2020 was a year of instability around the world, and the darknet was not unaffected. COVID-19 had a large part to play in the turmoil of the cybercriminal underworld, as drug vendors had their supply chains disrupted. Delays in both international and domestic transport led to many vendors temporarily halting their operations. Beyond the pandemic, the largest darknet markets, Empire and Apollon, both disappeared. This left a void in the market landscape which has yet to be filled. In comparison to previous quarters, however, the darknet was relatively static during the final quarter of 2020.
COVID-19 Vaccine Scams Return
At the start of 2020, we observed numerous darknet vendors allegedly selling PPE, hand sanitiser and other COVID-19-related products in bulk. There were even a few rare instances of vendors claiming to have unspecified “samples” of the virus. None of these products were being sold by reputable vendors; indeed, they were all almost certainly scam listings.
However, the final quarter of 2020 saw a noticeable uptick in darknet vendor listings related to COVID-19 vaccines. Again, we found no evidence to indicate that these were anything but scams; nevertheless, the FBI recently issued a statement warning of criminals using vaccine-themed lures to obtain sensitive personal information or financial payments (1). Likewise, as various COVID-19 vaccines become more widely distributed, it is likely that darknet listings related to said vaccines will also proliferate.
In comparison to previous quarters, the final quarter of 2020 was a relatively stable period for darknet markets. While the impact of Empire’s disappearance (discussed in our previous quarterly review) continues to be felt, the overall market landscape has remained relatively static since the end of 2020’s third quarter.
As always, several darknet markets went offline during this final quarter. Firstly, the admin of Hyper market announced they were shutting down operations, although no reason was provided. Hyper was a relatively new market, having only launched in June. During its brief lifespan, it failed to develop a significant customer base. Secondly, and far more damaging, was the disappearance of DeepSea market. Again, DeepSea was a relatively new market, but one that had already gained popularity. The precise circumstances around its disappearance remain unclear, but it is highly unlikely the market will return.
During this period, several new markets also launched, including Orange Market and Liberty. At this time, neither has developed a significant following and there are no clear features setting them apart from rival markets. Consequently, with the exception of DeepSea’s disappearance, the darknet market landscape remained relatively static, with WhiteHouse continuing to dominate.
What to expect in 2021?
Ransomware was a defining feature of 2020 and is unlikely to abate in 2021. Most ransomware groups now use darknet sites to leak stolen data in a bid to increase the pressure on victims to pay. However, there are some indications that the methods used to leak victim data are evolving. Moreover, new ransomware groups will continue to emerge, but the skills gap between them and the well-established (and well-funded) groups is likely to grow. For small groups utilising the ransomware-as-a-service model, this increasing gap could result in difficulties recruiting new affiliates. In turn, this could potentially lead to a decrease in operational activity and volume of attacks.
It is hard to envision any of the current crop of markets displacing WhiteHouse. Of course, this should be caveated with the fact that the darknet market landscape is relatively volatile and markets can disappear almost overnight – as illustrated by the recent takedown of DarkMarket (2). Dark0de is perhaps the closest rival to WhiteHouse in terms of popularity. It is growing rapidly, seemingly due to casual darknet users having difficulties with WhiteHouse’s security measures.
We also anticipate Televend will experience significant growth in the coming year. Many vendors have already established a presence on Telegram via this service. For would-be buyers, Televend appears to provide a source of relative stability in comparison to markets. Even if markets disappear, they can still contact their preferred vendors directly via Telegram. Nevertheless, Televend remains highly vulnerable to disruption as the channels it operates could be shut down at any time.