Written byPatrick Howell O'Neill
In December 2016, The Rainmaker Labs was ready to debut its new product.
The startup went through many of the same steps other businesses take on launch day. It advertised a long list of unique and powerful features that highlighted the product’s ease of use, peppered the targeted online marketplace with catchy slogans and filmed a slick YouTube commercial.
Since the launch, The Rainmaker Labs is on pace to earn over $60,000 from the product, dubbed “Philadelphia.” The group’s full suite of offerings has it positioned for six-figure sales numbers for 2017.
This is a big problem for security professionals and law enforcement alike.
Why? The Rainmaker Labs creates malware, packages it with utter professionalism and sells it as a cutting-edge way for crooks to make mountains of money. It’s one of the scores of shady sellers that have turned cybercrime into a living thanks to AlphaBay, the highest-earning and most popular dark web market in the English-speaking world. Facilitating the sale of millions of dollars’ worth of illicit goods — malware, stolen data, drugs, weapons — AlphaBay has risen to become the Amazon.com of the dark web, primarily due to a resilience that sets it far above its competition.
The short history of cybercrime markets is littered with dramatic FBI takedowns, multimillion-dollar thefts and mystery disappearances. Most of these venues, including the infamous Silk Road, have failed to cross the 1,000-day mark in their operations. If AlphaBay lasts to December, it will become the longest-running English-language dark web market in history.
To have a major, albeit illicit, business last this long is leaving most experts scratching their heads. How has AlphaBay survived this long?
“The interesting thing AlphaBay has going for it is it has been really steady,” Emily Wilson, a researcher with security firm Terbium, told CyberScoop. “It has a good reputation, it hasn’t really had to be flashy or overly promise anything. It’s just existed and done a good job. It’s a really good setup, it’s easy to use, you can trust that it’s reliable. That speaks to an organization that can’t be overlooked.”
In many respects, AlphaBay’s natural evolution mirrors the growth of its legal counterparts. The site is faster, more reliable and better stocked than almost all of its competitors. In the world of dark web markets, when you ask the customers — malware sellers, data hawkers and drug dealers — AlphaBay is positioning itself as leaps and bounds above its rivals.
“Right now, AlphaBay is tenfold larger than Silk Road ever was, so there’s plenty of business there.” AlpraKing, a retired dark web Xanax dealer, told CyberScoop. “AlphaBay has been stand up in their transparency. They might have security issues. It’s the underworld, not everything can be absolutely perfect. What we expect is honesty.”
‘Be safe, brothers’
Carnegie Mellon computer security professor Nicolas Christin, who has conducted years of scientific study on dark web market economics, says the ecosystem is no longer experiencing the exponential growth it saw in 2013, but is likely as lucrative as it ever was. The dark web, the anonymous and unindexed computer networks accessible through software like Tor, is used by a wide range of illegal and legal actors.
Like other dark web markets, AlphaBay has taken its lumps, including numerous spats that arose out of critical security issues over its lifespan. Yet while other markets have folded or been shut down, AlphaBay continues to rise.
“Maybe one of the reasons they haven’t been taken down has to do with where they’re hosting the hidden services,” Christin said.
Run by a staff of at least a dozen, this business is by its own admission a supremely organized outfit that, from all appearances, hails right from the heart of global cybercrime: Russia.
AlphaBay, which openly sells stolen personal data from people around the world, forbids the sale of personal information of Russian citizens. At least 20 vendors have been banned on AlphaBay for breaking the rule and selling stolen information on Russians.
The market, which also sells malware and hacking tools with almost no rules or limits, requires a “built-in function” to make sure the malware cannot impact any computer in Russia including those belonging to government, industry or private citizens. Targeting Russians or citizens from the Russian Commonwealth with malware is specifically banned.
AlphaBay staffers, who are regularly open and responsive with press inquiries, not only declined to comment on the subject but also wiped our reporter’s AlphaBay account message log when the question was received.
As if to emphasize that this hidden and anonymous market is as open as can be, AlphaBay’s top administrator uses “Будьте в безопасности, братья” as his signature on the black market’s discussion forum.
Translated from Russian, it reads: “Be safe, brothers.”
Nationalistic rules come up in the cybercrime world, particularly from Russian-speaking communities, for varying reasons. CryptoMarket, a smaller black market that recently disappeared, frequently referenced Russian origins as an explicit advertisement for the fact that it was out of reach of the FBI.
“When you get past a certain level, you really draw law enforcement attention and I think [AlphaBay] has drawn law enforcement attention,” Christin said. “But perhaps it’s the case — and it’s pure speculation — that law enforcement is now more interested in taking down large vendors than they are in taking down marketplaces.”
The idea is that when police take down a marketplace, all they really accomplish is the equivalent of turning on the light in a roach-infested apartment. The big sellers and buyers simply move to the next safe spot.
“You really don’t have that much of an impact on the ecosystem as a whole,” Christin said.
This nationalistic practice is seen across the cybercrime ecosystem. Last year, an Israeli online attack service run by two teenagers banned attacks on websites within that country. The reasons given by the teenagers were a mix of pride — “It’s my home country, and don’t want something to happen to them :),” one of the hackers said — and self-protection. Experts assumed as well that the criminals didn’t want to attract too much attention to themselves from nearby law enforcement.
The most famous alleged example of Russian cooperation with a locally run but globally impactful criminal empire is Evgeniy Mikhailovich Bogachev, a 34-year-old who created both the Gameover ZeuS botnet and CryptoLocker ransomware. As of the time this article published, he is wanted by the FBI for a $3 million reward.
Bogachev’s handiwork adds up to a long list of bank hacking, racketeering and ransomware attacks resulting in losses of more than $100 million. In addition to the monetary gains, Bogachev’s botnet of well over 1 million machines began intensely focusing intelligence collection efforts on Russian adversaries when Russia seized Crimea, confirming American investigators’ suspicions that the lines between the Russian government, intelligence agencies and organized crime are not just blurred, but crossed when it’s convenient.
The story behind AlphaBay is far less clear.
AlphaBay’s Russian rules could plausibly be a result of patriotism, an effort to spare their home country from the harms of the black market’s business. It could be a practical measure to avoid attention from local authorities while signifying no actual connection.
“It’s a normal feature of Russian-speaking cybercrime,” Luke Rodeheffer, a European analyst at the cybersecurity company Flashpoint, told CyberScoop. “There’s an element of nationalism. They mainly see it as a way of making money but not making money on the backs of their fellow citizens.”
“If you’re going to conduct a criminal enterprise and you have a choice of [virtual private server] in U.S. and Russia and you’re worried about the FBI being on your trail, you probably don’t want to host your server in the U.S.,” Christin said.
Even with the Russian government’s demonstrated and repeated cooperation with cybercriminals over the course of the last decade, there’s no evidence pointing to a singular explanation in AlphaBay’s specific case.
Whatever the case, AlphaBay is a unique source of valuable intelligence, Terbium researcher Emily Wilson said.
“I can’t help but wonder what the benefits might be to the law enforcement community as a whole by keeping [AlphaBay] up,” she said. “If you want to have a team that lurks and integrates and builds personas, you have the benefit of having a one-stop shop for this. AlphaBay has to be as much of a source of information for law enforcement as it is a source of goods and services for other people. It’s a great place to observe trends and tradecraft, to see what vendors are selling. I think it’s an interesting learning ground.”
Альфабей навсегда (AlphaBay Forever)
For a moment, imagine how much AlphaBay is giving up by exempting the entirety of Russia from its multimillion-dollar global market. If it is to continue making money, there must be a way to make up the difference.
While Silk Road was a libertarian experiment as much as it was a business venture, AlphaBay is distinctly a way to make crime pay. The organization has formulated a financial strategy — albeit a manipulative one — around the cryptocurrency that funds its operations.
Here’s how the site’s administrator explained the strategy on Reddit last month:
You can see AlphaBay like a bank: While we allow people to deposit and withdraw at will, drugs are merely a product to attract customer. The cold wallet coins aren’t just standing there: We invest in various things anonymously, make money with those investments, while always ensuring to run at 100 percent reserve. We won’t go into details, but there are thousands of ways to make money by investing Bitcoin online.
Consider how the market works with cryptocurrency alternatives to bitcoin: Earlier this year, the daily trading volume of Ethereum, a privacy-focused coin, fluctuated daily between $5 million and $10 million, with the price of a single coin hovering around $12. From March 15 to March 17, the trading volume of Ethereum spiked to unprecedented levels, with the volume suddenly reaching $554 million. On March 18, AlphaBay announced official support for Ethereum. The price hit above $50 soon afterwards as media covered the news, around a 300 percent increase.
A similar sequence of events occurred in 2016 when AlphaBay announced support for Monero. In the days before the official announcement, the daily trade volume for Monero spiked over 1,000 percent. Whoever traded early enough reaped huge rewards when the price spiked 600 percent immediately after AlphaBay went public with Monero support.
“I’m not surprised that people are trying to do essentially financial management in these market places,” CMU professor Christin said. “When you think about what they really are, and this is something I’ve been saying over and over again: Their sellers are drug dealers, but the marketplace themselves are basically risk management platforms. It stands to reason that they’re interested in financial risk management as well. They are a major player in the cryptocurrency landscape and they can use their power to attempt to do some currency manipulation. They buy a bunch of Ethererum, they make an announcement and maybe they can sell some to make a profit.”
“I would not be surprised if these kinds of stunts were [AlphaBay] trying to capitalize on what they have while it is still a possibility,” researcher Sarah Jamie Lewis told CyberScoop.
The long game
Lewis cited a long list of problems AlphaBay has faced in the last year, including administrators asking for private keys and consistent questions about the market’s trustworthiness. In her own view, AlphaBay could go away at any moment.
Yet with all of the problems that come with running an illicit market, AlphaBay hasn’t shown signs of collapsing or disappearing. While competing markets like Evolution and Agora have shut down, AlphaBay continues to develop and grown like any legitimate e-commerce site.
“What they’ve been doing is very strange,” Christin said. “They’ve been developing new features. It seems that these people somewhat believe they’re running a completely regular business and they’re trying to grow.”
Christin, although initially skeptical of AlphaBay’s staying power, believes it now has long-term viability.
“They have a strong enough reputation to absorb such problems,” the Xanax dealer, AlpraKing, told CyberScoop. “They are virtually unopposed in term of number of vendors and products. It’s obvious we want to go where everyone is. Beside minor tweaks and fixes, AlphaBay is very complete.”
“They’re just so far ahead of their competitors,” Flashpoint’s Rodeheffer said. “In terms of English-language online crime forums, they offer such an impressive range of products, they have a sophisticated escrow system, they have such a wide user base.”
“If for some reason AlphaBay went away tomorrow, I don’t really know what a lot of these people would do.”