Where There's a Will, There's a Way; Beyond Dark Web Marketplaces

Nearly a year has passed since law enforcement took down AlphaBay and Hansa, leaving many speculating about the future of dark web marketplaces. Expectations of an older, established market replacing AlphaBay, or the emergence of a new marketplace, have fallen short. Dream Market and Olympus are among those to have made a play, but no single marketplace has risen to the top, at least among the English-speaking community. Mistrust, fear and high barriers to entry are preventing new marketplaces from flourishing. But as the adage goes, “where there’s a will there’s a way.” So instead, we’re seeing cybercriminals rely on a patchwork of alternative solutions to conduct illegal online trade.

Users are retrenching to more specialized forums dedicated to hacking and security, which often act as a platform for trade. Sites like CrimeNet, HPC, and Exploit[.]in contain many examples of threat actors offering products such as ransomware variants, exploit kits, compromised accounts and payment card data. These sites work on a direct transfer system where vendors and customers will communicate directly to arrange payment, often through messaging services such as Jabber. Typically, sellers will advertise their products on these forums, and then direct users to dark web sites to arrange payment. 

Learning valuable lessons from the takedowns of AlphaBay and Hansa, administrators of these forums have been incorporating new technologies and processes for added security and trust among users. 

Some have been experimenting with decentralized blockchain domain name systems (DNS), which do not have a central authority and are deemed to make it much harder for law enforcement to take down criminal sites. Despite this promising model, the adoption of blockchain in this way hasn’t taken off yet, but it merits ongoing monitoring. Administrators are also updating processes to improve site security: advertising the store without revealing the domain, limiting new users’ access using mechanisms such as posting limits and area access restrictions to hamper law enforcement activity, or requiring multiple invitations or referrals from established members.

Another significant shift is that many cybercriminals are choosing to conduct their business away from dark web marketplaces and underground forums altogether. Increasingly, they are using their site to advertise their service and then directing users to dedicated channels on Jabber, Internet Relay Chat (IRC), Skype, Discord and Telegram to conduct their business. Buyers can contact sellers directly through peer-to-peer networks and private chat channels and execute transactions using cryptocurrencies or electronic payment services. With buyers and sellers spread widely across an increasingly decentralized community, the belief is that this will make things more difficult for law enforcement operations, which took advantage of having users congregated into a single, central location such as a marketplace.

As cybercriminals incorporate new processes, technologies and communication methods to continue their operations and realize financial gain, businesses and consumers should remain vigilant. The data and services cybercriminals are advertising within dark web markets and forums point to four areas of concern:

● Payment card fraud: the sale of credit cards as well as carding support, such as manuals and support services.

● Account takeover: user accounts for sale, including high profile breaches, repackaged credential sets, and cracking software.

● Counterfeits: fraudulent documents, scans, currencies and luxury goods.

● Insider threat: sharing of access to corporate networks and information.

Preventing your data from circulating within the cybercriminal ecosystem is a major challenge. But here are five general tips that can help reduce the chances of your data falling into the wrong hands:

1. Know where your most sensitive data resides, and then understand how a cybercriminal would monetize that data. 

2. Monitor the open, deep and dark web for mentions of your business, brand or personal information.

3. Increase your monitoring to cover peer-to-peer platforms and messaging channels that are increasingly being used by cybercriminals.

4. Use unique and strong passwords on your most sensitive or personal accounts and enable multifactor authentication to prevent account takeovers.

5. Don’t forget about third parties. Contractors and suppliers with privileged access to your sensitive information are also a weak point. Monitor and secure your supply chain networks in the same way you would your own employees and assets. 

Despite the demise of AlphaBay and Hansa, and the success of law enforcement operations, illicit online business will continue, and the same data and services will remain valuable. It is the marketplaces, forums and communication channels that will change. By closely following these shifts and trends, and watching for new activities and actors across a variety of data sources – not just the dark web – security professionals can continue to take steps to mitigate the digital risk to their enterprises, partners and customers.

Original author: Alastair Paterson