2024/03/25 08:38:32

Darknet (shadow internet, DarkNet)


Hosting darknet providers

2024: How the darknet develops. Trends from Kaspersky Lab

On January 18, 2024, the antivirus company Kaspersky Lab published a study in which it spoke about the main trends in the darknet.

Rise in ransomware virus blog posts

In 2023, Kaspersky Digital Footprint Intelligence specialists discovered about 476 reports every month of successful hacks of public companies with the help of ransomware, while in 2022 the number of such posts was 386.

Kaspersky Lab spoke about the main trends of the darknet

Increased risk of user and company data breaches

According to Kaspersky Lab, in 2023 the number of messages on the darknet related to stealers increased. Stealers are programs for stealing confidential information, such as login credentials, financial details and personal data. For example, the monthly number of ads selling log files of Redline, a popular stealer family, rose from an average of 370 in 2022 to 1,200 in 2023. The number of publications on underground forums with the free distribution of malware log files containing compromised user data increased by almost 30% in 2023.

Growing demand for crypto drainers

Kaspersky Lab expects an increase in demand for crypto drainers - a type of malware for fast and automatic withdrawal of funds from legitimate crypto wallets to attackers' wallets.

Promotion of sites with embedded malware using search engine advertising

According to Kaspersky Lab experts, attackers will distribute malware not only through phishing emails, but also through advertising in popular search engines in order to provide their pages with the top positions in search results. Sellers of such services are likely to become more active on the darknet.[1]

2023

Fraudsters put up for sale on the black market at least 5 companies a day

In 2023, experts of the Solar Group discovered 1844 Russian companies put up for sale in the shadow segment of the Internet for illegal activity, an average of five companies a day. The number of such ads increased by 42% compared with 2022, and this trend continues in 2024. The company announced this on March 22, 2024.

According to experts from the Solar AURA Center for Monitoring External Digital Threats, legal entities are bought for illegal activity, for example, illegal cashing and laundering of funds. In addition, such companies can be involved in attacks on supply chains or scenarios related to false partnerships. They can also be used for frauds related to one-day firms. Such schemes are the most dangerous: a company that wants to become a counterparty and was created a week ago raises more suspicions than a secretly bought organization with a long history.

When analyzing the compromised data over the past year, 420 incidents related to leaks of confidential information of Russian companies were found. The first two places in the number of incidents were taken by the service sector and e-commerce (28% and 26%, respectively), since they had not previously paid due attention to information security because of low interest from hackers. In third place was the construction and development industry (12%), in fourth and fifth - IT (9%) and the education sector (8%).

At the same time, data of 170 companies has already leaked in the first 2.5 months of 2024, which is 40% of the total number of incidents in 2023. The volume of published data amounted to 450 million lines, among them 27.7 million compromised email addresses and 137 million telephone numbers. To protect against leaks, you should use complex passwords, not set the same logins and passwords for different accounts, enable two-factor authentication where possible, not provide personal data on suspicious and unofficial websites, and use antivirus software on all your devices.

In addition, in 2023, experts recorded 13.3 thousand ads on the dark web and Telegram channels offering various kinds of illegal services - this is, for example, the sale of hacked accounts, products bypassing official channels, etc.

Most of all, the attackers were interested in offers to sell accounts, look up data and recruit employees to carry out cyber attacks on large Russian organizations and departments (38%). In second place in terms of the interest of hackers were announcements in the financial sector (31%) - these are offers for the sale of bank cards and access to the personal account of a bank client, or registration of bank accounts without a visit to the bank.

"A one-day firm is easily identified: any check, even the most superficial, will detect it. Therefore, the purchase of ready-made legal entities for illegal activity is among the black market trends of 2023 and this year. The danger of such companies is that, despite their outward reliability, for example excellent financial and other indicators, interaction with them can carry serious risks for business," explained Alexander Vurasko, head of the Solar AURA external digital threat monitoring service at Solar Group.

Experts of the Solar Group recommend that companies constantly increase the level of knowledge of employees about possible external threats, ensure the delineation of access rights and monitoring the movement of data within the organization, as well as implement and maintain a set of tools and classes of solutions for their protection.

To protect businesses from reputational and financial losses, Solar AURA's external digital threat monitoring service monitors company sales announcements and forms a base of potentially unreliable counterparties. The service also allows you to identify signs of preparing attacks on the dark web, possible data leaks, phishing on behalf of the company, illegal use of the brand, suspicions of illegal use of acquiring and other factors of digital risks.

The full version of the Solar AURA report "Key External Digital Threats for Russian Companies in 2023" can be found at the link.

Most phishing attacks are generated with the help of software from the darknet

More than 80% of phishing mailings are made with software that attackers buy on the dark web. The most popular programs cost from 299 rubles, and some are distributed free of charge. They can be used to steal passwords and account data. There are also expensive programs that give access to the user's Telegram and allow keystrokes to be intercepted; their cost reaches $15,000. This was announced on November 21, 2023 by the press service of State Duma deputy Anton Nemkin. Read more here.

Darknet market InTheBox "for a penny" sells malicious packages to steal data from banking applications and crypto wallets

The InTheBox store promotes web injections on Russian cybercriminal forums to steal credentials and confidential information from banking applications, crypto wallets and e-commerce applications. This became known on February 2, 2023.

Web injections are compatible with various banking Trojans for Android and mimic the popular applications of large organizations used on almost all continents. As a rule, mobile banking Trojans check which applications are present on the infected device and extract web injections corresponding to certain applications from the C2 server. When the victim launches the target application, the malware automatically downloads an overlay that mimics the interface of the legitimate product.

InTheBox Store

According to Cyble's analysis, as of January 2023, InTheBox sells the following web injection packages:

  • 814 web injections compatible with Alien, ERMAC, Octopus and MetaDroid for $6,512;
  • 495 Cerberus-compatible web injections for $3,960;
  • 585 Hydra-compatible web injections for $4,680.

For those who don't want to buy entire packages, InTheBox also sells web injections individually at $30 apiece. The store also allows users to order web injections individually for any malware.

InTheBox web injection packages include PNG application icons and an HTML file with JavaScript code that collects victims' account data and other sensitive data. In most cases, injections have a second overlay that asks the user to enter a credit card number, expiration date and CVV number. Cyble claims that InTheBox injections check the validity of credit card numbers with the Luhn algorithm, which filters out incorrect data. Then the stolen data is converted into a string and sent to a server controlled by the attacker.

Overlay pattern code (left) and script for card number verification (right)

InTheBox has been selling web injections for Android since February 2020, constantly adding pages aimed at more banks and financial apps. Cyble experts confirmed that InTheBox web injections were used by Coper and Alien Trojans in 2021 and 2022, respectively. The availability of web injections in such numbers and at low prices allows cybercriminals to focus on other parts of their campaigns, developing malware and expanding their attacks to other regions.

Resources experts who discovered this darknet market called InTheBox the most significant source of bank theft and mobile fraud. Most mobile malware supported by InTheBox is focused on Android devices[2].

One of the biggest drug marketplaces on the darknet is hijacked by a competitor

In mid-January 2023, it became known that the Solaris site, a major player in the darknet market specializing in drugs and illegal substances, was seized by a smaller competitor. Read more here.

2022

Darknet store revenues halved to $1.5 billion

In 2022, revenues of darknet markets and fraudulent trading platforms decreased compared to the previous year. The total revenue of such platforms amounted to $1.5 billion against $3.1 billion in 2021. Such data are given in a study by Chainalysis, the results of which were released on February 9, 2023.

Hydra Market led the darknet market despite being closed in April 2022. The next three platforms in terms of profitability are Mega Darknet Market, Blacksprut and OMG! OMG!. Such sites sell stolen personal data, for example, information about bank cards.

"The closure of Hydra caused a decrease in darknet market revenues, while the average daily revenue on a global scale decreased from $4.2 million to $447 thousand," the study says.

Before its closure, Hydra held 93.3% of the darknet market ecosystem in 2022. At the same time, drug sales and money laundering services are leading in the Russian segment.

During most of April and May 2022, OMG! OMG! captured more than 50% of the overall market share, peaking at 65.2% in the spring. In fact, this platform became the successor to Hydra. In June 2022, the site was subjected to a DDoS attack, which probably forced market participants to switch to Mega Darknet Market and Blacksprut. At the end of November 2022, the Blacksprut platform was attacked.

It is also noted that 2022 was the most profitable year for crypto hackers: $3.8 billion was stolen from cryptocurrency companies. For comparison: in 2021, this figure was $3.3 billion, and in 2020 - $0.5 billion. Bursts of hacker activity were recorded in March and October 2022. For example, in the fall (in October alone), $775.7 million was stolen in 32 separate attacks. DeFi protocols accounted for 82.1% of all cryptocurrency stolen by hackers: this is approximately $3.1 billion.[3]

Services for the release of assets of Russians blocked on foreign crypto exchanges

By December 2022, the number of offers of services for the release of assets of Russian investors blocked on foreign crypto exchanges (Binance, Kraken, Huobi, KuCoin) is growing on the darknet. This is possible, for example, through the withdrawal of funds to an unblocked account or re-registration of accounts with a reset of the KYC status. But the services can be expensive, 35-85% of the value of assets, and are often provided by fraudsters.

The largest market for viruses to steal money from bank accounts found on the darknet

On November 25, 2022, Resecurity announced the discovery of the largest market for malicious software on the darknet to steal money from bank accounts. Read more here.

Development of cross-border payment services due to sanctions against Russia

In November 2022, services for conducting cross-border payments were gaining popularity on the darknet, Kommersant wrote.

The reason was the difficulties in conducting funds through banks, including due to their disconnection from international payment services. For 20-30% of the transfer amount, intermediaries make international payments for Russians in any currencies to pay for parallel imports, circumvent sanctions or currency control. Foreign counterparties use such schemes to avoid the risk of falling under secondary sanctions.

2021

Three people accused of selling people's personal data via the dark web arrested in Moscow

Law enforcement officers detained three men in Moscow on charges that they searched for personal data of private individuals for money. This became known on November 2, 2021.

Reportedly, the detainees unwittingly helped the founder of FBK Alexei Navalny in the investigations (FBK was included by the Ministry of Justice in the register of organizations performing the functions of a foreign agent and was recognized as an extremist organization).

According to TASS, Peter Katkov, Alexander Zelentsov and Igor Zaytsev were detained. With the help of the shadow Internet, they searched for customers and sold them personal data of various citizens: phones, addresses, etc. To do this, they used fake documents, including certificates of police officers.

The detainees were charged with forgery and violation of the secrecy of telephone conversations. By decision of the Basmanny Court, the suspects were sent under house arrest due to an investigation under Articles 327 and 138 of the Criminal Code of the Russian Federation[4].

On the darknet, the average price of access to hacked networks is $10 thousand.

On August 11, 2021, experts from IntSights shared data from a study that examined the sale of access to networks on underground Russian-speaking and English-speaking forums.

The study includes a quantitative and qualitative analysis of a sample of 46 offers of network access on underground forums. Of this sample, seven sellers accounted for more than half of the accesses sold, representing a broader trend of concentrated attacks by vendor-specific hackers. 40 ads selling access to hacked networks indicated the location of the victims' organizations. 40% of the companies hacked were in the United States or Canada.

According to experts, 10 of the 46 companies hacked worked in the telecommunications industry, while financial services, healthcare and pharmaceuticals, power and industry ranked second in popularity.

According to the results of the study, more than 37% of all victims in the data sample were from North America, with an average access price of $9,640. Access to a large telecommunications provider in Asia with an annual income of more than $1 billion cost $95 thousand.

According to the researchers, the darknet forums allow for a decentralized system in which less experienced cybercriminals can rely on each other for various tasks, allowing most ransomware operators to simply buy access from others.

Proposed network access ranges from system administrator credentials to full remote network access. As millions of people switched to remote work due to the coronavirus pandemic (COVID-19), network access sales have grown significantly over the past 18 months.

Sometimes attackers understand that there is no data in the hacked network that can be stolen or sold, as a result of which they decide to sell access to ransomware groups. Messages offering compromised access to the network include information about the victim, form and level of access. Sometimes victims are identified by location, industry or sector, and income information is often included. Descriptions may also include the number and types of computers on the network or the types of files and data they contain.[5]

The Russian Foreign Intelligence Service has opened a virtual reception room on the darknet

The Russian Foreign Intelligence Service (SVR) opened a virtual reception room on the darknet, becoming the first intelligence service in Europe to complain on the shadow Internet. This became known on April 20, 2021. Read more here.

Darknet market for drugs and stolen credit cards liquidated

DarkMarket, liquidated by law enforcement officers of Europe and the USA, specialized in the trade of drugs, fake money, stolen credit cards, anonymous SIM cards and malware. This became known on January 26, 2021.

At the time of closure, DarkMarket had 500 thousand users and more than 2.4 thousand suppliers of illegal goods. The archives preserved data on 320 thousand transactions with a total value of about $170 million.

Law enforcement officers arrested the alleged creator of the site. It turned out to be a 34-year-old citizen of Australia. He was detained at the border of Germany and Denmark.

The liquidation of DarkMarket was a side result of a large-scale investigation into the "bulletproof" hosting of CyberBunker, whose services were used in the past by The Pirate Bay and WikiLeaks.

Law enforcement officers managed to seize control over the entire hardware infrastructure, including more than two dozen servers physically located in Moldova and Ukraine.

Europol regularly reports on operations against various markets on the darknet, but not all of them are really successful. For example, at the very end of 2020, Europol announced the liquidation of the Joker's Stash market, but its owner said that only the external domain was neutralized, and the market itself continues to function without any problems.

"This is far from the first liquidated underground market, and not even the largest: in May 2020, Europol exterminated the Wall Street Market, which had more than a million users," says Anastasia Melnikova, an information security expert at SEQ (formerly SEC Consult Services). "The problem is that the place of each such destroyed site is quickly occupied by another, and sometimes several at once. The resources that need to be spent on the elimination of such breeding grounds are much higher than those spent by the creators of such markets, so you cannot count on the final victory of law enforcement officers. Only that there will be a minimum number of these sites."[6][7]

SQLi vulnerability on Pickpoint.ru for $1000 put up for sale

An SQLi vulnerability on Pickpoint.ru was put up for sale on the darknet for $1000. This became known on January 18, 2021. Read more here.

2020

Sales of access to compromised networks of companies increased 4 times

Group-IB, an international company specializing in the prevention of cyber attacks, investigated the key changes that have occurred in the field of cybercrime in the world and on November 25, 2020 shared its forecasts for the development of cyber threats for 2021. Read more here.

According to the Group-IB Hi-Tech Crime Trends 2020-2021 report, the volume of access to corporate networks of companies sold on darknet forums is increasing annually, but the peak was in 2020. It is quite difficult to assess the total volume of the market for the sale of access in the underground: attackers often do not publish prices, and transactions take place "in private." However, Group-IB technologies for the study of such sites, including taking into account information deleted and hidden by cybercriminals, made it possible to estimate the total market size in the current period (H2 2019 - H1 2020) at $6,189,388, which is four times more than the last period (H2 2018 - H1 2019), when it was $1,609,930.

Group-IB has recorded a trend of participation in this "business" of pro-state groups seeking to find additional funding: they are also starting to sell access to corporate networks. So, in the summer of 2020, lots were published on the sale of access to a large number of networks, including US government agencies, defense contractors (Airbus, Boeing, Raytheon, etc.), IT giants and media companies. In total, the author of the post asked for about $5 million for lots.

In the first half of 2020 alone, hackers put up for sale 277 lots selling access to hacked corporate networks of companies. The number of sellers also rose to 63, of which 52 began their activity this year. By comparison, only 37 access sellers were active in 2018. In 2019, just 50 sellers put access to 130 companies up for sale. In total, the growth in sales of access to compromised networks of companies amounted to 162% compared to last year (138 offers versus 362 in the current one).

Analyzing the segment of access sales, Group-IB analysts trace geographical and industry correlations with ransomware attacks: the largest number of lots was put up for American companies (27%), and production remained the most attacked industry in 2019 (10.5%), and 2020 brought demand for access to government organizations (10.5%), educational institutions (10.5%) and IT companies (9%). It is worth noting that sellers of such a "product" on hacker forums are less and less indicating such attributes as the name of the company, location or industry, so it is often impossible to establish the victim and its location without interaction with attackers. The sale of access to the company, as a rule, is only a stage in the implementation of the attack: the privileges obtained can be used both to launch a ransomware program with subsequent extortion, and to steal data for sale on darknet forums or espionage.

List of companies affected by ransomware published

On August 27, 2020, it became known that a list of companies and organizations that were attacked by ransomware operators was published on the darknet. The database contains a list of 280 victims of 12 different cybercriminal groups.

The list includes, for example, one of the largest US manufacturers of alcoholic beverages, Brown-Forman Corporation, which owns brands such as Jack Daniel's and Finlandia. The operators of the REvil ransomware, also known as Sodinokibi, announced in mid-August that the company's computer systems had been hacked. According to the criminals, they managed to steal about 1 TB of confidential data from the company's network, including information about employees, contracts, financial documents and internal correspondence.

Also on the list is the American system-on-chip (SoC) manufacturer MaxLinear, which in June 2020 was the victim of a cyber attack by Maze ransomware operators. The attackers encrypted the data of some of the company's computer systems and soon published 10.3 GB of accounting and financial information from more than 1 TB of stolen data.

Recently, more and more ransomware operators have been developing sites where they publish stolen confidential data of victims who refused to pay ransom. Now the Conti ransomware has joined their ranks. However, the reports of experts from Arete, Bleeping Computer and Carbon Black claim that Conti "is controlled by the same group that in the past carried out Ryuk ransomware attacks."

The leak site Conti already lists 26 companies that were victims of the group's attacks and refused to pay a ransom.[8]

Free service launched to monitor the availability of company data on the dark web

In mid-May 2020, ImmuniWeb, a web security company, unveiled the ImmuniWeb Domain Security Test, a free service that will allow enterprises and organizations to assess their vulnerability on the darknet. The online test detects whether the company's data and documents are present on the "dark web." Read more here.

Positive Technologies: The popularity of trading in access to corporate networks is growing in the black market

On April 27, 2020, it became known that Positive Technologies experts conducted a study of trading platforms in the shadow cyber services market and found a surge in interest in access to the corporate network: in the first quarter of 2020, the number of offers to sell access is 69% higher than the previous quarter. The identified trend significantly affects the security of the corporate infrastructure during the period of mass transfer of employees to remote work.

As reported, in the fourth quarter of 2019, more than 50 accesses to networks of large companies from all over the world were put up for sale on hacker forums (the same number was counted for the entire 2018), and already in the first quarter of 2020 there were more than 80 accesses on sale. Most often, access is sold to industrial organizations, companies from the service sector, finance, science and education, information technology (all this is 58% of the proposals in the aggregate).

Number of new branches in shadow forums dedicated to access to corporate networks

If a year or two ago, cybercriminals were mainly interested in accessing single servers, which cost within $20, then since the second half of 2019 there has been an increase in interest in buying access to local networks of companies. The amount of transactions also increased. For example, as of April 2020, companies with annual revenues of $500 million offer a share of up to 30% of potential profits for access to infrastructure after the attack is completed. The average cost of privileged access to the local network is now about $5,000.

Breakdown of Compromised Organizations by Industry

Victims for April 2020 include organizations with annual revenues ranging from hundreds of millions to several billion dollars. Most often, access is sold in companies from the United States (more than a third of all offers), and the top five also include Italy and the United Kingdom (5.2% of offers each), Brazil (4.4%), Germany (3.1%). At the same time, in the case of the United States, access to service organizations (20%), industrial companies (18%) and government agencies (14%) are most often sold. With regard to Italy, the leaders in demand are industry (25%) and services (17%), and in the UK ― the field of science and education (25%) and the financial sector (17%). 29% of all sold access to German companies falls on the IT and services sector.

Geography of hacked companies

Usually buyers of such goods are other attackers. They acquire access to develop an attack on their own or hire an experienced team of hackers to elevate privileges on the network and place malicious files on critical nodes of the victim's infrastructure. Ransomware operators were among the first to adopt this scheme.

Offers to sell access to networks in the shadow market
"We expect that in the near future large organizations may fall under the sights of low-skilled violators who have found a way to easily earn money. During the worldwide quarantine, when companies massively transfer employees to remote work, hackers will look for any open hole in systems on the perimeter of the network. The larger the company whose network is accessed, and the higher the privileges received, the more the offender can earn," said Vadim Solovyov, senior analyst at Positive Technologies.

In order to avoid problems, Positive Technologies experts recommend that companies pay attention to comprehensive infrastructure protection - both on the network perimeter and on the local network. First of all, you should make sure that all services on the perimeter of the network are protected, and the local network provides a sufficient level of monitoring of security events to identify the offender. Regular retrospective analysis of security events will detect previously missed cyber attacks and eliminate the threat before attackers steal information or stop business processes.

The darknet began to sell the blood of those who recovered from coronavirus

In early April 2020, cyber threat researchers at McAfee discovered a post on a web forum on the dark web, the author of which offered blood for sale from a person who recovered from Covid-19 infection.

The announcement is likely related to the latest news, according to which some patients showed improvement after transfusion of plasma from recovered patients. According to the British edition of the Guardian, improvement was observed in two patients in two different pilot studies, one in Wuhan and the other in Shenzhen. However, a randomized trial has not yet been conducted, and an independent attempt to transfuse blood of unknown origin, especially if it was obtained on the black market, can be deadly.

Cyber threat researchers at McAfee found a post on a web forum on the dark web, the author of which offered blood for sale from a person who recovered from Covid-19 infection

McAfee lead researcher Christian Beek and principal investigator Raj Samani note that the explosion of fraud amid global events was not a surprise to cybersecurity experts, but the coronavirus pandemic has identified many unexpected threat vectors.

"We've seen numerous examples of fraudsters abusing people's trust using current news, and current global events are no exception," Beek and Samani wrote on their blog. "Covid-19 as a bait does not lose its relevance. We regularly identify new campaigns that use the coronavirus in selfish interests."

Beek and Samani study the underground markets of Onion and other services using channels in the Telegram messaging service. Among other things, they found an incredible number of sellers cashing in on face masks. One site sold masks at a price 10 times the retail price. The seller was allegedly a legal wholesaler and supplier of medical masks, but did not disclose his identity.[9]

2019

How insiders are recruited in banks in the Russian-language darknet

At the end of 2019, about 70 insider recruitment services in banks operate in the Russian-speaking segment of the darknet, which daily leak confidential information about customer accounts, dataleak reports.

The recruiter receives an average of 15,000 per employee from the "puncher." The job specifies search criteria - for example, a position in an organization. Then the customer simply waits for the recruiter to send over the contacts of the ready-to-work employee. The wait lasts 5-7 days on average.

The cost of recruitment ranges from 7,000 to 100,000 rubles and depends on the complexity of the task.

US leads on firearms trade on the dark web

Data for 2019

Discovery of 200 "bulletproof" hosting provider servers

On September 30, 2019, it became known that 200 servers of a so-called "bulletproof" hosting provider were located in a former NATO bunker. Read more here.

Russian language - in the top five most popular in Darknet

On September 10, 2019, Trend Micro published a study, Uncovering IoT Threats in the Cybercrime Underground, which describes how cybercriminal groups use IoT devices for their own purposes and what threats this poses. Trend Micro analysts investigated the dark web, finding out which IoT vulnerabilities are most popular among cybercriminals, as well as what languages the participants in the cyber underground speak. During the study, it turned out that the Russian language was included in the top five most popular in the Darknet. In addition to Russian, the top 5 languages of the darknet include English, Portuguese, Spanish and Arabic. The report provides an analysis of five cybercriminal communities classified according to the languages they use to communicate. Language has proved to be a more important unifying factor than geographical location. Read more here.

Selling TrueCaller App Subscriber Base

On July 18, 2019, InfoWatch reported the results of the second quarter of 2019 in terms of leaks of confidential information from organizations and identified the largest incidents. A huge database of subscribers to the popular TrueCaller application was put up for sale on the darknet - about 140 million accounts in total. For the entire data package, unknown persons want to receive 25 thousand euros. Read more here.

The attacker earned $760 thousand on fake domains in the dark net

On March 21, 2019, Digital Shadows specialists reported an unusual fraudulent operation: a massive case of typosquatting in the dark net. Typosquatting means registering domain names whose spelling is similar to the names of well-known brands. For example, the domain name example.com is, at first glance, quite difficult to distinguish in the address bar from the name exarnple.com. In the case of popular brands, this allows attackers to create fake sites on similar domains to steal visitors' account data or funds.

The use of typosquatting in common top-level domains has long been known. Its application in the anonymous Tor network is something else. Digital Shadows researchers accidentally stumbled upon the statements of an anonymous attacker who boasted that he had created a network of 800 fake names in the "dark network" (in the .onion pseudo-domain). The domains imitated the names of various legitimate dark net resources. The word "legitimate" is hardly appropriate here, however, since these are mainly hacker trading platforms, forums and other resources of this kind. Over four years, the fake pages brought the fraudster about 760 thousand dollars in the cryptocurrency bitcoin. The money came from payments for goods and services (which the attacker, of course, did not provide), donations to maintain resources (a common practice on the "dark web") and trading accounts whose credentials were stolen.

Digital Shadows experts were unable to verify the fraudster's financial claims. But they were able to detect at least 500 fake domains that really did imitate popular resources of the Tor network, and it is very likely that typosquatting there is indeed a profitable business. The attackers' task is also made easier by the fact that the addresses of onion resources are long strings of often arbitrary characters, so memorizing the desired address and distinguishing it from a fake one is almost impossible.[10]
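The look-alike problem described above can be checked mechanically on the defender's side. The sketch below is an added example, not part of the original article or of the Digital Shadows research: it compares an address against an allowlist of names verified out of band and flags confusable spellings (such as "rn" for "m"), small typos and shared prefixes. The allowlist entries, the confusable pairs and the thresholds are assumptions made for illustration.

```python
import os

# Constructed allowlist: names verified out of band (both values are made up).
TRUSTED = ("example.com", "exampleforumk4q2zt.onion")

# Character sequences that look alike in an address bar (assumed, not exhaustive).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def skeleton(name):
    """Collapse confusable sequences so that look-alike names compare equal."""
    for seq, canon in CONFUSABLES:
        name = name.replace(seq, canon)
    return name


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_address(candidate, trusted=TRUSTED, max_distance=2, min_prefix=8):
    """Return (verdict, trusted name the candidate resembles or None)."""
    cand = candidate.strip().lower()
    if cand in trusted:
        return ("trusted", cand)
    for good in trusted:
        if skeleton(cand) == skeleton(good):
            return ("lookalike-confusable", good)
        if edit_distance(cand, good) <= max_distance:
            return ("lookalike-typo", good)
        # Assumption: readers check only the start of a long onion name,
        # so a long shared prefix with a trusted name is flagged as well.
        if len(os.path.commonprefix([cand, good])) >= min_prefix:
            return ("lookalike-prefix", good)
    return ("unknown", None)


if __name__ == "__main__":
    for name in ("example.com", "exarnple.com", "exmaple.com",
                 "exampleforumx7p3ab.onion", "unrelated.org"):
        print(name, check_address(name))
```

Only an exact match against the allowlist counts as trusted; every other verdict means the address should not be used until it has been verified through a separate channel.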

Mass detentions of shadow Internet users

At the end of March 2019, it became known about the mass detentions of criminals who conducted their illegal activities on the shadow Internet.

According to the ComputerWeekly portal, citing a statement by Europol, as part of a joint operation called SaboTor, law enforcement agencies in different countries, including the United States, Canada and Europe, made 61 arrests and closed 50 web services used to conduct illegal business.

The police raided the shadow Internet. 61 arrests and 50 closed services at a time

After receiving 65 search warrants, the police seized a total of 300 kg of drugs, 51 firearms and more than 6.2 million euros of illegally earned money (including 4 million euros in cryptocurrency, 2 million euros in cash and about 35 thousand euros in gold). In addition, 122 people were questioned during Operation SaboTor.

Along with information about mass detentions and searches, the administration of the largest underground trading platform Dream Market announced the termination of its activities. According to a post on the website's home page, closure is scheduled for April 30, 2019, with all operations to be managed by a "partner company."

A variety of theories spread on social media, up to the assumption that the marketplace is already controlled by law enforcement, and it is not safe to enter Dream Market (and a new site, whose opening is expected later).

Europol says that the shadow Internet provides a safe environment for personal privacy and freedom of action, but also remains a "fertile environment" for criminals and various illegal actions.

Europol chief executive Catherine De Bolle says the dark web is not as hidden an environment as many people think.[11]

"When you buy or sell illegal goods on the Internet, you are not hidden from law enforcement and endanger yourself," she said.

617 million accounts from 16 hacked sites are sold on the dark web for $20 thousand in bitcoin

On February 12, 2019, it became known that 617 million accounts stolen from users of 16 hacked sites were put up for sale on the Dream Market black market on the darknet. Read more here.

Notes