On July 15, law enforcement authorities from 20 countries arrested more than two dozen suspects allegedly associated with Darkode, an online forum for malicious hacking.
For agencies tasked with cracking down on the Internet's underworld, it was a rare victory, cyber experts told The Crime Report.
The Darkode bust, they said, shows that you don't have to scour the deep web — a part of the Internet that isn't indexed by Google — to find illegal products. The Internet is home to hundreds of illicit markets, where products ranging from hacking tools and codes to guns and drugs can be purchased with relative anonymity. Neverthless, busting illicit markets in cyberspace remains extremely difficult.
A TCR investigation revealed the hoops investigators must jump through to target these growing illegal markets.
The best markets can't be found with a simple Google search, but the first step is to find the ones that can, according to Tom Holt, a professor at Michigan State University who researches illicit data markets.
“There are multiple tiers, and the lower tier ones are different from what’s on offer,” he said. “You'll see marketing for credit card information and basic DDOS (Distributed Denial of Service software), but in those more secure ones you’ll find more sophisticated, brand new products.”
Researchers and investigators often start by looking in basic hacking forums for links and references to the more secure markets — a few actually actively advertise on the less-secure sites — but once those markets are found, it can be tricky getting inside.
Many illicit online markets are invitation-only, which means a current member has to vouch for a new member. The best way to earn enough trust to get recommended is to purchase something illegal on a basic market, said Holt. Researchers aren't allowed to pursue that option, but government informants have been known to.
“Paying for a service is helpful, because it demonstrates a willingness to really engage in the market, you can't be trusted to invest in a community if you’re not going to invest in its products,” Holt said.
But just buying a product or service isn't enough.
Investigators and researchers trying to avoid unwanted attention also have to learn the lingo.
During an October 2014 seminar at the annual conference of the International Association of Chiefs of Police in Orlando, John Szydlik, a special agent with the Secret Service, gave tips on fitting in when interacting on an illegal market.
Szydlik told a room of roughly three dozen police officials that while arresting a suspect accused of data crimes, he asked how to make it so no one on a dark forum will think he's a cop.
“All you gotta do is refer to everybody as 'bro' and you'll be OK,” Szydlik said the suspect told him.
“Bro” certainly gets thrown around a lot, but Szydlik noted that agents also need to know how use proxies and drop emails—and be conversationally familiar with sophisticated money-laundering techniques and a host of other tools that malicious hackers use to obscure their crimes.
Still, talking a good game can only get you so far, said Chase Cunningham, the threat intelligence lead for FireHost, a secure cloud service.
Cybercriminals are aware that researchers and investigators are constantly seeking access to their forums and markets, and can be particularly paranoid. To gain trust and access, Cunningham said he has put years into building alternative online identities that have reputations on dark markets.
“You need to have people vouch for you, but they're not going to vouch for Chase Cunningham, so I've spent quite a bit of time building these entities that will get me in,” he said.
A lot of work goes into gaining access without actually running afoul of the law, Cunningham said.
“Social media accounts and everything else have to sync up,” Cunningham said. “You have to construct that whole entity so it all looks legit; you're trying to get knowledge without doing anything illegal.”
This is the point that separates researchers from investigators. While an FBI informant can purchase malware or other products as part of an undercover investigation, people like Holt and Cunningham can only go so far, they both said.
But an undercover case can take years to develop as dark markets expand in number and scope, researchers said.
Cunningham said a few markets rapidly filled the vacuum left behind by Darkode, as many of that market's most active participants switched their locations.
He named one market on the verge of taking off: exploit.in
“It's at least as good as Darkode,” Cunningham said.
Exploit.in is a forum and market where, like on Darkode, malicious hacks, guns and other products can be bought and sold. And then there's the elephant in the dark room: the primarily language used on Exploit.in is Russian.
Darkode, an English-language site, may have been a powerful player in the illicit cybereconomy, but those with experience say the best markets conduct business in Russian.
Researchers working with Holt at Michigan State University and East Carolina University analyzed 1,899 threads used as forums for black market data dealers.
The study, which was funded in part by the federal National Institute of Justice, found that the most reliable dealers — and expensive credit card dumps — are on Russian-language threads, while English-language markets are crowded with customers complaining about ripoffs.
Even Europol and the Justice Department were careful to couch their celebratory press releases about the Darkode bust with the caveat that it was “prolific” and “sophisticated” for an English-language forum.
It's a point echoed by Szydlik, the Secret Service agent, and Holt.
“The Russian-language markets are better, more sophisticated,” said Holt, whose research team included Russian-speaking analysts. He noted that certain countries in Eastern Europe, including Russia, Ukraine and Romania, have become hubs for cybercrime, in part because hackers in the U.S. and in Western Europe are pursued by a more determined, better funded, set of law enforcement.
Even on Russian markets, when financial information is sold, it tends to be American. That's partly because of the United States' strong financial standing, and partly because American firms have yet to implement the more secure cards used throughout Europe that employ “chip and pin” technology — a system that makes it harder for hackers to make use of stolen credit card information.
“If you've got the United States as your cash cow, why would you spend your time trying to find your way around chip and pins?” Szydlik said.
But while Russian is the language of the darkest corners of the Internet, English markets still remain a challenge for law enforcement. Just two weeks after Darkode shuttered, a new site bearing its name popped up in the Deep Web.
Multiple outlets reported in late July that Darkode.cc — a site that can be reached using the Tor anonymous router — launched with the following message from a reputed administrator who uses the name, “Sp3cial1st.”
“Most of the staff is intact, along with senior members ,” Sp3cial1st reportedly wrote. “It appears the raids focused on newly added individuals or people that have been retired from the scene for years.”
“The forum will be … invite only, and members we can confirm are still active will be given an invite.”
The site is now harder to find and harder to access than ever before.
Graham Kates is deputy managing editor of The Crime Report. He can be found on Twitter at @GrahamKates. Readers comments are welcome.