It might be more difficult these days to conduct an anonymous drug deal on the dark web, but not every online criminal enterprise is feeling the pinch of international law enforcement.
New research shows that as the FBI and other crime-fighting agencies have gone after dark web markets, cybercrime communities have avoided the heat. Stolen financial information, access to hacked social media accounts and malicious software tools are still widely available on forums accessible on the open web, without using the Tor anonymity software.
Among those still operating are the prominent Russian-language marketplace Exploit.in, the “carding” forum Joker’s Stash and Hackforums, which offers guidance on how to become a hacker. Exploit, in particular, has gained nearly 1,000 new accounts over the past six weeks, with current membership at 44,433 user accounts as of May 13, according to research conducted by Digital Shadows exclusively for CyberScoop.
The site is “fully gated,” meaning outsiders must pay $100 for access or prove their authenticity via presence on other forums. To access VIP sections, users need a guarantor to vouch for their credibility. As a result of those measures and others, “Exploit has been a mainstay in the cybercriminal landscape for years,” said Harrison Van Riper, a senior analyst at Digital Shadows who conducted the research.
With police promising their dark web takedowns will continue, cybercriminals will seek out forums that maintain stricter controls over their security, says Shuman Ghosemajumder, chief technology officer at Shape Security, which patrols forums for stolen user credentials.
“Cybercriminals are well aware we’re looking at the dark web,” he said. “That makes the bad guys less willing to do business on dark web forums where they can’t control password or access.”
The survival of sites like Exploit also is a reflection of U.S. law enforcement priorities, experts say, with the White House requesting $27.8 billion for drug enforcement in 2018 while cybercrime receives far less. The Justice Department requested $187 million for its criminal division in 2019, while the FBI requested $370 million for its cyber budget this year. And U.S. interests tend to drive the global agenda. Although most of the dark web stings have involved law enforcement from multiple countries, the cases generally come to U.S. courts.
One of the bigger announcements came last week, when the Department of Justice revealed the arrest of two men accused of operating Deep Dot Web, a website authorities said provided would-be dark web visitors with a roadmap on how to access hidden drug dens. Many of the sites Deep Dot Web advertised, such as Wall Street Market and Dream Market, also were removed in previous raids this year, upending the online ecosystem for narcotics. The U.S. Drug Enforcement Administration says its special operations division led the action against Wall Street Market.
Not exactly hiding
The continued survival of the Exploit market is notable because the site has been involved in a number of high-profile security stories. Sellers were advertising a hacking tool in 2016 that promised to defeat all Microsoft’s security defenses, KrebsOnSecurity reported at the time. The following year, New Zealand’s Computer Emergency Response Team warned about the publication of 593 unique email addresses on the site.
According to Digital Shadows’ research, many of the more than 970,000 posts in nearly 150,000 threads focus on hacking targets like web applications, reverse engineering malware, or how to remain anonymous while carrying out these kinds of nefarious activity. Users frequently will post multiple times under different identities to sell their products or boost their credibility.
Digital Shadows does not detail how it gains access to data on the forums.
But sellers also are advertising access to social media accounts on Instagram, Twitter and VK, a popular Russian platform. One vendor, Faraon1991, as recently as May 8 promised a kind of on-demand hacking service to infiltrate VK accounts for prices starting at $3,500. The hacked account would come with an archive of chats, methods to bypass two-factor authentication and “continued support” from Faraon1991, Digital Shadows found.
Another seller called the Komrakoff Service Group has since September 2018 offered access to services such as Gmail (exclusive access for $590), Outlook.com ($590), Yahoo ($390), and a handful of Russian email services like Mail.ru and Yandex ($150 each).
With access to stolen pages, the Komrakoff Group claims, buyers can also find deleted messages dating back six months, the geolocation of a target’s home and frequently visited places, their phone number, hidden photos and their card payment history.
Of course, buyers need to be comfortable that the illicit services they’re purchasing are legitimate. Ghosemajumder, of Shape Security, estimated that 30 percent of all activity on Exploit and similar forums is made up of scammers who collect their fee then fail to deliver.
It’s perhaps impossible to fully understand how many sales actually go through. But Komrakoff and Faraon1991 have been active Exploit members for years, a suggestion they’re seen as credible sellers, according to Digital Shadows.
“The fact the users have continued threads existing on one of the more prominent Russian criminal forums suggests they have a positive reputation within the community and likely follow through on the services they claim to provide,” Van Riper wrote in the report prepared for CyberScoop.