Dark web markets are constantly changing. The last major shakeup to occur was the disappearance of the Nucleus Market, which has been offline for nearly a month and a half. Since then, the site’s users have flocked to other markets in search of an alternative.
Many of those users have transitioned to AlphaBay, the current king of dark web markets. AlphaBay was the most popular marketplace before Nucleus Market disappeared. Since then it has only grown more popular.
A similar surge happened in March 2015 after the administrators of the dark web marketplace Evolution shut down and stole users’ bitcoins in an “exit scam.” In the three days following Evolution’s disappearance, AlphaBay received 18,000 new registrations, said alpha02, a well-known carder and founder of the AlphaBay market. A few months later another major dark web market, Agora, announced it was shutting down due to security issues. Once again, AlphaBay membership surged. By October 2015 AlphaBay announced it had hit 200,000 users and become one of the most popular markets on the dark web.
That growth has continued. In early January there were approximately 12,500 fraud-related listings. Today there are close to 20,000.
How Does AlphaBay Work?
As we noted last month, there are a lot of misconceptions about the dark web, and it is not hard for the average person to find these websites and purchase illicit goods and services. However, the markets are also full of law enforcement, researchers conducting threat intelligence (like SurfWatch Labs), and scammers. As a result, those buying and selling items tend to be concerned about two things: anonymity and security.
- Anonymity when purchasing: The combination of tools such as Tor, which helps users anonymously access the markets, and the growth of virtual currencies, which helps users anonymously purchase illegal items, has helped dark web markets such as AlphaBay flourish.
- Security among thieves: AlphaBay offers multi-signature escrow to help protect buyers from getting scammed. Money is deposited into a wallet with three people having keys: the buyer, the seller and the market. Two of those keys are needed to approve payment. If the buyer is happy, he or she releases the key and the seller is paid. If there is a dispute, the moderator can approve payment and give the second key to the seller — or deny payment and give the key to the buyer.
Many markets try to emulate the customer-friendly features seen on popular e-commerce sites such as Amazon or eBay. In the case of AlphaBay, there is both a “Vendor Level,” which is based on number of sales and amount sold, and a “Trust Level,” which is based on the level of activity within the community as well as feedback from users. In addition, buyers can view feedback in the forms of reviews and star ratings.
The key takeaway for those unfamiliar with these cybercriminal markets is that it is not that different an experience from buying things via the normal web.
What’s for Sale on AlphaBay?
Being the most popular dark web market, AlphaBay offers nearly every type of item or service for sale. Drugs are the most common type of item — as is true of most markets. SurfWatch Labs doesn’t collect data on every listing, instead focusing mainly on cybercrime-related items. Of those, credentials trade is the top trending practice tag over the past 30 days.
Credentials trade includes logins for various services and financial institutions. Those credentials can then be used for fraud, as a stepping stone for further attacks, or simply to use legitimate services such as Netflix or Uber for free.
Specific items related to credential theft for sale the past few weeks include …
Credentials to access various credit card accounts or the information to answer associated security questions:
Credentials that can be bought in bulk such as this list of 10,000 German email addresses and passwords:
Credentials for customer accounts at various restaurants and coffee shops, including some that have payment information connected to “auto-reload” the account whenever the balance gets low enough:
Credentials for reward accounts from airlines and other retailers that can be redeemed for various goods and services:
Credentials for hacked websites such as WordPress blogs:
Full profiles — which include names, email, passwords, phone numbers, Social Security numbers, dates of birth and more — basically, everything needed to set up an account, apply for credit or perform other fraudulent actions:
And credentials for many, many more accounts.
Where do all of these stolen credentials come from? They come from data breaches, malware that captures keystrokes, phishing and, as we noted earlier this week, the problem of people continuing to reuse passwords across multiple sites, which allows automated tools to use those giant lists of previously stolen credentials to gain access to other sites.
Of course, AlphaBay offers a plethora of other items for sale unrelated to stolen credentials, and we’ll touch on some of those in the coming week’s as we examine the other dark web markets. Those top markets tend to change due to exit scams, security concerns or law enforcement actions, but for now AlphaBay remains the king of the underground.