Top Dark Web Markets: TheRealDeal, Paranoia and Zero-Day Exploits

In trying to demystify the Dark Web, we’ve talked about the customer-friendly features of markets, the hand-holding nature of cybercrime-as-a-service, and the secure payment options that can protect anonymous buyers.

As we turn our attention to the exploit-centric TheRealDeal Market, it gives us a chance to examine an aspect of the Dark Web that isn’t so rose-colored: the paranoia that runs deep for many buyers, sellers and market operators.

A Quick Look at TheRealDeal Market

Of the many Dark Web markets, TheRealDeal Market has perhaps the most interesting backstory. While other markets focus on things such as drugs and stolen payment card information, TheRealDeal Market launched in 2015 with a focus on code — from zero-day exploits to known vulnerabilities to source code. This led to stories in high-profile outlets such as Wired, which described TheRealDeal as “a new marketplace [that] hopes to formalize that digital arms trade.”

Shortly after making those headlines, several members were arrested, the site went offline, came back online for a short period, and then disappeared again. Finally, half a year later, it relaunched in December 2015.

Exploits such as this alleged zero-day for ecommerce software are frequently listed on TheRealDeal Market.

The main reason for the long downtime was “paranoia,” as the site admin put it in an interview. That paranoia was grounded in real world events.

On July 13, 2015, the popular cybercrime forum Hell was shut down after its administrator, Ping, was arrested. A few days later — on July 15, 2015 — the FBI announced the dismantling of a dark web forum known as Darkode, which U.S. Attorney David J. Hickton described as “a cyber hornets’ nest of criminal hackers ” and “one of the gravest threats to the integrity of data on computers in the United States and around the world.” The coordinated law enforcement effort, known as Operation Shrouded Horizon, led to 70 Darkode members and associates across 20 countries being charged, arrested or searched.

As DeepDotWeb reported, those arrests tied up several members of TheRealDeal Market team.

“What I can say is that most of the original team is not with us at the moment,” TheRealDeal admin said in December. “Currently, at least for the time being, the market will be under the management of me (identified in support as admin S.P.), an old vendor that has stuck with us from the beginning, and a couple of trustworthy people from other darknet communities. I can also add that the main reason of the last down time was paranoia, if it turned out to be justifiable or not, I cannot say.”

That paranoia tends to run throughout all dark web markets — paranoia of law enforcement, paranoia of exit scams, paranoia of other users. As one drug vendor from the now-defunct Evolution Market said in a 2014 interview, “In this business it’s always better to be too paranoid than not paranoid enough.”

Feeding into that paranoia is the fact that the main administrator appears to have vanished recently and support has stopped replying to messages, at least according to one popular vendor.

“This [is] very strange by just leaving the market like this without any management or any notice for leaving,” the vendor told Motherboard in an online chat.

Yesterday, TheRealDeal Reddit account said the reason for the absence was an accident.

“Admin not dead, just almost,” the account wrote. “The only guy with the actual keys to the kingdom had a small accident. … More coming soon.”

What’s For Sale on TheRealDeal Market?

Since its December 2015 relaunch, TheRealDeal Market has once again been making national news. Most recently was a vendor selling a 200 million-strong database of alleged Yahoo user credentials, most likely stolen in 2012, for 3 bitcoin (around $1800). A Yahoo spokesperson said the company is aware of the listing and is investigating whether the data is legitimate.

The same vendor has recently sold massive databases of credentials from LinkedIn and MySpace.

A posting from TheRealDeal Market claiming to contain 200 million user passwords for Yahoo.

TheRealDeal Market sparked another national story this summer when a different vendor began offering a series of healthcare databases for sale. That actor was able to use the media — along with initial price tags in the hundreds of thousands of dollars — to generate a significant amount of attention around the postings, his or her alias, and TheRealDeal Market. A half dozen databases have since been posted ranging from 23,000 records to 9.3 million records.

One of the more recent postings is from a healthcare organization in Fairview, Illinois.

The seller claimed he or she was able to access various healthcare databases due to a zero-day vulnerability “within the RDP protocol that gave direct access to this sensitive information.”

“[The data] was retrieved from an accessible internal network using account credentials that were garnered through the token impersonation of an employee,” the listing reads. “First stage access was accomplished using RDP 0day.”

Although various stolen databases have generated most of the media attention around TheRealDeal Market, code-related items are a staple of the market — and one of the reasons it was founded.

“We actually tried selling such information and codes ourselves at some point [on established marketplaces] but it seems that all people want on those markets is credit cards and tutorials on how to make money with credit cards,” an admin said in an interview in April 2015. “The problem is that 90% of these dealers are scammers. People with a lot of experience can always do their best to determine if what they are buying is real based on technical information and demos but some of these ‘vendors’ are very clever and very sneaky. We decided it would be much better if there was a place where people can trade such pieces of information and code combined with a system that will prevent fraud and also provide high anonymity.”

The past month SurfWatch Labs has observed various alleged zero-day exploits for sale on TheRealDeal Market.

These include a listing claiming “a remote code execution that allows installation of any APK file on any Android phone that has [a certain gambling application] running.”

The alleged zero-day exploit is selling for 12 bitcoin (around $7000).

There is also a posting claiming a local privilege escalation zero-day that will “go from user to SYSTEM in a few lines of code.”

This alleged local privilege escalation zero-day is also selling for 12 bitcoin (around $7000).

Then there is an alleged zero-day in a popular messaging app, which can lead to denial of service.

This denial-of-service exploit for a popular app is listed for 7.5 bitcoin (around $4,500).

In addition to zero-days and known exploits, there is also a variety of source code and other listings that can be found on the TheRealDeal Market.

For example, a recent listing claims to be selling information stolen from a large HL7 developer located in the United States.

“In addition to the source code for the HL7 Interface Engine software, the private keys for signing the code will also be included as well as the licensing database that entails a full record of all clients and their status information,” the listing reads. “There are many legitimate and nefarious uses for this exclusive package offer. You are only limited by your imagination.”

This source code, signing keys and licensing database from a U.S. HL7 software developer comes with a hefty price tag of 40 bitcoin (around $23,000).

Another listing offers an enterprise code signing certificate.

“No timewasters please, if you don’t know why this is so expensive or what to do with it  — don’t bother,” the seller wrote.

This enterprise code signing certificate is listed for 15 bitcoin (around $9,000).

These are just a sampling of the many recent listings on TheRealDeal Market.

Although TheRealDeal Market may not be as popular as AlphaBay or other markets that we’ve profiled over recent months — which tend to be dominated by things such as illegal drugs, hacking tutorials, payment card information and stolen credentials — TheRealDeal Market has managed to frequently make headlines for the types of information sold there, connections to other high-profile arrests, and now, the recent disappearance of the current admin.

Top Dark Web Markets: HANSA, Piracy and Exit Scams

HANSA Market is the third most popular dark web market this year, according to data from SurfWatch Labs. It’s a new and growing market focused on the security of its users. Previously in this series we’ve talked about Alpha Bay and the problem of stolen credentials and Dream Market and the cybercrime-as-a-service model. As we turn our attention to HANSA, it’s an opportunity to reflect on how these dark web markets work — and the reason there has been so much turnover the past few years.

Piracy is one of the top trending cybercrime categories on HANSA market. This includes pirated software, video games, movies, books and other media as well as credentials for related accounts. In the screenshot above a vendor is selling a collection of 21 ebooks by a popular author for just $4.99.

HANSA was created in response to the many exit scams that have occurred over the past few years. Most dark web markets require buyers to deposit money (bitcoins) before they can purchase. Once a market becomes popular, there can be a significant amount of bitcoins in limbo, and owners are often tempted to shut the market down and take all the money that has built up. HANSA created a system that they claim ensures that no exit scam is possible.

“After recent exit scams of various marketplaces (e.g. Evolution, BlackBank) we wanted to create a market where it is impossible for either admins or vendors to run away with your funds,” the admins wrote. “Most markets operate the same: Blindly deposit money into your account, wait for confirmations and then make the purchase. … On HANSA you do not have to deposit Bitcoins before your purchase. Every order is simply a Bitcoin transaction itself.”

How Do Exit Scams Work?

Not long ago — before the FBI took down Silk Road and creator Ross Ulbricht was sentenced to life in prison — there was a dream of a victimless black market where users could Anonymously purchase illicit goods such as drugs beyond the reach of intrusive government laws. But as Wired’s Andy Greenberg wrote in January, that dream is now largely dead due to the many exit scams and the turnover in marketplace leaders over the past few years:

The result has been that the libertarian free-trade zone that the Silk Road once stood for has devolved into a more fragmented, less ethical, and far less trusted collection of scam-ridden black market bazaars. Instead of the Silk Road’s principled—if still very illegal—alternative to the violence and unpredictable products of street dealers, the dark web’s economy has become nearly as shady as the Internet back alley politicians and moralizing TV pundits have long compared it to.

The most striking example of this is the Evolution Market exit scam. In March of 2015, the Evolution marketplace halted bitcoin withdrawals from the site for a week, using the excuse of technical difficulties as the owners, known as Verto and Kimble, let the virtual coffers build. Then they closed up shop and walked away with an estimated $12 million in bitcoin.

An admin for the market summed up the bad news to fellow users in a Reddit post, “I am so sorry, but Verto and Kimble have fucked us all.”

In April 2016, a year after the disappearance of Evolution, Nucleus Market, at the time the number two most popular dark web marketplace, suddenly vanished. Rumors of an exit scam abound.

However, not all exit scams are so high profile. Most exit scams are actually done by individual vendors, as Motherboard’s Jon Christian noted.

“It turns out that a logistical problem with darknet markets is that when a vendor throws in the towel, it’s very tempting for him or her to stop mailing drugs, but continue pocketing customers’ payments for as long as possible,” Christian wrote. “If you’ve built up a good reputation on a darknet market’s seller rating system — which, like eBay, is based on feedback from other users — why not keep pulling in cash until the review system catches up with you?”

Escrow Payments and Finalizing Early

Many markets offer protection to buyers against this type of scam in the form of escrow payments. A neutral third party such as the market holds the money until the buyer has received the goods. After the buyer receives the order, payment is released. In the case of disputes, marketplace admins often act as an arbiter. However, many buyers and sellers use something known as “Finalize Early.” Essentially, the buyer releases the funds from escrow before receiving the goods or services. Some vendors abuse this trust.

HANSA does not offer the option to Finalize Early, ensuring that extra layer of protection is behind all market transactions.

While this policy helps protect buyers from vendor exit scams, there is still the concern that the market itself may perform an exit scam. In fact, this is one reason why some vendors prefer Finalizing Early. With numerous transactions in escrow, the market can at any time be holding a significant amount of bitcoins, and that can be tempting to steal. Finalizing Early lets those vendors receive payment immediately.

Multisignature Transactions

This is where multisignature escrow applies. HANSA uses a 2-of-2 multisignature escrow process (vendor-HANSA). As they explain, “Funds can only be accessed by the vendor after the buyer finalizes a transaction and can never be accessed by the site staff. Theft from either party is impossible.”

In January HANSA announced that it now supports 2-of-3 multisig transactions (buyer-vendor-HANSA) as well.

“The only flaw our market had in the past was the loss of Bitcoins in cases like the vendor losing his/her Bitcoin private key or him/her refusing to refund buyers in cases of disputes,” HANSA announced. “Fortunately this has happened very rarely and we have reimbursed the buyer every time out of our own pocket. Still, this can be avoided.”

With 2-of-3 multisig transactions, money is transferred into an escrow fund shared by the buyer, the seller and HANSA. Once two out those three parties approve the transaction, the funds are released.

This isn’t a new system. In fact, Evolution offered multisignature transactions designed to stop the exact kind of exit scam they eventually performed, but not many buyers used the feature.

As a moderater of the DarkNetMarket subreddit noted after the Evolution theft, “Maybe this will open more people’s eyes to the benefits of multisig.” Then he added, “Nah, who am I kidding? When has an event like this ever changed anything?”

The disadvantage is that the process can seem complicated and may turn away some users, which may be one of the reasons why HANSA is not quite as popular as AlphaBay and Dream Market — although at the moment it remains as one of the more trusted and stable dark web markets.

Healthcare Databases for Sale on Dark Web, but What Else is Being Sold?

The recent theft and potential sale of various healthcare databases has once again put the sector at the forefront of cybercrime — and makes many wonder how their information is affected by criminal activity on the dark web. While healthcare-related data is not nearly as prevalent on the dark web as other sectors like financial services, SurfWatch Labs has observed a variety of items being offered up for sale in addition to this week’s headline-making healthcare databases.

As previously noted, common threat intelligence found on the dark web includes compromised credentials, stolen financial information, stolen intellectual property, threats stemming from an organization’s supply chain, and information on a wide range of hacking services and other cybercrime tools. These same categories also apply to healthcare organizations.

Over the past year SurfWatch Labs has observed direct healthcare breaches, third-party breaches that have impacted healthcare organizations’ employee accounts, fraudulent prescriptions, and other healthcare-related cyber threats.

What’s Being Sold on the Dark Web Now?

This week, several healthcare databases were put up for sale on the dark web by an actor going by the name “TheDarkOverlord” — along with a hefty price tag for that information.

On Monday, after previously posting three different databases that contain names, addresses, Social Security numbers, birth dates and some phone numbers of 655,000 individuals, the hacker told the Daily Dot that he was sitting on a “large” number of other databases. On Tuesday he followed through on that claim, adding for sale a database of 34,000 records from a New York Clinic as well as a health insurance database with 9.3 million patients, which he said was stolen using a zero-day vulnerability “within the RDP protocol that gave direct access to this sensitive information.” On Wednesday he again made headlines by naming one of the companies breached, Midwest Orthopedic Clinic in Farmington, Missouri, and said that the owner “should have just paid up to prevent this leak from happening.”

According to the post, the 2GB file contains 9,278,352 records and is selling for 750 bitcoin (around $485,000), a far higher price than is typical for items sold via dark web markets.

A posting of more than 9 million records is on the extreme end of the price spectrum, and it could be that the actor is trying to spin up some media attention in order to better extort potential victims or drive future sales — if he is indeed sitting on many more databases to sell.

More typical of the type of healthcare-related information found for sale on the dark web is counterfeit documents and other identity information that can be used for different types of fraudulent purposes, including but not limited to medical. Although this information does not sell for hundreds of thousands of dollars and make national headlines, it is much more prevalent.

For example, fraudulent medical cards from around the world are available for approximately a few hundred dollars.

In the posting below, a vendor is selling a Quebec Medicare card template for $700. “Why is it so good?” the vendor asks rhetorically. “Because it has the latest security features, and is a valid photo ID. Most places will trust the Medicare [card] before they trust the DL [driver’s license] because almost no one makes them.”

The vendor is also selling driver’s license templates, but fraudulent Medicare cards are an easier option for the buyer, he wrote. With this card, all the buyer needs is a hologram overlay (which he conveniently also sells) and an embosser.

Likewise, non state-sponsored health cards are available. The listing below, from a now-defunct dark web marketplace, is selling a U.S. health insurance card for $40.

Why? “These are to provide proof that you have health insurance in the United States,” the seller wrote, adding that an insurance card like the one provided is an excellent way to round out a fake identity. “If a fake ID is questioned, this can be pulled out to back it up and eliminate any question. [It] may save you. In addition it may be used as a secondary form of ID to open up a PO box under a false identity.”

Insurance cards like the one for sale here have a variety of cybercriminal uses ranging from direct medical identity theft to verification purposes in order to perpetrate other forms of fraud.

Some items for sale on the dark web leverage physicians’ identities. The posting below is from a vendor who is currently selling a signed California drug prescription form from a medical group with six different doctors. “These are REAL doctors Rx Scripts, from a REAL CA medical practice,” the vendor wrote. “These are extremely hard to come by.”

The form, which includes up to three prescriptions, is selling for $75, and the vendor will even fill out the script for an extra $100 if the buyers are unsure how to do so.

“The form contains Doctors Names, DEA numbers, and CA license numbers,” the listing reads. “These are signed prescriptions you can fill out yourself for pharmaceuticals in CA, I would like to get rid of these ASAP.”

Additionally, the dark web is often associated with illegal drugs – and for good reason. Reporting on dark web markets such as Silk Road tends to focus on hard drugs; however, prescription drugs are readily available. They can be purchased from a variety of sellers on nearly every dark web marketplace.

This vendor is selling a wide wide range of prescription drugs in different dosages.

Utilizing Cyber Threat Intelligence

In addition to the postings from open marketplaces shown above, there is information to be gained from the private cybercriminal forums and markets on the dark web. As more researchers and law enforcement turn to the dark web for intelligence gathering purposes, cybercriminals have begun to take more precautions. Some markets require a referral to gain access. Some require a user fee. This chatter, both the public postings and more restrictive groups, can provide important insight into the most active cyber threats facing your organization.

For example, SurfWatch Labs has previously observed certain forum members requesting health insurance records from specific companies – presumably to assist in perpetrating insurance fraud as one actor was specifically looking for “high cost treatments.” Knowing which actors are targeting an organization, what those actors are looking for, and other chatter around potential cyber threats can be invaluable when it comes to planning, budgeting and implementing a company’s cyber risk management strategy.

This type of dark web threat intelligence provides direct insight into the malicious actors that target healthcare organizations, and it goes beyond the big ticket items that generate news headlines and spark a national conversation. Those stories are important, but in many ways the dark web shines a light on a cybercrime problem that is much more insidious: death by a thousand cuts.

With so many different threats out there, knowing which threats to focus on is critical. In many ways cybersecurity is simply about effective prioritization, and to that point, cyber threat intelligence and the dark web is a vital aspect.

Top 5 Items for Sale on the Dark Web, and What Businesses Can Learn From Them

In April 2016, the dark web market Nucleus went offline. Before its disappearance, Nucleus had become the number two most popular market on the dark web, hosting tens of thousands of listings for a variety of illicit goods and services. The debate continues around why Nucleus vanished; however, it was just one of the many different markets where users could go to anonymously purchase credentials to customer accounts, stolen payment card data, pirated software, counterfeit currency and goods, malware, hacking services and more.

pic 1
Screenshot of Nucleus Market before it went offline in May.

Knowing this can be quite useful to businesses and threat researchers. It can be leveraged for valuable cyber threat intelligence including the kind of data being bought and sold by cybercriminals, tools and services that are commonly used, and vulnerabilities that are being actively exploited. Most importantly, the dark web provides much needed context. But with the huge number of threats out there, some legitimate and some not, where should organizations focus their resources? Threat intelligence from the dark web can help provide businesses with that important insight. With that in mind, here are five of the most common items for sale on the dark web, and how that information can help organizations combat cybercrime, according to SurfWatch Labs data.

1.Stolen Credentials

Although a wide variety of cybercrime-related items are for sale on the dark web, stolen credentials are among the most prevalent. When looking at the most popular dark web market in 2016, credentials trade accounts for nearly a quarter of the data collected by SurfWatch Labs. Cybercriminals initially get this information by using phishing messages, malicious applications, and other methods to get malware such as keyloggers installed on victims’ devices. These stolen usernames and passwords often end up for sale on the dark web where other malicious actors then use them for a variety of purposes. Although online banking accounts are a natural target, other types of credentials readily available for purchase include employee and personal email accounts, social media accounts, eBay and PayPal accounts, and other popular services such as Netflix, Uber, and more.

How this can help your organization: With the huge number of data breaches and stolen credentials out there, it is likely that some employees have had their usernames and passwords compromised, and in many instances those include work-related email addresses. Monitoring the dark web for stolen credentials related to your brand and your employees can allow you to educate users, prevent fraudulent logins and stop a future attack from spreading.


pic 2


2. Fraud and Stolen Identities

When a point-of-sale data breach occurs, that stolen payment card information often ends up for sale on various dark web markets. Cybercriminals act very quickly to monetize those accounts. The longer a stole card is on the market, the less valuable it becomes due to the likelihood of it being tied to a data breach, theft, or other fraud — and cancelled by the bank or cardholder. Other items for sale related to fraud include counterfeit documents such as passports and driver’s licenses as well as personal information needed to open lines of credit such as Social Security numbers, dates of birth and other identifiers. Like traditional crime, cybercrime is largely driven by money, and fraud and stolenidentities have traditionally been the go-to methods for turning a quick profit. However, it is not just the occasional thugs perpetrating these acts. It is often professional cybercrime rings run by gangs in other countries that have been perfecting their techniques for years.

How this can help your organization: Many point-of-sale data breaches aren’t discovered until the stolen payment card information shows up for sale or fraudulent charges begin occurring on enough cards to pinpoint a source of the compromise. By finding the stolen information sooner rather than later, retailers and financial institutions can shorten the shelf life of stolen cards and reduce potential losses.

pic 3


3. Intellectual Property

Media piracy is a popular practice on the dark web. Stolen ebooks, music, movies and other forms of entertainment are sold at a fraction of the cost — with none of the profits going to the creators. In addition to piracy, even more damaging forms of intellectual property are bought and sold on the dark web. This may include source code, stolen customer lists, trade secrets and other sensitive data stolen from organizations. A report by the Commission on the Theft of Intellectual Property stated that stolen intellectual property costs the United States as much as $300 billion each year, and the Center for Responsible Enterprise and Trade estimates trade secret theft costs between one and three percent of the GDP of advanced economies. Not all of that is sold on the dark web — much of it is nation-state espionage — however, of all the items for sale on the dark web, intellectual property tends to be the most impactful and have the most long-term consequences for organizations.

How this can help your organization: Finding intellectual property such as source code for sale on the internet is a significant cause for concern. Unlike payment card information, which can be stolen from a variety of locations, intellectual property is a likely indicator of either an intruder gaining access or an insider selling valuable information. Media piracy, which is the most common form of intellectual property for sale, can lead to a significant loss of income, particularly if that item finds it’s way onto popular torrent sites where users freely share stolen material.

pic 4


4. Supply Chain Threats

Effective threat intelligence should include all the cyber risks facing an organization, including risk faced by third-party partnes and vendors. Vendors may have their own credentials or intellectual property for sale on the dark web, or there may be relevant vulnerabilities that are being actively exploited by malicious actors. Those potential issues may move down the supply chain and impact other organizations along the way. For example, in April 2016 SurfWatch Labs threat intelligence analysts uncovered a breach into web hosting provider Invision Power Services, whose customers include professional sports leagues as well as major media and entertainment companies. A malicious actor indicated plans to infect those brands’ users with malware. Although these incidents are often not the direct fault of those companies, the fallout from customers, investors and regulators does tend to fall directly at the feet of those organizations.

How this can help your organization: Vendors and the supply chain are among the most common causes of data breaches, yet they’re often a blind spot when it comes to an organization’s cybersecurity practices. Having insight into potential issues not just within your organization, but with your partners can help to give a more complete picture of your organization’s risk and help alert you to any potential issues before they make way down the supply chain and into your business.

pic 5


5. Hacking Tools and Services

In addition to stolen items, malicious actors can purchase many different types of hacking tools and services. One popular market actually began by specializing in selling zero-days and other rare exploits. For example, one user was previously selling a new way to hack Apple iCloud accounts for $17,000. Other items for sale include exploit kits, keylogging malware, phishing pages, remote access Trojans, hacking guides and more. The cybercrime tools purchased may even come with subscription services, easy-to-use interfaces, technical support and other features often associated with legitimate software. In addition, cybercrime services are for sale including distributed denial-of-service attacks, doxing and help hacking accounts. The cybercrime-as-a-service model has segmented the market so that actors can specialize in their own field, whether that is running a botnet, creating exploit kits or stealing credentials. All types of cybercrime tools and services are available — for a price.

How this can help your organization: Knowing what tools are readily available and popular can help organizations defend against common attack methods. In addition, new exploits that are put up for sale or modifications to existing tools can provide insight into how cybercriminals are evolving their attacks in order to evade detection. This context, combined with other dark web threats, can help provide the necessary threat intelligence to help effectively guide your organization’s cyber risk management strategy.

pic 6

Top Dark Web Markets: With Dream Market You Can Be a Criminal Too!

Two weeks ago we talked about the disappearance of Nucleus Market and how many of its former users have moved to AlphaBay, the unquestioned leader in terms of current dark web activity.

This week we turn our attention to Dream Market, the second most popular dark web market of 2016, according to SurfWatch Labs’ threat intelligence data.

A Quick Look at Dream Market

The places where cybercriminals go to sell their illicit goods and services are constantly changing. This is due to a combination of exit scams that rip off buyers, law enforcement disrupting operations, and a healthy paranoia that may lead those running certain markets to close up shop before getting caught. Dream Market has been around since November 2013 — a significant achievement in the ever-evolving cybercriminal scene. At two-and-a-half years of age, it is the oldest existing dark web marketplace, and that longevity has helped it to establish a certain level of trust among its users.

Although most dark web markets sell a wide variety of items, certain sites tend to attract specific types of listings over others. For example, when we wrote about AlphaBay, we focused on the problem of stolen credentials, the market’s most popular practice tag, according to SurfWatch Labs’s data.

When looking at Dream Market, credentials trade is much less popular. Instead, the most popular type of listing involves crimeware.

This heat map is colored by the most popular cybercrime practice tags found on each market, with red signifying a higher percentage of listings. Interestingly, the three most popular markets this year all have a different focus: carded account trade for the now-defunct Nucleus Market, credentials trade for AlphaBay, and crimeware trade for Dream Market.

Although Dream Market’s popularity is growing, some users have reported occasional issues accessing the market since Nucleus went offline. This may be due to the influx of former Nucleus users or — as has occurred in the past — DDoS attacks from competitors trying to disrupt the user base.

Crimeware Trade and “Sophisticated” Cybercriminals

There’s a perception that cybercriminals are growing increasingly sophisticated. This is driven home by the fact that nearly every company’s PR team rolls out the “we were victims of a sophisticated cyber-attack” line after each incident. It’s true; the cybercrime-as-a-service model has allowed for advanced techniques to be more readily available to the average hacker. However, the root causes of data breaches and other cyber incidents tend to remain relatively unsophisticated.

When looking at the many listings on Dream Market related to crimeware trade, it’s clear that not everyone is a criminal mastermind performing million dollar wire fraud or business email compromises scams. In fact, many crimeware items for sale on Dream Market and elsewhere aren’t malware like remote access Trojans or keyloggers at all, but rather basic guides on how to perform simple, low-level thefts.

For example, there’s the below vendor who’s selling a guide on how to scam a major retailer for in-store credit. This “dead serious” scam has even been used to make money to take dates out for drinks and to get a tank of gas. Your satisfaction is guaranteed!


Are you hungry? You won’t be anymore if you follow this other vendor’s advice on scamming a popular pizza chain. Get unlimited free pizza.


Or are you an aspiring fraudster looking for someone to take you under their wing? For just the low price of $2.99, you can learn how to take advantage of this company’s obvious security flaws, handy smartphone application, and no-questions-asked refund policy. The vendor even claims it’s legal!

Dream_Scam2 - Copy

Or maybe you’ve hit hard times and need a few bucks. No worries! This vendor has a guide that’s “perfect for those in financial instability situations.” Just purchase some of the many bank account credentials that are advertised with enticing balances, and pair those with this handy step-by-step tutorial to cash them out — no knowledge necessary.


Or maybe you hear about all these tools used to discover vulnerabilities and hack businesses, but you don’t know how to use them. There are plenty of guides for those without technical knowledge.


Of course, real malware, tools and hacking services are for sale, along with stolen credentials, pirated media, counterfeit documents and more.


Although it’s fun to look at some of the over-the-top salesmanship and scams for sale on Dream Market and others, it is important to note that those low-dollar fraudulent charges, while not enough to make news headlines, do have a significant impact on the companies they’re targeting and the individuals they’re ripping off.

Also, the fact that potential criminals can have their hands held throughout the whole process of cybercrime — from phishing to malware to cashing out funds — is a growing concern. As we wrote in SurfWatch Labs’ 2015 Year in Review, “This separation of the technical aspect of cybercrime has widened the pool of potential hackers and lessened the knowledge gap that previously separated groups of malicious actors.”

There is no need to build an exploit kit or point-of-sale malware from scratch. Simply purchase the latest tools complete with customer service and technical support. Need a phishing page or information on a company’s employees? Buy one of the many guides on social engineering. No time for that? Simply hire one of the many services to do the technical legwork for you.

The good news? All of the information and tools available to those wannabe hackers can be leveraged by organizations as well. This dark web threat intelligence can help us better understand the relevant cyber threats facing organizations, their supply chain and their customers.

Next week we’ll look at another dark web market to see what intelligence we can learn.

Top Dark Web Markets: AlphaBay and Stolen Credentials

Dark web markets are constantly changing. The last major shakeup to occur was the disappearance of the Nucleus Market, which has been offline for nearly a month and a half. Since then, the site’s users have flocked to other markets in search of an alternative.

Many of those users have transitioned to AlphaBay, the current king of dark web markets. AlphaBay was the most popular marketplace before Nucleus Market disappeared. Since then it has only grown more popular.

A vendor selling hacked bank account logins on AlphaBay.

A similar surge happened in March 2015 after the administrators of the dark web marketplace Evolution shut down and stole users’ bitcoins in an “exit scam.” In the three days following Evolution’s disappearance, AlphaBay received 18,000 new registrations, said alpha02, a well-known carder and founder of the AlphaBay market. A few months later another major dark web market, Agora, announced it was shutting down due to security issues. Once again, AlphaBay membership surged. By October 2015 AlphaBay announced it had hit 200,000 users and become one of the most popular markets on the dark web.

That growth has continued. In early January there were approximately 12,500 fraud-related listings. Today there are close to 20,000.

How Does AlphaBay Work?

As we noted last month, there are a lot of misconceptions about the dark web, and it is not hard for the average person to find these websites and purchase illicit goods and services. However, the markets are also full of law enforcement, researchers conducting threat intelligence (like SurfWatch Labs), and scammers. As a result, those buying and selling items tend to be concerned about two things: anonymity and security.

  1. Anonymity when purchasing: The combination of tools such as Tor, which helps users anonymously access the markets, and the growth of virtual currencies, which helps users anonymously purchase illegal items, has helped dark web markets such as AlphaBay flourish.
  2. Security among thieves: AlphaBay offers multi-signature escrow to help protect buyers from getting scammed. Money is deposited into a wallet with three people having keys: the buyer, the seller and the market. Two of those keys are needed to approve payment. If the buyer is happy, he or she releases the key and the seller is paid. If there is a dispute, the moderator can approve payment and give the second key to the seller — or deny payment and give the key to the buyer.

In addition, in just the past few months AlphaBay has rolled out mandatory two-factor authentication for vendors as well as a detailed privacy policy — the first dark web market ever to do such a thing, it claims.

Many markets try to emulate the customer-friendly features seen on popular e-commerce sites such as Amazon or eBay. In the case of AlphaBay, there is both a “Vendor Level,” which is based on number of sales and amount sold, and a “Trust Level,” which is based on the level of activity within the community as well as feedback from users. In addition, buyers can view feedback in the forms of reviews and star ratings.

Seller ratings on AlphaBay.

The key takeaway for those unfamiliar with these cybercriminal markets is that it is not that different an experience from buying things via the normal web.

What’s for Sale on AlphaBay?

Being the most popular dark web market, AlphaBay offers nearly every type of item or service for sale. Drugs are the most common type of item — as is true of most markets. SurfWatch Labs doesn’t collect data on every listing, instead focusing mainly on cybercrime-related items. Of those, credentials trade is the top trending practice tag over the past 30 days.

Although all types of items are for sale on AlphaBay, credentials trade is the top trending practice tag over the past month, according to SurfWatch Labs.

Credentials trade includes logins for various services and financial institutions. Those credentials can then be used for fraud, as a stepping stone for further attacks, or simply to use legitimate services such as Netflix or Uber for free. 

Specific items related to credential theft for sale the past few weeks include …

Credentials to access various credit card accounts or the information to answer associated security questions:


Credentials that can be bought in bulk such as this list of 10,000 German email addresses and passwords:


Credentials for customer accounts at various restaurants and coffee shops, including some that have payment information connected to “auto-reload” the account whenever the balance gets low enough:


Credentials for reward accounts from airlines and other retailers that can be redeemed for various goods and services:


Credentials for hacked websites such as WordPress blogs:


Full profiles — which include names, email, passwords, phone numbers, Social Security numbers, dates of birth and more — basically, everything needed to set up an account, apply for credit or perform other fraudulent actions:


And credentials for many, many more accounts.

Where do all of these stolen credentials come from? They come from data breaches, malware that captures keystrokes, phishing and, as we noted earlier this week, the problem of people continuing to reuse passwords across multiple sites, which allows automated tools to use those giant lists of previously stolen credentials to gain access to other sites.

Of course, AlphaBay offers a plethora of other items for sale unrelated to stolen credentials, and we’ll touch on some of those in the coming week’s as we examine the other dark web markets. Those top markets tend to change due to exit scams, security concerns or law enforcement actions, but for now AlphaBay remains the king of the underground.

Nucleus Market Vanishes – Now What?

Over the past year, the number two Dark Web market in terms of activity was Nucleus. As of late 2015, this market had more than 25,000 vendor listings, but on April 13 of this year, Nucleus disappeared.

While it’s not the first time Nucleus has been down and it’s not uncommon for Dark Web markets to go offline, we are now one month into this “downtime.” As recently as May 8 there are still more than 5000 Bitcoins in the Nucleus wallet (a value of more than $2.25M USD). Here are some possible explanations:

  1. Exit Scam? There is a lot of talk from Nucleus Market buyers and sellers of an “exit scam.” Exit scams occur when the marketplace vendor wants out of the game and closes up shop, but doesn’t tell users and continues to accept payments in Bitcoin. If this is case, the owner of Nucleus Market may have pulled off quite the heist. However, there is a substantial quantity of bitcoins associated with the Nucleus Market and they continue to build each day. Since the market went offline there have been no withdrawals from the Nucleus wallet; however, there has been continuous deposits. Is the owner planning to grab that money and run? Or not?
  2. Hacked? Another possibility is that Nucleus was hacked and subsequently brought down. Legit business aren’t the only ones being victimized. There is some speculation that an actor who goes by the handle “theDmaster” exacted revenge on the market after he was kicked out. If this occurred, it’s possible that a) the access to the Bitcoins has been blocked as part of the attack or b) that the owners of Nucleus are in fact trying to get the market back up and running and thus have not run off with the Bitcoins.
  3. Busted? It’s also possible the Nucleus market was busted by law enforcement and/or the site’s owners are in hiding. The alleged administrators of Nucleus recently posted a comment about Interpol seizing their servers and that they were now working with Dream Market (another dark web marketplace) but this could just as easily be a plug from  competitor Dream Market in the hopes of winning Nucleus market customers.

Investigations will of course continue into Nucleus Market but how does what we know now impact dark web trade?

Before its disappearance from the Dark Web, Nucleus market was one of the top places to go for:

  • Drugs and paraphernalia
  • Fraud related activity (such as payment card information, stolen accounts)
  • Guides & tutorials (How to card; Get rich quick schemes; Black Hat SEO; Drug manufacturing)
  • Services (such as hacking for hire, fraud related services)
  • Counterfeits (i.e. money, apparel, tickets, etc.)
  • Digital goods, media piracy
  • Electronics
  • Erotica
  • Jewelry
  • Lab supplies
  • Weapons

Nucleus vendors now need to get their wares ready for sale on other markets. There has been significant buyer and vendor chatter about moving to AlphaBay, Dream Market, Hansa, Oasis, Valhala, Acropolis and new markets such as LEO. If they do, these vendors must re-establish street cred on the markets where they set up shop. It may also take time for buyers to find their preferred vendors.

What does this mean for you?

First, recognize there is no honor among thieves. Second, and more importantly, this highlights the “intelligence challenge” of dark web surveillance as markets and vendors disappear and sometimes reappear. By tracking the commodities being sold on the black markets, organizations can gauge the underground market economy and get an idea of what commodities are being actively sold, what prices they are being sold for, and how much volume they are moving. No different than a legitimate business, you can get a sense of what commodities are the top desired items and therefore gain an understanding of what the future targets may be. Most importantly, you will know if you look similar to those targets.

When markets such as Nucleus cease operations, the actors who were operating in that area will quickly scatter to new locations and start anew. From an intelligence perspective this creates an instance where past history measurements lose some steam and causes a moment of chaos until the market places begin to settle down.

While the Nucleus Market going offline is most impactful to the users who lost their money, it does illustrate the need for continuous monitoring of the black markets to understand the potential fraud footprint and how it shifts. For organizations that have to continuously battle a large fraud footprint, it is critical to maintain situational awareness of the ebb and flow of market change.

Dark Web Insights: Misconceptions About the Dark Web

The Dark Web is often misunderstood. For the unfamiliar, it is often viewed as either a mysterious place full of technological gurus communicating via primitive interfaces or else something akin to the Wild West — a no-holds-barred free-for-all of dangerous and illicit activity. 

However, neither is the case.

The most popular marketplaces, where everything from stolen identities and credit cards to drugs and weapons are for sale, are more reminiscent of popular e-commerce sites than of the shady, backdoor dealings one may expect from criminals. Buying stolen accounts and intellectual property — as well as exploit kits, hacking-for-hire services, and the infrastructure to distribute malware is actually quite simple.

This reality runs contrary to much of the media coverage around the Dark Web. Stories such as the 2013 take down of the infamous Silk Road marketplace tend to focus on the scary aspects of “hidden” websites or scandalous details such as the Silk Road’s murder-for-hire plot — ignoring the fact that most people with an hour of free time and a few Google searches can easily find these sites and purchase illicit goods and services if desired.

In this series of blog posts, SurfWatch Labs hopes to shine on light on various aspects of the Dark Web, starting with what the Dark Web actually is — and what it isn’t.

1. Most Dark Web Markets are Customer Friendly

Those new to the Dark Web are often surprised by the level of customer service and the ease of which fraudulent goods and services can be obtained. However, this makes sense given the fact there are many competing marketplaces on the Dark Web. Customers and sellers are going to gravitate towards markets that appear the safest and have the best features.

AlphaBay is among the most popular and established Dark Web marketplaces (Nucleus Market, another popular marketplace, recently went offline). These marketplaces try to emulate the features seen on popular e-commerce sites such as Amazon or eBay.

PayPal accounts for sale on AlphaBay

Some of these features include:

  1. Easy Navigation – Items are categorized into high-level categories such as fraud with subcategories like accounts, credit cards, personal information, data dumps and others.
  2. Vendor and Trust Levels – Sellers often have ratings. In the case of AlphaBay there is both a “Vendor Level,” which is based on number of sales and amount sold, and a “Trust Level,” which is based on the level of activity within the community as well as feedback from users.
  3. Feedback and Refunds – Buyers can also see feedback from customers and often have the option of returns or replacements such as credit card numbers that may no longer work due to being reported stolen.

Although these Dark Web markets tend to not be discoverable through Google and often require special software such as the Tor browser in order to access, they do want users to find and use them — so they are easy to locate, search for goods or services and make purchases.

2. They’re Concerned About Security and Trust

Most people know the old adage “there is no honor among thieves,” and these illicit markets work hard to help assuage those fears. This begins at the customer level with ratings and reviews.

Seller ratings on AlphaBay Market appear similar to the ratings on eBay. The system includes independent ratings for stealth, quality and value of the product; the total number positive, negative and neutral ratings over set periods; and text reviews from previous customers about their purchases.

These features help to establish trust when buying things like malware and stolen credit cards. Through ratings and feedback the community can collectively judge whether the items for sale can be used for legitimate fraud and attacks – or if they are just a scam.

In fact, these markets are actively trying to combat spammers and other bad actors just like e-commerce sites on the surface web. In March AlphaBay announced that they were rolling out mandatory two-factor authentication. As Motherboard’s headline ironically noted, “Some Dark Web Markets Have Better User Security than Gmail, Instagram.”

“We now enforce mandatory 2FA (two-factor authentication) for all vendors,” read the AlphaBay announcement. “This is part of an increasing effort to stop phishing on the marketplace. We recommend that everyone uses 2FA for more security.”

In addition, many markets try to avoid coming to the attention of law enforcement. Following the November 2015 terrorist attacks in Paris, which killed 130 people, Nucleus Market posted this message on its homepage:

Message posted on Nucleus Market stating they would now longer allow the sale of weapons.

The decision came just a week after the shootings and news reports that the guns used in the attacks may have been acquired from the Dark Web. Likewise, although child pornography is prevalent on the Dark Web, most of the markets do not sell it alongside the drugs, counterfeit goods and other illegal stolen items because that would attract unwanted attention to them and their user base.

Some Dark Web markets combat the the influx of law enforcement and researchers by requiring a referral in order to gain access. Others only show items that are for sale to established users or require authorization from the seller to view details about the product. This can make it harder for agents posing as “new customers” to monitor activity, and it helps to increase the trust factor around those marketplaces and forums.

3. No, the Dark Web is Not That Massive

In the summer of 2015, two researchers set an automated scanning tool loose on the Tor Network in an effort to find vulnerabilities on Dark Web sites. After just three hours the scan was over and they’d uncovered a little more than 7,000 sites.

A more recent effort to index the Dark Web put that number at close to 30,000 sites — a sizeable amount, but still far less than the massive underground world many have described.

As Wired wrote last year, the number of people on the Dark Web is quite small:

The Tor Project claims that only 1.5 percent of overall traffic on its anonymity network is to do with hidden sites, and that 2 million people per day use Tor in total. In short, the number of people visiting the dark web is a fraction of overall Tor users, the majority of whom are likely just using it to protect their regular browsing habits. Not only are dark web visitors a drop in the bucket of Tor users, they are a spec of dust in the galaxy of total Internet users.

4. It’s a Valuable Source of Threat Intelligence

The Dark Web is a valuable place to gather threat intelligence. SurfWatch Labs threat intelligence analysts proved that recently when they uncovered a breach into web hosting provider Invision Power Services.

That’s not to say everyone should jump on the Dark Web and poke around. It is easy to stumble across illegal things such as child pornography, and without the proper precautions companies or individuals may end up infecting their computers or putting themselves on the radar of cybercriminal groups — making themselves a potential target. However, what better way is there to understand the current threat landscape and the motivations of these malicious actors than to see for yourself what they are talking about, what they are selling, and if your company — or anyone in your supply chain — is being mentioned.

The Dark Web isn’t the cybersecurity cure-all that some companies make it out to be, but it is a significant part of a complete threat intelligence operation. Without visibility into these markets and the active threats they contain, your organization is operating at a disadvantage.


This real-life case study will contain some info, but not all – to protect individuals’ personally identifiable information – as well as our intelligence collection sources – with our goal of highlighting the importance of having visibility into your supply chain cyber risks. In the beginning of April 2016 SurfWatch Labs threat intelligence analysts uncovered a breach into web hosting provider Invision Power Services, whose customers include some professional sports leagues as well as major media and entertainment companies.

The actor, going by the name AlphaLeon, is associated with both the AlphaBot and Thanatos trojans – early strains of these pieces of malware appear to date back to early 2015. AlphaLeon has been known to sell access to these trojans on the dark web. While the actor has not been a seller for very long, the group’s experience and presence indicates they have been active in this space for more than five years – including multiple dark web and open web forums.

After discovering information related to the latest activity of this actor, we alerted Invision Power Services (IPS) who had not yet detected this compromise. We worked with them to validate that the actor appeared to have established a presence within the managed hosting environment that Invision Power Services operated via Amazon Web Services (AWS).

It is our understanding that IPS is still working through their own internal investigation into the incident and additional information may be uncovered, but it appears that the initial cause of the compromise was most likely the result of unpatched software. AlphaLeon indicated that this access, which affected multiple high level brands, would allow them to install Exploit Kits with the purpose of infecting users visiting these sites with their trojan. This would grow the group’s botnet further, which would in turn be sold via various underground markets. The trojan appears to be capable of:

  • Stealing banking credentials and bitcoins
  • Gaining (and selling) webcam access
  • Delivering ransomware
  • Sending spam
  • Stealing gaming credentials
  • Distributed Denial of Service

As of the date of this post it does not appear that AlphaLeon has initiated this specific campaign.

This case study highlights three primary things:

  1. This is a classic case of supply chain risk management. Invision Power Services is a supplier to some of the largest brands. These companies entrusted their web hosting provider to perform a reasonable service based on whatever contractual agreements were in place. Even if the impacted companies are not at fault, they still have their own customers and their brand and reputation to protect. If you are going to outsource a service that has cyber risk tied to it, you are outsourcing a portion of your brand and reputation in some way shape or form and you need to keep some eyeballs on that supply chain.
  2. Having a dark web intel capability is an important component of your overall cybersecurity efforts. In this situation, a bad actor was observed in a dark web forum. This source was key to gaining intel that was not available through normal open channels. The dark web is certainly not the only source you should be pulling from in your intel efforts, but it is an important area for which you should have a collection capability.
  3. The intel process works. SurfWatch Labs analysts observed discussions that concerned us, we notified the victim hosting provider, they confirmed the issue and started to react. That is what is supposed to happen.

As you outsource capabilities to other vendors, your cyber risk exposure expands. Make sure you cast a wide net in regards to your intelligence collection capabilities. It is critical to understand this and to keep a watchful eye on not only your internal environment, but that of the vendors you do business with.