The day international authorities announced last summer they had shuttered the AlphaBay and Hansa Deep & Dark Web (DDW) markets signaled a new order of doing business on the cybercrime and fraud underground.
Gone in a relative instant were the days of the massive, centralized markets peddling drugs, guns, malware and more, and introduced instead was a spider web of smaller markets and scattered vendors who choose third-party platforms such as secure messaging apps to close deals and move illicit goods.
While observers waited for an English-language successor to stand up the same kind of infrastructure and economy as AlphaBay, it’s been a vigil in vain. None have stepped up, and instead business is moving to smaller centralized platforms, while some cybercrime and fraud interactions and transactions are carried out on chat platforms such as Discord and Telegram. Smaller Dark Web markets have forums that continue to be discussion hubs for fraud and cybercrime, but have yet to cultivate activity comparable to that of AlphaBay or Hansa. Some emerging communities act as shops without forums, specializing in selling personally identifiable information (PII), such as Social Security numbers (SSNs).
But the lack of a single, centralized DDW market acting as a hub for the same type of membership or discussions on the range of topics once emblematic of AlphaBay and Hansa is noteworthy.
DreamMarket may be the closest since many of its vendors also had a presence on AlphaBay and Hansa, but even so, it’s viewed as less secure and less aesthetically pleasing than AlphaBay, and it has a much less active forum component. AlphaBay, for example, hosted more than 1.2 million posts dating back to late 2013 right up until the takedown. By comparison, DreamMarket hosts around 178,000 posts dating back to 2015 right up to the present.
DreamMarket is also considered a less reputable market than AlphaBay with reports of issues with internal cryptocurrency wallets surfacing, along with lagging moderator and admin support, as well as security vulnerabilities leaving it exposed to law enforcement and security researchers.
Some legacy vendors who fled AlphaBay and Hansa were also simultaneously doing business on DreamMarket and other smaller yet popular markets and have focused efforts there for the time being. They’re doing so in order to maintain some semblance of a centralized market, but it’s largely because these markets have something that doing business over Discord or Telegram cannot offer: a system that evidences the credibility and reliability of these vendors. This may be a big reason why another massive AlphaBay-style market has yet to emerge. Some of these verification systems include the number of sales attributed to a vendor, positive or negative feedback ratings, and the number of completed sales, all of which give vendors a measure of prominence or trustworthiness on a DDW market.
Flashpoint analysts, meanwhile, have recorded an influx of some fraud-related activity on the Discord and Telegram messaging apps. Vendors and buyers discuss a range of products, including full packages of personal information crucial to identity theft known as fullz, as well as malware, database dumps, and credentials, all of which were previously available on AlphaBay and Hansa.
Originally a video game communications platform, Discord offers cybercriminals a centralized community in which actors can make initial contact in a chatroom before moving to a more secure private messaging service such as XMPP/Jabber (using the Off-the-Record [OTR] cryptographic protocol). For the sake of convenience, however, most actors use Discord’s end-to-end encrypted direct messaging system. Discord’s model lacks a way to verify actor and vendor credibility, which may prevent the platform from becoming a successor to AlphaBay, which offered both Vendor and Trust Level ratings. Moreover, Discord lacks an escrow service to facilitate illicit transactions, a common feature in most underground markets.
Telegram’s service has been the center of controversy on a number of fronts. The messaging app has been banned in Russia and Iran. The action in Russia came after the company refused to share decryption keys with the Russian government, which would have allowed the state access to discussions happening over the platform. Dissident governments such as Iran’s, meanwhile, have restricted the app because activists in the country use it to organize protests and other activity considered illicit. The Iranian government instead wants locals to use homegrown messaging apps that have likely been compromised by the state.
Flashpoint analysts have observed a flux of cybercrime and fraud activity happening on Telegram, though most of the participants are Russian-, Portuguese-, and Spanish-speaking, as well as English-speaking. Fraud-centric activity happening over Telegram ranges from carding, to credential dumps, to the solicitation of fullz. And as with Discord, the lack of a verification system keeps it from elevating its status as a primary means for fraudulent transactions.
As the first anniversary of the AlphaBay takedown approaches, a successor has yet to emerge. In the meantime, the U.S. Department of Justice continues to crack down, most recently with the June 26 announcement of the arrest of 35 individuals doing business across a number of dark web markets. The DoJ also said it seized massive amounts of narcotics, firearms, vehicles, cash, gold bars, and cryptocurrency.
No single DDW market community has been able to cultivate the same membership or host discussions on the same expansive range of topics that AlphaBay and Hansa once did. Additionally, no alternative platform appears to have cultivated a membership comparable in experience to the former membership of AlphaBay. The reasons are plentiful, perhaps none as daunting to potential organizers, vendors and buyers as the target a massive, centralized community puts on the back of its organizers for law enforcement and security analysts alike.