Darknet Quarterly Review – Q2 2020

The darknet is often characterised as an autonomous entity, detached from the economic and social realities affecting the clearnet. This view is reinforced by the popular but flawed iceberg analogy: where the clearnet is the small tip of the iceberg, and the darknet is the bulk hidden below, dangerous to the boats floating above but insulated from the weather affecting them.

In truth, the darknet is like any other online community in terms of how it can be shaped by real-world events. Never has this been clearer than over the past quarter: much like the rest of the world, the darknet has been dominated by the COVID-19 pandemic. The sheer scale of COVID-19 meant its impact on the darknet has been both unprecedented and multifaceted.

COVID-19 and drugs on the darknet

Perhaps the most immediate impact of COVID-19 was felt by the drugs trade. Large multinational drug vendors rely heavily on international supply chains, both for importing materials for their products and for exporting them to resellers or customers. Much like legitimate businesses, multinational drug vendors experienced major disruptions to their supply chains as a result of COVID-19. Consequently, many vendors temporarily shut down their operations, creating a vacuum that was soon filled by smaller, less-established drug vendors.

Typically, these smaller drug vendors operated at only a domestic scale. However, during a time of mass international disruption, this meant they were more reliable for customers. It remains unclear whether this will lead to any long-term shifts in customer allegiances towards these less-established drug vendors. Nevertheless, this is a noteworthy development and one which is unlikely to have occurred without COVID-19.

Yet these smaller domestic drug vendors could not escape entirely from the impact of COVID-19. Darknet drug vendors are heavily reliant on national postal services which serve as the primary mode of delivery for their products. However, many countries’ national postal services experienced significant disruption due to staffing shortages and quarantine rules, which in turn led to delays in the delivery of drugs. On the darknet, where there is a real risk of suspicious packages being identified and vendors frequently scam customers by claiming to have sent drugs which never materialise, a delay of any sort inevitably breeds concern. Nevertheless, faced with no alternatives, customers soon accepted these delays as an extra hurdle to be cleared when ordering drugs on the darknet.

Despite these disruptions, the drug trade can be said to have flourished during the pandemic. The most likely explanation for this is that unlike other areas of the economy, COVID-19 failed to dent the demand for drugs. Indeed, the increased risk from close contact with others may have spurred users towards ordering drugs online.

Where some see a crisis, others see opportunity

While the drug trade bore the brunt of the darknet disruption brought about by COVID-19, another effect of the pandemic was the rapid proliferation of vendors selling products related to the virus. Unsurprisingly, the majority of COVID-19 related products listed on darknet markets appeared to be scams. These listings were initially limited to large quantities of PPE and facemasks imported from China, but quickly escalated to unspecified COVID-19 cures.

Similarly, there was also a noticeable spike in vendors selling hydroxychloroquine, a drug traditionally used to treat malaria that was touted by some as a cure for COVID-19. Perhaps unsurprisingly, given the sheer bulk of pharmaceutical products already available on the darknet, a few of these hydroxychloroquine listings appeared genuine, albeit with inflated prices. However, most COVID-19 related products on the darknet appeared to be scams, causing markets to take a more proactive approach in banning the associated vendor accounts.

Beyond market listings, COVID-19 phishing lures also became exceptionally popular among cybercriminals. Phishing lures are used to either trick victims into providing sensitive information or to redirect them to malicious websites used to distribute malware. COVID-19-themed phishing lures swiftly became a popular commodity on several darknet forums. Some threat actors went so far as to develop their own customisable COVID-19-themed phishing lures, which they then sold. The pervasiveness of COVID-19 over the past few months means it is hardly surprising that cybercriminals incorporated it into their operations. However, it does underline how quickly cybercriminals will adapt their phishing lures to current events to increase their effectiveness.

Empire’s reign continues

Despite the turmoil facing the darknet drug trade, the wider market landscape has remained comparatively static. Empire continues to be the most popular market, with no obvious competitor in sight. Furthermore, in a bid to further cement their leadership position, Empire recently partnered with Dread, a popular darknet forum similar to Reddit. So far, this partnership has yielded a new CAPTCHA system to mitigate DDoS attacks.

DDoS attacks remain a common tool used by law enforcement and rival markets to take a market offline. As a result, much like any online business, maintaining a consistent uptime is crucial for successful darknet markets. The CAPTCHA system provided by Dread has done much to improve Empire’s inconsistent uptime – an issue which had been plaguing users since the market’s creation.

The White House and Monopoly marketplaces are both still distant rivals to Empire, whilst nonetheless having loyal customer bases of their own. In the past quarter, multiple markets have gone offline, including Europa, Pax Romana and Avior. None of these was a major player, and their disappearance had little impact on the overall market landscape. Other markets, such as Yakuza, Hyper and DeepSea have recently launched, but they have yet to establish themselves in any meaningful way.

Ultimately, none of the current crop of markets seems likely to pose a serious risk to Empire. Nevertheless, the ever-present threat of law enforcement means the darknet landscape can shift rapidly and market leaders can literally disappear overnight. Consequently, the current market landscape is unlikely to be permanent.

What to expect in Q3

Much like the rest of the world, the darknet is gradually returning to a semblance of normality post-COVID-19. The large, multinational drug vendors who temporarily shut down their operations, as noted above, have now started to retool their operations, re-emerging into a changed vendor environment. The clout these vendors used to hold is unlikely to have waned in the three to four months since they paused their business. But it will be intriguing to trace the ways in which the smaller drugs vendors are able to keep some of the business they undoubtedly gained from the bigger operators. While COVID-19 themed phishing lures are still being utilised, they are no longer frequently discussed on the darknet. Likewise, the deluge of COVID-19 related scam listings on darknet markets has slowed, though these may reappear as a vaccine gains more traction or if second waves begin to hit societies around the world – a distinct possibility and an opportunity that could be swiftly exploited by these threat actors.

It is still too early to tell what, if any, long-term developments COVID-19 has forced on the darknet community. Nevertheless, the COVID-19 pandemic has provided an unprecedented illustration of how the darknet, or indeed any online criminal community, can be transformed by real-world events.
