Like every free market, the Dark Net economy sees its many rises and falls. Sites come and go, just like brick-and-mortar stores open and close. Yet in recent months, we’ve seen a large number of sizeable illicit Dark Net sites closing, and smaller niche ones taking their place.
What Do Shutdowns Look Like and What Happens Next?
When a department store succumbs to the retail apocalypse, there’s a common pattern of events: initial announcement, signs in the window, increasingly deep discounts, employees fired, doors closed, repurposing of the retail space, etc.
Similarly, when a Dark Net site shuts down, there is a common pattern of events occurring prior to its official demise. We frequently see a site crash, followed by ominous silence. Then an explanation emerges, and the site’s brand equity is “repurposed.”
The site crash is generally posted by the market admin, and is often announced as “only temporary” for technical reasons or site upgrades. But then, the maintenance lasts much longer than expected, and the site admin goes AWOL, without any explanation whatsoever. The true explanation of the shutdown generally surfaces shortly thereafter – in one of three primary ways:
1. Takeover by law enforcement – This pattern is generally seen in sites that deal in highly illicit items, such as drugs and weapons. Following the shutdown, the site re-opens for a period of a few weeks and seems to continue working regularly. Yet in reality, it is being run by law enforcement, which took over the site behind the scenes.
By way of example, the massive international effort around the takedown of AlphaBay and Hansa enabled the Dutch National Police to run the Hansa marketplace and covertly monitor criminal activities on the platform until it was finally shut down.
2. Takeover by a competitor – Comparable to a hostile takeover – but according to Dark Net rules. We generally see the site in question re-open for a few weeks, during which time it seems to continue working regularly. In reality, it’s being run by a different entity who took over the site. This is common in basic credit card markets – where there is one person or group operating the market.
Just a few months ago, the BriansClub credit card market was compromised by a competitor – who leaked over 23 million compromised cards. The admin of BriansClub then took to a popular Dark Net forum to defend his reputation.
3. Exit scam – Known in both the real world and the Dark Net, an exit scam is when a reputable business simply stops shipping orders, but continues to get payment for new ones. Depending on the entity’s reputation, the amount of time between this action and when consumers discover it can be long enough to generate significant profit.
Exit scams are most prevalent when the market has multiple operators and works under an escrow business model. We saw this most recently in the Apollon market – one of the Dark Net’s largest markets – which locked vendor accounts while still allowing buyers to place orders.
Department Stores, Out. Niche Shops, In?
Dark Net market shutdowns have peaked in the last few months, with three major markets shutting down last November alone: one by law enforcement, one due to an exit scam, and the last unknown.
While going out of business is not a new phenomenon, online or off, the fact that large and popular Dark Net sites are shutting down is motivating cybercriminals to find alternatives.
Today, we’re seeing many smaller, more targeted niche markets coming online – including automated botnet markets and other similar enterprises. There is no lack of innovation and motivation among cybercriminals who are hungry for profits, and creating new Dark Net business models to replace ones that were shut down is at the top of their agendas.