A Look Into the Thriving Dark Web Criminal Market
The recent Equifax breach highlights the vulnerability of our personal data online, and serves as a reminder that there’s an active, thriving, global criminal market for that sort of information.
In this episode of the Recorded Future podcast we return to the dark web, with Recorded Future’s Director of Advanced Collection, Andrei Barysevich, as our guide. He’ll separate fact from fiction, and help us gain a better understanding of the mysterious and increasingly volatile world of the online criminal underground. What sorts of information and services are actually available for purchase in these markets, how does law enforcement respond, and what are the challenges of gathering threat intelligence in an environment where trust and anonymity are the coins of the realm?
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone, and thanks for joining us for episode 30 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.
The recent Equifax breach highlighted the vulnerability of our personal data online and served as a reminder that there’s an active, thriving, global criminal market for that sort of information. In this episode of the Recorded Future podcast we return to the dark web with Recorded Future’s Director of Advanced Collection, Andrei Barysevich, as our guide.
He’ll separate fact from fiction, and help us gain a better understanding of the mysterious and increasingly volatile world of the online criminal underground. Stay with us.
Andrei Barysevich:
I’d like to highlight that the terms “dark web” and “deep web” are somewhat artificial names. If we go back, let’s say, five years ago, the term didn’t exist, really. For the most part, it’s been created and then proliferated by marketing teams around the world, quite often by security companies or antivirus companies, and media also liked it. From my point of view, especially since I’ve been in this field for well over a decade, I actually like to call it a criminal underground. The reason is, I’d like to stay away from the infrastructure criminals are using, but rather focus on the activities they talk about over there. Over there, essentially, it could be a chatroom on Telegram Messenger.
It could also be a discussion board, right, but one that requires a secret password and username. Sometimes, you have to get vetted by current members to get accepted to a chatroom or a forum. Very often, you actually have to pay quite a hefty entrance fee. In many cases, the entrance fee would be anywhere from 50 dollars upwards of a thousand dollars, maybe two thousand. One unique place we found about a year ago required every new member to deposit well over 100,000 U.S. dollars. Can you imagine that?
Dave Bittner:
The number is staggering.
Andrei Barysevich:
It’s understandable — nowadays, the criminal underground, or like you mentioned, the dark web, has been profiled pretty much on a daily basis. Almost anyone in the world, at least at some point, has heard of the dark web, and some people are really interested in researching it. Some people are looking for it deliberately to become a cybercriminal, maybe to learn new tradecraft and to expand their knowledge, and maybe to find partners. Criminals also know that a lot of security researchers like myself, police, law enforcement agencies, and security agencies are also snooping around and looking for cases and investigating people.
For obvious reasons, let’s say, if someone created a community with highly sensitive data being sold, you don’t want that information being available to anyone except for willing and capable buyers. Obviously, if you require a very significant upfront deposit to become a member, it helps you to filter people who you don’t really want to see there.
Dave Bittner:
Again, just starting with some of the basics, I think a lot of people have a direct association between the dark web and Tor. Can you kind of take us through what their relationship is there?
Andrei Barysevich:
Yup. Tor is fairly new technology. I think it became quite popular in the past, I would say, maybe five years. It actually provides an extra layer of security to anyone using it. What’s most important is you don’t really have to do much on your side to get the security. I mean, if you’re a user and you want to be almost entirely sophisticated, meaning that you don’t want to leave any digital footprints on the internet, you don’t want anyone to collect your IP addresses or user agent information. All you have to do is just download the Tor browser, and it will essentially relay your browsing activities through several random internet nodes.
Criminals also figured out that if they set up a website on the Tor network, they will be able to protect themselves quite efficiently — obviously, from law enforcement — but also, they’ll be able to protect themselves from competitors, in case their competitors decide to do, for example, DDoS attacks on them. Tor essentially allows anyone to have almost unlimited invisibility on the internet. It’s quite powerful. It’s very simple technology, but it’s very powerful. I’m not sure if a lot of our listeners know, but Tor was created by the U.S. government a while ago. If I’m not mistaken, it was actually developed by the Navy for research purposes.
Then it was shared with the public, and unfortunately, nowadays, criminals also decided that it’s a very useful tool for them as well. That’s one of the reasons why we associate Tor with criminal activities. However, a lot of legitimate users are also using Tor.
Dave Bittner:
It’s kind of like BitTorrent where it has legitimate uses. It’s an interesting bit of technology, but because of the types of people who have adopted it to do illegal things, that’s sort of the reputation that it had thrust upon it.
What kinds of things are going on in the criminal underground or the dark web? What kinds of things are being bought and sold there?
Andrei Barysevich:
Well, pretty much anything. If we actually go back to, I would say, the first days of organized criminal activity on the internet, that would be roughly 20 years ago, it all started with fairly straightforward businesses and activities. It always revolved around compromised credit cards, compromised bank accounts, fraudulent purchases of goods from various e-commerce websites, but then it actually evolved. We now see — and it’s been going on for quite a while now — we see a lot of people selling drugs on the dark web. We saw people selling firearms. We have never seen, actually, anyone offering assassinations, for example. I mean, we’ve heard about it. We’ve heard rumors that you can essentially hire a killer on the internet, right?
Pay with bitcoins and get away with murder. However, in all my years of research activities, I have never ever seen someone offering such a service. Aside from these, you can purchase or order any service, any type of goods you might need during any type of fraudulent activity, be it fake documents like passports or a driver’s license. You can buy medical records. You can buy medical information, credit card information. You can also, for example, obtain information on any particular person, right? You can actually buy it. Just to give you an example, for three dollars, social security information, as well as date of birth and all of the residential addresses literally on anyone in this country — it only costs you three dollars to get full background information on anyone.
Some vendors offer full credit reports, and they can actually go even further. For an extra 50 dollars, for example, they will add a credit report for a person with a desired credit score. Let’s say, a fraudster is planning to apply for a line of credit, right? It’s very important to have a credit report with a 750 credit score, or above that. You can actually reach out to several vendors and they will match you with a credit profile based on your criteria, and it will cost you maybe 100 to 150 dollars altogether. Pretty much anything you can imagine, you may find on the dark web or the criminal underground.
Dave Bittner:
Now, what is the currency? How do you buy and sell things? How are people exchanging money?
Andrei Barysevich:
Well, nowadays, Bitcoin has become the de facto, and the only, currency acceptable across any cybercriminal community. If we go back three years from now, for example, among Russian-speaking criminals, WebMoney, which is a Russian-based … not even a cryptocurrency, but electronic payment system, WebMoney was the most popular system to make payments. Liberty Reserve was also incredibly popular until it was shut down by U.S. law enforcement about two years ago, if I’m not wrong. Then, criminals kind of fully realized the potential of Bitcoin, which essentially allows anyone to have anonymity, right? It has some transparency, because now you can see every single transaction on every wallet, but it allows you to remain anonymous.
We can actually see how much money criminals are making once we figure out what’s in their wallet, right? Anyone, pretty much, can go on the internet on websites such as Blockchain and see how much money they actually keep on their wallet, and the numbers are staggering. We’ve been researching one of the criminal groups responsible for almost every major data breach, credit card data breach. We’ve actually looked at how much money they make and the numbers are just mind-boggling, to be honest with you. In any month they would make anywhere between 20 and 50 million dollars.
Dave Bittner:
Is there any sort of geographic concentration of the people who are taking advantage of this? Are the bad people clustered in any particular areas?
Andrei Barysevich:
Yup. Historically, Eastern European criminals were at the forefront of cybercrime. They were the first inventors. They were the first people to realize the whole potential for cybercrime, but nowadays, almost any country or any language criminals are speaking is used on the dark web, meaning that they do cluster around their geographical region. Nigerians, right? Nigerians are infamous for wire fraud, for phishing campaigns. It’s estimated that Nigerian groups are responsible for more than 2 billion dollars in losses for wire fraud and executive fraud.
Just to clarify, an executive fraud is when someone pretends to be a manager or CEO of the company, and then reaches out to an accounting department and directs them to send a wire transfer, quite often in millions of dollars, to some outside account on a fake invoice. This type of attack is so popular among Nigerians, right, that we estimate that the majority of it is actually accomplished by them. Eastern Europeans are still the most active group around credit card theft and theft from compromised bank accounts, as well as attacks on ATM machines and SWIFT attacks. One of the most recent and high-profile SWIFT attacks was conducted last year when 86 million dollars was stolen from a Bangladesh bank.
Although there are some rumors, or at least, a prevailing theory that behind that particular attack were North Korean state actors, we know that Russians almost immediately took the same approach, and then they began attacking dozens of banks around the world, including in Russia, which is not very often. It’s a taboo for Russian actors to attack targets on Russian soil, and not because of some loyalty or whatnot, but solely because they are afraid of prosecution, because they know that once you steal money from local entities, law enforcement will actually do their job, and they do it quite well in Russia, believe it or not. A lot of times, people get arrested for these crimes.
Dave Bittner:
Let’s dig into that some. What is the presence of law enforcement, and do you have any sense for how often people get away with it, and how often are people getting arrested?
Andrei Barysevich:
From my experience, for the most part, people tend to actually get away with the crime — I mean, the crime they committed, and that’s unfortunate. One of the reasons is because law enforcement can only do so much. Unfortunately, law enforcement … I mean not unfortunately, but I guess, fortunately, law enforcement has to abide by law, right? They have a legal framework. They have rules and regulations when they conduct investigations, and criminals do not. Criminals have all the freedom they want. They can do whatever they want to do. They have to stay lucky until they’re not, but unfortunately, from past experience, most of them will never get caught.
Dave Bittner:
Now, my understanding is there’s a lot of volatility in these web forums, that they go up and down. In fact, right now, aren’t we in a period where many of the forums have been taken down?
Andrei Barysevich:
That’s true. We’ve seen HANSA Market and AlphaBay being taken down in the past couple of months. That was a huge win for the international law enforcement community. The biggest cryptocurrency exchanger, BTC, was also taken down, I think two months ago. Believe it or not, criminals actually lost hundreds of millions of dollars because they kept almost all of their reserves and operational funds in BTC wallets. However, we’ve seen several other smaller marketplaces and forums, if not being taken down, at least disappearing without a trace. No one ever stepped forward acknowledging that it was actually a takedown operation by law enforcement, or whether it was a scam when the marketplace’s operators took members’ money and just left.
It’s a mystery, actually, why forums disappear. We tend to think that when there was no money stolen, it was actually a quiet operation by law enforcement. In some cases, we saw criminals deciding to actually shut down a forum or marketplace because they were afraid for their security when they knew that, okay, well, if AlphaBay was taken, if HANSA Market was taken down by Europol, well, maybe I’m next. Does it actually make sense for me to maintain this forum anymore? I mean, do I actually make so much money that it makes sense for me to take all this risk? And some people say, well, no. I would rather sleep well at home than in some jail cell.
Dave Bittner:
Now, from your point of view, from a company like Recorded Future, when you’re gathering threat intelligence, what are the specific challenges that you face when trying to gather information in this environment?
Andrei Barysevich:
The first and foremost challenge is to be able to maintain a persistent presence on these forums, right? Because once you pass valuable intelligence to a potential victim, right, you immediately put yourself, and your allies, in jeopardy because there are only so many people involved in, or who knew about, a certain type of criminal operation, or a sale of a certain type of data, for example, being offered on a criminal forum. Once you take this information from a bad guy pretending to be a buyer, for example, and pass this knowledge, pass this intelligence to a victim, and they begin to remediate the problem, you immediately put yourself in the position where a criminal might spot that it was you who actually has the information.
Then you burn. Then your credentials are burned, your access is burned, and now you have to begin from scratch. It always comes to a point where you have to be very careful. You have to calculate, what’s the risk here, right? How far am I able to go before I get burned?
Dave Bittner:
Yeah, and I guess because you all are not law enforcement, is there any risk of just sort of being in a bad neighborhood and being, I don’t know, guilty by association?
Andrei Barysevich:
Well, from the legal perspective, we do our best not to cross the line where we might get accused of committing a crime or being guilty by association. However, we’ve seen cases when people got hurt or certain methods were used against them when criminals figured out who they are. One of them was Brian Krebs. When criminals learned about him, they decided to send him a kilo of cocaine. They actually did this fundraising for a couple of weeks. They got enough money to buy cocaine, then they sent the cocaine to his home, called the police, waited until … Then the SWAT team appeared and then there was a lot of unnecessary, unpleasant things happening in his life because of this thing. Yes, after all, the person who was the main organizer of this operation was actually caught in Europe, and then he was extradited to the U.S. and recently he was indicted and went … Actually, not indicted, but he went to jail for, I think, six years. Nonetheless, before that, a researcher had to go through all of this trouble when he opened the door, and suddenly, you have a SWAT team at your doorstep. Now, you have to do all of this explaining for why there’s a kilogram of heroin in your home.
Dave Bittner:
Right. Yes, Brian had a bad day.
Yeah. What do you wish people knew about the criminal underground and the dark web that they don’t know? Are there any misperceptions that people have that you’d like to shine a light on?
Andrei Barysevich:
Well, probably one. From my experience, a lot of times, people think that the dark web is some sort of Wikipedia of the criminal world, right? It’s a single place where, once you get accepted, once you find a secret door, you can find literally anything and everything simply by typing a query and saying, “Hey, I’d like to see who sells Equifax stolen data,” and right away you get to a seller. You know exactly what type of data they have, how much it costs, who sold it, who bought it, and so on, and what not. However, the shadowy criminal world is so much more than that. It’s comprised of infinite resources, infinite platforms, and hundreds of people. It’s so vast sometimes. No matter how much time you spend there, you still open and find new things every day.
Even with all of the technology we have, it’s still incredibly time consuming to really find tangible and valuable intelligence. Just to give you a number, on a usual day we collect roughly 200,000 new stories, new posts created on the criminal underground. The number is just staggering, and it keeps growing. Despite that, we’ve seen marketplaces and forums going down and disappearing, right — even more will appear shortly after that. It seems that the problem is not going away. It’s staying with us. It’s up to us as regular citizens to defend our own data. We need to understand that criminals are not people somewhere on the other side of the world. It could be your neighbor.
It could be someone who you actually know, but you have no idea that instead of a regular job, a person, maybe, is doing identity theft for a living. We have to be smart every day in how we use our passwords, how we use our data, how we need to understand that we should not be sharing personal information easily. We should be asking and questioning a company when our personal information is requested, why they need it. Is there really a good reason for them to have this data? Because when I hear someone telling me, “Don’t worry. Your data is safe and secure,” all I can say is, “Well, look around. I mean, look at Equifax, look at Yahoo. They also thought that my data was secure, until it was not.”
Dave Bittner:
Our thanks to Andrei Barysevich for once again joining us.
To learn more about the dark web, you can read Recorded Future’s blog post, “Going Deep and Dark: Mining Threat Intelligence From the Hidden Web,” or simply search “dark web” in the blog section of the Recorded Future website.
Before you go, don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
You can also find more intelligence analysis at recordedfuture.com/blog.
We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.
Thanks for listening.