The Great Cyber Exit: Why the Number of Illicit Marketplaces Is Dwindling
Shutdowns, takedowns, retirements, and resignations
2021 was a strange year for cybercrime marketplaces, the illicit venues that mimic the e-commerce experience, but for drugs, fraud guides, and other oddities. While exit scams and sudden closures are ordinarily the norm, this past year was full of planned closures and announced retirements, as well as arrests and graceful shutdowns.
Cybercrime-related threat intelligence should inform the ways security practitioners detect, prioritize, and mitigate cyber risks. In this article we detail the so-called Great Cyber Exit, outlining the most notable closures, takedowns, arrests, and retirements of 2021, plus what this will mean for the threat ecosystem in the year ahead.
REvil, UniCC, and Russia’s Cybercrime U-Turn
January 2022 was a big month for Russian law enforcement, with the arrests of members of two cybercrime collectives.
- On January 14, 2022, the FSB announced that it had conducted a special operation against members of the REvil ransomware collective at the request of US authorities and that, according to the Russian authorities, the operation eradicated the collective. This appeared to be a reminder to the US government that Russia regards cybersecurity as part of the wider security talks focusing on Ukraine, and that it has leverage in the field through its access to Russia-based cybercriminals targeting the US.
- On January 22, 2022, the FSB arrested four Infraud Organization members. Kirill Samokutiev was arrested, while Mark and Konstantin Bergmanov were placed under house arrest. Andrey Novak, a Russian citizen and the group’s founder, who is wanted by the FBI, is in detention.
These arrests call into question what was previously self-evident to cybercriminals operating on the territory of the Russian Federation: you are safe as long as you are not targeting Russian entities or Russian interests. Now, however, the presumption of safety is shifting. Cybercriminals can become an important chess piece in Russia’s geopolitical ventures, and their safety can no longer be taken for granted.
Planned closures and shutdowns
What is an illicit market shutdown?
A shutdown is a voluntary closure of an illicit marketplace that is planned and executed by the administrators of the venue. These closures have often intersected with exit scams, in which an established marketplace halts the fulfillment of existing orders while continuing to accept new ones, eventually disappearing with customers’ money.
However, 2021 saw an unusual number of announced shutdowns that gave threat actors the opportunity to withdraw funds from their accounts and settle any final tickets or disputes with the venue.
Joker’s Stash
Illicit marketplace Joker’s Stash (operated by threat actor “JokerStash”) was well known among cybercriminals as the most reliable source of stolen payment card information.
However, on January 15, 2021, JokerStash posted an update in English and Russian on the announcements page of the shop, as well as on various forums, stating that it would be closing for unspecified reasons. In the post, titled “Finale,” JokerStash stated that the shop would remain open for 30 days to allow users to spend any remaining account balances, after which all of its servers and backups would be wiped on February 15.
The Canadian HeadQuarters
On June 28, 2021, The Canadian HeadQuarters (CHQ) purged their subdread, deleted their accounts, and removed their links from the social news site Dread. Several users were perplexed by the exit. As one customer described, “The site was working perfectly one sec and boom next sec offline.”
Typically, when markets shut down, withdrawals are disabled and customers are locked out of their accounts, but that was not the case here. CHQ had also just added new site functionality, including a v3 Tor onion address, cleaned-up categories, and other site upgrades, making this a strange closure. CHQ had emerged as a popular venue for fraud and drugs in 2019, following the shutdowns of other major marketplaces such as Dream and Wall Street Market.
On January 26, 2022, the Canadian Radio-television and Telecommunications Commission (CRTC) highlighted that CHQ was taken offline as part of a law enforcement operation. The CRTC issued penalties to four individuals, including the administrator of the marketplace.
White House Market
On October 1, 2021, White House Market (WHM) announced that it was voluntarily shutting down, but kept its operations running for a week to allow customers to move their funds to other markets. White House Market had been running since August 2019. It had a full range of offerings but focused primarily on illicit drugs. The market enforced numerous security protections, such as requiring users to use PGP, processing payments in Monero (XMR), and supporting escrow services. Vendors also had to pay a $1,000 bond to list on the site, which reduced the number of low-quality vendors and scammers on the market.
The administrator closed by recommending that customers move to Versus and Monopoly Market rather than to other marketplaces such as AlphaBay. AlphaBay relaunched in August 2021 and has drawn mixed feelings from the fraud community. As of this publishing, Monopoly appears to have exited too, not passing Go, not collecting $200.
Cannazon gets DDoSed
The administrators of Cannazon, a large marketplace for cannabis sales, announced on November 23, 2021 that they would be shutting down on November 28 following a massive DDoS attack.
Over the past few years, several marketplaces have suffered DDoS attacks from extortionists. Some, like Dream in 2019, chose to shut down rather than have their venues disrupted.
Most recently, Torrez, a large marketplace for the sale of drugs, announced that it would also be closing its doors. The administrators did not give a reason but left open the possibility of a return, AlphaBay-style. It is unclear where vendors will go following this latest shutdown.
Illicit marketplace takedowns
What is a takedown of an illicit marketplace?
A takedown is a closure with an external cause: an outside party, usually law enforcement, forces a marketplace offline and stops it from serving its customers. This may lead to arrests of the individuals involved. The threat of takedowns has fueled the characteristic distrust present in illicit communities, whose members fear unknowingly dealing with undercover law enforcement or security researchers. Several prominent venues experienced takedowns in 2021.
The year started out strong with one of the largest marketplaces, DarkMarket, being taken down by international law enforcement. Europol announced the takedown with an image of DarkMarket’s insect logo under a flyswatter. The takedown set the tone for the year, leading to the temporary growth of markets like White House Market, and possibly to the reincarnation of AlphaBay.
Law enforcement was able to take down DarkMarket after gaining access to CyberBunker, a former military bunker in Germany used for illicit bulletproof hosting services, in September 2019. The takedown led to several arrests, including that of the Dutch operator, who was recently sentenced to five years and nine months in prison.
On October 26, 2021, Europol announced the arrest of 150 suspects allegedly involved in buying, selling, and coordinating the sale of illicit goods across underground marketplaces and shops. The law enforcement operation, dubbed “Operation DarkHunTor,” was a coordinated series of actions across nine countries.
DarkHunTor was unusual in that certain details of the investigation leaked from the Italian Guardia di Finanza’s Nucleo Speciale Frodi Tecnologiche on September 21, 2021. The information was published on the underground social news site Dread before being publicly announced by international law enforcement. The details were also unusual in that they described the law enforcement takedown of the marketplaces Berlusconi and DeepSea, which had shuttered in November 2019 and September 2020, respectively. They additionally included details of Televend, the Telegram-based cybercrime marketplace.
Since the DarkMarket takedown, Europol had been compiling intelligence packages, which led to the arrests of these 150 individuals.
Monopoly Market, the marketplace recommended following White House Market’s closure, was no longer accessible in late December 2021. As with CHQ, the marketplace seemed to suddenly go offline without much explanation. On January 28, 2022, nearly a month after Monopoly went offline, the Twitter account of DarkDotFail noted that Monopoly’s servers had been seized by law enforcement. At this time, there have been no official notices regarding the takedown or any arrests. DarkDotFail also noted that Cartel Market had vanished alongside Monopoly.
Resignations and retirements
What does it mean when the admin of an illicit marketplace resigns?
A resignation, similar to a shutdown, is the voluntary abdication of a cybercrime figure, which usually leads to the closure of their marketplace. These administrators may choose to return to the world of cybercrime venues later on, either by starting a new marketplace or by reviving the one they resigned from.
Retirements are resignations that normally imply the administrator will not be returning to the cybercrime community to open a new venue. In the instances mentioned below, threat actors who operated on marketplaces whose leaders have retired are usually warned not to trust copycats that may try to impersonate prominent retired figures. Retirements often come after an administrator has built a successful marketplace, although this year Flashpoint also saw figures step back before their venue had reached its full potential.
Amigos Bot Shop
Amigos is the latest shop to join a growing list of cybercriminal resignations. This comes on top of the law enforcement takedowns of account shops like Slil_PP and the Telegram messaging bot Televend. Other fraud venues have also closed due to inactivity or mismanagement; for example, the Mouse in Box bot shop unceremoniously closed in July 2021.
Flashpoint observed the growth of “bot shops” in 2021. Bot shops have been around since approximately 2018, originating with Genesis Market, followed by Russian Market in 2019, and Amigos and Mouse in Box in 2020. Newer entrants like 2Easy Shop and Top[.]cc have added logs along with other products like compromised accounts and credit card numbers.
Amigos was not unique. It was remarkably similar to Russian Market, a shop that, like Amigos, sells compromised credit cards, SSH and RDP accesses, and malware logs. However, Amigos also sold web shells, cPanel accounts, mailers, bank login information, merchant accounts, accounting information, compromised US tax ID information, and physician leaks, as well as accounts on popular entertainment, social media, and banking sites.
The reason for the Amigos administrator’s resignation is not clear, though judging from the long list of retirees in 2021, sometimes it’s good to quit while you are still on top.