
A Market in Dream: the Rapid Development of Anonymous Cybercrime


Abstract and Figures

In this paper we conduct a comprehensive measurement and analysis of Dream Market, an anonymous online market that uses cryptocurrency as its transaction currency. We first collect data between October 30th 2018 and March 1st 2019. Then we use a decision tree-based approach to classify goods. Next we analyze the categories of goods sold in the market and the shipping locations of vendors. By analyzing more than 1,970,303 items, we find the goods sold in Dream Market are mainly drugs and digital goods. We estimate the total sales of all vendors, and find that the average monthly income is $14 million during the measurement period, which means that the market commission income is more than $560,000 per month. Based on these data, we use transaction cost theory to analyze the transaction attributes of illegal transactions, which shows that anonymous online markets can reduce the transaction cost of illegal transactions. We finally discuss the results and the intervention policy, as well as recent DDoS attacks and future trends of illegal transactions in anonymous online markets.
https://doi.org/10.1007/s11036-019-01440-2
Gengqian Zhou¹ · Jianwei Zhuge¹ · Yunqian Fan² · Kun Du¹ · Shuqiang Lu¹
© Springer Science+Business Media, LLC, part of Springer Nature 2020
Keywords: Anonymous online market · Illegal transactions · Cybercrime
Jianwei Zhuge: zhugejw@cernet.edu.cn
Gengqian Zhou: zhougq17@mails.tsinghua.edu.cn
Yunqian Fan: fyq18@pku.edu.cn
Kun Du: dk15@mails.tsinghua.edu.cn
Shuqiang Lu: lusq18@mails.tsinghua.edu.cn
¹ Institute for Network Sciences and Cyberspace, Beijing National Research Center for Information Science and Technology (BNRist), Tsinghua University, Beijing, China
² School of Software and Electronics, Peking University, Beijing, China
1 Introduction
Anonymous networks initially served as a way to browse the Internet anonymously and protect user privacy. As anonymous networks have developed, more and more users can easily access them with tools such as Tor Browser [11]. Anonymous online markets based on them allow buyers and vendors to hide their identities, making it difficult for law enforcement to track them. As a result, many prohibited goods, such as drugs and privacy data, have become the main business in anonymous online markets.
Since the rise of Silk Road in 2011,¹ the market size and volume of anonymous markets have been growing. In 2012, the item volume of the largest anonymous online market was around 24,400 [10]. By 2015, AlphaBay had replaced Silk Road and become the largest market. In July 2017, AlphaBay had more than 369,000 products and 400,000 users [1].
Nowadays, the three major anonymous online markets are Dream Market, Wall Street² and Silk Road 3.1³. Among them, the daily number of items on Dream Market is around 170,000, far more than Wall Street's 10,000. In many dark market forums, Dream Market's score is much higher than those of the other two [4].
In this paper, we attempt to provide a scientific analysis of Dream Market and anonymous cybercrime by collecting and analyzing a set of data for approximately four months (from October 30th, 2018 to March 1st, 2019). We believe our research makes four main contributions.
¹ https://en.wikipedia.org/wiki/Silk_Road_(marketplace)
² http://wallst4qihu6lvsa.onion/
³ http://silkroad7rn2puhj.onion/
Mobile Networks and Applications (2020) 25:259–270
Published online: 1 February 2020
... The first darkweb marketplace surfaced in 2010, known as The Farmer's Market, followed by Silk Road, both serving as meeting places and selling platforms for users interested in acquiring illegal narcotics [17]. More recently however, there has been an increasing demand for products and services which can be utilized to compromise the privacy and security of digital systems and their users [2,33]. These products and services, which in this paper we will be referring to as Cyber-Crime Related Products (CCRPs), include stolen user account information (e.g., bank information, credit card details and online credentials), fraudulent documents (e.g., forged IDs and driver's licenses), malicious software (e.g., malware, password crackers and zero-day exploits), and other cyber-crime oriented services (e.g., background checks, booter services and phishing campaigns). ...
... Zhou et al. [33] collected data from the Dream marketplace. In their study, they estimate the income of the marketplace, and the type of products being sold by analysing almost 2M items. ...
... To the best of our knowledge, there is no crawler that can bypass CAPTCHA and login challenges. In addition, available darkweb crawlers [1,8,26,33] are dedicated to specific marketplaces or forums, and present major design limitations that make customisation unfeasible. ...
Conference Paper
The darkweb is nowadays considered a very popular place to sell and buy illegal cyber-crime related content. From botnet services and malware, to user data such as credit card information and passwords, darkweb marketplaces offer ease of use, product variety, and most importantly effective anonymity to both buyers and vendors. In this paper, we crawl 8 popular darkweb marketplaces and perform a comprehensive quantitative analysis with a focus on cyber-crime related products. Moreover, we report some preliminary findings when examining the same marketplaces through their I2P mirrors. Our results suggest that overall there is a multitude of products that fall into the cyber-crime category, with products under the Fraud category dominating the market, and that the average cyber-crime products' price is relatively low. Furthermore, we explore how the vendors of this specific product group are distributed across platforms, utilizing harvested information such as usernames and PGP keys, and investigate how their reputation scores affect their operation.
... The hidden nature of the .onion websites on the Tor network can be abused to facilitate various illicit services (e.g., Silk Road marketplace), where anonymous payment systems (e.g., cryptocurrencies) are generally used in such cybercriminal activities [9,10]. Now, we will briefly summarize the various malicious cyber activities that are known to be conducted on dark web and facilitated using cryptocurrencies. ...
... -Contract Killers: There exist many dark websites that allow one to hire a hitman to murder another person [9]. For example, a White-hat hacker named "bRpsd" reportedly helped the FBI to arrest several hitmen in May 2016 by hacking into the "Besa Mafia" site on the dark web, and leaking contract information such as user accounts, client messages and other information. ...
Chapter
The dark web is often associated with criminal activities such as the sale of exploit kits using cryptocurrencies as payment. However, the difficulty in determining the identities of dark website owners and the tracing of the associated transactions compounds the challenges of investigating dark web activities. In this study, we explore how cryptocurrencies have been involved in cybercriminal activities on the dark web and the factors that drive cryptocurrency investments. Then, we present several recommendations and guidelines for prospective investors to help identify determinant factors for assessing investment risks in the cryptocurrency marketplace. We also present several potential research opportunities in cryptocurrency.
... The tactic of "doxxing" is one example that could be weaponised by actors ascertaining and revealing the identity of rivals in ways that could compromise their physical safety (e.g., de Bruijne et al., 2017). Cryptomarket researchers have suggested that denial of service (DoS) attacks have been launched against those running competitor sites (Moeller et al., 2017;Zhou et al., 2020). If these claims are accurate, they represent examples of cybercrime groups using cyber-attacks against the infrastructure of rival groups in an attempt to monopolise or gain market share within highly profitable online illicit markets. ...
Article
The concept of organised cybercrime has been the subject of much debate over the last decade. Many researchers who have applied scholarly definitions of organised crime to cyber-criminal groups have concluded that such groups are not “organised criminal groups” and do not engage in “organised crime”. This paper adopts a different perspective to argue that certain cyber-criminal groups involved in ransomware can and should be considered organised crime if a more contemporary and flexible framework for conceptualising organised crime is adopted. We make this argument using three primary domains of organised crime first described by von Lampe: criminal activities, offender social structures, and extra-legal governance. We narrow in on the concepts of violence and extra-legal governance in particular as they have been interpreted to hold significant differences for criminal groups operating in physical and digital domains. The paper argues that it is time to move on from criminological debates regarding whether organised cybercrime can exist to focus on the many rich questions that researchers can take from organised crime scholarship and apply to cyber-criminal groups. We put forward a reconceptualisation of organised cybercrime towards this end.
... (i) Transaction costs. If the coordinated attack is the result of a collaboration or cooperation of different actors, then this cooperation contains transaction costs [6,99]. From Transaction Cost Economics these costs contain costs of working together, sharing profit, not knowing whether you could trust the other party, etc. [100,6]. ...
Article
Recent leaks (such as Conti) have provided greater insights on the working of cybercriminal organisations. Just like any other business, these malicious actors strategically manage their processes in order to maximise their revenues. Coordinating different types of cybercrimes as part of a single attack campaign provides another opportunity to these criminal groups to improve the efficiency of their attacks. To investigate the promise of this “coordination” between cybercrimes in improving the financial gains realised by cybercriminals, we take a two-step approach. First, we perform a bibliometric analysis of past scientific literature discussing the concept of “coordination” w.r.t to cybercrime. Second, as a case study, analysing the attack chains of DDoS, phishing and ransomware attacks, we identify vantage points for potential coordination from an attacker’s perspective. Based on our findings, we propose a model (COORDINATE) to identify the types of potential cybercrime “coordinations”. COORDINATE considers three relevant types of coordination: direct collaborated coordination, indirect collaborated coordination, and opportunistic coordination. Given the advantages of coordinated attacks, our results suggest that one crime may provide opportunities for the next one. Coordinated attacks will become more prevalent, and that we may witness the development of a dynamic that leads to more online crime.
... For example, Zhou et al. (2020) used a decision tree to classify commodities in an ideal market to identify illegal trades involving cryptocurrencies. Al-Haija and Alsulami (2021) used two supervised learning algorithms, including a decision tree, to identify ransomware payments. ...
Article
Cryptocurrency has captured the interest of financial scholars and become a major research topic in blockchain. In cryptocurrency research, the use of machine learning algorithms is enabled by the presence of many types of data and abundant resources. However, there is currently no comprehensive review on cryptocurrencies using machine learning. Therefore, we collect papers on cryptocurrency-related using machine learning in the web of science database, and summarise these papers according to the algorithm, and draw the following conclusions: (1) The application of machine learning for cryptocurrencies research is increasing year over year; (2) Predicting cryptocurrency price trends and income fluctuations is the most relevant research topic; (3) The machine learning algorithm utilised in cryptocurrency research is not unique, and the practise of combining multiple machine learning approaches has emerged; (4) Concerns such as overfitting and interpretability still persist with machine learning methods. Finally, we suggest future research directions.
... Recent attention has focussed on Darknet or cryptomarket sites, which are only accessible through the use of The Onion Router (Tor) and often make use of cryptocurrencies. Scholars have analysed perhaps the earliest cryptomarket Silk Road 14 , the largest and most prolific to date AlphaBay 15 , and the more recent leading cryptomarket DreamMarket 16 . These articles report that these sites cater mostly to drugs, that many transactions generate excellent feedback, that vendors are likely to use several aliases on one platform or trade on several platforms, and that drug offerings come from a few consumer countries rather than production countries 17 . ...
Article
Cybercriminal markets serve as hubs for offenders and enable the sale of illegal goods and services. Thus far, the primary tactics that have been employed against these sites are arrests of cybercriminals and takedowns of marketplace infrastructure. This research note examines a different genus of disruptive strategy: attacks on user reputation. In this area, there has been some scholarly discussion of slander and Sybil operations as a means of fostering distrust. But carrying out empirical work on the effectiveness of these tactics is challenging. This research note presents a possible method for investigating this topic: social laboratory experiments. It reports on a feasibility pilot study inspired by cybercrime disruption, but which speaks to a broader range of extra-legal markets.
Chapter
This chapter offers an extensive overview of law enforcement interventions against cryptomarkets and their measurable impact on the dark web ecosystem thereafter. In short, an overview of the history of cryptomarket takedowns is undertaken, detailing the deterrent and preventative efficacy of these interventions while offering a set of suggestions on how law enforcement might successfully intervene against cryptomarkets. This chapter offers key insights into how law enforcement approaches cryptomarket interventions, how actors on the dark web readjust their operations in the wake of disruptions and the implications of this dynamic for the overall dark web ecosystem in the medium and long term. To this end, this chapter discusses law enforcement’s fragmentation of the dark web ecosystem and inadvertent improvement of post-intervention criminal efficiency. These themes offer insights not only into the cat-and-mouse game played by law enforcement and cybercriminals but the increasing deficiencies of law enforcement entities despite their actions in this sphere. The clear conclusion is that law enforcement entities seeking to disrupt cryptomarkets should aim for more calibrated approaches and interventions which, at minimum, consider the extant evidence of success a priori while also determining the potential second-order effects of their actions. Given the increasing sophistication of cybercriminals and the inexhaustible need for illicit and controlled substances, law enforcement might opt to curtail the growth and influence of cryptomarkets instead of shutting them down entirely.
Article
Research Summary We present a comprehensive description of Hydra, the largest darknet marketplace in the world until its shutdown in April 2022. We document the main features of Hydra such as dead‐drop delivery, feedback and reputation system, escrow, and dispute resolution. Using data scraped from the platform, we quantitatively examine the scale and the structure of the marketplace. We find that it has been highly competitive, geographically covering at least 69% of the Russian population and trading a wide variety of drugs, while also allowing the wholesale trade of drugs and precursors. The dead‐drop delivery system used on Hydra was expensive, as the courier costs comprised a substantial proportion of the sale price of drugs on Hydra. We contribute to the research on drug cryptomarkets by studying an unprecedentedly large non‐Western marketplace that existed substantially longer than any other known darknet market. Policy Implications The phenomenon of Hydra shows that shut‐down policies applied to darknet marketplaces have a large effect and implicitly shape the whole drug market. Without these policies, a pervasive digitalization of the drug trade can occur. The major cost of allowing marketplaces to grow is the probable increase in the consumption of illegal drugs due to convenience for consumers and facilitated cooperation between suppliers. This cost must be weighed against the potential benefits, including a higher quality of drugs, a decrease in potential violence, and the incentives for a large marketplace to self‐regulate. The case of Hydra also suggests the relevance of financial regulation to limit the growth of darknet marketplaces.
Conference Paper
Researchers have observed the increasing commoditization of cybercrime, that is, the offering of capabilities, services, and resources as commodities by specialized suppliers in the underground economy. Commoditization enables outsourcing, thus lowering entry barriers for aspiring criminals, and potentially driving further growth in cybercrime. While there is evidence in the literature of specific examples of cybercrime commoditization, the overall phenomenon is much less understood. Which parts of cybercrime value chains are successfully commoditized, and which are not? What kind of revenue do criminal business-to-business (B2B) services generate and how fast are they growing? We use longitudinal data from eight online anonymous marketplaces over six years, from the original Silk Road to AlphaBay, and track the evolution of commoditization on these markets. We develop a conceptual model of the value chain components for dominant criminal business models. We then identify the market supply for these components over time. We find evidence of commoditization in most components, but the outsourcing options are highly restricted and transaction volume is often modest. Cash-out services feature the most listings and generate the largest revenue. Consistent with behavior observed in the context of narcotic sales, we also find a significant amount of revenue in retail cybercrime, i.e., business-to-consumer (B2C) rather than business-to-business. We conservatively estimate the overall revenue for cybercrime commodities on online anonymous markets to be at least US $15M between 2011-2017. While there is growth, commoditization is a spottier phenomenon than previously assumed.
Article
In this article, we study the various functions of online cybercriminal meeting places from a unique perspective: We do not take the criminal meeting place as a starting point, but the users—the criminal networks. This allows not only for a view of what is happening on online meeting places, but it also places online meeting places into perspective. Our data consisted of detailed case descriptions of 40 cybercriminal networks active in the Netherlands (18), Germany (3), the United Kingdom (9), and the United States (10). Reconstructions were made based on analysis of police files and/or interviews with case officers and public prosecutors. Online meeting places play a role in the majority of our cases: to meet co-offenders, to buy tools, or to sell data. However, from a crime script perspective, the role of forums is much more modest. Forums, for example, can be used to find suitable co-offenders, but in the majority of our cases the core members did not meet at forums. Offline meeting places still play an important role in cybercriminal networks. Furthermore, forums can be viewed as online versions of offline offender convergence settings—physical locations such as a bar—where criminals can meet, and ensure continuity and structure. However, forums might be more accessible than physical criminal meeting places. For a curious newbie, it is, for example, easier to visit all sorts of forums than it is to visit all sorts of criminal bars. Finally, our cases show that the learning function of forums should not be underestimated.
Article
Objectives The current study is the first to examine the network structure of an encrypted online drug distribution network. It examines (1) the global network structure, (2) the local network structure, and (3) identifies those vendor characteristics that best explain variation in the network structure. In doing so, it evaluates the role of trust in online drug markets. Methods The study draws on a unique dataset of transaction level data from an encrypted online drug market. Structural measures and community detection analysis are used to characterize and investigate the network structure. Exponential random graph modeling is used to evaluate which vendor characteristics explain variation in purchasing patterns. Results Vendors’ trustworthiness explains more variation in the overall network structure than the affordability of vendor products or the diversity of vendor product listings. This results in a highly localized network structure with a few key vendors accounting for most transactions. Conclusions The results indicate that vendors’ trustworthiness is a better predictor of vendor selection than product diversity or affordability. These results illuminate the internal market dynamics that sustain digital drug markets and highlight the importance of examining how new anonymizing technologies shape global drug distribution networks.
Article
This study examines the signals of trust in stolen data advertisements by analysing the structural and situational factors that influence the type of feedback sellers receive. Specifically, this article explores the factors associated with positive and negative buyer feedback from the purchase of stolen credit card data in a series of advertisements from a sample of Russian and English language forums where individuals buy and sell personal information. The results of zero-inflated Poisson regression models suggest that the sellers may influence their likelihood of receiving feedback by specifying the type of payment mechanism, choosing the advertisement language and selecting the type of market they operate within. The implications of this study for our understanding of online illicit markets, criminological theory and policy-making will be explored in depth.
Conference Paper
We perform a comprehensive measurement analysis of Silk Road, an anonymous, international online marketplace that operates as a Tor hidden service and uses Bitcoin as its exchange currency. We gather and analyze data over eight months between the end of 2011 and 2012, including daily crawls of the marketplace for nearly six months in 2012. We obtain a detailed picture of the type of goods sold on Silk Road, and of the revenues made both by sellers and Silk Road operators. Through examining over 24,400 separate items sold on the site, we show that Silk Road is overwhelmingly used as a market for controlled substances and narcotics, and that most items sold are available for less than three weeks. The majority of sellers disappears within roughly three months of their arrival, but a core of 112 sellers has been present throughout our measurement interval. We evaluate the total revenue made by all sellers, from public listings, to slightly over USD 1.2 million per month; this corresponds to about USD 92,000 per month in commissions for the Silk Road operators. We further show that the marketplace has been operating steadily, with daily sales and number of sellers overall increasing over our measurement interval. We discuss economic and policy implications of our analysis and results, including ethical considerations for future research in this area.
Article
Research examining offender risk reduction strategies within illicit markets focus primarily on those operating in the real world for drugs and stolen goods. Few have considered the strategies that may be used by individuals in virtual illicit markets that are hidden from public view. This study addresses this gap through a grounded theory analysis of posts from 10 Russian and three English language web forums selling stolen data to engage in identity theft and fraud. The findings indicate that buyers employ multiple strategies to reduce their risk of loss from unreliable vendors, along with resources provided by forum administrators to manage relationships between participants. The implications of this study for law enforcement and offender decision-making research are also discussed.
Conference Paper
Cybercrime markets support the development and diffusion of new attack technologies, vulnerability exploits, and malware. Whereas the revenue streams of cyber attackers have been studied multiple times in the literature, no quantitative account currently exists on the economics of attack acquisition and deployment. Yet, this understanding is critical to characterize the production of (traded) exploits, the economy that drives it, and its effects on the overall attack scenario. In this paper we provide an empirical investigation of the economics of vulnerability exploitation, and the effects of market factors on likelihood of exploit. Our data is collected first-handedly from a prominent Russian cybercrime market where the trading of the most active attack tools reported by the security industry happens. Our findings reveal that exploits in the underground are priced similarly or above vulnerabilities in legitimate bug-hunting programs, and that the refresh cycle of exploits is slower than currently often assumed. On the other hand, cybercriminals are becoming faster at introducing selected vulnerabilities, and the market is in clear expansion both in terms of players, traded exploits, and exploit pricing. We then evaluate the effects of these market variables on likelihood of attack realization, and find strong evidence of the correlation between market activity and exploit deployment. We discuss implications on vulnerability metrics, economics, and exploit measurement.