL

Phishing threat actors are becoming more sophisticated with their delivery methods, using simple and evasive ways to deliver threats to targets. In Q1 2021, threat actors distributed phishing emails containing obfuscated code that delivered phishing URLs in Morse code. Morse code is a type of encoding used in telecommunications where dots and dashes represent characters. In the context of these phishing emails, threat actors spread HTML files, resembling a Microsoft Excel spreadsheet, that used JavaScript to map plaintext characters to corresponding Morse code characters. The image below is an example of a Morse code HTML file.

The code structure in this example evades detection effectively. However, the actual phishing email is quite simplistic — the threat actors use a subject line referring to an invoice payment and include the recipient’s company name but do not include a message body. This fact highlights that this phishing scam is a targeted attack, despite its simplistic look and feel. Clicking the attached file calls the decodeMorse() function, which converts the encoded string to hexadecimal and then into JavaScript tags to inject into the HTML. This then renders a fake Excel Online spreadsheet where the threat actors steal the recipient’s Microsoft credentials. 

16Shop Cash App Phishing Kit

Phishing distribution networks offer services whereby threat actors can easily and quickly deploy phishing websites by purchasing a customizable kit folder. 16Shop is one kit creator that offers detection avoidance techniques, such as the ability to encrypt messages that kit buyers can use in phishing emails. 16Shop kits are robust and sophisticated, and although they target a small number of brands, the scale of these targets allows them to compromise numerous victims and their banking details. This quarter, ZeroFox Research discovered advertisements for the addition of Cash App-themed kits in February 2021. Cash App, a mobile payment service, grew in popularity during 2020 and eventually became an appealing target for threat actors. The Cash App kit reflects the standard sophistication of 16Shop kits, but little else distinguishes it from other 16Shop kits. 

RDP Exploits and Remote Working Environments

Within the first half of 2021, RDP exploits remained a persistent threat as attackers increased the volume of brute force RDP attacks on targets. This followed a similar trend identified in 2020, where RDP exploits surged due to COVID-19 and the transition to remote employment. Threat actors used RDP exploits to target individuals working from home using unsecured networks for business operations. Using RDP exploits, threat actors intrude into target networks using legitimate login credentials rather than deploying malware to obtain sensitive information. A misconfigured RDP can lead to attackers exploiting unsecured networks, stealing sensitive information, and possibly deploying ransomware to inflict further damage to the system.


Cybercriminals seek illicit marketplaces with a reputation for serving their needs in a manner that is operationally secure and trustworthy, much like business deals are conducted in traditional economies. Many of these forums even leverage codes of conduct and other means to drive certain behaviors. Even still, nefarious activity occurs on the dark web every day, posing a real risk to security teams and businesses. Understanding how this underground dark web economy works is critical for a strong security posture. Learn more about the facts of the dark web in our latest research report.

See ZeroFox in action