Darknet Quarterly Review – Q4 2021

The final quarter of 2021 saw disruption across the English-language darknet market landscape, with multiple well-established markets ceasing operations. This created a void that has yet to be filled. This quarter also saw the darknet forum RAMP experience significant growth, creating a new place for ransomware operators and cybercriminals to gather.

Shifting Market Landscape

In the last few months of 2021, for a variety of reasons, several notable darknet markets stopped operating. Late November saw an announcement from the administrators of the darknet market Cannazon that they were retiring, and the market would be shut down. In the weeks prior to this, the market had experienced multiple Distributed-Denial-of-Service (DDoS) attacks, which had severely hampered its uptime. Cannazon catered to a comparatively niche audience by focusing primarily on cannabis and other related products. This has limited the impact that its shutdown had on the broader market landscape.

The following month, in late December, Torrez market announced it would also be shutting down. Torrez launched in early 2020 and by this time had become relatively well-established on the darknet. Like Cannazon, the Torrez administrators claimed this shutdown was entirely voluntary. Finally, in early January, the darknet market Monopoly went offline. The circumstances around this shutdown remain unclear, as there has been little communication from the market administrators.

Many former Monopoly users now suspect the market exit scammed, but this remains unconfirmed. Some users are also concerned this shutdown was a result of law enforcement intervention. This threat is particularly prescient after the public reveal of Operation Dark HunTOR, which saw various law enforcement entities arrest approximately 150 suspects, who were identified in part by data obtained from the seizure of infrastructure belonging to DarkMarket.

These shutdowns all occurred in the aftermath of White House market shutting down (covered in our previous quarterly review). White House was the dominant market in the English-language darknet community. With White House gone, various markets were left competing to fill the void. This latest round of shutdowns, particularly Torrez and Monopoly, has removed two well-established markets from the competition. Consequently, various smaller markets have aggressively attempted to capitalise on these shutdowns, using tactics such as waiving vendor bonds, the fees vendors pay in exchange for being allowed to sell on a market. The logic behind waiving vendor bonds is that customers will follow the well-established vendors.

Smaller markets, such as AlphaBay and Bohemia, have been observed employing this tactic, though their success is difficult to measure. Currently, Dark0de Reborn and Versus are the markets that have experienced the most growth in the aftermath of these shutdowns. However, Versus in particular has been hindered by recent DDoS attacks significantly reducing its uptime.

Beyond the English-language darknet community, Hydra has continued to dominate the Russian-language darknet community. Indeed, some metrics indicate Hydra is now the largest active darknet market by some margin. This is particularly impressive considering Hydra’s relatively unique method of delivery, which involves couriers, known as ‘kladmen’, distributing the products via dead drops. The implementation of these additional steps in the delivery process increases Hydra’s impact on the criminal ecosystem by creating additional jobs for individuals operating as ‘kladmen’.

Rise of RAMP

In July, a new darknet forum known as RAMP was launched. In subsequent months, public activity on this forum increased substantially. In part, this was likely fuelled by the ransomware ban in place across several other well-known cybercrime forums. Previously covered in our Darknet Quarterly for Q2 2021, this ban forbade cybercriminals offering Ransomware-as-a-Service from explicitly advertising their products on these forums. RAMP immediately set itself apart, however, by not implementing such a ban. This has led to multiple well-known ransomware groups becoming active on the forum and using it as a platform to recruit affiliates: the most notable of these are Conti and AvosLocker. Moreover, several new ransomware groups have begun openly advertising their RaaS products on this forum. These new groups include SugarLocker and AlphV (also known as BlackCat), the latter of which has already launched its own darknet data leaks site.

However, there is more to RAMP than just ransomware. The forum is now being used to conduct numerous access sales, and high-profile access brokers who are active on other darknet forums have begun to establish a presence on the market. Moreover, aside from ransomware, other forms of malware are now being advertised and sold on RAMP. Likewise, various leaked databases are frequently shared on the forum, too. The growth of RAMP in the final quarter of 2021 was undoubtedly noteworthy. However, it still has some way to go before it achieves even a modicum of the popularity and influence of the most prominent Russian-language cybercrime forums.

2022

It is likely that the English-language darknet community will coalesce around a few markets which are viewed as credible. Dark0de Reborn and Versus are currently the most promising candidates for these positions, given their recent growth. Nevertheless, as the final quarter of 2021 demonstrated, darknet markets are inherently volatile and the landscape can change rapidly. At this stage, it is unclear if any of the current crop of markets will be able to successfully replicate the dominance of White House market.

It is also worth noting that the long-term trend of darknet market vendors and customers adopting encrypted instant messaging platforms is still ongoing. Televend was one of the first attempts to formalise this shift by creating a service specifically for darknet vendors selling on Telegram. While Televend has shut down (covered in our previous quarterly review here), criminal activity on these platforms is still widespread and will likely increase further if darknet market volatility persists. Moreover, given how popular Televend became in a relatively short period of time, is it conceivable that similar services will be launched in the future, as there is a clear demand for them.

Scroll to Top