Fidelis Cybersecurity
Fidelis Blog

Aamil Karimi
Sr. Intelligence Analyst, Threat Research Team

Aamil Karimi is a former US Army All-Source intelligence analyst and spent over 6 years in Afghanistan working with the US Army, Air Force Office of Special Investigations, and supporting USSOCOM as an...



Another Marketplace Bites the Dust

April 2019 will stand alongside July 2017 and October 2013 as times that threw the world of darknet market operations into chaos. In October 2013, the US Department of Justice arrested Ross Ulbricht, owner of one of the largest and most popular darkweb marketplaces of the time, Silk Road. July 2017 marked the culmination of a multi-national law enforcement effort, Operation Bayonet 2.0, that simultaneously took down AlphaBay and Hansa Market. Operation Bayonet 2.0 not only shut down two of the largest marketplaces and disrupted illicit commerce and services; the circumstances around the seizures and the compromise of vendor and consumer accounts also marked a new reality of distrust and uncertainty within these anonymous spaces.

April 2019 also saw two highly controversial and disruptive events related to darknet market operations. The first was the announcement that Dream Market, the largest and most popular marketplace remaining since AlphaBay, would shutter its services on 30 April 2019. The message was posted to the home page and followed the arrests in March 2019 of multiple drug vendors who were operating on Dream Market. The key difference between Dream and the situation with AlphaBay and Hansa is that Dream gave vendors and consumers on its platform nearly a month’s notice that its operations were winding down, allowing members to cash out and withdraw any funds from their accounts and escrows.

The second event that disrupted darknet market operations in April was the rumor, and eventual materialization, of another popular marketplace, WallStreet Market (WSM), ceasing all transactions in mid-April and siphoning any funds in escrow to an external cryptocurrency wallet. This tactic is known as “exit-scamming”: administrators steal all funds from vendor and consumer accounts and shut down the market, leaving all members hung out to dry. Since then, market participants have been seeking alternatives to Dream and WSM but remain leery of any option because of the risk of law enforcement honeypot and entrapment operations echoing 2017’s Operation Bayonet 2.0.

Based on the Fidelis Threat Research Team’s (TRT) current and historical observations of various forums and threads, the seizures and disruptions of underground and illicit commerce platforms, whether due to law enforcement or insider scamming activities, will result in several potential courses of action. These range from participants seeking other marketplaces to continue their trade, to avoiding any platform and initiating deals directly over chat and direct messaging services, to criminals taking advantage of the uncertainty by standing up fly-by-night marketplaces for the sole purpose of duping desperate vendors and buyers and exit-scamming with the funds after a short period of time, further exacerbating the situation.

Dream Market Wind-Down and WallStreet Market Scam

In late March 2019, Dream Market announced it was ceasing operations on 30 April but gave members the opportunity to cash out. As news of the closure circulated, buyers and vendors looking for alternatives discussed other marketplaces, including Empire and WallStreet Market (WSM).

Around 17 April, multiple contributors on Reddit began discussing rumors of WSM administrators freezing operations and transactions on the marketplace under the guise of maintenance issues. Over the following days, these rumors and suspicions were reinforced as millions of dollars in cryptocurrency were siphoned from escrow accounts to external wallets, transfers that were assumed to have been carried out by administrators. Contributors to these threads also suggested alternatives to WSM, including Empire and Nightmare. Some vendors also suggested direct deals over chat applications like Wickr. Members were extremely cautious of both options because the back-to-back shutdowns of Dream and WSM resembled the 2017 seizures and takedowns of AlphaBay and Hansa Market.

Fidelis TRT Intelligence assesses that, as both vendors and consumers of underground marketplace services search for the next platform on which to set up shop or weigh the risk of doing business directly through applications like Wickr, there is the potential for scammers to take advantage of the chaos and set up fly-by-night marketplaces established specifically to steal funds deposited by unsuspecting vendors or buyers. The possibility that recent events are another coordinated effort by law enforcement also exists; however, there isn’t any information available at this time to prove this.
