Report: Darknet activity in 2019 is higher than in the past, how should law enforcement agencies respond in 2020?

Original source: Chainalysis ,

Translator: Christina

Source: Planet Daily

Polls show that in 2019, 18% of Americans and 35% of American millennials bought cryptocurrencies, and their acceptance of cryptocurrencies is rising.

Mainstream financial institutions like J.P. Morgan are getting involved. Popular retailers like Amazon and Starbucks now allow customers to pay in Bitcoin. But at the same time, the decentralized, semi-anonymous nature of cryptocurrencies also makes it a unique choice for criminals. In recent years, cryptocurrencies such as Bitcoin have been used to pay for various goods and services (guns, ammunition, drugs, personal information, etc.) on the dark web, which has become an "out-of-law place" and a "shelter heaven".

The data shows that after a slight decline in 2018, the total sales of the dark web market in 2019 increased by 70%, and its sales exceeded US $ 600 million for the first time. Not only that, the share of darknet market transactions in all cryptocurrency transactions has doubled since 2015, from 0.04% to 0.08% in 2019.

As before, the vast majority of dark web transactions are conducted through exchanges. By far, exchanges are the most common service for customers to send cryptocurrencies to suppliers.

Although the share of dark web transactions in cryptocurrency trading activities is still low (only 0.08%). However, due to the recent rebound in dark-net transactions due to increased law enforcement review, the transaction volume has increased.

Although 8 of the 49 darknet markets active in 2018 were closed in 2019, another 8 were added in 2019. Overall, except for the heyday of the Silk Road in 2012 and 2013, the revenue of each active darknet market in 2019 was higher than in other years. This is because when some markets are closed, others seem to be able to make up for shortfalls and meet customer demand.

The above data also confirms that the driver of revenue growth is more purchases, not larger purchases. In terms of USD value, the median purchase size remained relatively stable, but the number of transfers (across the black market) increased again significantly, from 9 million to 12 million. This shows that either more customers will buy from the dark web market in 2019, or more customers will buy more.

Interestingly, compared to other services, trading activities in the dark web market appear to be less affected by price changes in the cryptocurrency market or other seasonal fluctuations. The figure above shows that during 2019, the comparison of the dark web market and the other three services in the total number of bitcoin transactions, the dark web market has soared much less.

Drugs still rule the dark web

From the picture above, you can see how the dark web market has changed over time. Among them, drug followers have always accounted for the largest proportion. However, it is worth noting that some of the above-mentioned high-end markets only serve specific countries or regions. For example, the Hydra Marketplace is by far the most popular market on the chart, and it only targets Russian customers. Below is another version of this chart, which only shows markets with a global customer base. Some markets shown in the second chart are more popular in some countries than others, but overall, the data shown below will be more relevant to investigators in the United States and Western Europe.

The drug market also dominates here. However, markets that specialize in other illicit goods have also brought considerable funding. Joker's Stash Market and UNICC are the two most typical markets that have remained stable throughout the time period.

Fighting cybercrime: Should law enforcement track down sellers or close the market?

For a long time, the law enforcement strategy has been to track down the dark web. On the surface, this seems to be the most logical action. If you can win all the suppliers at once, why bother looking for a single supplier? Following this strategy, law enforcement agencies have achieved a major victory and closed the once prominent darknet markets such as AlphaBay and Hansa. The problem with closing the market, however, is that other markets quickly filled the gap. As of the end of 2019, there are at least 49 active dark web markets, so users and vendors have too many options when looking for new markets. Not only that, they can easily find new markets on forums such as "Dread".

Nightmare Market is a short-lived, moderately popular market that will be closed on July 23, 2019. Unlike the other examples we mentioned earlier, Nightmare has not been banned by law enforcement. It's unclear exactly what happened, but users fled after July 23. By the end of July, Nightmare trading had almost stopped. As the data below show, Empire took over most of Nightmare's previous business because its sales increased significantly as Nightmare fell.

The closure of the Nightmare market is a microcosm of the problems of the dark web market. There are many other markets on the market, and suppliers can easily tell their biggest customers which market they want to go to. This is why many law enforcement agencies have turned their attention to arresting individual traders.

Here is a related case study. We interviewed Stefan Kalman, a user analyst and an anti-drug officer at the Swedish police. His focus is on the dark web market.

In 2014, Stefan Kalman and his team at the Swedish Police Department discovered a dark web hawker named Malvax who was active on Silk Road 2.0 and Evolution. By observing his activities on the Silk Road Forum, they learned that he is also active on two other dark webs: Evolution and Flugsvamp, two darknet markets unique to Sweden. Malvax has more than 280 products on sale, including the dangerous synthetic opiate fentanyl. Although police successfully seized some of his shipments, which were tagged by PostNord, Denmark's leading private mail company, they have not found his true identity.

Malvax shields his true identity through a series of obfuscation techniques and complex operations. However, the police seized an excellent opportunity in 2015 because the FBI closed down the servers of "Silk Road 2.0" in November last year. By looking at the logs of these servers, they were able to obtain some of the Bitcoin addresses used by the distributors under the Malvax name and trace some of them back to regulated UK-based exchanges.

Stefan and his team sent a subpoena to the exchange, which provided them with enough information to find out exactly who Malvax was: Fredrik Robertsson.

Stefan and his team made a secret purchase from Robertsson on Flugsvamp to confirm that he was still drug dealers. Later, Stefan and his team were authorized to listen to Robertsson's phone, install a GPS tracker in his car, and monitor his house through a camera. Test your order by going down more and observe his online and offline behavior.

With evidence gathered by Stefan and his team about the Robertsson brothers, Swedish courts were able to determine that they were selling drugs on the dark web.

Card Store Deep Dive

As we mentioned above, while drug stores are the most popular darknet market type, they are not the only darknet market type that achieves continuous sales. Let's take a look at another popular market type.

You may have heard of major security breaches in companies like Capital One and Home Depot, where tens of millions of customers' credit card information was stolen. Ever wondered where this stolen information will eventually go? Most likely, they went to a credit card store. Credit card stores are a category of the dark web market where users can buy stolen credit card information.

Take UNICC as an example

Above is a list of some UNICC credit cards. Credit card prices range from $ 2 to $ 15, with an average of around $ 10. The exact price depends on several different factors. One is the place of origin. Credit cards in the United States and Western Europe are usually more expensive. Another factor that affects price is cardholder's personally identifiable information (PII), such as street address and phone number. Most online stores require buyers to provide this information, so having this information drives up the price of credit cards.

UNICC received at least $ 22.7 million worth of cryptocurrencies in 2019, making it the fourth most active market last year. Activity throughout the year was relatively stable, peaking in April. Based on total sales and an average cost per card estimated at $ 10, it is estimated that UNICC sold card data for nearly 3 million customers.

Regional data shows that most people who buy stolen credit card data on UNICC come from North America (after the world), while most people who sell stolen credit card data come from China.

What will happen in the dark web market?

Some dark web markets have begun implementing user security features. For example, many companies use multi-signature technology, which means that buyers and sellers must confirm that the order has been completed before the funds can be transferred. The other is walletless hosting, also known as direct deposit. Every next order will receive a new one-time wallet, and the cryptocurrency deposited by the buyer will flow directly to the seller.

Some dark web markets are also adopting new infrastructure to avoid law enforcement shutdowns. For example, OpenBazaar has a completely decentralized structure, similar to the blockchain itself or the Tor web browser. Users only need to download and run a program, and they can connect directly without going through the website.

More "dark web" markets accept or even force the use of "privacy coins" like Monero. Monero uses a vague public ledger that makes it harder for people to see the amount of cryptocurrency sent, received or exchanged in a transaction.