Editor's Note: This column is the second of a three-part series on crime and technology. Part one examined how criminals use secure communication platforms. In part two, we explore the illicit uses of online marketplaces. Criminals have always relied on markets to do business, but thanks to the internet, those markets are no longer bound to the physical world. While online criminal marketplaces have proven to be particularly successful in the retail drug trade, their ability to support cybercriminal hacking groups could prove to be far more disruptive. 

Nakhon Kasem was a popular market in central Bangkok with vendors offering an array of novelties ranging from furniture to musical instruments. The shops were a jumble of storefronts, pushcarts and vendors selling their wares from tarps laid out on the street. In the 20th century, it had a reputation for selling stolen goods, earning it the nickname “Thieves Market.” The chaos of the communal marketplace made it difficult to determine who was legitimate and who was not, much less the provenance of the goods they were selling. 

The concept of fencing stolen goods — in which a merchant knowingly purchases stolen goods from criminals and sells them as legitimate — in a bustling market is not unique to Nakhon Kasem. For millennia, marketplaces have provided legitimate and illegitimate vendors access to buyers. In addition to local farmers and craftsmen, local thieves and criminals also benefited from both the coming together of buyers and sellers to peddle their illicit wares, as well as a target-rich environment to illicitly acquire more. The meandering alleyways and hidden rooms behind legitimate storefronts provided the secrecy and privacy required for criminal transactions. 

As marketplaces have become more formalized over the years, the larger and more reputation-conscious companies that increasingly control them have cracked down on fencing and theft through due diligence, quality control and cooperation with police. Markets like Nakhon Kasem, which had a reputation for supporting criminal activity, attracted law enforcement scrutiny that eventually squeezed out the criminal actors. Recently, a large Thai company bought the land that Nakhon Kasem occupies and is renovating the area, forcing out the old tenants to make room for more modern outlets of commerce. As modern shopping centers rise, the byzantine networks of informal marketplaces decline — at least in most developed economies. However, the supply of and demand for criminal goods and services are as strong today as it was 1,000 years ago. As physical marketplaces disappear, modern criminals have developed their own secret alleyways and private rooms online. Accessible to those who have put in the effort to find and access them, and are willing to take the associated risks, online criminal marketplaces are the 21st century’s version of Nakhon Kasem.

How Criminals Use Online Marketplaces

Criminals have used the internet to engage in illegal activity since its inception. The anonymity of the internet has inspired criminal activity, and its ability to connect people simultaneously around the world makes it the most efficient marketplace that humanity has ever seen. However, like Nakhon Kasem, online criminal success early in the digital era attracted scrutiny. Police services began cracking down on brazen online criminal activity that made no attempt at concealment. Like the modern shopping centers that dominate commerce in the developed world, web service providers that underpin online commerce self-policed criminal activity, forcing criminals to the fringes of the internet where they had to sacrifice market access for operational security. 

In the early 21st century, increasing concern over privacy online inspired the creation of the software Tor, which anonymizes web traffic through its own volunteer network. Much like encrypted messaging services, the authors of Tor did not set out to facilitate criminal activities. In fact, they were working as researchers for the U.S. Navy and intelligence community when they developed the software in the mid-1990s. However, the privacy and anonymity Tor provided was a boon to criminal actors, who took advantage of the software after its public launch in 2006. By the 2010s, criminal marketplaces were using Tor software to conceal the activity of their vendors and buyers, essentially establishing a backroom where sellers and buyers could convene, harnessing the market accessibility of the internet while maintaining operational security. 

One of the first successful online criminal marketplaces to use Tor was Silk Road, which came online in 2011. Similar to today’s legal online marketplaces like Amazon, buyers who logged onto Silk Road could search for various products and visit vendors’ pages. Customers could also leave reviews in order to direct traffic towards reputable sellers and away from scammers. Vendors would then send the purchased items through the mail in innocuous-looking packages, completing the sale. Between 2011-2012, researchers estimate that Silk Road was facilitating $1.2 million in sales per month — mostly in drug sales, but also drug paraphernalia, illicit pornography and tools to carry out cyberattacks. While buyers and sellers clearly had success, the administrators of Silk Road were earning close to $100,000 per month in commission, illustrating the financial benefits (and incentives) of maintaining illicit online marketplaces. 
 

While Tor software provided the environment for online criminal marketplaces to operate, another technological breakthrough made it possible to monetize that privacy: cryptocurrency. Bitcoin, one of the first successful practical applications of cryptocurrency, became available to the public in 2009. It provided an alternative financial network that complimented the privacy of Tor by allowing buyers and sellers on Silk Road to complete financial transactions outside of the standard credit card or cash transfer services, which were more likely to notice and report illicit activity. We will address how criminal actors have adopted new financial technologies in part three of this series, but suffice to say that the shift in illicit exchanges from credit cards and cash to cryptocurrency further supported privacy and secrecy within online criminal marketplaces. 

Silk Road’s successful integration of Tor and cryptocurrency created a model that hundreds of additional marketplaces have since imitated and built upon over the past decade. The European Monitoring Centre for Drugs and Drug Addiction, an agency of the European Union,  documented 110 major online criminal marketplaces between 2010 and 2019. But thousands of smaller sites have also come and gone over that same time period. One such market, Cannazon, embraced the comparison to legitimate online marketplaces, naming itself after a portmanteau of cannabis and Amazon. While drugs remain the most popular commodities on major markets, the offerings have expanded to include stolen login credentials, credit card numbers and other personally identifiable information (PII) that criminals can use to commit fraud or conduct disruptive cyberattacks. The marketplaces also offer software — such as ransomware tools and packages to exploit conventional software vulnerabilities — that criminals can use to support their cybercriminal activities, or “hacker for hire” services to attack assigned targets for a fee. 

Markets have also grown larger and more sophisticated in attracting customers. Whereas Silk Road had only a few hundred sellers and around 100,000 buyers, the Wall Street Market (another online criminal marketplace) had an estimated 5,400 sellers and over one million buyers prior to its takedown in 2019. In January 2021, German authorities accused the administrators behind the DarkMarket criminal marketplace of facilitating $170 million in sales over the course of 320,000 transactions. Just like Silk Road’s administrators, more recent online criminal marketplace promoters were also able to profit from the business. In March 2021, the administrator behind the website Deep Dot Web pleaded guilty to money laundering. The website operated on the conventional, more easily accessible public internet and provided information on various markets and how people could use them. Authorities accused him of receiving a commission from online criminal marketplaces for every successful referral, earning him $8.4 million over the course of eight years. However, other services appear to have quickly replaced Deep Dot Web by listing statistics on various markets, as well as potential risks associated with doing business on those markets and how to access them.    

How Online Marketplaces Make Criminals Vulnerable to Detection

But with great success comes increased scrutiny. Similar to how encrypted messaging platforms popular with criminals attracted increased police interest as outlined in part one of this series, the growth of online criminal marketplaces also made them vulnerable. Like encrypted messaging services, the servers that host online criminal marketplaces have been a weak point for their administrators. Silk Road came to an end in October 2013, when the Federal Bureau of Investigation (FBI) shut down its servers, seized the website and arrested Ross Ulbricht, the primary administrator of the service. Since then, hundreds of other online criminal marketplaces have met a similar fate:

• In 2019, authorities in Europe shut down servers and raided addresses linked to the Wall Street and Valhalla marketplaces, shutting down two of the biggest online criminal marketplaces active at the time. 
• In early 2021, German authorities led an operation to shut down DarkMarket, which for a time relied on servers operated out of a former NATO bomb bunker in southwest Germany. 
• In 2021, the FBI arrested 12 individuals and seized the website for Slilpp, an online marketplace for stolen login credentials. 

Nonetheless, shutting down Silk Road and arresting its founder was not enough to stop the illicit activity. Within a few weeks, the administrators who had worked with Ulbricht on the first iteration of Silk Road had organized and opened Silk Road 2.0. After spending the better part of a year tracking and shutting down Silk Road, the FBI’s operation amounted to just a few weeks of disruption to criminal activity.

Since the shutdown of Silk Road, police have taken an increasingly broader approach to online criminal marketplaces by shutting down websites and the servers that support them, as well as arresting both website administrators and major sellers and buyers on the targeted platform. In 2014, Operation Onymous shut down nine marketplaces simultaneously and arrested scores of administrators who kept the sites running, not just the figureheads. By shutting down multiple sites simultaneously, it prevented buyers and sellers from simply migrating to another market and resuming operations as usual. Even so, new markets still emerged to take their place and, while the disruption was arguably longer lasting, it was clear that buyers and sellers were continuing to do business.

By 2016 and 2017, instead of simply shutting down dark markets, police were gaining access to them and collecting evidence that assisted in making hundreds of arrests of prominent buyers and sellers. Infiltrating marketplaces rather than simply shutting them down provided significantly more evidence to arrest participants lower down the value chain. It also introduced doubt into the marketplaces. Buyers and sellers could never really be sure if they were dealing with a member of law enforcement who was collecting evidence to support their eventual arrest. 

Police crackdowns are not the only reason that online criminal marketplaces collapse, but they have undermined confidence and stability within these markets, making them more prone to internal fissures. Paranoia within a marketplace can quickly spell its demise. If there are any indications that police have infiltrated a market and are monitoring it, buyers and sellers alike will abandon the marketplace to avoid being caught. As a result, most marketplaces have a short lifespan of just a few months. Only a select few have made it more than a year. In turn, the ephemeral nature of markets’ success makes them more vulnerable to scams by sellers who want to maximize profits on a given platform before moving on to the next. The tactic is known as an exit scam, when sellers take orders and payments but do not provide their promised goods or services. They can get away with it for two-to-three weeks before bad reviews scare buyers away, but have the potential to be more effective than exit scammers on legitimate online marketplaces because criminal buyers have no recourse to alert law enforcement once they’ve been scammed. Pervasive exit scams, completely unrelated to any police activity, have been the cause of multiple marketplace failures, forcing sellers and buyers to migrate to the next market and demonstrating one of the inherent weaknesses of online criminal marketplaces, regardless of law enforcement scrutiny.

• In 2019, DreamMarket collapsed after police arrested several big sellers, creating paranoia within the market that led buyers and sellers alike to abandon it over fears that police had compromised it. 
• In 2020, EmpireMarket collapsed due to exit scams. 

The unregulated nature of online criminal networks also means they are vulnerable to the same cyberattacks that plague legitimate companies. Some criminal marketplace administrators will help accelerate the collapse of rival markets in order to attract more buyers to their own. Distributed denial-of-service (DDoS) attacks or other disruptive attacks frequently halt or delay transactions on marketplaces to the extent that users grow wary and abandon them. Third-party criminal actors may also simply target criminal marketplaces with their own financially motivated scams and cyberattacks in order to exploit the profits generated by millions of dollars in sales. Ross Ulbricht, the founder of the original Silk Road, reportedly paid extortionists $50,000 a week not to conduct crippling DDoS attacks on the marketplace and keep it open. 

Criminal marketplaces have also attempted to emulate “bug bounty” programs that legitimate companies use to incentivize reporting cyber vulnerabilities in an online service rather than using them to attack the company. In 2017, the online criminal marketplace Hansa (named after the commercial and defensive agreement between medieval northern European cities) offered 10 Bitcoin (approximately $10,000 at the time) as a reward for anyone who could reveal and report cyber vulnerabilities on its platform in an effort to defend against criminal raiders.  

What Lies Ahead

The future of online criminal marketplaces is likely to include a combination of more of the same cat-and-mouse game between marketplace administrators and police, as well as shifts in how marketplaces operate and what they sell. 

One of the largest, most successful online criminal marketplaces still operating is known as Hydra, which similarly offers buyers a wide variety of illicit drugs as well as hacking tools, cybercriminal services, stolen credentials and other PII that cybercriminals can exploit for profit. It eclipsed past revenue records in 2020, facilitating an estimated $1.37 billion in transactions — a tremendous increase from the estimated $9.4 million in transactions it handled from 2015-2016. It has proven to be exceptionally resilient to law enforcement efforts by, as the reference to the mythical creature that its name suggests, regrowing two new heads every time one is removed. The marketplace has been shut down multiple times but continues to operate by using backup platforms and adopting new practices. Among other things, it has come up with internal systems to discourage exit scams and other exploitative practices by, for example, requiring sellers to successfully fulfill a set number of orders before receiving payments (to establish credibility) and maintaining a safety deposit that could be used to compensate buyers in the event of a scam or arrest. In a way, these mechanisms protect consumers using the illicit marketplace, providing a degree of regulation and lawfulness in a notoriously chaotic line of business. 

One reason for Hydra’s exceptionalism in staying online may be because its operations are based in Russia, where authorities have a higher tolerance for online criminal activity as long as it serves the interest of the state. Russia has shut down certain online criminal marketplaces hosted in its borders, including the Russian Anonymous Marketplace in 2017 and BuyBest in 2020, both of which focused on drug sales. But the Kremlin generally only takes action when these sites threaten its priorities and/or Russian citizens. Given the toll the drug epidemic has taken on Russian demographics (Russia’s rate of 10 lethal drug overdoses per 100,000 people per year is among the highest in Europe), Moscow has little tolerance for the drug trade, which likely helps explain why it took action against these sites. By contrast, Hydra’s importance as a marketplace for cybercriminal tools such as ransomware and DDoS software — which support disruptive and costly attacks against mainly Western companies, government offices, critical infrastructure operators and other organizations — could ultimately benefit the Russian government more than the marketplace’s drug sales hurt it. In the future, other online criminal marketplaces may seek to mimic Hydra’s success and shift more of their operations to Russia and other countries that enable a more permissive environment for their illicit activities.

Another way that online criminal marketplaces are adapting to increased police efforts against them is by focusing more on the sale of cybercriminal tools and services, stolen credentials and PII, rather than the retail drug trade. While online criminal marketplaces provide anonymity and privacy, drug sales ultimately take place in the physical world, with sellers having to arrange the shipment of illegal products to buyers. This makes them vulnerable to detection, interception and arrest, which can compromise the whole marketplace if participants decide to cooperate with the police. Meanwhile, the sale of cybercriminal tools and services such as DDoS software, ransomware kits, files full of login credentials and PII can all be bought, sold and transferred electronically, with no need to venture into the riskier physical world. A 2020 TrendMicro report assessed that cybercrime services offered on criminal marketplaces are worth $1.5 trillion annually. The sheer size of the market indicates just how popular such tools and services are, and the greater potential earnings in selling them rather than dealing in goods that require riskier physical interaction. Not only are cybercriminal tools and services more operationally secure, but they are also more lucrative.

A larger and more stable marketplace supporting cybercriminal tools and services benefits “hacker for hire” groups like REvil, which was behind the recent attacks on JBS and Kaseya. Groups like REvil are probably already at work on their next projects, likely relying on marketplaces such as Hydra to connect with customers and further monetize their hacking capabilities and tools. Reliability and trust are in short supply in the criminal world, but those who provide business continuity in such a turbulent market are bound for riches. 

As mentioned, cryptocurrency and blockchain technology helped the latest generation of criminals exploit online marketplaces. But those technologies have also introduced liabilities to illicit transactions. In the third and final part of this series, we will explore how new forms of currency have facilitated criminal activities — and how police have used the technology to their advantage.

Next: New Currencies to Facilitate Criminal Activities