This chapter uses Elfreda Chatman’s concept of ‘small worlds’ and Reijo Savolainen’s concept of ‘Way of Life’ to examine identity information sharing on a Finnish Dark Web drug trading image board.
Based on a curated set of posts, it shows how people’s identity information sharing on such anonymous fora often centres around issues of trust and safety. The chapter discovers that like other small world virtual communities, these too are of information poor environments, where some participants are seen as outsiders and some as insiders, based on factors such as age, ethnicity, and information sharing.
[Keywords: information practices, information sharing, Dark Web, drug trading, image board]
We present a framework for web-scale archiving of the dark web. While commonly associated with illicit and illegal activity, the dark web provides a way to privately access web information. This is a valuable and socially beneficial tool to global citizens, such as those wishing to access information while under oppressive political regimes that work to limit information availability. However, little institutional archiving is performed on the dark web (limited to the Archive.is dark web presence, a page-at-a-time archiver). We use surface web tools, techniques, and procedures (TTPs) and adapt them for archiving the dark web. We demonstrate the viability of our framework in a proof-of-concept and narrowly scoped prototype, implemented with the following lightly adapted open source tools: the Brozzler crawler for capture, WARC file for storage, and pywb for replay. Using these tools, we demonstrate the viability of modified surface web archiving TTPs for archiving the dark web.
Illicit drugs take up by far the largest market share out of all categories of illicit items sold on the dark web marketplaces. With the rapid growth of darknet users over the last decade, and the notorious popularization of the Silk Road business model, drug vendors, both new and established, have been becoming adept in marketization of their goods. The cryptomarket platforms became reminiscent of traditional e-commerce websites, such as Amazon or eBay, with item descriptions, vendor ratings, reviews, and discounts.
There exists a gap of knowledge regarding the effects of vendor popularity on the price of drugs, created by the new “black e-commerce” business model. This research uses secondary forms of data analysis to discover if a relationship exists between vendor popularity and prices on dark web marketplaces.
[Keywords: drug trafficking, dark web marketplaces, analysis, drug vendors, drug pricing, vendor popularity]
Modern law enforcement agencies strive to identify current trends and developments in Darknet markets. Extracting information from such markets requires knowledge about the contained entities, which can be extracted via Named Entity Recognition (NER).
Modern NER models are trained via supervised learning, which requires an annotated dataset, but such datasets for specific application domains, e.g. drug detection in Darknet markets, are rarely available. In this work, we created a NER dataset focused on drugs in Darknet markets and evaluated resources and techniques for domain and task adaptation of our NER models. The dataset, with about 3,500 item listings, was created via crowd-Sourcing and refined via a manual review. It is approximately 3× the size of the only other available NER dataset for Darknet markets, we were aware of at this time.
We found that we were able to improve our NER prediction performance by ‘domain adaptation’ via fine-tuning our language models on Darknet item descriptions and reduced versions of Wikipedia texts about illicit drugs. Our models were able to predict drug entities with a F1-Score of up to 84.04 points according to the CoNLL2003NER evaluation metric.
[Keywords: NER, Named Entity Recognition, noisy user-generated text, darknet, drug detection, crowd-sourcing, Mechanical Turk]
…The Darknet data is loaded from 2 primary sources, the Darknet Market Archives [BCDH+15] and AZSecure-data [DZE+18].
The Darknet Market Archives contain multiple datasets about Darknet Market platforms and forums. We only used the “grams” dataset. This dataset contains nearly daily scrapes of multiple market platforms (e.g. “Agora”). We chose to use the last date where these markets were scraped “2015-07-12” and only a subset of these markets, namely: “Abraxas”, “Agora”, “Alpha”, “ME”, and “Oxygen”. This dataset was only used for adjusting our language models to the target domain, called domain adaptation (see section 2.1). For the dataset creation we used a dataset from AZSecure-data, which was scraped from a platform called “Dream Market”. At this time it was the largest Darknet market platform according to [DZE+18]. The data was collected from 2013 to 2017 and contained 91,463 listings of which 61,420 were found in a category associated with drugs. The dataset contains a variety of product and vendor information.
In scope of this work, we were only interested in the product name and description. The item description was used for the annotation of named entities and the product name, was used to provide context to the annotators. However, other types of information were used during the pre-processing for pseudonymization purposes. The pseudonymization included removing all vendor names from the item listings, removing email addresses and telephone numbers and all links found in the dataset (those might also identify a vendor profile). A recent example for a drug item listing, which was online at the time of our project, can be seen in Figure 3.1.
Our experiment design required further datasets as representatives for standard NER corpora and text corpora with noisy user-generated data.Our standard NER text corpus is the well-known CoNLL2003NER dataset[TKSDM03], which is based on newswire texts annotated with Person, Location, Organization and Miscellaneous entities. As representatives for the noisy user-generated text datasets we chose the Broad Twitter Corpus [DBR16] and the WNUT 2017 dataset [DNEL17]. The Broad Twitter Corpus contains 9,551 Tweets with annotations for entities of type Person, Location and Organization. The WNUT 2017 dataset contains 2,295 text from various sources (Reddit, Twitter, YouTube, and StackExchange comments) with annotations for Person, Location, Corporation, Product, Creative-Work and Group as named entity types. Furthermore, we used the extension from Al-Nabki [NFAFR20] of theWNUT 2017 dataset called “NuToT”. This dataset version is extended by Darknet market listings, which advertise illicit goods.
The Darknet has become a place to conduct various illegal activities like child labor, contract murder, drug selling while staying anonymous. Traditionally, international and government agencies try to control these activities, but most of those actions are manual and time-consuming. Recently, various researchers developed Machine Learning (ML) approaches trying to aid in the process of detecting illegal activities.
In this work, we use some more modern techniques like Doc2Vec, & Bidirectional Encoder Representation From Transformers (BERT) that have not been studied yet.
The primary problem of this project is to classify illegal advertisements published on the Darknet by exploring the above-mentioned state of the art and comparing them against known approaches that use classical techniques, like TF-IDF. Also, we use various data balancing techniques and perform experiments using that data on classical techniques like TF-IDF.
Exploring the darknet can be a daunting task; this paper explores the application of data mining the darknet within a Canadian cybercrime perspective. Measuring activity through marketplace analysis and vendor attribution has proven difficult in the past. Observing different aspects of the darknet and implementing methods of monitoring and collecting data in the hopes of connecting contributions to the darknet marketplaces to and from Canada. The significant findings include a small Canadian presence, measured the product categories, and attribution of one cross-marketplace vendor through data visualization. The results were made possible through a multi-stage processing pipeline, including data crawling, scraping, and parsing. The primary future works include enhancing the pipeline to include other media, such as web forums, chatrooms, and emails. Applying machine learning models like natural language processing or sentiment analysis could prove beneficial during investigations.
Darknet markets for illicit goods face law enforcement and public health researchers with new challenges and give economists a unique opportunity to study production under uncertainty. While current cryptomarket research focuses on the effects of police intervention on market participants, this thesis extends the literature by exploring the effects of Bitcoin price volatility, which is the main currency used on cryptomarkets.
Using scraped data from the largest cryptomarkets between 2014 and 2015, I exploit an event study design to causally estimate dynamic paths of shocks to these 2 types of production risk. Within a month, high levels of police intervention and Bitcoin volatility s statistically-significant decrease the expected probability of market entry by 4.3% and 6.4%. While established vendors only show weak reactions to impulses in terms of drug supply, they pass on the added risk to buyers in the form of a short-term risk premium of around 4.8% (8.7%) in the case of an arrest (volatility) shock.
To my knowledge, this is the first study to establish a causal link between Bitcoin volatility and market outcomes on cryptomarkets, showing that criminals see police intervention as one of several production risks that vendors respond to with higher prices rather than lower supply.
Darknet market forums are frequently used to exchange illegal goods and services between parties who use encryption to conceal their identities. The Tor network is used to host these markets, which guarantees additional anonymization from IP and location tracking, making it challenging to link across malicious users using multiple accounts (sybils). Additionally, users migrate to new forums when one is closed, making it difficult to link users across multiple forums. We develop a novel stylometry-based multitask learning approach for natural language and interaction modeling using graph embeddings to construct low-dimensional representations of short episodes of user activity for authorship attribution. We provide a comprehensive evaluation of our methods across four different darknet forums demonstrating its efficacy over the state-of-the-art, with a lift of up to 2.5× on Mean Retrieval Rank and 2× on Recall@10.
Opioids, including the highly potent synthetic opioids fentanyl and carfentanil, are commonly sold on illicit cryptomarkets or Tor darknet markets. Data collected throughout 2019 from 12 large darknet markets that sold opioids enabled observation of the impact of law enforcement seizures and voluntary or scam market closures on the availability of fentanyl and other opioids.
Trends in opioid and fentanyl availability before and after law enforcement interventions indicate whether market operators and sellers are deterred and whether market closures lead to displacement, dispersal or substitution. Evidence of all of these outcomes was present in both descriptive and trend analyses, although most effects were short lived. Market closures, especially law enforcement seizures, reduced the availability of opioids, in particular fentanyl, as well as increasing prices and displacing vendors to other markets. Market closures also led vendors to substitute fentanyl for other opioids or other illicit drugs.
Opioids, including the highly potent synthetic opioid fentanyl and carfentanil, which has the potential to be used as a chemical weapon, are commonly sold on illicit cryptomarkets or Tor darknet markets. This report investigates the impact of darknet market closures (voluntary or exit scams) and law enforcement market seizures on the availability of fentanyl and other opioids. Quantitative methods were used to investigate the presence of potential effects of closures and seizures. We analysed these effects across four dimensions: opioid availability (as measured by unique listings), vendor or trader movement and cross-market activity, market stock value and variations in the prices of opioid products. A unique product listings time series was constructed, and the time series was then split into several sub-intervals based on the timing of market closures.
Data were collected over 352 days, from 2 January to 20 December 2019 (excluding weekends), combining 251 scrapes from initially eight darknet markets: Apollon, Empire, Dream, Nightmare, Tochka (also known as Point), Berlusconi, Valhalla (also called Silkitie), and Wall Street. In April three ‘new’ markets (Agartha, Dream Alt and Samsara) were added after Wall Street and Valhalla were seized by law enforcement and Dream voluntarily closed. In July Cryptonia was added as a substitute for Nightmare, which closed in an exit scam (where a business stops sending orders but continues to accept payment for new orders). Cryptonia operated until a planned (voluntary) closure in November
Darknet markets have presented unique problems to law enforcement agencies (LEAs) since the inception of Farmer’s Market in 2006, and its subsequent move to the Tor hidden service in 2010. In 2011 Silk Road 1.0 emerged as a substantial innovation, combining then relatively novel cryptocurrencies with the anonymity of Tor, before it was seized and its operators arrested in 2013. The Silk Road model proved enduring and darknet markets continued to evolve. Accordingly, LEA operational techniques continue to adapt to the criminal use of the Tor platform and, as with cybercrime in general, transnational policing methods have become essential.
In early 2019, a transnational law enforcement task force of US and European LEAs, the Joint CriminalOpioid and Darknet Enforcement (J-CODE) team, focused on the darknet trade infentanyl.J-CODE’s Operation SaboTor targeted Wall Street, a darknet market that was then among the most active in selling fentanyl and its derivatives. Under Operation SaboTor, Finnish Customs (with French National Police and Europol) seized Valhalla in February 2019, and then in April the German Federal Criminal Police (Bundeskriminalamt) arrested three Germans who operated Wall Street. Another 61 associated vendors or dealers, mostly located in the US and Europe, were also arrested. In May a major online gateway, DeepDotWeb, which linked buyers to darknet market URLs, was also seized by the J-CODE team. Throughout 2019, several other darknet markets also closed, either in exit scams (Nightmare in July, Tochka in November) or in voluntary closures (Dream Market in March, Cryptonia in November). In September 2019, as part of Operation Darknet, the Italian Guardia di Finanza seized Berlusconi, a market that was also active in the sale of fentanyl and other opioids.
The potential deterrence of market operators and sellers and the displacement, dispersal or product substitution that may follow such closures were explored by comparing trends in opioid and fentanyl availability before and after law enforcement interventions. Evidence of all of these outcomes was present in both descriptive and trend analyses, although effects were often short lived. Analysis also showed that market closures, especially seizures of markets by law enforcement, reduced the availability of opioids, in particular fentanyl, increased prices and displaced vendors to other markets. Market closures also led buyers to substitute fentanyl for other illicit drugs or other opioids.
Throughout 2019 a total of 2,089,694 listings, excluding duplicates, were identified, advertising a diverse range of illicit drugs and other contraband. 3% (n = 63,567) of these listings were opioids, of which ~5% (n = 3,151) were fentanyl. Among fentanyl listings, 19% (n = 606) were the extremely potent analogue carfentanil.
Over the observed period, Berlusconi offered the greatest number of unique listings, representing 36% of all listings. The items identified included illicit drugs, digital products such as malware and other contraband. Berlusconi also had the highest number of opioid listings (again at 36%) while Wall Street dominated listings of fentanyl (55%) and carfentanil (41%) until its seizure in April 2019. Tochka accounted for 21% of fentanyl and 30% of carfentanil availability until its exit scam in November of that year.
After the closure of Dream and the seizures of Valhalla and Wall Street, the April–July 2019 period saw the largest growth of opioid listings—from 5,320 at the end of April to 16,930 at the end of July. Yet this period also saw a decline in fentanyl listings: from 792 at the end of April to 531 listings by the end of July, and in December only seven listings (five of which advertised carfentanil) remained on Empire. Wall Street dominated fentanyl availability between January and April, but after its seizure Tochka took over the dominant market share until its exit scam in November. New markets also took up some market share after Tochka’s closure.
Over the observed period, 4,156 opioid vendors with unique aliases were identified. Roughly three-quarters (74%) of these vendors (n = 3,090) operated in only one market, while the remaining 26% of vendors (n = 1,066) operated across two or more markets. Almost one in five opioid vendors sold fentanyl (n = 793), with about a quarter (n = 212) of these advertising carfentanil.
This study shows the strengths and limitations of LEA operationstargeting darknet markets. The results suggest that LEA operations targeting specific high-risk products (eg fentanyl) on darknet markets have a greater impact than voluntary closures or exit scams. However, there has always been an element of self-regulation in the operation of darknet markets, such as the widespread policy of banning the listing of child exploitation material. Many markets respond to LEA interventions by implementing further self-regulation of high-risk products. Potent synthetic opioids such as fentanyl and its derivatives were widely banned by many darknet markets throughout 2018 and 2019, indicating that the darknet market economy is risk sensitive and evolving.
LEA operations targeting darknet markets require a long-term effort, with success often the consequence of user error and complacency. Darknet criminal actors are aware of LEA disruption efforts and may underestimate the risks associated with policing activities such as undercover operations and the arrests of vendors and buyers. Market displacement and dispersal as a consequence of closures (voluntary or exit scams) and police operations make buyers, sellers and market operators more adaptable and risk averse.
The implications for criminal justice policy and policing practice are discussed and the probable forms of organised crime and criminal enterprise that may comprise the darknet economy are considered. Transnational and cross-agency police cooperation is crucial in the investigation and prosecution of darknet market players. Persistent surveillance and suppression will be necessary if the availability of the most dangerous synthetic opioids is to be disrupted. The darknet economy has proven to be resilient, and the large profits to be earned from fentanyl, carfentanil and other opioids ensure that these and other products will continue to be available on some darknet markets.
The COVID-19 pandemic has reshaped the demand for goods and services worldwide. The combination of a public health emergency, economic distress, and misinformation-driven panic have pushed customers and vendors towards the shadow economy. In particular, dark web marketplaces (DWMs), commercial websites accessible via free software, have gained substantial popularity.
Here, we analyse 851,199 listings extracted from 30 DWMs [Atshop/Black Market Guns/CanadaHQ/Cannabay/Cannazon/Connect/Cypher/DarkBay/DBay/DarkMarket/Darkseid/ElHerbolario/Empire/Exchange/Genesis/Hydra/MEGA Darknet/MagBO/Monopoly/Mouse In Box/Plati.market/Rocketr/Selly/Shoppy.gg/Skimmer Device/Tor Market/Torrez/Venus Anonymous/White House/Willhaben/Yellow Brick] between January 1, 2020 and November 16, 2020. We identify 788 listings directly related to COVID-19 products and monitor the temporal evolution of product categories including Personal Protective Equipment (PPE), medicines (eg., hydroxychloroquine), and medical frauds. Finally, we compare trends in their temporal evolution with variations in public attention, as measured by Twitter posts and Wikipedia page visits.
We reveal how the online shadow economy has evolved during the COVID-19 pandemic and highlight the importance of a continuousmonitoring of DWMs, especially now that real vaccines are available and in short supply. We anticipate our analysis will be of interest both to researchers and public agencies focused on the protection of public health.
Although Dark Net Market (DNM) has attracted more and more researchers’ interests, we found most works focus on the markets while ignore the forums related with them. Ignoring DNM forums is undoubtedly a huge waste of informative intelligence. Previous works usually utilize LDA for darknet data mining. However, traditional topic models cannot handle the posts in forums with various lengths, which incurs unaffordable complexity or performance degradation. In this paper, an improved Bi-term Topic Model named Filtered Bi-term Model, is proposed to extract potential topics in DNM forums for balancing both overhead and performance. Experimental results prove that the topical words extracted by FBTM are more coherent than LDAand DMM. Furthermore, we proposed a general framework namedpyDNetTopic for content extracting and topic modeling uncovering DNM forums automatically. The full results we apply pyDNetTopic to Agora forum demonstrate the capability of FBTM to capture informative intelligence in DNM forums as well as the practicality of pyDNetTopic.
Activity of the six leading dark web marketplaces is measured.
There was a larger volume of trades on Monday, Tuesday and Wednesday nights.
There were fewer trades on Saturdays and Sundays.
The drug trade for retail purposes accounts for a large part of the cryptomarkets
Operation Onymous simply displaced users and did not deter activity.
Online illicit marketplaces known as cryptomarkets have gained considerable attention from the media, government authorities, law enforcement agencies, and researchers. An increasing number of studies have investigated various aspects of these cryptomarkets’ characteristics, such as product categories, sale volumes, and the number of listings and vendors. However, there is a gap in the literature regarding whether illegal transactions (of illicit drugs) take place during the day or week. This study fills this gap by tracing Bitcoin addresses associated with the six previously leading and most active cryptomarkets—Silk Road, Silk Road 2.0, Agora, Evolution, Nucleus, and Abraxas—to identify the specific timings of these transactions. This study reveals clear patterns of activity on the marketplaces. First, transactions more often take place at night in European countries (Germany, Netherlands, the UK), the US, and Canada, where the cryptomarket drug trade is most active. Second, there are more transactions on Mondays, Tuesdays, and Wednesdays, and fewer on Saturdays and Sundays. This indicates that the retail drug trade accounts for a large part of the cryptomarkets. Further, this study examines the impact of a cryptomarket policing effort known as Operation Onymous, and indicates that this policing effort only displaced users among these marketplaces and did not deter their activity, even in the short-term. It also suggests that Operation Onymous did not alter users’ transaction patterns.
Despite the persistent effort by law enforcement, illicit drug trafficking in darknet markets has shown great resilience with new markets rapidly appearing after old ones being shut down. In order to more effectively detect, disrupt and dismantle illicit drug trades, there’s an imminent need to gain a deeper understanding toward the operations and dynamics of illicit drug trading activities. To address this challenge, in this paper, we design and develop an intelligent system (named dStyle-GAN) to automate the analysis for drug identification in darknet markets, by considering both content-based and style-aware information.
To determine whether a given pair of posted drugs are the same or not, in dStyle-GAN, based on the large-scale data collected from darknet markets, we first present an attributed heterogeneous information network (AHIN) to depict drugs, vendors, texts and writing styles, photos and photography styles, and the rich relations among them; and then we propose a novel generative adversarial network (GAN) based model over AHIN to capture the underlying distribution of posted drugs’ writing and photography styles to learn robust representations of drugs for their identifications. Unlike existing approaches, our proposed GAN-based model jointly considers the heterogeneity of network and relatedness over drugs formulated by domain-specific meta-paths for robust node (ie., drug) representation learning. To the best of our knowledge, the proposed dStyle-GANrepresents the first principled GAN-based solution over graphs to simultaneously consider writing and photography styles as well as their latent distributions for node representation learning.
Extensive experimental results based on large-scale datasets collected from 6 darknet markets and the obtained ground-truth demonstrate that dStyle-GAN outperforms the state-of-the-art methods. Based on the identified drug pairs in the wild by dStyle-GAN, we perform further analysis to gain deeper insights into the dynamics and evolution of illicit drug trading activities in darknet markets, whose findings may facilitate law enforcement for proactive interventions.
Activity of the seven leading dark web marketplaces is measured.
Transactions of Bitcoin is investigated.
Internal Bitcoin transactions within each marketplace have a common characteristic.
Dark web marketplaces continue to thrive despite of international policing effort.
This study measures the evolution of the anonymous marketplaces Silk Road, Silk Road 2.0, Agora, Evolution, Nucleus, Abraxas, and AlphaBay, which were the seven leading and most active dark web marketplaces. We identify that all the seven marketplaces use the same software to manage Bitcoin by investigating transactions in these marketplaces. However, the software was no longer used since May 2016 because of its vulnerability to protect anonymity. It indicates that dark web marketplaces advanced to the next stage with anonymity-enhancing tools around in March 2016. Using simple heuristics to identify and trace Bitcoin addresses associated with these marketplaces, purchases on these marketplaces are identified and evaluated. Our method provides evidence on market size, development, and fluctuation over time to fill a gap in previous studies. Dark web marketplaces continue to thrive because users migrate to new marketplaces after the existing ones are shut down. The total sales volume on Silk Road was 192.7 million US dollars between June 2012 and October 2013. The corresponding figures for Silk Road 2.0, Agora, Evolution, Nucleus, and Abraxas were 112.9, 220.7, 69.7, 88.3, and 35.6 million US dollars, respectively. The figures for AlphaBay was 166.0 million US dollars between December 2014 and February 2016.
Over the past decade, the Darknet has created unprecedented opportunities for trafficking in illicit goods, such as weapons and drugs, and it has provided new ways to offer crime as a service. Along with the possibilities of concealing financial transactions with the help of crypto currencies, the Darknet offers sellers the possibility to operate in covert.
This article presents research and development outcomes of the COPKITproject which are relevant to the SECURWARE 2020 conference topics of data mining and knowledge discovery from a security perspective.
It gives an overview about the methods, technologies and approaches chosen in the COPKIT project for building information extraction components with a focus on Darknet Markets. It explains the methods used to gain structured information in form of named entities, the relations between them, and events from unstructured text data contained in Darknet Market web pages.
[Keywords: natural language processing, information extraction, named entity recognition, relationship extraction, event detection]
The technological peculiarities of the Darknet as well as the availability of illicit items on the embedded market-places have raised heated debates in the media and keen interest by law enforcement and academics. In prior work, researchers have already investigated the infrastructure of Darknet platforms and the global distribution of Darknet market activity.
In our work, we take a broader perspective by studying the Darknet as a regional, socio-economic and technological phenomenon. Our starting assumption is that there exist cross-country indicators that are related to Darknet market activity. We identify relevant indicators, and discuss their relationship to cybercrime from a theoretical perspective. We apply regression modelling and conduct a qualitative comparative analysis (QCA) to study the impact of the identified indicators on the number of items offered on the Darknet. We find that GDP per capita, the number ofBitcoin downloads per capita, the number of Tor relay users per capita and an education index correlate with market activity on Darknet platforms.
This research is about authorship attribution (AA) within multiple Dark Web forums and the question of whether AA is possible beyond the boundaries of a single forum. AA can become a curse for users that try to protect their anonymity and simultaneously become a blessing for law enforcement groups that try to track users.
In this paper, we explore AA within multiple Dark Web forums [DNMAvengers, The Majestic Garden (TMG), The Hub (TH), Dread] to determine whether AA is possible beyond the boundaries of a single forum.
The analysis revealed that analyzing all features together with a single classifier does not achieve as good results as when they are classified separately and the final result is computed by a voting mechanism. The latter achieves an F1-Score that is up to 44% higher than in the former case. On top of that, the analyses show that the author of a post is at least 94% within the top 3 most likely candidates.
This shows that AA can threaten the anonymity of Dark Web users across the boundaries of different forums.
[Keywords: authorship attribution, Dark Web, machine learning, natural language processing, voting]
…3.2 Dark Web Forums Used: The number of active users in the dark web forums found between October–December 2019 within the context of this research ranged either between a few hundred or between a thousand and more. Since the probability of finding users who are active in 2 or more forums is expected to be higher when concentrating on those forums that seem to be the most popular, only forums with more than 1000 active users were selected. However, in future work, this threshold could be lowered to also include smaller forums with only a few hundred users to increase the size of the data set.
At the end of 2019 there were fewer than 10 Dark Web forums found with a large community (around 1000 active authors or more). Unfortunately, the number of those forums that allow users to publish their PGP keys in their user profiles, was even smaller. In the end, only 4 forums fulfilled the requirements for this analysis, which are presented in Table 1.
Background: Illicit drugs are increasingly sold on cryptomarkets and on social media. Buyers and sellers perceive these online transactions as less risky than conventional street-level exchanges. Following the Risks & Prices framework, law enforcement is the largest cost component of illicit drug distribution. We examine whether prices on cryptomarkets are lower than prices on social media and prices reported by law enforcement on primarily offline markets.
Methods: Data consists of online advertisements for illicit drugs in Sweden in 2018, scraped from the cryptomarket Flugsvamp 2.0 (n = 826) and collected with digital ethnography on Facebook (n = 446). Observations are advertisements for herbal cannabis (n = 421), cannabis resin, hash (n = 594), and cocaine (n = 257) from 156 sellers. Prices are compared with estimates from Swedish police districts (n = 53). Three multilevel linear regression models are estimated, one for each drug type, comparing price levels and discount elasticities for each platform and between sellers on each platform. Results: Price levels are similar on the two online platforms, but cocaine is slightly more expensive on social media. There are quantity discounts for all three drug types on both platforms with coefficients between −0.10 and −0.21. Despite the higher competition between sellers on cryptomarkets, prices are not lower compared to social media. Online price levels for hash and cocaine are similar to those reported by police at the 1 g level. Conclusion
Mean prices and quantity discounts are similar in the two online markets. This provides support for the notion that research on cryptomarkets can also inform drug market analysis in a broader sense. Online advertisements for drugs constitute a new detailed transaction-level data source for supply-side price information for research.
[Keywords: drug prices, risks and prices, Sweden, cryptomarket, social media, online drug sales]
Exchange patterns between users of an illegal drug cryptomarket are analyzed.
Buyers repeatedly exchange with a trusted seller (high dyadic embeddedness).
For new ties, sellers’ market reputation matters less than dyadic embeddedness.
Unsatisfied drug buyers tend to leave the market rather than form ties with new sellers.
Large-scale online marketplace data have been repeatedly used to test sociological theories on trust between strangers. Most studies focus on sellers’ aggregate reputation scores, rather than on buyers’ individual decisions to trust. Theoretical predictions on how repeated exchanges affect trust within dyads and how buyers weigh individual experience against reputation feedback from other actors have not been tested directly in detail. What do buyers do when they are warned not to trust someone they have trusted many times before? We analyze reputation effects on trust at the dyadic and network levels using data from an illegal online drug marketplace [Abraxas]. We find that buyers’ trust decisions are primarily explained by dyadic embeddedness—cooperative sellers get awarded by repeated exchanges. Although buyers take third-party information into account, this effect is weaker and more important for first-time buyers. Buyers tend to choose market exit instead of retaliation against sellers after negative experiences.
Over the last two decades, researchers explored various aspects of the operational practices of online illicit market operations through the Open and Dark Web for various physical and digital goods. Far less work has considered the presence of counterfeit identity documents for sale within these markets, or the process of advertising, purchasing, producing, selling, and delivering these materials.
This study utilized a qualitative crime script analysis of 19 vendors advertising counterfeit documents on the Open and Dark Web, focusing on the advertising, actualization, and delivery of various products. The pricing for various document types and the locations they claim to reflect citizenship of were examined, along with the variations dependent on where the product was advertised.
The findings demonstrated that the market for identity documents shared common practices to other online markets, highlighting the value of crime script analyses to understand the distribution of goods through illicit markets generally.
The social identity approach suggests that group prototypical individuals have greater influence over fellow group members. This effect has been well-studied offline. Here, we use a novel method of assessing prototypicality in naturally occurring data to test whether this effect can be replicated in online communities. In Study 1a (n = 53,049 Reddit users), we train a linguistic measure of prototypicality for two social groups: libertarians and entrepreneurs. We then validate this measure further to ensure it is not driven by demographics (Study 1b: n = 882) or local accommodation (Study 1c: n = 1,684 Silk Road users). In Study 2 (n = 8,259), we correlate this measure of prototypicality with social network indicators of social influence. In line with the social identity approach, individuals who are more prototypical generate more responses from others. Implications for testing sociopsychological theories with naturally occurring data using computational approaches are discussed.
[Keywords: computational social science, identity prototype, machine learning, online social influence, social identity theory]
The number of blockchain users has tremendously grown in recent years. As an unintended consequence, e-crime transactions on blockchains has been on the rise. Consequently, public blockchains have become a hotbed of research for developing AI tools to detect and trace users and transactions that are related to e-crime.
We argue that following a few select strategies can make money laundering on blockchain virtually undetectable with most of the existing tools and algorithms. As a result, the effective combating of e-crime activities involving cryptocurrencies requires the development of novel analytic methodology in AI.
The Dark Web has changed the way drugs are traded globally by shifting trade away from the streets and onto the web. In this paper, I study whether the Dark Web has an impact on street crime, a common side effect of traditional drug trade. To identify a causal effect, I use daily data from the US and exploit unexpected shutdowns of large online drug trading platforms. In a regression discontinuity design, I compare crime rates in days after the shutdowns to those immediately preceding them. I find that shutting down Dark Web markets leads to a statistically-significant increase in drug trade in the streets. However, the effect is short-lived. In the days immediately following shutdowns, drug-related crimes increase by 5 to almost 10% but revert to pre-shutdown levels within 10 days. I find no impact of shutdowns of Dark Web marketplaces on thefts, assaults, homicides and prostitution.
Physical, technological, and social networks are often at risk of intentional attack. Despite the wide-spanning importance of network vulnerability, very little is known about how criminal networks respond to attacks or whether intentional attacks affect criminal activity in the long-run. To assess criminal network responsiveness, we designed an empirically-grounded agent-based simulation using population-level network data on 16,847 illicit drug exchanges between 7,295 users of an active darknet drug market and statistical methods for simulation analysis. We consider three attack strategies: targeted attacks that delete structurally integral vertices, weak link attacks that delete large numbers of weakly connected vertices, and signal attacks that saturate the network with noisy signals. Results reveal that, while targeted attacks are effective when conducted at a large-scale, weak link and signal attacks deter more potential drug transactions and buyers when only a small portion of the network is attacked. We also find that intentional attacks affect network behavior. When networks are attacked, actors grow more cautious about forging ties, connecting less frequently and only to trustworthy alters. Operating in tandem, these two processes undermine long-term network robustness and increase network vulnerability to future attacks.
33 Novel Synthetic Opioids identified on Dream Market from 03/2018 to 01/2019.
Novel Synthetic Opioids represented 3.3% of all opioid listings advertised.
On average 2.8 kilograms of fentanyl and fentanyl analogs were proposed at each crawl.
High availability of Novel Synthetic Opioids from within and to the US.
Background: The United States is facing a “triple wave” epidemic fueled by novel synthetic opioids. Cryptomarkets, anonymous marketplaces located on the deep web, play an increasingly important role in the distribution of illicit substances. This article presents the data collected and processed by the eDarkTrends platform concerning the availability trends of novel synthetic opioids listed on one cryptomarket.
Methods: Listings from the Dream Market cryptomarket “Opioids” and “Research Chemicals” sections were collected between March 2018 and January 2019. Collected data were processed using eDarkTrends Named Entity Recognition algorithm to identify opioid drugs, and to analyze their availability trends in terms of frequency of listings, available average weights, average prices, and geographic indicators of shipment origin and destination information.
Results: 95,011 opioid-related listings were collected through 26 crawling sessions. 33 novel synthetic opioids were identified in 3.3% of the collected listings. 44.7% of these listings advertised fentanyl (pharmaceutical and non-pharmaceutical) or fentanyl analogs for an average of 2.8 kilograms per crawl. “Synthetic heroin” accounted for 33.2% of novel synthetic opioid listings for an average 1.1 kilograms per crawl with 97.7% of listings advertised as shipped from Canada. Other novel synthetic opioids (eg., U-47,700, AP-237) represented 2% of these listings for an average of 6.1 kilograms per crawl with 97.2% of listings advertised as shipped from China.
Conclusions: Our data indicate consistent availability of a wide variety of novel synthetic opioids both in retail and wholesale-level amounts. Identification of new substances highlights the value of cryptomarket data for early warning systems of emerging substance use trends.
The size of the global market for illicit tobacco products is estimated to be between USD$8.6 and USD$11.6 billion yearly. In addition to an estimated cost of USD$40.5 billion in lost tax revenue the illicit tobacco market further increases the accessibility of a harmful substance for minors and provides a revenue stream for both organised crime and violent political groups. In this paper, we examine how tobacco products are distributed globally through illicit online platform economies known as cryptomarkets. Using data from the cryptomarket Empire, we find tobacco products remain a small niche market exclusively shipping from the EU and that shipping patterns suggest the emergence of new supply routes for end-consumers within Western Europe originating from the UK. We find that the market for tobacco on cryptomarkets remains minimal, as in previous research, compared to the market for drugs.
Purpose: Trading illicit drugs on cryptomarkets differs in many ways from material retail markets. This paper aims to contribute to existing studies on pricing by studying the relationship between price changes in relation to changes in nominal value of the cryptocurrency. To this, the authors qualitatively study product descriptions and images to expand the knowledge on price formation.
Design/methodology/approach: The authors analysed 15 samples based on visual and textual scrapes from two major drug markets—for Dream Market between January 2014 and July 2015 and for Tochka between January 2015 and July 2015. This longitudinal study relates changes in process to variations in the Bitcoin exchange rate and selling strategies. The analysis of the marketing of drugs online also addressed the development of the vendor profile and product offers.
Findings: Product prices change in relation to variations in the Bitcoin exchange rate. This points to the application of mechanisms for automatic price adaptations on the market level. Real prices of the drug offers constantly increase. The authors assert that there is a bidirectional relationship. Vendors structure price and discounts to encourage feedback. And feedback in combination with signals of commitment and authenticity inform pricing. Product descriptions are an important feature in the successful marketization of goods, whereas product images are predominantly used as an aspect of recognisability and feature of the vendor’s identity.
Research limitations/implications: Findings suggest that there is great potential for further qualitative research into the relationship between the online and offline identity of drug vendors, as well as price setting when entering the market and subsequent changes for offered products.
Practical implications: Findings also suggest that further investigation into the constitution and management of vendor’s identity on the cryptomarkets would allow a better understanding of vendors and their interactions on cryptomarkets.
Social implications: A better understanding of drug trading on cryptomarkets helps to more effectively address potentials for harm in the online drug trade. Also targeting crime would benefit from a better understanding of vendor identities and pricing.
Originality/value: The findings represent a valuable contribution to existing knowledge on drug trading on cryptomarkets, particularly in view of pricing and vending strategies.
Cryptomarkets tap into the very large and profitable market of illegal drugs, estimated to be in the billions of EUR. Some of the hazards (and societal costs) of illegal drug consumption are derived from the lack of quality control of these substances (adulteration and purity imbalances).
This study analyzes the effect of cryptomarkets in the quality of cocaine, comparing worldwide results of analyzed samples sourced from cryptomarkets versus traditional markets. Our findings show that cryptomarkets do not offer a substantially higher quality of cocaine with respect to traditional drug markets and we observe a lack of correlation between price per gram and quality. For both cryptomarkets and traditional markets, the geographical factor was the decisive factor in quality of cocaine.
We also show the inter and intra-country cocaine trade in cryptomarkets and we analyze and quantify the effect of the harm reduction possibilities enabled by cryptomarkets, showing that making an informed purchase has clear benefits in expected drug quality.
The usage and number of darknet users has increased rapidly in recent years. A key reason is that the darknet allows users to be fully anonymous when browsing on the darknet. Though such privacy is needed for some users, others decide to abuse the darknet by selling or buying illicit goods off the darknet marketplace without being arrested or punished. Despite the hidden nature of darknet marketplaces, they oftentimes shut down due to reasons such as law enforcement activities or exit scams. As a result, the average life span of a darknet marketplace tends to be around 8 months. This leads to an important question: If a vendor has built up a good reputation before a darknet was shutdown, does that mean he will start over again from scratch? Not likely. A vendor would most likely use their username as a brand, in order to be recognizable on a different darknet marketplace when others shut down.
This thesis states and explores the hypothesis: Accounts that belong to the same individual are likely to have similar usernames, which are being used as a “brand” by the vendor. To verify this hypothesis, we first devise a method to correlate the accounts in a darknet marketplace data set using their PGP keys, thus linking multiple accounts to a single user. We then devise a method for determining username similarity, and check if the correlated accounts have a username similarity above a certain threshold. These experiments are done both internally within the datasets for the Evolution marketplace and the Silk Road 2 marketplace, and also between the two datasets.
From the experiments, 4 behaviors were identified and they were used to verify and strengthen the hypothesis. Most importantly, we find that two accounts that belong to the same user are likely to have similar usernames if the accounts belong to different marketplaces, but not if the accounts belong to the same marketplace. We thus conclude a modified version of our initial hypothesis: Accounts that belong to the same individual, but are on different marketplaces, are likely to have similar usernames, which are being used as a “Brand” by the vendor.
We outline in this article a study of ‘adversarial scraping’ for academic research, which involves the collection of data from websites that implement defences against traditional web scraping tools. Although this is primarily a research methods article, it also constitutes a valuable systematic accounting of the different defensive techniques used by the administrators of illicit online services. Some of these administrators intentionally implement functionality which attempts to prevent web scrapers from gathering data from their site, and some will unintentionally design their sites in ways that make data gathering harder. This is of particular importance for criminological research, where websites such as cryptomarkets and underground forums are publicly available (and hence there is an ethical case for data collection), but the illicit activity involved means that the administrators of these services limit scraping. We classify different anti-crawling techniques taken by websites and outline our developed countermeasures. Based on this, we evaluate which of these methods do and do not succeed at preventing data gathering from a website, as well as those which impact the scraper but do not necessarily prevent the data from being obtained. We find that there are some defences that, if used together, might thwart scraping. There are also a series of defences that are successful at slowing down scrapers, making historical scraping more difficult. On the other hand, we show that many defences are easy to work around and do not impact scraping.
[Keywords: web crawling, web scraping, underground forums, chat channels, cybercrime]
Cryptomarkets may open up the drugs supply in remote areas where access to drugs was expensive or patchy. However, using cryptomarkets relies on risk-limiting techniques to avoid detection which may be easier in urban areas. However, little is known about the geographical patterning of cryptomarket use, in part because data sources on the locations of cryptomarket purchasers are hard to come by. We use a novel dataset of packages of drugs packages intercepted by Scottish law enforcement, likely reflecting cryptomarket use, to understand the flows of drugs through cryptomarkets at regional and neighbourhood levels. This gives previously unavailable insights into the geographical patterns of cryptomarket use at the sub-national level.
We use descriptive statistics, Bayesian hierarchical regression models, and exploratory analysis of spatial clustering to describe the relationship between neighbourhood characteristics and expected rate of drugs consignments identified across Scotland.
The majority of intercepted drug packages were destined for urban centres, but there was a higher than expected delivery rate to some of Scotland’s remote and rural locations. Increased rates of drug delivery within Scottish neighbourhoods was associated with higher levels of crime and deprivation, internet connectivity and with access to services, but not with higher rates of drug-related hospitalisation.
Analysis of spatial clustering showed that drug delivery to the most remote and rural locations was still associated with good access to services because the packages were typically delivered to addresses in larger settlements within remote locations.
Cryptocurrencies have been recognised as a promising financial innovation, offering security and privacy benefits for users. While these digital currencies are mostly used for legitimate purposes, they could also be exploited for criminal or illicit activities. However, there is currently a lack of understanding regarding if and how cryptocurrencies are actually used for illicit or criminal purposes. To balance the potential risks of novel cryptocurrencies with their benefits, more evidence is needed in this area. To help inform public debate and decision making on this issue, RAND Europe explored the uses of cryptocurrencies for illicit or criminal purposes, focusing on Zcash. Commissioned by the Electric Coin Company, who developed and maintain Zcash, this study offers new insights for law enforcement professionals, policymakers, regulators and others interested in cryptocurrencies.
Key Findings: While most transactions made with virtual coins are legitimate, cryptocurrencies are also used for a wide range of illicit or criminal purposes by a diverse group of malicious actors. The three most prominent illicit use-cases of cryptocurrencies are:
Trade in illicit goods and services
Cryptocurrencies were found to have varying levels of illicit use. In relation to the extent Zcash is used for illicit or criminal purposes (ie. the scope, scale and nature of this phenomenon), several key findings were produced:
Zcash is relatively unknown in the academic research community, and the links between Zcash and illicit or criminal activities have not been substantially researched.
This study found no evidence of widespread illicit use of Zcash, however vigilance against its malicious use is still important.
Zcash has only a minor presence on the dark web, indicating that Zcash is seen as a less attractive option to dark web users and is used less often compared to other cryptocurrencies, particularly Bitcoin and Monero.
Users engaged in illicit activities may not fully understand the Zcash operating model. They may also not understand the value in Zcash’s privacy-preserving features, or else are not aware of or confident in them.
Bitcoin is still perceived to be the dominant cryptocurrency for illicit or criminal activities on the dark web, despite the creation of several more privacy-focused cryptocurrencies.
Table of Contents: 1. Introduction · 2. The illicit use of cryptocurrencies · 3. The use of Zcash for criminal or illicit purposes · 4. Factors that may influence the future use of Zcash for illicit purposes · 5. Appendix A: Methodology · 6. Appendix B: List of interviewees
Tor hidden services and anonymity tools alike provide an avenue for cyber criminals to conduct illegal activities online without fear of consequences. In particular, dark marketplaces are hidden services that enable the trade of paraphernalia such as drugs, weapons, malware, counterfeit identities, and pornography among other items of criminal nature.
Several effective Dark Web analysis techniques have been proposed for Dark Web Forums and primarily focus on authorship analysis where the goal is one of two tasks: (a) user attribution, where a user is profiled and identified given an artifact they own, and (b) alias attribution, where pairs of users are identified to belong to the same individual. While these techniques may support dark web investigations and help to identify and locate perpetrators, existing automated techniques are predominately forum-based and stylometry-based, leaving non-textual artifacts, such as images, out of consideration due to the illicit nature of dark marketplace listings. Thus, new methodologies for adequate evidence collection and image handling in dark marketplaces are essential.
In this thesis, stylometric, image, and attribute-based artifacts are collected from 25 dark marketplaces and machine learning based Dark Vendor Profiling methodologies are proposed to achieve dark vendor attribution and alias attribution across dark marketplaces, thereby supporting investigative efforts in deanonymizing cyber criminals acting on the anonymous web.
Namely, we first propose the collection of image hashes in place of image content to reduce the storage demands of our proposed technique and reduce the risk of obtaining illicit digital material during data collection. Second, we design two unique feature sets for authorship analysis tasks that are extracted per listing and per vendor. Third, we propose a novel application of the Random Forest machine learning technique for the task of vendor attribution in dark marketplaces, achieving over 90% accuracy in distinguishing between over 2,500 unique dark vendors from various marketplaces. Lastly, we propose a novel application of the Record Linkage technique for the task of alias attribution and obtain imperative preliminary observations from Support Vector Machine and Logistic Regression based models that can assist in the design of future alias attribution models.
Therefore, this thesis presents a detailed description of these contributions along with an evaluation of our proposed Dark Vendor Profiling system and several future research directions.
Most users have several Internet names. On Face-book or LinkedIn, for example, people usually appear with the real one. On other standard websites, like forums, people often use aliases to protect their real identities with respect to the other users, with no real privacy against the web site and the authorities. Aliases in the Dark Web are different: users expect strong identity protection.
In this paper, we show that using both “open” aliases (aliases used in the standard Web) and Dark Web aliases can be dangerous per se. Indeed, we develop tools to link Dark Web to open aliases. For the first time, we perform a massive scale experiment on real scenarios. First between two Dark Web forums, then between the Dark Web forums and the standard forums. Due to a large number of possible pairs, we first reduce the search space cutting down the number of potential matches to a small set of candidates, and then on the selection of the correct alias among these candidates. We show that our methodology has excellent precision, from 87% to 94%, and recall around 80%.
Darknet markets have been increasingly used for the transaction of illegal products and services in the last decade. In particular, it is estimated that drugs make up two-thirds of darknet market transactions. The growth of illicit transactions on darknet markets have led enforcement agencies to invest greater proportion of time and efforts to monitor and crack down on criminal activities on the darknet websites.
Despite the successes in convicting perpetrators, it is unknown whether these policing efforts are truly effective in deterring future darknet transactions, given that the identities of the transacting parties are well protected by the markets’ features and that these participants may migrate to other darknet platforms to transact. To this end, this study attempts to empirically evaluate the susceptibility of darknet markets breaking down upon successful policing of participants on the platform.
Using drug review data from three largest darknet markets [Silk Road 2, Agora, Evolution], we rely on a difference-in-difference procedure to assess the impact of policing on future transaction levels, by contrasting various outcomes from the policed site with those from the non-policed sites. Our analyses found that enforcement efforts produce a negative effect on subsequent transactions on the policed site, for both vendors in the same country and in different countries as that of the arrested perpetrators. Not only do the average number of transactions per vendor decreased, we also found that the number of active vendors that remained on the site dropped substantially.
This dampening effect cannot be explained by migratory behaviors, to which we interpret as evidence of a deterrence effect at work. Furthermore, we find heterogeneity effects in the enforcement effort, wherein small vendors and vendors with short site tenure are relatively more affected by the arrest shock. Study findings have policy and theoretical implications to law makers, enforcement agencies, and academicians.
Can organized illegal activities grow stronger and more advanced in response to legal pressure? In October 2013, the FBI shut down Silk Road, a thriving e-commerce market for illegal drugs. After the shock, market actors adopted a new identity verification method that enabled mass-migration to other markets, and created websites for information distribution that reduced post-shock uncertainties. The outcome was a decentralized market in which actors could operate in “open secrecy” across multiple websites. With verifiable pseudonyms and securely obfuscated real-world identities, actors could publicly discuss, plan, and participate in illegal activities. Threats from police and opportunistic criminals persisted but were no longer crippling concerns as buyers and sellers could reasonably expect that their exchange partners would be available for future business; the illegal market could operate more like a legal one. Drawing on quantitative and qualitative data, the author argues that advances in information technology have expanded the opportunity structure for cooperation and creative problem-solving in the underworld, and therefore that shocks did not hinder but rather stimulate development in digital drug markets. Data, collected in 2013–2017, include nearly one million transactions from three illicit e-commerce markets, three million messages from eight discussion forums, and website traffic from two market-independent websites.
Anonymity networks, such as Tor, facilitate the hosting of hidden online marketplaces where dark vendors are able to anonymously trade paraphernalia such as drugs, weapons, and hacking services. Effective dark marketplace analysis and dark vendor profiling techniques support dark web investigations and help to identify and locate these perpetrators. Existing automated techniques are text-based, leaving non-textual artifacts, such as images, out of consideration. Though image data can further improve investigative analysis, there are two primary challenges associated with dark web image analysis: (a) ethical concerns over the presence of child exploitation imagery in illegal markets, and (b) the computational overhead needed to download, analyze, and store image content. In this research, we investigate and address the aforementioned challenges to enable dark marketplace image analysis. Namely, we examine image metadata and explore several image hashing techniques to represent image content, allowing us to collect image-based intelligence and identify reused images among dark marketplaces while preventing exposure to illegal content and decreasing computational overhead. Our study reveals that approximately 75% of dark marketplace listings include image data, indicating the importance of considering image content for investigative analysis. Additionally, 2% of considered images were found to contain metadata and approximately 50% of image hashes were repeated among marketplace listings, suggesting the presence of easily obtainable incriminating evidence and frequency of image reuse among dark vendors. Finally, through an image hash analysis, we demonstrate the effectiveness of using image hashing to identify similar images between dark marketplaces.
Ransomware is an epidemic that adversely affects the lives of both individuals and large companies, where criminals demand payments to release infected digital assets. In the wake of the ransomware success, Ransomware-as-a-Service (RaaS) has become a franchise offered through darknet marketplaces, allowing aspiring cyber-criminals to take part in this dubious economy. We have studied contemporary darknet markets and forums over a period of two years using a netnographic research approach. Our findings show that RaaS currently seems like a modest threat relative to popular opinion. Compared to other types of illegal digital goods, there are rather few RaaS items offered for sale in darknet marketplaces, often with questionable authenticity. From our data we have created a value chain and descriptions of the actors involved in this economy.
In this paper we have conducted a comprehensive measurement and analysis on the Dream market, an anonymous online market that uses cryptocurrency as transaction currency. We first collect data between October 30th 2018 and March 1st 2019. Then we use decision tree-based approach to classify goods. Following we analyze the category of goods sold in the market, the shipping place of vendors. By analyzing more than 1,970,303 items, we find the goods sold in Dream Market are mainly drugs and digital goods. We estimate the total sales of all vendors, and find that an average monthly income is $14 million during the measurement period, which means that the market commission income is more than $560,000 per month. Based on these data, we use transaction cost theory to analyze the transaction attributes of illegal transactions, which shows that anonymous online market can reduce transaction cost of illegal transactions. We finally discuss the results analyzed and the intervention policy, as well as recent DDoS attacks and future trends of illegal transactions in anonymous online market.
Background: Buyers and sellers of illegal drugs in cryptomarkets have been found to overcome trust issues created by anonymity and the lack of legal protection with the help of reputation systems. Cryptomarkets rarely operate for longer than a year before closing or getting shut down due to external shocks, such as law enforcement operations. This results in large flows of users migrating between market platforms. An important question in order to better understand why cryptomarkets recover quickly after external shocks is: to what extent can reputation be carried over between different markets? This problem is non-trivial given the anonymity of cryptomarket users and the fact that reputation is tied to a user’s online identity. Here we analyze conditions under which sellers choose to migrate with the same identity and whether reputation history from previous cryptomarkets yields benefits in new contexts.
Methods: We analyze sellers’ migration in three cryptomarkets (Abraxas, Agora and AlphaBay) and follow their reputation history by linking user accounts between marketplaces using the Grams database. We use longitudinal multi-level regression models to compare market success of migrant and non-migrant sellers. In total, the data contains more than 7,500 seller account and 2.5 million buyers’ reputational feedback messages over a period of 3 years.
Findings: It is predominantly the successful sellers with a large number of sales and high reputation who choose to migrate and maintain their identity using cryptographic methods after market closures. We find that reputation history from previous markets creates a competitive advantage to migrant sellers compared to market entrants.
Conclusion: Reputation transferability embeds cryptomarket users beyond a single market platform, which incentivizes cooperative behavior. The results also suggest that reputation transferability might contribute to a quick recovery of online drug trade after shutdowns and accumulation of market share in the hands of a small fraction of successful sellers.
[Keywords: Trust, Reputation, Transferability, Cryptomarkets, Dark web, Online drug markets]
Over the past decade, the darknet has created unprecedented opportunities for trafficking in illicit goods, such as weapons and drugs, and it has provided new ways to offer crime as a service. Natural language processing techniques can be applied to find the types of goods that are traded in these markets. In this paper we present the results of evaluating state-of-the-art machine learning methods for the classification of darknet market offers.
Several embeddings, such as GloVe embeddings , FastText , Tensor Flow Universal Sentence Encoder , Flair’s contextual string embedding  and term-frequency inverse-document-frequency (TF-IDF), as well as our domain-specific darknet embedding have been evaluated with a series of machine learning models, such as Random Forest, SVM, Naïve Bayes and Multilayer Perceptron.
To find the best combination of feature set and machine learning model for this task, the performance was evaluated on a publicly available collection covering 13 darknet markets with more than 10 million product offers . After extracting unique advertisements from the corpus, the classifier was trained on a subset with those advertisements that contain strings related to weapons. The purpose was to determine how well the classifier can distinguish between different types of advertisements which seem all to be related to weapons according to the keywords they contain.
The best performance for this classification task was achieved using the Linear Support Vector Machine model with the Tensor Flow Universal Sentence Encoder for feature extraction, resulting in a micro-f1-score of 96%.
[Keywords: Natural language processing, machine learning, text classification, document embedding, darknet market]
This is the first study to explore how cryptomarket actors are increasingly adopting encrypted messaging applications to “direct deal” beyond the provided platforms, to obviate the protocols of cryptomarkets, and to diversify the communication experience of drug buying via the dark net. Drawing on 965 forum posts discussing encrypted messaging applications, results showed that direct dealing may be more likely to occur in the context of preestablished trust between vendors and buyers, during instances of law enforcement crackdowns, and when buyers are enticed by discounts or promotions. Our findings also suggested a general hesitancy toward direct dealing, as it was often associated with greater exposure to scams, and perceptions that direct dealing increases the risks concerning personal security and detection from law enforcement. These findings provide insight into the interconnection of online drug markets, and how actors make decisions to drift between multichannel supply points mediated by perceptions of trust and risk.
OpenBazaar, a decentralized electronic commerce market-place, has received substantial attention since its development was first announced in early 2014.
Using multiple daily crawls of the OpenBazaar network over approximately 14 months (June 25, 2018–September 3, 2019), we measure its evolution over time. We observed 6,651 unique participants overall, including 980 who used Tor at one point or another. More than half of all users (3,521) were only observed on a single day or less, and, on average, only approximately 80 users are simultaneously active on a given day. As a result, economic activity is, unsurprisingly, much smaller than on centralized anonymous marketplaces. Furthermore, while a majority of the 24,379 distinct items listed seem to be legal offerings, a majority of the measurable economic activity appears to be related to illicit products. We also discover that vendors are not always using prudent security practices, which makes a strong case for imposing secure defaults.
We conclude that OpenBazaar, so far, has not gained much traction to usher in the new era of decentralized, private, and legitimate electronic commerce it was promising. This could be due to a lack of user demand for decentralized marketplaces, lack of integration of private features, or other factors, such as a higher learning curve for users compared to centralized alternatives.
International trafficking of drugs enabled by the dark-web is still a problem despite the increase in take-down actions. Even though the transaction takes place digitally, the national postal systems are the ones being exploited and used for delivery. Users of the dark-web readily share information on forums, cryptomarkets, and feedback pages to maximize their safety and success while conducting these drug transactions. Using data collected from forums, vendor profiles, and feedback pages, this study provides an evidence that the knowledge being shared on the dark-web is rich data law enforcement and governments need to use as intelligence. Users discuss all aspect of the delivery process, including proper addressing, stealth packaging, and risks associated with taking delivery of the package. Based on these findings, policy recommendations are made to guide the implementation of techniques to counter the rise of dark-web-enabled drug shipments in the fight against drugs and cryptomarkets…Data collected for this research was obtained from two forums and one cryptomarket between the period of November 2017 and April 2018. [/r/DNM, Dread, & Dream Market respectively].
Often neglected in the literature about communities of practice is the fact that online knowledge-sharing communities thrive among illicit collectives whose activities are stigmatized or outlawed. This paper focuses on a knowledge-sharing community of users who engage in illegal practices by examining the ways in which the community’s network structure changes when a high-stakes, uncertain event—the July 2017 shutdown of the dark web market Alphabay—occurs. This study compares the discussion network structures in the subreddit r/AlphaBay during pre-shutdown days (the “routine” period) and shutdown days (the “market defect” period) and offers a content analysis of the knowledge and resources shared by users during these periods. Several differences were observed: (a) the network structure changed such that the network size grew while becoming more centralized; (b) new crisis-specific players emerged; (c) types of knowledge shared during the market defect period was qualitatively different from the routine period.
Due to its anonymity and non-traceability, it is very difficult to research websites on the dark network. The research of the dark network is very important for our network security. Now there is very little data for studying the dark network, so we independently developed dark web crawler that runs automatically. This article will detail the implementation process of our dark web crawler and the data analysis process of crawled data. Currently, we can use crawled data to detect if multiple URLs belong to the same site. We can use data to extract features of similar websites and we have generated an ever-increasing data set that can be used for simple website classification. We use the crawled data as a categorical dataset to categorize newly discovered URLs. When we get a certain number of newURLs, we crawl again and the crawled data will be added to the previous data set. After multiple rounds of crawling, our data sets will be more and more abundant. Through our approach, we can solve the problem that the dark network data is small, researchers can use our method to get enough data to study all aspects of the dark network.
Underground marketplaces have emerged as a common channel for criminals to offer their products and services. A portion of these products comprises the illegal trading of consumer products such as vouchers, coupons, and loyalty program accounts that are later used to commit business fraud. Despite its well-known existence, the impact of this type of business fraud has not been analyzed in depth before.
By leveraging longitudinal data from 8 major underground markets from 2011–2017 [Agora, Alphabay, BlackMarket Reloaded, Evolution, Hydra, Pandora, Silk Road 1, Silk Road 2], we identify, classify, and quantify different types of business fraud to then analyze the characteristics of the companies who suffered from them. Moreover, we investigate factors that influence the impact of business fraud on these companies.
Our models show that cybercriminals prefer selling products of well-established companies, while smaller companies appear to suffer higher revenue losses. Stolen accounts are the most transacted items, while pirated software together with loyalty programs create the heaviest revenue losses. The estimated criminal revenues are relatively low, at under $600,000 in total for the whole period; but the total estimated revenue losses are up to $7.5 million.
This dissertation consists of two essays analyzing the various effects of market competition in the United States. The first chapter explores the impact of competition among drug dealers. Although opioid buyers are often addicted to the products they are purchasing, due to the competition among sellers, the buyers have a wide variety of opioid chemicals to choose from. The net result shows buyers to be price sensitive and without loyalty to any particular opioid compound. The second chapter shows that although Mushroom Council post market price and quantity information to all mushroom growers, it does not serve as a focal point for farmers to tacitly collude.
In this work we analyse the use of malicious mimicry and cloning of darknet marketplaces and other ‘onion services’ as means for phishing, akin to traditional ‘typosquatting’ on the web. This phenomenon occurs due to the complex trust relationships in Tor’s onion services, and particularly the complex webs of trust enabled by darknet markets and similar services.
To do so, we built a modular scraper tool to identify networks of maliciously cloned darknet marketplaces; in addition to other characteristics of onion services, in aggregate. The networks of phishing sites identified by this scraper are then subject to clustering and analysis to identify the method of phishing and the networks of ownership across these sites. We present a novel discovery mechanism for sites, means for clustering and analysis of onion service phishing and clone sites, and an analysis of their spectrum of sophistication.
With the rapid development of Internet technology, the abuse of dark networks and anonymous technology has brought great challenges to network supervision. Therefore, it is important to study the anonymous market. In this paper, we propose a single-mode multivariate classification model for anonymous market product classification. Divide anonymous markets products into 5 categories. Our algorithm uses the word vector embedded in a convolutional neural network based on Word2vec training. Compared with the simple machine learning classification model, the accuracy of the single-mode multivariate classification model on the test set is 91.84%. By studying the classification of anonymous market products, law enforcement personnel can better supervise anonymous market of illegal products and maintain network security.
Cryptomarkets, anonymous online markets where illicit drugs are exchanged, have operated since 2011, yet there is a dearth of knowledge on why people use these platforms to sell drugs, with only one previous study involving interviews with this novel group. Based on 13 interviews with this hard to reach population, and data analysis critically framed from perspectives of economic calculation, the seductions of crime, and drift and techniques of neutralization, we examine the differentiated motivations for cryptomarket selling. Throughout the interviews, we observe an appreciation for the gentrified norms of cryptomarkets and conclude that cryptomarket sellers are motivated by concerns of risks and material rewards, as well as non-material attractions in a variety of ways that both correspond with, and differ from, existing theories of drug selling.
Dark markets are commercial websites that use Bitcoin to sell or broker transactions involving drugs, weapons, and other illicit goods. Being illegal, they do not offer any user protection, and several police raids and scams have caused large losses to both customers and vendors over the past years. However, this uncertainty has not prevented a steady growth of the dark market phenomenon and a proliferation of new markets. The origin of this resilience have remained unclear so far, also due to the difficulty of identifying relevant Bitcoin transaction data. Here, we investigate how the dark market ecosystem re-organises following the disappearance of a market, due to factors including raids and scams. To do so, we analyse 24 episodes of unexpected market closure through a novel datasets of 133 million Bitcoin transactions involving 31 dark markets and their users, totalling 4 billion USD. We show that coordinated user migration from the closed market to coexisting markets guarantees overall systemic resilience beyond the intrinsic fragility of individual markets. The migration is swift, efficient and common to all market closures. We find that migrants are on average more active users in comparison to non-migrants and move preferentially towards the coexisting market with the highest trading volume. Our findings shed light on the resilience of the dark market ecosystem and we anticipate that they may inform future research on the self-organisation of emerging online markets.
Online anonymous marketplaces are a relatively recent technological development that enables sellers and buyers to transact online with far stronger anonymity guarantees than are available on traditional electronic commerce platforms. This has led certain individuals to engage in transactions of illicit or illegal goods. We investigated how commerce on online anonymous marketplaces evolved after the takedown of the AlphaBay marketplace. Namely, we studied, over the summers of 2017 and 2018, a collection of market-places—Dream Market, TradeRoute, Berlusconi, and Valhalla. In this report, we present an analysis of sales, with a focus on the drug supply coming from the European Union (EU). Keeping in mind the limitations inherent to such data collection, we found that, for the period and the marketplaces considered:
The overall ecosystem appears to have (slightly) grown again since the combined takedown of the AlphaBay and Hansa marketplaces, and now exceeds EUR 750 000 euros per day. This calls into question the long-term impact of such takedowns on the overall online anonymous marketplace ecosystem.
Dream Market is overwhelmingly the dominant marketplace, and its daily volume exceeds previous numbers gathered for AlphaBay (Christin, 2017).
EU-based suppliers represent approximately 43% of all drug sales; this is in line with the 46% for marketplaces previously studied (Christin, 2016) in the 2011–15 period, and a marked increase compared with the roughly 25% observed in the subsequent AlphaBay study (Christin, 2017).
EU-originating drugs continued to come primarily from Germany, the Netherlands, and the United Kingdom.
Cannabis, cocaine and other stimulants altogether continued to represent the majority of all EU-based drug sales.
The supply of new psychoactive substances (NPS) remained modestwith revenues below EUR 10 000 per day at market peak, but these slightly increased compared with our previous measurements.
As in our previous studies, marketplace vendors primarily operated in the retail space, but there was evidence of larger (bulk) sales. Volume-based discounting tended to occur, albeit at relatively modest levels.
As in our previous studies, half of the vendors specialised in one type of drug, and half of the drug sellers tended to stick to a given weight category.
Most of the trends observed in this report confirm what we had previously found for other market-places in the 2011–17 period (Christin, 2016, 2017). In other words, despite takedowns and scams, the ecosystem, as a whole, appears relatively stable over time, with the fluctuation in the European sales share noted above indicating an exception.
…we collected 35 scrapes of four markets—Dream Market, Traderoute, Valhalla, and Berlusconi Market—between summer 2017 and summer 2018.
The darknet markets are notorious black markets in cyberspace, which involve selling or brokering drugs, weapons, stolen credit cards, and other illicit goods. To combat illicit transactions in the cyberspace, it is important to analyze the behaviors of participants in darknet markets. Currently, many studies focus on studying the behavior of vendors. However, there is no much work on analyzing buyers. The key challenge is that the buyers are anonymized in darknet markets. For most of the darknet markets, We only observe the first and last digits of a buyer’s ID, such as “a**b”. To tackle this challenge, we propose a hidden buyer identification model, called UNMIX, which can group the transactions from one hidden buyer into one cluster given a transaction sequence from an anonymized ID. UNMIX is able to model the temporal dynamics information as well as the product, comment, and vendor information associated with each transaction. As a result, the transactions with similar patterns in terms of time and content group together as the subsequence from one hidden buyer. Experiments on the data collected from three real-world darknet markets demonstrate the effectiveness of our approach measured by various clustering metrics. Case studies on real transaction sequences explicitly show that our approach can group transactions with similar patterns into the same clusters.
Illicit market exchanges in cybercriminal markets are plagued by problems of verifiability and enforceability: trust is one way to ensure reliable exchange. It is fragile and hard to establish. One way to do that is to use the administrative structure of the digital market to control transactions. This is common among a specific type of market—darknet cryptomarkets. These are sites for the sale of illicit goods and services, hosted anonymously using the Tor darknet. However, reliance by users on the technology and the market administrators exposes users to excessive risk. We examine a case of a market that rejects several key technological features now common in cryptomarkets but that is nonetheless reliable and robust. We apply a techno-social approach that looks at the way participants use and combine technologies with trust relationships. The study was designed to capture the interactional context of the illicit market. We aimed to examine both person-to-person interaction and the technical infrastructure the market relied on. We find that the social space of the market maintains itself through a shared common security orientation, community participation in key decisions about products sold, performing trust signalling, and relying on lateral trust between members. There are implications for how resilience in cryptomarkets is understood.
A large majority of e-commerce happens on the “Surface Web”, which consists of all the websites that can be accessed through search engines. However, there has recently been a rapid growth in the “Dark Web”, consisting of websites which cannot be indexed by search engines. The Dark Web offers a high degree of anonymity and security to its users and has attracted illicit activity. Online marketplaces similar to eBay and Etsy on the Surface Web have also evolved on the Dark Web and are commonly known as “Darknet markets”. These markets have attracted sellers and buyers of illegal products such as drugs, weapons, and counterfeits. Law enforcement agencies are interested in curbing the rise of these markets. In this research, we focus on a bust operation conducted by the FBI and Europol in November 2014 that shut down Silk Road 2.0, one of the biggest Darknet markets at the time. Using the bust as an exogenous shock, we investigate the causal effect of the bust on Evolution and Agora, the next two biggest Darknet markets that were not subject to the bust. We find that the bust had positive marketing consequences for the buyers and the administrators of Evolution and Agora. Specifically, the prices reduced, and the number of transactions per vendor increased following the bust. Our results also indicate that these benefits are not simply a product of the forces of supply and demand but that they occur despite them. Our findings demonstrate that there could be surprising and unintended consequences to such busts and recommend law enforcement agencies consider them into their enforcement strategies.
[Keywords: two-sided markets, e-commerce, Dark Web.]
U.S. overdose deaths attributed to synthetic opioids, such as fentanyl, have increased from under 3,000 in 2013 to nearly 20,000 in 2016, making up half of all opioid-related overdose deaths. Using web scrapes of darknet markets from 2014 to 2016, I provide historical prices for fentanyl and its most popular analogues and find that fentanyl vendors priced fentanyl in 2014 at a 90% discount compared to an equivalent dose of heroin. Using regression discontinuity, I evaluate the effects of two major law enforcement and regulatory events. I find minimal lasting effects of U.S. legal actions intended to disrupt darknet markets, but there are statistically-significant indications of a price increase corresponding with regulatory action in China. Despite these indications of some regulatory success, fentanyl prices remained approximately 90% cheaper than heroin.
Internet access has provided new ways to trade goods. Unlike conventional legal sale sites, cryptomarkets facilitate exchanges in a context where the anonymity of participants is warranted. The aim of this article was to obtain a better understanding of the trafficking of prescription drugs and medicine on the AlphaBay cryptomarket. The results showed that alprazolam, oxycodone, and Adderall were the most offered prescription drugs while alprazolam, diazepam, and oxycodone were the most sold substances. The sale was dominated by North America, Australia, and Western European countries. The revenue of prescription drugs was estimated to be more than US$65 million since the creation of AlphaBay, a small market in comparison with the worldwide legal pharmaceutical market’s estimate of US$1.3 trillion in 2020. Digital traces offer a complementary way to understand the trafficking of prescription drugs and medicine and to identify the most prolific vendors and their implication in this trafficking.
The nature of online underground gun markets on the dark web has been relatively under-researched in comparison to those regarding drugs or malware. This work attempts to improve the general understanding of the nature of these markets, with a longitudinal assessment of the market as a whole. From this assessment, the various properties that characterize the market such as overall sales and the breadth of items on offer can be catalogued and compared against offline markets, or other online markets.
In addition to this longitudinal study, the online communities surrounding the sale of firearms were identified, with topic models fit to the datasets spanning approximately five years, with the intent of characterizing and comparing them to each other in a more structured manner. Once the topic models were generated, documents were drawn from before and after mass shooting attacks. These documents were then labeled by the separate topic models, and then contrasted and compared against each other in order to assess the reactions of these communities to traumatic events, thus observing if there were clear patterns of behavior universal across these communities.
Online underground arms markets were found to be generally thin, albeit larger in scale than a few years before, and appear to be predominantly focused on the sale of rifles, pistols, and custom orders. Gun communities online were observed to differ depending on the strictness of moderation of their parent communities, though still have a number of shared topics, such as gun legislation or usage. Furthermore, the assessed communities varied heavily in their reactions to attacks, further highlighting their differences.
This paper examines prices of cannabis sold over the anonymous internet marketplace AlphaBay. We analyze cannabis prices of 500 listings from about 140 sellers, originating from 18 countries. We find that both listing characteristics and country characteristics matter. Cannabis prices are lower if sold in larger quantities, so there is a clear quantity discount. Cannabis prices increase with perceived quality. Cannabis prices are also higher when the seller is from a country with a higher GDP per capita or higher electricity prices. The internet based cannabis market seems to be characterized by monopolistic competition where many sellers offer differentiated products with quality variation causing a dispersion of cannabis prices and sellers have some control over the cannabis prices.
Dark Net Markets (DNMs) are websites found on the Dark Net that facilitate the anonymous trade of illegal items such as drugs and weapons. Despite repeated law enforcement interventions on DNMs, the ecosystem has continued to grow since the first DNM, Silk Road, in 2011. This research project investigates the resilience of the ecosystem and tries to understand which characteristics allow it to evade law enforcement.
This thesis is comprised of three studies. The first uses a dataset contained publicly available, scraped data from 34 DNMs to quantitatively measure the impact of a large-scale law enforcement operation, Operation Onymous, on the vendor population. This impact is compared to the impact of the closure of the DNM Evolution in an exit scam. For both events, the impact on different vendor populations (for example those who are directly affected and those who aren’t) are compared and the characteristics that make vendors resilient to each event are investigated.
In the second study, a dataset acquired from the server of the DNMSilk Road 2.0 [by UK LEA] is used to better understand the relationships between buyers and vendors. Network analysis and statistical techniques are used to explore when buyers trade and who with. This dataset is also used to measure the impact of a hack on Silk Road 2.0 on its population.
In the final study, discussions from the forum site Reddit were used to qualitatively assess user perceptions of two law enforcement interventions. These interventions were distinct in nature—one, Operation Hyperion, involved warning users and arresting individuals and the second, Operation Bayonet, actively closed a DNM. Grounded Theory was used to identify topics of conversation and directly compare the opinions held by users on each intervention.
These studies were used to evaluate hypotheses incorporated into two models of resilience. One model focuses on individual users and one on the ecosystem as a whole. The models were then used to discuss current law enforcement approaches on combating DNMs and how they might be improved.
In the first study of this thesis, several methodologies for data preparation and validation within the study of DNMs were developed. In particular, this work presents a new technique for validating a publicly available dataset that has been used in multiple studies in this field. This is the first attempt to formally validate the dataset and determine what can reasonably used for research. The discussion of the dataset has implications for research already using the dataset and future research on datasets collected using the same methodology.
In order to conduct the second study in this thesis, a dataset was acquired from a law enforcement agency. This dataset gives a new insight on how buyers behave on DNMs. Buyers are an unstudied group because their activities are often hidden and so analysis of this dataset reveals new insights into the behaviour of these users. The results of this study have been used to comment on existing work using less complete datasets and contribute new findings.
The third study in this thesis presents a qualitative analysis of two law enforcement interventions. This is the first work to assess the impact of either intervention and so provides new insights into how they were received by the DNM ecosystem. It uses qualitative techniques which are rare within this discipline and so provides a different perspective, for example by revealing how individuals perceive the harms of law enforcement interventions on DNMs. The value of this work has been recognised through its acceptance at a workshop at the IEEE European Symposium on Security and Privacy, 2019.
Part of this research has been conducted in consultation with a [UK] law enforcement agency who provided data for this research. The results of this research are framed specifically for this agency and other law enforcement groups currently investigating DNMs. Several suggestions are made on how to improve the efficacy of law enforcement interventions on DNMs
…A response to the criticisms of (Dolliver (2015a)) has been presented in (Dolliver (2015b)). Here, Dolliver (2015b) attempts to provide further evidence that Silk Road 2.0 overestimated the number of listings advertised by including the results of a manual inspection of the site (Dolliver (2015b)). The response also calls into question the use of the Branwen dataset which was collected by an independent researcher and has not been peer-reviewed. Dolliver (2015b) claims that the “manually crawling approach” adopted by Van Buskirk et al. (2015) is also problematic as it will miss listings that are uploaded and removed during the time it takes to crawl the site. Finally, other, unpublished datasets cited in (Dolliver (2015b)) also point to Silk Road 2.0 being especially volatile in nature before it was closed down and show that the number of listings varied by thousands from week to week. This volatility could potentially explain the contradicting depictions of Silk Road 2.0 given by (Dolliver (2015a)) and (Munksgaard et al. (2016)) and allow for both studies to have accurately described the site. However, empirical evidence in the form of police reports that describe the size of Silk Road 2.0 after its closure shows that the data collected by Dolliver (2015a) is an underestimate. Indeed, new data presented in this body of work also demonstrates that Silk Road 2.0 was bigger than Dolliver (2015a) claims, even at the beginning of its lifetime.
As the Internet based applications become more and more ubiquitous, drug retailing on Dark Net Marketplaces (DNMs) has raised public health and law enforcement concerns due to its highly accessible and anonymous nature. To combat illegal drug transaction among DNMs, authorities often require agents to impersonate DNM customers in order to identify key actors within the community. This process can be costly in time and resource. Research in DNMs have been conducted to provide better understanding of DNM characteristics and drug sellers’ behavior. Built upon the existing work, researchers can further leverage predictive analytics techniques to take proactive measures and reduce the associated costs. To this end, we propose a systematic analytical approach to identify key opioidsellers in DNMs. Utilizing machine learning and text analysis, this research provides prediction of high-impact opioidproducts in two major DNMs. Through linking the high-impact products and their sellers, we then identify the key opioid sellers among the communities. This work intends to help law enforcement authorities to formulate strategies by providing specific targets within the DNMs and reduce the time and resources required for prosecuting and eliminating the criminals from the market.
This paper presents the results of a qualitative study on discussions about two major law enforcement interventions against Dark Net Market (DNM) users extracted from relevant Reddit forums. We assess the impact of Operation Hyperion and Operation Bayonet (combined with the closure of the site Hansa) by analyzing posts and comments made by users of two Reddit forums created for the discussion of Dark Net Markets. The operations are compared in terms of the size of the discussions, the consequences recorded, and the opinions shared by forum users. We find that Operation Bayonet generated a higher number of discussions on Reddit, and from the qualitative analysis of such discussions it appears that this operation also had a greater impact on the DNM ecosystem.
Dark net markets present a rare opportunity to examine markets with little contract enforcement and strong asymmetric information. The review systems on these sites prevent market collapse by allowing good vendors to accrue reputation, signaling high quality products. This paper examines cocaine listings on the Dream Market dark net site. Despite uniformly high ratings across all vendors, I find a price differential between escrow transactions—which function as strong contracts—and non-escrow transactions.
This supports existing models of markets with reputation signaling that become heavily saturated with highly reputable vendors, yet these vendors still have a nonzero chance of scamming their customers in an exit-scheme. I argue that the price differential represents the discount high-reputation vendors must offer consumers to offset the inherent risk the transaction is a scam.
[Keywords: Adverse Selection, Dark Net Markets, Moral Hazard, Online, Drugs.]
Keeping up with threat intelligence is a must for a security analyst today. There is a volume of information present in ‘the wild’ that affects an organization. We need to develop an artificial intelligence system that scours the intelligence sources, to keep the analyst updated about various threats that pose a risk to her organization. A security analyst who is better ‘tapped in’ can be more effective.
In this paper we present, Cyber-All-Intel an artificial intelligence system to aid a security analyst. It is a system for knowledge extraction, representation and analytics in an end-to-end pipeline grounded in the cybersecurity informatics domain. It uses multiple knowledge representations like, vector spaces and knowledge graphs in a ‘VKG structure’ to store incoming intelligence. The system also uses neural network models to pro-actively improve its knowledge. We have also created a query engine and an alert system that can be used by an analyst to find actionable cybersecurity insights.
Cryptocurrencies are among the largest unregulated markets in the world. We find that approximately one-quarter of bitcoin users are involved in illegal activity. We estimate that around $76 billion of illegal activity per year involve bitcoin (46% of bitcoin transactions), which is close to the scale of the U.S. and European markets for illegal drugs. The illegal share of bitcoin activity declines with mainstream interest in bitcoin and with the emergence of more opaque cryptocurrencies. The techniques developed in this paper have applications in cryptocurrency surveillance. Our findings suggest that cryptocurrencies are transforming the black markets by enabling “black e-commerce.”
For nearly ten years, illicit markets have taken advantage of the anonymity and convenience afforded by the dark web. Despite its benefits, however, this anonymity has also resulted in difficulties establishing trust and managing conflict on cryptomarkets. A number of common features have been implemented to serve this function. This study was conducted to contribute to the growing literature on conflict management in cryptomarkets through a thematic analysis of publicly available content from two popular cryptomarkets [Tochka & Wall Street]. Of particular interest is whether conflict management has changed following the closure of many popular cryptomarkets and how conflicts are managed differently in relation to unique types of transaction or delivery offered by the marketplaces under study. Findings indicate that, rather than evolving to become different from those marketplaces that have been shut down, the two marketplaces under study have slowly changed to become more like them, based on suggestions from users. Implications for law enforcement are discussed.
The goal of this research is to get a better understanding of buyer behavior on cryptomarkets, and to what extent buyers buy repeatedly from sellers. Cryptomarkets are anonymized markets only accessible through encryption software such as Tor. These markets provide opportunity for people to trade in illegal goods such as drugs in relative safety from legal authorities. Trading on cryptomarkets relies on trust and reputation.
Theory from The Trust Game is used to explain the relations between buyers and sellers, as well as the actions that the actors can make. Although sellers have high short-term incentives to scam their customers, long-term success relies on trustworthy behavior. Buyers have to make risk assessments to place trust based on available information and experience. Data was gathered from the AlphaBay cryptomarket shortly before it was taken down by U.S. authorities. Logistic regressions were used to analyze the odds of buyers repurchasing after each purchase both on network level as well as on dyad level. 69.4% of the buyers on AlphaBay bought repeatedly, and 32.5% of all dyads were repeated. It was found that positive experiences give better odds of buyers making more purchases on network and dyad level. Using safe payments services such as escrow and experience also increase odds of buyers repeatedly purchasing.
Future quantitative research on buyer behavior may want to focus on availability of alternative products and sellers for buyers, qualitative research may be valuable for finding buyer motivations to keep purchasing, stop purchasing or change sellers.
This chapter explores collective information processing among black-hat hackers during their crises events. The chapter presents a preliminary study on one of Tor-based darknet market forums, during the shutdowns of 2 cryptomarkets.
Content and network analysis of forum conversations showed that black-hat users mostly engaged with rational information processing and were adept at reaching collective solutions by sharing security advices, new market information, and alternative routes for economic activities. At the same time, the study also found that anti-social and distrustful interactions were aggravated during the marketplace shutdowns. Communication network analysis showed that not all members were affected by the crisis events, alluding to a fragmented network structure of black-hat markets.
The chapter concludes that, while darknet forums may constitute resilient, solution-oriented users, market crises potentially make the community vulnerable by engendering internal distrust.
[Google Translate of French abstract] Where do you find drugs on the Internet, how are they sold, what is the size of the market and what is Switzerland’s place in it? To try to answer these questions, Addiction Switzerland and the School of Criminal Sciences at UNIL have collected and analyzed a set of relevant data on behalf of the Federal Office of Public Health.
The Internet is made up of three basic components: a transmission network (cables or waves), a system for recognizing interconnected devices (the IP protocol) and data transport protocols. Together, they allow the use of applications (web, e-mail, messaging) for communication and information sharing. It is possible to find and buy drugs on many applications including websites, whether concealed or not, but also social networks and messaging applications. You can come across different promotion strategies, different sales spaces but also evaluation of the drugs offered. Other products such as drugs, narcotics, and new psychoactive substances (NPS) are also on sale.
Knowledge about the sale of narcotics on the various applications present on the Internet is still in its infancy, with the exception of crypto-markets which are often specialized in this field. These are sales platforms that allow for some anonymity. The use of specific infrastructures (called darknets), web spaces that are not or not very regulated (dark webs), encrypted communications and cryptocurrencies like Bitcoin allow this anonymity. The dark webs, and the crypto-markets they host, however, are tiny compared to all the spaces on the web.
The sale of narcotic drugs on crypto-markets has been revealed by the Silk Road website. Since then, many similar sites have appeared but with often relatively short lifespans, due to internal fraud or the intervention of the police. The sites are based on management by administrators and on advertisements that describe the product, its price and the conditions of its acquisition. They also rely on the assessment of products and sellers by buyers. They are thus, in their form, similar to many sites known as eBay.
To understand Switzerland’s place in this market, downloads of data from one of the main crypto-narcotics markets (AlphaBay, active from the end of 2014 to July 2017) were carried out. They show that the most cited countries of origin are the Anglo-Saxon countries (United States, Canada, Australia, United Kingdom), the Netherlands and Germany. Switzerland occupies a less important place but, if we consider its size, its role is not negligible in terms of sales. Thus, 57 seller accounts declaring to be located in Switzerland carried out just over ten thousand transactions for a turnover of approximately 1.3 million francs on AlphaBay. The sale of stimulants concerns 85% of these transactions, especially with small quantities and prices close to those of the physical market. These sales represent in fact only a very small part of the narcotics market in Switzerland, but some sellers make substantial sales of up to almost $30,000 a month.
There is little data on people in Switzerland who order drugs online. Analysis of data from the Global Drug Survey suggests that shopping on the web and on dark webs remains limited, but with an increasing trend. Older data shows that cannabis and stimulants are the products most ordered by Swiss buyers. They order from sellers in Switzerland but also abroad, especially in Germany, the Netherlands, the United Kingdom and Belgium. Overseas orders are generally associated with larger quantities but remain relatively small. On average, apart from cannabis, purchases rarely exceed 5–10 grams on average.
A small survey of cantonal police has shown that surveys of online drug purchases have so far been relatively rare. They often result from information provided by an informant or from the discovery of a computer turned on during a search. The most frequent case concerns parcels intercepted by customs with small quantities ordered on the Internet, most often cannabis, stimulants or hallucinogens.
We will retain from this exploration of the data on the Internet drug markets, that these are found in different spaces of the web, in particular the dark webs, but that they seem so far to constitute only a very small part of the drug market for narcotic drugs, at least in Switzerland. There are, however, some indications that the phenomenon is tending to spread, even if it is happening at a slower pace than one might have thought. Like other innovations, the sale and purchase of psychoactive substances on the Internet probably follows an adoption phase in a small group of individuals before, perhaps, becoming a wider phenomenon.
Reputation is one of the key assets of a digital entrepreneur in markets for experience goods, especially in settings like Darknet and anonymous marketplaces. But what happens if this asset is diminished by a shock, ie. negative feedback? We study how entrepreneurs on anonymous marketplaces respond to negative feedback by adjusting their product portfolio, or even exiting the market altogether.
We find that the entrepreneurs are more likely to exit following negative feedback, but that a entrepreneur’s accumulated transactions experience on the market platform negatively moderates this. Interestingly, the entrepreneurs that do remain tend to expand their product portfolio. This effect, however, is again driven by entrepreneurs with relative high transactions experience, ie. those with a high prior transactions volume.
These results suggest that the reputation and the transactions experience of an entrepreneur interact in intricate ways to drive an entrepreneur’s choice of remaining in the market or adjusting her portfolio. We derive managerial and policy implications of these results.
[Keywords: digital entrepreneurship, reputation, anonymous marketplaces, illicit drugs, darknet]
Online data were compared to data related to traditional market descriptors.
The results highlighted a link between the virtual and physical markets.
Forensic drug intelligence processes rely on the combination of different information.
Technology provides new ways to access customers and suppliers while enhancing the security of off-line criminal activity. Since the first cryptomarket, Silk Road, in 2011, cryptomarkets have transformed the traditional drug sale by facilitating the creation of a global network of vendors and buyers. Due to the fragmented nature of traces that result from illegal activities, combining the results of concurrent processes based on traces of different nature should provide supplementary benefit to understand the drug market.
This article compares the data of the Australian virtual market (in particular data extracted from cryptomarkets) to the data related to traditional market descriptors, namely national seizures and arrests, prevalence data, shipping countries of seized post shipments as well as outcomes of specific surveys targeting users’ behaviour online. Results revealed the domestic nature of the online illicit drug trade in Australia which is dominated by amphetamine-type substances (ATS), in particular methylamphetamine and cannabis. These illicit drugs were also the most seized drugs on the physical market.
This article shows that the combination of different information offers a broader perspective of the illicit drug market in Australia and thus provides stronger arguments for policy makers. It also highlights the links between the virtual and physical markets.
[Keywords: darknet, illicit drug market, problem-oriented approach, National Forensic Rapid Laboratory (Australia)] [part I]
Weapons related webpages from nine cryptomarkets were manually duplicated in February 2016. Information about the listings (ie. sales proposals) and vendors’ profiles were extracted to draw an overview of the actual online trafficking of weapons. Relationships between vendors were also inferred through the analysis of online digital traces and content similarities. Weapons trafficking is mainly concentrated on two major cryptomarkets. Besides, it accounts for a very small proportion of the illicit trafficking on cryptomarkets compared to the illicit drugs trafficking. Among all weapon related listings (n = 386), firearms only account for approximately 25% of sales proposal since the proportion of non-lethal and melee weapons is important (around 46%). Based on the recorded pseudonyms, a total of 96 vendor profiles were highlighted. Some pseudonyms were encountered on several cryptomarkets, suggesting that some vendors may manage accounts on different markets. This hypothesis was strengthened by comparing pseudonyms to online traces such as PGP keys, images and profiles descriptions. Such a method allowed to estimate more accurately the number of vendors offering weapons across cryptomarkets. Finally, according to the gathered data, the extent of the weapons trafficking on the cryptomarkets appear to be limited compared to other illicit goods.
[Keywords: Darknet markets; Firearms; Ammunition; Digital traces; Forensic intelligence; Internet traces.]
…The selected markets are: Aflao marketplace (AFL), AlphaBay (ALB),Dr D’s multilingual market (DDM), Dream market(DMA), French Darknet(FRE), The Real Deal (TRD), Oasis (OAS), Outlaw market (OUT), Valhalla(aka Silkkitie) (VAL).
Black hat hackers are far more shrewd than the public’s stereotypical perception of them. They are no longer script kiddies who are trying to impress their social circles, but skilled businessmen with the general aim to profit from exploitative attacks. Very little research has been done on how the cyber-criminals involved make decisions based on profit margin calculations.
The dark net provides the perfect environment to commit cyber crimes without being tracked down by law enforcement. An entire economy has emerged in the dark net as a result of transactions of illegal goods and services supported by cryptocurrencies. The social structure of the members in the dark net is strong enough to survive any intrusions made by law enforcement.
The dynamic shifts in the field of cyber security has encouraged many researchers to pro-pose different methodologies that capture the true intent of an attacker. In this report, a netnographic study was done to obtain data useful for threat predictions and attacker profiling. This included observations of the online marketplaces in the dark net and the re-searcher’s reflections on the social communications between the different actors involved in the creation and distribution of ransomware. Data collected from this study was also used to deduce a cost-benefit framework.
Purpose: This paper aims to shed light into money laundering using bitcoin. Digital payment methods are increasingly used by criminals to launder money obtained through cybercrime. As many forms of cybercrime are motivated by profit, a solid cash-out strategy is required to ensure that crime proceeds end up with the criminals themselves without an incriminating money trail. The authors examine how cybercrime proceeds can be laundered using services that are offered on the Dark Web.
Design/methodology/approach: Focusing on service-percentages and reputation-mechanisms in underground bitcoin laundering services, this paper presents the results of a cash-out experiment in which 5 mixing and 5 exchange services are included.
Findings: Some of the examined services provide an excellent, professional and well-reviewed service at competitive cost. Whereas others turned out to be scams, accepting bitcoin but returning nothing in return.
Practical implications: The authors discuss what these findings mean to law enforcement, and how bitcoin laundering chains could be disrupted.
Originality/value: These cash-out strategies are increasingly facilitated by cryptocurrencies, mainly bitcoin. Bitcoins are already relatively anonymous, but with the rise of specialised bitcoin money laundering services on the Dark Web, laundering money in the form of bitcoins becomes available to a wider audience.
I present evidence that communication between marketplace participants is an important influence on market demand. I find that consumer demand is approximately equally influenced by communication on both formal and informal networks—namely, product reviews and community forums. In addition, I find empirical evidence of a vendor’s ability to commit to disclosure dampening the effect of communication on demand. I also find that product demand is more responsive to average customer sentiment as the number of messages grows, as may be expected in a Bayesian updating framework.
This study uses a Corpus Assisted Discourse Studies methodology to provide the first systematic analysis of how trust is discursively constructed in crypto-drug markets. The data come from two purpose-built corpora. One comprises all the forum messages posted on the flag ship crypto-drug market Silk Road during the years in which it traded on the hidden net (c. 250 million words). The other corpus comprises all the reports published by the United Nations Office on Drugs and Crime (UNODC) during the same period (c. 153,000 words). Our analysis of trust focuses on the identities of those buying and selling drugs. The findings reveal that the Silk Road community members (a) regularly discussed vendors’ identities alongside a continuum of trust–risk calculation, explicitly identifying both ‘good’ and ‘bad’ practices and hence engaging in self-regulatory discourses, and (b) mainly constructed drug users’ identities in relation to values of expertise, integrity and benevolence. The findings also suggest that hard law enforcement activity, such as crypto-drug market closure, may encourage technological innovation within these markets. Moreover, our results show a disconnect between the discursive reality of the policy-making documents we examined and the very crypto-drug markets that they seek to legislate.
Do drug dealers entice nonusers with free samples? Police, the popular press, and social media users say so, but crime researchers have found little support for this theory and argue instead that sample distribution is an unsound strategy for illegal market business. But what about in digital drug markets, where operational logics are based on sophisticated anonymization technology and reputation systems? The author collected data from a large e-commerce website for drugs over 305 days in 2014 and 2015 and documents that (a) drug dealers give away samples of all major substance categories and (b) sample distribution increases vendor sales for prescription drugs and opioid-based painkillers. To explore possible explanations of these findings, the author collected data from the market’s online forum and analyzed 175 discussions (2,218 posts) about samples. Among the findings is that samples are preferably given to reputable review writers, or “drug critics.”
Cryptomarkets are online illicit marketplaces where drug dealers advertise the sale of illicit drugs. Anonymizing technologies such as the Tor network and virtual currencies are used to hide cryptomarket participants’ identity and to limit the ability of law enforcement agencies to make arrests. In this paper, our aim is to describe how herbal cannabis dealers and buyers in the United States have adapted to the online sale of herbal cannabis through cryptomarkets. To achieve this goal, we evaluate the size and scope of the American herbal cannabis market on cryptomarkets and compare it to other drug markets from other countries, evaluate the impact of cryptomarkets on offline sales of herbal cannabis, and evaluate the ties between the now licit herbal cannabis markets in some States and cryptomarkets. Our results suggest that only a small fraction of herbal cannabis dealers and drug users have transitioned to cryptomarkets. This can be explained by the need for technical skills to buy and sell herbal cannabis online and by the need to have access to computers that are not accessible to all. The slow rate of adoption may also be explained by the higher price of herbal cannabis relative to street prices. If cryptomarkets were to be adopted by a larger portion of the herbal cannabis market actors, our results suggest that wholesale and regional distributors who are not active on cryptomarkets would be the most affected market’s participants.
Purpose: The purpose of this paper is to analyse dynamics amongst members to better understand in what terms and to what extent marketplace forums can be seen as new forms of harm reduction.
Design/methodology/approach: This is a qualitative analysis focused on conversations about psychoactive substances on the forum community of AlphaBay Market. A sample consists of 100 online threads. The data, collected in July 2016, were analysed by applying the grounded theory approach with the support of Atlas.ti.
Findings: Conversations in the marketplace forum focus mostly on the purchase. Concerns and disputes are voiced in a substantial proportion of them, and interactions are affected by a climate of distrust where stigmatisation processes can emerge between users of different drug categories. This casts a certain amount of doubt on the thesis that marketplace forums—like online forums—are new forms of harm reduction and peer-led communities.
Research limitations/implications: The study focuses on only one marketplace forum. Other such forums should be analysed to corroborate its findings.
Practical implications: Harm reduction interventions in the online environment should take different form according to the forum type, and take the differences and boundaries that separate users of different substances into account.
Originality/value: Thanks to its infrequently used qualitative approach, the study provides a more thorough understanding of the relationships on marketplace forums.
Does recent growth of darknet markets signify a slow reorganisation of the illicit drug trade? Where are darknet markets situated in the global drug supply chain? In principle, these platforms allow producers to sell directly to end users, bypassing traditional trafficking routes. And yet, there is evidence that many offerings originate from a small number of highly active consumer countries, rather than from countries that are primarily known for drug production. In a large-scale empirical study, we determine the darknet trading geography of three plant-based drugs across four of the largest darknet markets, and compare it to the global footprint of production and consumption for these drugs. We present strong evidence that cannabis and cocaine vendors are primarily located in a small number of consumer countries, rather than producer countries, suggesting that darknet trading happens at the ‘last mile’, possibly leaving old trafficking routes intact. A model to explain trading volumes of opiates is inconclusive. We cannot find evidence for significant production-side offerings across any of the drug types or marketplaces. Our evidence further suggests that the geography of darknet market trades is primarily driven by existing consumer demand, rather than new demand fostered by individual markets.
Results revealed the domestic nature of the virtual Australian illicit drug trade.
The virtual Australian illicit drug trade is dominated by amphetamine-type substances (ATS).
The online price fixed by Australian sellers for the considered illicit drugs is higher than for any other shipping countries.
Understanding the link between virtual and physical drug market necessitates the integration of different perspective.
Analysing and understanding cryptomarkets is essential to become proactive in the fight against the illicit drug trade. Such research seeks to combine a diversity of indicators related to the virtual (darknet markets) and physical (the traditional “offline” market) aspects of the illicit drug trade to provide information on the distribution and consumption as well as to assess similarities/differences between the virtual and physical markets.
This study analysed data that had previously been collected on cryptomarkets from December 2013 to March 2015. In this article, the data was extracted from 2 marketplaces, Evolution and Silk Road 2, and analysed to evaluate the illicit drug trade of the Australian virtual market (eg. information about the supply and demand, trafficking flows, prices of illicit drugs and market share) and highlight its specificities.
The results revealed the domestic nature of the virtual Australian illicit drug trade (ie. Australian sellers essentially ship their products to local customers). This may explain the coherence between supply and demand. Particularly, the virtual Australian illicit drug trade is dominated by amphetamine-type substances (ATS), mainly methamphetamine and 3,4-Methylenedioxymethamphetamine (MDMA), and cannabis. Australia, as a shipping country, accounts for half of the methamphetamine offered and purchased on Silk Road 2. Moreover, it was observed that the online price fixed by Australian sellers for the considered illicit drugs is higher than for any other shipping countries, which is in line with previous studies.
Understanding the virtual and physical drug market necessitates the integration and fusion of different perspectives to capture the dynamic nature of drug trafficking, monitor its evolution and finally improve our understanding of the phenomenon so policy makers can make informed decisions.
[Keywords: cryptomarkets, supply & demand, illicit drug market, Australian perspective, darknet] [part 2]
Knowledge graphs and vector space models are robust knowledge representation techniques with individual strengths and weaknesses. Vector space models excel at determining similarity between concepts, but are severely constrained when evaluating complex dependency relations and other logic-based operations that are a strength of knowledge graphs. We describe the VKG structure that helps unify knowledge graphs and vector representation of entities, and enables powerful inference methods and search capabilities that combine their complementary strengths. We analogize this to thinking ‘fast’ in vector space along with thinking ‘slow’ and ‘deeply’ by reasoning over the knowledge graph. We have created a query processing engine that takes complex queries and decomposes them into subqueries optimized to run on the respective knowledge graph or vector view of a VKG. We showthat the VKG structure can process specific queries that are not efficiently handled by vector spaces or knowledge graphs alone. We also demonstrate and evaluate the VKG structure and the query processing engine by developing a system called Cyber-All-Intel for knowledge extraction, representation and querying in an end-to-end pipeline grounded in the cybersecurity informatics domain.
Type and proportions of all products offered for sale on Evolution are analysed.
A combined study of shipping country and type of product indicates spatial trends.
The study of trafficking flows reveals the global or domestic character of the trade.
Spatial specificities tend to reflect the structure of the traditional market.
Cryptomarkets are online marketplaces, located on the darknet, that facilitate the trading of a variety of illegal goods, mostly drugs. While the literature essentially focus on drugs, various other goods and products related to financial or identity fraud, firearms, counterfeit goods, as well as doping products are also offered on these marketplaces.
Through the analysis of relevant data collected on a popular marketplace in 2014–2015, Evolution, this research provides an analysis of the structure of trafficking (types and proportions of products, number of vendors and shipping countries). It also aims at highlighting geographical patterns in the trafficking of these products (eg. trafficking flows, specialisation of vendors and assessment of their role in the distribution chain).
The analysis of the flow of goods between countries emphasises the role of specific countries in the international and domestic trafficking, potentially informing law enforcement agencies to target domestic mails or international posts from specific countries. The research also highlights the large proportion of licit and illicit drug listings and vendors on Evolution, followed by various fraud issues (in particular, financial fraud), the sharing of knowledge (tutorials) and finally goods, currencies and precious metals (principally luxury goods). Looking at the shipping country, there seems to be a clear division between digital and physical products, with more specific information for physical goods. This reveals that the spatial analysis of trafficking is particularly meaningful in the case of physical products (such as illicit drugs) and to a lesser extent for digital products. Finally, the geographical analysis reveals that spatial patterns on Evolution tend to reflect the structure of the traditional illicit market.
However, regarding illicit drugs, country-specificity has been observed and are presented in this article.
We analyze reputation dynamics in an online market for illicit drugs using a novel dataset of prices and ratings. The market is a black market, and so contracts cannot be enforced. We study the role that reputation plays in alleviating adverse selection in this market. We document the following stylized facts: (i) There is a positive relationship between the price and the rating of a seller. This effect is increasing in the number of reviews left for a seller. A mature highly-rated seller charges a 20% higher price than a mature low-rated seller. (ii) Sellers with more reviews charge higher prices regardless of rating. (iii) Low-rated sellers are more likely to exit the market and make fewer sales. We show that these stylized facts are explained by a dynamic model of adverse selection, ratings, and exit, in which buyers form rational inferences about the quality of a seller jointly from his rating and number of sales. Sellers who receive low ratings initially charge the same price as highly-rated sellers since early reviews are less informative about quality. Bad sellers exit rather than face lower prices in the future. We provide conditions under which our model admits a unique equilibrium. We estimate the model, and use the result to compute the returns to reputation in the market. We find that the market would have collapsed due to adverse selection in the absence of a rating system.
The Evolution cryptomarket is described through the analysis of source code files.
Illicit drug orders on Evolution and chemical analyses are performed.
The study of packaging reveals concealment techniques used to avoid detection.
Products purity does not correspond with information provided on listings.
Chemical profiling reveals a relationship between purchases and police seizures.
Darknet markets, also known as cryptomarkets, are websites located on the Darknet and designed to allow the trafficking of illicit products, mainly drugs. This study aims at presenting the added value of combining digital, chemical and physical information to reconstruct sellers’ activities. In particular, this research focuses on Evolution, one of the most popular cryptomarkets active from January 2014 to March 2015.
Evolution source code files were analysed using Python scripts based on regular expressions to extract information about listings (ie., sales proposals) and sellers. The results revealed more than 48,000 listings and around 2700 vendors claiming to send illicit drug products from 70 countries. The most frequent categories of illicit drugs offered by vendors were cannabis-related products (around 25%) followed by ecstasy (MDA,MDMA) and stimulants (cocaine, speed). The cryptomarket was then especially studied from a Swiss point of view. Illicit drugs were purchased from 3 sellers located in Switzerland. The purchases were carried out to confront digital information (eg., the type of drug, the purity, the shipping country and the concealment methods mentioned on listings) with the physical analysis of the shipment packaging and the chemical analysis of the received product (purity, cutting agents, chemical profile based on minor and major alkaloids, chemical class). The results show that digital information, such as concealment methods and shipping country, seems accurate. But the illicit drugs purity is found to be different from the information indicated on their respective listings. Moreover, chemical profiling highlighted links between cocaine sold online and specimens seized in Western Switzerland.
This study highlights that (1) the forensic analysis of the received products allows the evaluation of the accuracy of digital data collected on the website, and (2) the information from digital and physical/chemical traces are complementary to evaluate the practices of the online selling of illicit drugs on cryptomarkets.
The Tor Network, a hidden part of the Internet, is becoming an ideal hosting ground for illegal activities and services, including large drug markets, financial frauds, espionage, child sexual abuse. Researchers and law enforcement rely on manual investigations, which are both time-consuming and ultimately inefficient.
The first part of this paper explores illicit and criminal content identified by prominent researchers in the dark web. We previously developed a web crawler that automatically searched websites on the internet based on pre-defined keywords and followed the hyperlinks in order to create a map of the network. This crawler has demonstrated previous success in locating and extracting data on child exploitation images, videos, keywords and linkages on the public internet. However, as Torfunctions differently at the TCP level, and uses socket connections, further technical challenges are faced when crawling Tor. Some of the other inherent challenges for advanced Tor crawling include scalability, content selection tradeoffs, and social obligation. We discuss these challenges and the measures taken to meet them. Our modified web crawler for Tor, termed the “Dark Crawler” has been able to access Tor while simultaneously accessing the public internet.
We present initial findings regarding what extremist and terrorist contents are present in Tor and how this content is connected to each other in a mapped network that facilitates dark web crimes. Our results so far indicate the most popular websites in the dark web are acting as catalysts for dark web expansion by providing necessary knowledge base, support and services to build Tor hidden services and onion websites.
[Keywords: Tor network, web crawler, criminal network, dark web, web graph, social network analysis]
Background: The recent proliferation of cryptomarkets and the associated emergence of a sub-field of research on the anonymous web have outpaced the development of an ethical consensus regarding research methods and dissemination amongst scholars working in this unique online space. The peculiar characteristics of cryptomarket research, which often involves encryption, illegal activity, large-scale data collection, and geographic separation from research participants, challenge conventional ethical frameworks. A further complicating factor for reaching ethical consensus is the confluence of scholars drawn from a variety of academic disciplines, each with their own particular norms, practices and perspectives.
This paper is intended to stimulate awareness and debate, and to prompt further reflection amongst scholars studying these fascinating online phenomena. The paper explores tensions and addresses some of the more prominent and pressing ethical questions, including public vs. private online spaces, anonymity, data sharing and ownership, risks and threats to research subjects and researchers. Also discussed is how best to balance the potential harms of cryptomarket research against benefits to the public.
[Keywords: cryptomarkets, research ethics, anonymous web, online drug distribution]
Introduction: User surveys indicate that expectations of higher drug purity are a key reason for cryptomarket use. In 2014–2015, Spain’s NGO Energy Control conducted a 1-year pilot project to provide a testing service to cryptomarket drug users using the Transnational European Drug Information (TEDI) guidelines. In this paper, we present content and purity data from the trial.
Methods: 219 samples were analyzed by gas chromatography associated with mass spectrometry (GC/MS). Users were asked to report what substance they allegedly purchased.
Results: 40 different advertised substances were reported, although 77.6% were common recreational drugs (cocaine, MDMA, amphetamines, LSD, ketamine, cannabis). In 200 samples (91.3%), the main result of analysis matched the advertised substance. Where the advertised compound was detected, purity levels (m ± SD) were: cocaine 71.6 ± 19.4%; MDMA (crystal) 88.3 ± 1.4%; MDMA (pills) 133.3 ± 38.4 mg; Amphetamine (speed) 51.3 ± 33.9%; LSD 123.6 ± 40.5 μg; Cannabisresin THC: 16.5 ± 7.5% CBD: 3.4 ± 1.5%; Ketamine 71.3 ± 38.4%. 39.8% of cocaine samples contained the adulterant levamisole (11.6 ± 8%). No adulterants were found in MDMAand LSD samples.
Discussion: The largest collection of test results from drug samples delivered from cryptomarkets are reported in this study. Most substances contained the advertised ingredient and most samples were of high purity. The representativeness of these results is unknown.
[Keywords: cryptomarkets, drug markets, purity, adulterants, drug checking, drug trend monitoring]
[Debunking a remarkably sloppy darknet market paper which screwed up its scraping and somehow concluded that the notorious Silk Road 2, in defiance of all observable evidence & subsequent FBI data, actually sold primarily e-books and hardly any drugs. This study has yet to be retracted.] The development of cryptomarkets has gained increasing attention from academics, including growing scientific literature on the distribution of illegal goods using cryptomarkets. Dolliver’s 2015 article “Evaluating drug trafficking on the Tor Network: Silk Road 2, the Sequel” addresses this theme by evaluating drug trafficking on one of the most well-known cryptomarkets, Silk Road 2.0. The research on cryptomarkets in general—particularly in Dolliver’s article—poses a number of new questions for methodologies. This commentary is structured around a replication of Dolliver’s original study. The replication study is not based on Dolliver’s original dataset, but on a second dataset collected applying the same methodology. We have found that the results produced by Dolliver differ greatly from our replicated study. While a margin of error is to be expected, the inconsistencies we found are too great to attribute to anything other than methodological issues. The analysis and conclusions drawn from studies using these methods are promising and insightful. However, based on the replication of Dolliver’s study, we suggest that researchers using these methodologies consider and that datasets be made available for other researchers, and that methodology and dataset metrics (eg. number of downloaded pages, error logs) are described thoroughly in the context of web-o-metrics and web crawling.
Background: Dread Pirate Roberts, founder of the first cryptomarket for illicit drugs named Silk Road, articulated libertarian political motives for his ventures. Previous research argues that there is a large political component present or involved in cryptomarket drug dealing which is specifically libertarian. The aim of the paper is to investigate the prevalence of political discourses within discussions of cryptomarket drug dealing, and further to research the potential changes of these over the timespan of the study.
Methods: We develop a novel operationalization of discourse analytic concepts which we combine with topic modelling enabling us to study how politics are articulated on cryptomarket forums. We apply the Structural Topic Model on a corpus extracted from crawls of cryptomarket forums encompassing posts dating from 2011 to 2015.
Results: The topics discussed on cryptomarket forums are primarily centered around the distribution of drugs including discussions of shipping and receiving, product advertisements, and reviews as well as aspects of drug consumption such as testing and consumption. However, on forums whose primary function is aiding operations on a black market, we still observe political matter. We identified one topic which expresses a libertarian discourse that emphasizes the individual’s right to non-interference. Over time, we observe an increasing prevalence of the libertarian discourse from 2011 to the end of 2013. In the end of 2013—when Silk Road was seized—we observe an abrupt change in the prevalence of the libertarian discourse.
Conclusions: The libertarian political discourse has historically been prevalent on cryptomarket forums. The closure of Silk Road has affected the prevalence of libertarian discourse suggesting that while the closure did not succeed in curtailing the cryptomarket economy, it dampened political sentiments.
[Keywords: digital methods, cryptomarkets, discourse analysis, harm-reduction, political theory, anarchism, topic models, libertarianism]
Marketplaces specializing in malicious hacking products—including malware and exploits—have recently become more prominent on the darkweb and deepweb. We scrape 17 such sites and collect information about such products in a unified database schema. Using a combination of manual labeling and unsupervised clustering, we examine a corpus of products in order to understand their various categories and how they become specialized with respect to vendor and marketplace. This initial study presents how we effectively employed unsupervised techniques to this data as well as the types of insights we gained on various categories of malicious hacking products.
Bitcoin has enjoyed wider adoption than any previous cryptocurrency; yet its success has also attracted the attention of fraudsters who have taken advantage of operational insecurity and transaction irreversibility. We study the risk investors face from the closure of Bitcoin exchanges, which convert between Bitcoins and hard currency. We examine the track record of 80 Bitcoin exchanges established between 2010 and 2015. We find that nearly half (38) have since closed, with customer account balances sometimes wiped out. Fraudsters are sometimes to blame, but not always. 25 exchanges suffered security breaches, 15 of which subsequently closed. We present logistic regressions using using longitudinal data on Bitcoin exchanges aggregated quarterly. We find that experiencing a breach is correlated with a 13-times greater odds that an exchange will close in that same quarter. We find that higher-volume exchanges are less likely to close (each doubling in trade volume corresponds to a 12 percent decrease in the odds of closure). We also find that exchanges who derive most of their business from trading less popular (fiat) currencies, which are offered by at most one competitor, are less likely to close.
February 2011 saw the emergence of Silk Road, the first successful online anonymous marketplace, in which buyers and sellers could transact with anonymity properties far superior to those available in alternative online or offline means of commerce. Business on Silk Road, primarily involving narcotics trafficking, rapidly boomed, and competitors emerged. At the same time, law enforcement did not sit idle, and eventually managed to shut down Silk Road in October 2013 and arrest its operator. Far from causing the demise of this novel form of commerce, the Silk Road take-down spawned an entire, dynamic, online anonymous marketplace ecosystem, which has continued to evolve to this day. This paper presents a long-term measurement analysis of a large portion of this online anonymous marketplace ecosystem, including 16 different marketplaces, over more than two years (2013–2015). By using long-term measurements, and combining our own data collection with publicly available previous efforts, we offer a detailed understanding of the growth of the online anonymous marketplace ecosystem. We are able to document the evolution of the types of goods being sold, and assess the effect (or lack thereof) of adversarial events, such as law enforcement operations or large-scale frauds, on the overall size of the economy. We also provide insights into how vendors are diversifying and replicating across marketplaces, and how vendor security practices (eg., PGP adoption) are evolving. These different aspects help us understand how traditional, physical-world criminal activities are developing an online presence, in the same manner traditional commerce diversified online in the 1990s.
The online cryptomarket Silk Road has been oft-characterised as an ‘eBay for drugs’ with customers drug consumers making personal use-sized purchases. Our research demonstrates that this was not the case.
Using a bespoke web crawler, we downloaded all drugs listings on Silk Road in September 2013. We found that a substantial proportion of transactions on Silk Road are best characterised as ‘business-to-business’, with sales in quantities and at prices typical of purchases made by drug dealers sourcing stock. High price-quantity sales generated between 31–45% of revenue, making sales to drug dealers the key Silk Road drugs business.
As such, Silk Road was what we refer to as a transformative, as opposed to incremental, criminal innovation. With the key Silk Road customers actually drug dealers sourcing stock for local street operations, we were witnessing a new breed of retail drug dealer, equipped with a technological subcultural capital skill set for sourcing stock. Sales on Silk Road increased from an estimate of $18.79$14.42012 million in mid-2012 to $115.33$89.72013 million by our calculations. This is a more than 600% increase in just over a year, demonstrating the demand for this kind of illicit online marketplace. With Silk Road functioning to considerable degree at the wholesale/broker market level, its virtual location should reduce violence, intimidation and territorialism.
Results are discussed in terms of the opportunities cryptomarkets provide for criminologists, who have thus far been reluctant to step outside of social surveys and administrative data to access the world of ‘webometric’ and ‘big data’.
[Keywords: drug markets, cryptomarkets, webometrics, drug dealing]
From, in or about January 2011, up to and including on or about October 2, 2013, an underground website known as ‘Silk Road’ hosted a sprawling black-market bazaar on the Internet, where illegal drugs and other illicit goods and services were regularly bought and sold by the site’s users. The Grand Jury indicts Defendants Andrew Michael Jones, Gary Davis, and Peter Phillip Nash on three counts of Narcotics Trafficking Conspiracy, Computer Hacking Conspiracy, and Money Laundering Conspiracy.
We perform a comprehensive measurement analysis of Silk Road, an anonymous, international online marketplace that operates as a Tor hidden service and uses Bitcoin as its exchange currency. We gather and analyze data over eight months between the end of 2011 and 2012, including daily crawls of the marketplace for nearly six months in 2012. We obtain a detailed picture of the type of goods sold on Silk Road, and of the revenues made both by sellers and Silk Road operators.
Through examining over 24,400 separate items sold on the site, we show that Silk Road is overwhelmingly used as a market for controlled substances and narcotics, and that most items sold are available for less than three weeks. The majority of sellers disappears within roughly three months of their arrival, but a core of 112 sellers has been present throughout our measurement interval. We evaluate the total revenue made by all sellers, from public listings, to slightly over USD 1.2 million per month; this corresponds to about USD 92,000 per month in commissions for the Silk Road operators. We further show that the marketplace has been operating steadily, with daily sales and number of sellers overall increasing over our measurement interval.
We discuss economic and policy implications of our analysis and results, including ethical considerations for future research in this area.
We perform a comprehensive measurement analysis of Silk Road, an anonymous, international online marketplace that operates as a Tor hidden service and uses Bitcoin as its exchange currency. We gather and analyze data over eight months between the end of 2011 and 2012, including daily crawls of the marketplace for nearly six months in 2012. We obtain a detailed picture of the type of goods being sold on Silk Road, and of the revenues made both by sellers and Silk Road operators. Through examining over 24,400 separate items sold on the site, we show that Silk Road is overwhelmingly used as a market for controlled substances and narcotics, and that most items sold are available for less than three weeks. The majority of sellers disappears within roughly three months of their arrival, but a core of 112 sellers has been present throughout our measurement interval. We evaluate the total revenue made by all sellers, from public listings, to slightly over USD 1.2 million per month; this corresponds to aboutUSD 92,000 per month in commissions for the Silk Road operators. We further show that the marketplace has been operating steadily, with daily sales and number of sellers overall increasing over our measurement interval. We discuss economic and policy implications of our analysis and results, including ethical considerations for future research in this area.
Anonymity in Bitcoin, a peer-to-peer electronic currency system, is a complicated issue. Within the system, users are identified by public-keys only. An attacker wishing to de-anonymize its users will attempt to construct the one-to-many mapping between users and public-keys and associate information external to the system with the users. Bitcoin tries to prevent this attack by storing the mapping of a user to his or her public-keys on that user’s node only and by allowing each user to generate as many public-keys as required. In this chapter we consider the topological structure of two networks derived from Bitcoin’s public transaction history. We show that the two networks have a non-trivial topological structure, provide complementary views of the Bitcoin system and have implications for anonymity. We combine these structures with external information and techniques such as context discovery and flow analysis to investigate an alleged theft of Bitcoins, which, at the time of the theft, had a market value of approximately half a million U.S. dollars.