Looking at Darknet Marketplaces Through A Brazilian Lens
By Ian W. Gray
Darknet marketplaces offering illicit goods and services have been integral to the underground economy since at least 2010. The success of these marketplaces has been largely dependent on their ability to provide a good user experience while also protecting users’ privacy and security.
Newer marketplaces are increasingly striving to account for these elements, but none are immune to the exit scams, law enforcement takedowns, and other factors that have long characterized the dark web’s volatility. And this tends to be especially true for marketplaces that cater to non-English speakers. Portuguese-language marketplaces—most of which are based in Brazil and frequented by Brazilian threat actors—have been particularly volatile in recent years, illustrating how certain regional and cultural factors can influence the underground economy.
One such factor is that Portuguese-language communities in the dark web often seek to emulate—and learn from—their counterparts in other regions.While the takedowns of several large English-language marketplaces remain a deterrent for many threat actors, they have also motivated some Brazilian actors—determined to learn from their predecessors’ mistakes—to start their own marketplaces. Following the takedowns of AlphaBay and Hansa markets in 2017, one actor created, become the administrator of, and attempted to attract vendors to a Brazilian marketplace called Trishula. However, the marketplace was online for a short period of time before getting hacked, having its database leaked on Twitter, and being forced to shut down because its users’ privacy and security had been violated.
Days after the Trishula shutdown, another new administrator rode the wave of enthusiasm to launch an improved Portuguese-language marketplace called Mercado Negro. This administrator ensured to ideologically and technically distance the marketplace from Trishula and from the actions of past administrators of the various other now-shuttered marketplaces. For example, the Mercado Negro administrator referenced that law enforcement was able to investigate and ultimately arrest SilkRoad founder Ross Ulbricht by identifying and capitalizing on his psychological weaknesses. The administrator also weighed in on alleged AlphaBay founder Alexandre Cazes, speculating that his lavish lifestyle at a Thai resort prior to his arrest had likely made him a target for law enforcement.
Chat Services Encroaching on Market Business
But within six months of opening, the administrator confessed that Mercado Negro had not been as profitable as expected. Despite its best efforts and relative lack of competition in the Portuguese-language dark web, the marketplace struggled to overcome several prevailing obstacles. For example, encrypted chat applications are extremely popular in Latin America. While Mercado Negro connected buyers and sellers of various illicit offerings, transactions typically occured on encrypted chat applications, depriving the marketplace of sales commissions it would have otherwise earned.
After one year, Mercado Negro shutdown. The administrator left a final communique on the dark web messaging board Dread, claiming that “the Mercado Negro server was targeted by a Police Authority IP. As a security measure, the server self-destructed.” To maintain its users’ privacy and security, the marketplace’s operations would remain closed. The administrator thanked their community for the adventure of administering the market, and signed off.
While the Mercado Negro administrator alluded to possible targeting from law enforcement, other users speculated an exit scam. Previous messages hinted at a planned shutdown, while other posts indicated that an outside entity may have been targeting the administrator. Although the details surrounding the shutdown remain speculative, no formal arrests were reported by Brazil’s Policia Federal.
Changing Perception of Law Enforcement
The lack of law enforcement activity related to Mercado Negro is largely why many threat actors within the region continued to perceive their dark web activity as unaffected by the takedowns of large English-language marketplaces such as AlphaBay and Hansa. In April 2019, another threat actor began advertising a new Portuguese-language dark marketplace called Genese, or Genesis, Market. Again, the administrators began to separate themselves operationally and ideologically from their Brazilian predecessors, Trishula Market and Mercado Negro, by clearly stating that their lack of assocation. Additionally, they highlighted that Trishula was hacked in a short period of time, and referred to Mercado Negro’s administrator as a scammer.
Shortly after Genese launched on April 30, international law enforcement announced the coordinated takedowns of Wall Street Market and Silkkitie (Valhalla) Market. The indictment included a Brazilian national who had been a Wall Street moderator. Shortly thereafter, a Brazilian resident was named in the DeepDotWeb takedown. Following the arrests of these two Brazilians, the Genese Market administrators chose to shut down the marketplace before risking further actions by the Brazilian Policia Federal.
Indeed, threat actors’ perception of law enforcement appears to be changing the marketplace structure in the Brazilian underground. Decentralized platforms such as OpenBazaar—where two of the largest vendors from Mercado Negro recently migrated—are gaining traction among threat actors in the region. Although these types of platforms lack the community atmosphere of traditional dark web marketplaces, they have become an appealing alternative nonetheless because they eschew the administrators and escrow wallets that contributed to the recent shutdowns and takedowns. Only time—and/or law enforcement—will tell if this decentralized model will remain relatively unique to the Brazilian underground or evolve further into a new standard for dark marketplaces globally.
Ian W. Gray
Senior Intelligence Analyst
Ian W. Gray is a Senior Intelligence Analyst at Flashpoint, where he focuses on producing strategic and business risk intelligence reports on emerging cybercrime and hacktivist threats. Ian is a military reservist with extensive knowledge of the maritime domain and regional expertise on the Middle East, Europe, and South America. As a Veteran Volunteer, Ian supports The Homefront Foundation, a non-profit that helps veterans and first responders share their experiences through focused story-telling workshops. His insights and commentary have been featured in publications including Wired, Christian Science Monitor Passcode, ThreatPost, TechTarget, The Washington Examiner, Cyberscoop, The Diplomat, and others. He holds a bachelor’s degree in Middle Eastern Studies from Fordham University and a Master of International Affairs degree from Columbia University.