February has been a relatively active month on the darknet, as previously persistent DDoS attacks have subsided. The dominant view is that these DDoS attacks were carried out by the Apollon admin to prevent news of their exit scam from spreading. However, these allegations have not been substantiated and law enforcement involvement remains a possibility.
Apollon’s disappearance is Empire’s gain
In light of Apollon’s exit scam, there are no serious rivals to Empire in terms of the most popular darknet market. In a post on Dread, the Empire admin celebrated their two year anniversary and revealed they now have over 1 million users. This achievement is particularly impressive, considering that Empire has been plagued by issues typically associated with lesser markets. Their uptime is still relatively poor, and their admin either fails to respond to disputed tickets or take their time doing so. This latter issue is so severe that the admin introduced ‘office hours’ on their subDread, during which users can raise disputed tickets.
Ultimately, Empire’s enduring popularity reflects the poor quality of its competition – a fact that is unlikely to change in the short term. Nonetheless, the longer a market is active, the greater the risk that the admin is targeted by law enforcement. Faced with this dilemma, most choose to exit scam before they can be caught. Empire’s dominance, therefore, is unlikely to last.
The impact of Apollon’s exit scam has also manifested in other ways. White House has seen a rise in both vendors and users; it currently appears to be the second most popular market, although still lags far behind Empire. There has also been a glut of new markets appearing, including Cypher, Kingdom and Europa. It is unlikely that all of these markets will endure, as illustrated by Kingdom, whose misconfigured server led to its IP address leaking. Of all these new markets, Europa is particularly notable because it currently permits the sale of firearms. It also appears to be growing the fastest, although this is not always an indicator of longevity.
In other news, this month finally saw the launch of the much-anticipated Recon search engine service, built by Dread founder @HugBunter. It allows users to search for a specific product or vendor across a range of markets, both past and present. A profile is generated for each vendor, providing an average rating and the total number of sales.
Recon is by no means the first market search engine, however: this accolade goes to Grams which was launched in April 2014. Grams ceased operating in December 2017 and was superseded by the launch of Kilos, in November 2019, a site with similar features that also allowed users to partially view vendor activity in certain forums.
Despite containing a few new features, Recon is proving popular due to its association with @HugBunter and the promise of market data being updated more frequently than previous search engines. However, the launch of Recon highlights the increasingly central role played by Dread, and other services developed by @HugBunter, in the darknet community. As we observed with the recent DDoS attacks, downtime for these services disrupts the community by denying them a central platform to congregate.
Ransomware victim data published to pressure victims
There has also been an increasing trend of ransomware operators publishing victim data on the darknet. This began with the Maze ransomware operators, punishing victims that refused to pay the ransom demands by posting their data on the Russian-language forum, XSS[.]is. This strategy was then adopted by the operators of various other ransomware, including Sodinokibi (REvil), DoppelPaymer and Nemty. These operators also further developed this strategy by creating websites specifically for publishing victim data. Most of the links to these websites are shared on the Russian-language forums XSS[.]is or Exploit[.]in.
The Sodinokibi operators took this strategy one step further by promising to publish only partial victim data. If victims then still refuse to pay, the threat actors auction off the most sensitive victim data. The Sodinokibi gang also advised affiliates – the cybercriminals that have bought access to the RaaS – to notify stock exchanges of ransomware attacks in order to put more pressure on the victim. Both XSS[.]is or Exploit[.]in have specific sections devoted to the auctioning of stolen data, so it is possible that some victim data may resurface there. While it remains to be seen whether this strategy results in more ransoms being paid, it undoubtedly grants the ransomware operators more leverage.
Finally, Avaris market recently went offline without warning: it has yet to return. The only source of information is a user who advertised Avaris on forums. There have been no updates from the market admins. At this time, it is unclear whether the site has been seized by law enforcement or the admins have exit scammed. Avaris was a relatively small market, so its disappearance is unlikely to have a significant impact. Despite this, its disappearance does serve to underscore how volatile smaller markets can be and why users prefer established markets like Empire, despite their many flaws. Were Empire to disappear in a similar manner, the short-term impact would be significant due to the lack of an obvious successor.