Drugs, malware, counterfeited goods, stolen jewels, cloned credit cards, fake documents, money laundering, guns, (child) pornography…whatever illegal item you are looking for, you are likely to find it in the dark web. In the third cybercrime episode of Bar Lume, the Italian podcast on organized crime, mafia and terrorism, you will learn how dark web marketplaces work, who runs them and most importantly, how to take them down.
Listen to the original podcast (in Italian) here
The rise and fall of Berlusconi (and other dark web markets)
On October 26, 2021 the Italian Guardia di Finanza announced a historic success: the takedown of DeepSea, a dark net marketplace where you could buy illegal drugs, computer viruses, cloned credit cards, stolen documents, counterfeit jewelry and even money laundering services. The operation was coordinated by the Brescia Prosecutor’s Office and led to the arrest of two men in the city of Modena. One of them was the creator of the platform, while the other was an accomplice who helped him run the 27 million euro business it generated. One person could indeed not manage DeepSea alone: at the height of its success, DeepSea had as many as 1,000 accredited sellers and more than 110,000 customers. In the six months prior to the takedown, some 70,000 transactions were made on the platform, 64% of which were to buy and sell narcotics including cannabis, psychotropic drugs, ecstasy, opioids and hard drugs such as cocaine and heroin. To give you a better idea of the scale of the operation, officers also confiscated 3.6 million euros worth of cryptocurrencies (Bitcoin and Monero), 3 luxury cars worth 370,000 euros and 9 brand-name watches worth 90,000 euros, as well as the computer equipment to maintain the platform. Interestingly, the seizure was part of an even larger operation involving the FBI, the German Bundeskriminalamt, the French Gendarmerie, and the British National Crime Agency under the coordination of Europol. This international operation, named “HunTOR” for its willingness to “hunt down” black markets accessible only through the TOR browser, led to the arrest of 150 people, the seizure of 31 million euros worth of cash and cryptocurrencies, 234 kilograms of drugs, and some 20 servers in Moldova and Ukraine. But what makes this takedown more special than others?
The DeepSea takedown matters because it is the second of its kind in Italy and the sixth in the world after Silk Road, Alpha Bay, Hansa Market, and Dark Market. Indeed, a group of Italian cybercriminals had already made a name for themselves with another illegal e-commerce platform, the Berlusconi Market. Before its takedown in 2019, the Berlusconi Market was one of the most important sites for dealing and selling illegal goods on the dark web. Launched in 2017 by three young men from Apulia, southern Italy, the Berlusconi Market had 103,000 listings and a turnover of 2 million euros a year. To be consistent with the name of the platform, the three administrators took up the names of controversial politicians: one of them called himself “Vladimir Putin,” another “Emmanuel Macron,” and the last “Angelino Alfano”, a former Italian minister. Unlike in DeepSea, in the Berlusconi market you could also find firearms, ammunition, explosives and bank codes at very competitive prices. Customers were mostly based in Europe and the United States and could rely on highly secure transactions. Another difference with DeepSea is that two of the administrators of the Berlusconi Market were also involved in offline trafficking. Indeed, it was this dual role that exposed them. By following the trail of a cocaine dealer known as “g00d00,” the Guardia di Finanza and the Brescia Public Prosecutor’s Office managed to trace two individuals who were later arrested in Barletta in possession of more than 2 kilograms of cocaine, firearms, 3,000 euros in cash, and various computers and smartphones. Forensic analysis of the latter revealed that the two men not only shared the account “g00d00” and a Bitcoin wallet containing the equivalent of 846,000 euros, but also that they were two of the three administrators of the Berlusconi Market.
The origins of dark web markets
How long have people been trafficking online? One could say that illicit transactions on the Web are almost as old as the Web itself. The first known one dates back to 1972 — it was a small cannabis trade between students at MIT and Stanford, two of the most prestigious U.S. universities, on the ARPANET, the ancestor of the modern Internet. One has to wait until 2006, however, for the first digital marketplace for drugs. Founded by a Dutchman called Marc Peter Willem, the Adamflowers platform offered all the services of a normal e-commerce site: guaranteed shipping, customer support, forums…the only difference was that you could buy illegal substances such as LSD, ecstasy, fentanyl and marijuana. The online black market was so much in its infancy at the time that the platform (later renamed The Farmer’s Market) operated undisturbed for 4 years on the surface web: it only moved to the dark web in 2010, thus exploiting the anonymity of the TOR network, but preserving its reliance on regular payment methods such as PayPal and Western Union. In 2012, a joint operation by law enforcement agencies from the U.S., the Netherlands, Scotland, and Colombia managed to arrest and try Willem and his 7 associates.
While the FBI was scrambling after Willem and his associates across the world, in the United States a guy named Ross Ulbricht was launching another site: Silk Road. Combining the anonymity of the dark web with the pseudonymity of Bitcoin, Silk Road, “the Amazon of narcotics,” offered something that The Farmer’s Market lacked: the complete masking of users’ identities. After its takedown by authorities in 2013, the Silk Road model went viral. All the major black markets developed in the following years (from the “big four” AlphaBay, Hansa, Dream, and RAMP to the more recent Wall Street, White House, and Hydra), operate on anonymous networks such as TOR and i2p and require cryptocurrency payments, to the point that the term “cryptomarket” has become synonymous with “dark net market.” AlphaBay in particular perfected the Silk Road model by introducing payments in Monero, a completely anonymous currency, now the only one accepted on White House. You can read my explanation of how criminals exploit crypto in this other blogpost.
How can you get to dark web marketplaces?
We’ve talked about “dark net,” “TOR,” “cryptomarket,” but you may be wondering: where are these virtual spaces? To get to the black marketplaces of the dark web, we have to go down a few levels, a bit like Leonardo di Caprio in Inception.
If you are reading this article, you’ve probably been surfing the so-called surface web. It’s the first layer of the Internet, the one where you find all the information that is both publicly accessible and indexed, such as the results that appear by typing “Bar Lume” into Google. Just below the surface web is the deep web. This is where you find information that is still accessible, but only to authorized people (through login or with a key) and is not indexed, i.e., cannot be found on a search engine. All your online purchases, but also the confidential data of governments, institutions and companies are transmitted through the deep web. It is estimated that the volume of data in the deep web is hundreds, if not thousands, of times that of the surface web. But let’s go down one more level: the dark web. The dark web is the part of the deep web that hosts both confidential and non-indexed information. For example, no one can see your IP address, even after authentication, and sites cannot be found on a normal search engine, even by typing the right URL. In other words, what happens on the dark web, stays on the dark web. How do you access such an obscure place?
You have to install a special browser, which allows anonymous browsing. The most famous (and the one where you find the most black markets) is TOR, but there are also others, such as i2p (Invisible Internet Project) and Freenet. To ensure the anonymity of communications, TOR uses “The Onion Routing” system (hence the acronym TOR), developed in the 1990s by three U.S. Navy researchers. Here’s how it works: every message sent over TOR is “wrapped” in several layers of encryption to hide its contents. Instead of reaching the recipient directly, the message is “bounced” between the servers that make up the TOR network around the world (so-called “nodes”) so that you can’t find its origin. With each bounce, the message loses a layer of encryption so that when it reaches the recipient it is readable. This system makes transactions on TOR extremely secure, but also slower than any browser on the surface web. Now, you should not think that TOR is (exclusively) a criminals’ den. On the contrary, it is estimated that less than 10% of TOR users access it for illicit purposes. The rest are people living under authoritarian regimes who try to access censored sites in their own country, contact their allies while avoiding surveillance by the authorities, or circumvent firewalls to communicate with the outside world, including NGOs and journalists. Whistleblowers such as Edward Snowden also use TOR to ensure the confidentiality of their communications.
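The layered wrapping described above can be modelled in a few lines. This is an example added here, not code from the podcast or from the Tor Project: the relay names, the JSON layer format and the toy SHA-256 stream cipher are assumptions made for illustration, whereas real Tor uses negotiated session keys and fixed-size cells.

```python
import hashlib, hmac, json, os

def _keystream(key, nonce, n):
    # Toy stream cipher (SHA-256 in counter mode); stands in for a real AEAD.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer was not encrypted for this relay")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def wrap(message, route, keys):
    # Sender builds the onion inside-out: the last relay's layer is innermost.
    blob, next_hop = message, "recipient"
    for relay in reversed(route):
        layer = json.dumps({"next": next_hop, "data": blob.hex()}).encode()
        blob, next_hop = seal(keys[relay], layer), relay
    return blob

def peel(relay, keys, blob):
    # A relay removes exactly one layer and learns only where to forward.
    layer = json.loads(unseal(keys[relay], blob))
    return layer["next"], bytes.fromhex(layer["data"])

def send(message, route, keys):
    # Walk the route, recording (relay, next hop, forwarded size) at each bounce.
    blob, hop, trace = wrap(message, route, keys), route[0], []
    while hop != "recipient":
        nxt, blob = peel(hop, keys, blob)
        trace.append((hop, nxt, len(blob)))
        hop = nxt
    return blob, trace

if __name__ == "__main__":
    demo_keys = {n: os.urandom(32) for n in ("guard", "middle", "exit")}  # constructed
    delivered, trace = send(b"hello from the sender", ["guard", "middle", "exit"], demo_keys)
    for hop, nxt, size in trace:
        print(f"{hop:>6} -> {nxt:<9} forwards {size} bytes")
    print(delivered)
```

Each relay sees only the previous and next hop, which is why no single node can link the sender to the recipient.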
The risks of buying in a dark web marketplace
Now that you have landed on the dark web, where do you find the goods you need? First, we need to distinguish between two types of black markets: generalist and niche. Niche markets sell a few categories of products, usually the riskier ones, such as weapons and child pornography. Because administrators decide which products can be sold on their marketplaces, hard drugs, such as cocaine and heroin, and assassins are also often banned from generalist platforms.
Although online marketplaces remove the violence associated with street trafficking, they present other dangers. Sellers, for example, may try to scam customers by saying goods were lost when in fact they were never shipped. To minimize this risk, sites offer a review system similar to Amazon’s, allowing users to comment on sellers and give them star ratings, so that if vendors end up with a bad reputation, they lose customers. Interviews conducted by criminologists have even shown how reviews push certain vendors (who, let us remember, remain criminals) to “professionalize”!
The reverse risk also exists: a customer may claim not to have received the shipment in order to have another one sent for free. If the two parties do not come to an amicable resolution, the platform moderator can intervene, for example by paying a security deposit, held by the platform, to the seller.
But administrators cannot be trusted too much either: it can happen that, after a few months of operation, the site continues to accept orders but does not ship them, so as to collect money without providing any service in return. This is a scam known as an “exit scam”: in other words, administrators “exit” the site with the loot, as was done with the marketplace Nightmare in 2019. Administrators can also plan to close the marketplace after a certain date. Such was the case with Dream Market, which was hit by a storm of speculation from users that law enforcement had secretly taken control of the platform and continued to operate it, instead of shutting it down, to identify sellers and customers. Such a covert operation is known as a “honeypot,” because it requires undercover agents to lure customers, sellers and administrators into their trap.
Is organized crime involved in the dark web?
Who are the criminals behind the dark web marketplaces and more importantly, what is their relationship with organized crime? As discussed above, it can take as little as one person to build an online black market, but one or two more are often involved in administering it. Small criminal syndicates can thus be formed, bound neither by geographical proximity nor by the hierarchies typical of traditional organized crime. Another difference lies in the way they offer protection to drug and other illegal markets: where mafias rely on the threat and, often, the exercise of violence, administrators of dark web sites offer instead technical solutions that are both defensive (such as protection from cyberattacks) and offensive (such as deanonymization of competitors). In addition to being organized and operating differently, administrators of dark web sites appear to be unrelated to traditional mafias. A recent study by the Catholic University of Milan, for example, indicates how there is no empirical evidence of organized crime involvement in selling drugs on the dark web. This can be explained by the fact that digital black markets still count for a very small fraction of the overall drug market and remain retail-oriented. The work of three researchers at Oxford University further supports this claim, by showing that the rise of dark web sites has not altered the drug supply chain: 70% of online sellers remain active in the world’s top five consumer countries (the United States, the United Kingdom, Australia, Germany, and the Netherlands) rather than in producing countries.
Investigating in the dark web
So how do you hunt down criminals on the dark web? It is not a simple matter. First of all, detectives must meet certain legal requirements. Under Italian law, for example, these investigations involve an undercover operation and only law enforcement agencies are allowed to carry them out. In addition to these legal constraints, detectives also face other challenges: for example, English-language dark markets only account for a small part of all platforms on the dark web. To uncover criminals, law enforcement must thus also infiltrate forums in Russian, Chinese, Arabic, and other languages. This requires not only knowledge of the language, but also of the specific jargon of a particular community so as not to arouse suspicion.
As people are hard to track on the dark web, undercover agents usually start from the products. The standard procedure goes as follows: an undercover agent starts with a keyword search, such as a product identifier, or certain stolen data. Then the investigator exposes themselves by asking if anyone is in possession of the goods in question. A monitoring phase follows until a deal is struck allowing law enforcement to identify the seller. This is not always easy though, as undercover agents may fall for a scam just like any other user.
Investigating the dark web is a complex process. Although law enforcement is increasingly effective in dismantling dark web black markets, eradicating the phenomenon seems arduous, as administrators are very agile: they respond to massive seizures of particularly dangerous substances or content like guns and child pornography by banning them from their marketplaces so as not to attract the attention of law enforcement; they respond to cyberattacks from competing sites and infiltration attempts by undercover agents by improving security measures, and so on. Worse still, for every takedown, another platform appears (or even reappears!). After DarkMarket closed in January 2021, for example, WhiteHouse took its place as the first dark web marketplace. There have been as many as three versions of Silk Road, while a certain DeSnake claims to have rebuilt the site of which he was co-administrator, AlphaBay. This is why law enforcement is increasingly shifting its focus from administrators to active sellers on the dark web, as exemplified by the 150 arrests of Operation HunTOR mentioned in the beginning.
This episode was recorded with my old time friend and co-host Tiziana Pezzotti.