Dark web crime markets targeted by recurring DDoS attacks
A rash of DDoS attacks has been wreaking havoc among the users and operators of dark web crime-focused marketplaces for the past three months, ZDNet has learned.
Targets include the Dream Market, Empire Market, and Nightmare Market, three of the biggest dark web marketplaces today, known for selling illegal products such as drugs, guns, malware, and hacked data.
One market has already shut down
The attacks have already claimed a victim, with the Dream Market announcing plans last month to shut down after seeing a sustained wave of DDoS attacks for over seven weeks.
According to a Dream Market moderator, those attacks have been the work of a suspicious threat actor who has demanded payment of a $400,000 ransom to stop the DDoS onslaught.
Dream operators didn’t want to give in to the extortion attempt, but they also failed to stop the attacks. They blamed this on the attacker using a vulnerability in the Tor anonymization network itself, which was almost impossible to mitigate.
But shortly after Dream announced it was shutting down, the DDoS attacks against it suddenly stopped and began targeting other marketplaces instead.
Their prime target was the Empire Market, which has been under intermittent DDoS attacks for nearly a month, according to Patrick Shortis, PhD Candidate at the Centre for Criminology and Criminal Justice at The University of Manchester.
Other DDoS attacks have also targeted the Nightmare Market and the Wall Street Market, but to a lesser degree, since the operators of the Wall Street Market have exit-scammed and run away with users’ funds, leaving their market in disrepair and of no interest to either extortionists or competitors.
Is it extortionists?
For now, it is unclear if these subsequent DDoS attacks are being carried out by the same extortionist who targeted Dream, or by the operators of other marketplaces trying to take down their competition.
“If they are extortion attempts it might be better to keep it quiet. If an admin admits the market is being extorted and the attack stops, this might suggest that the admin paid the extortionist. Such a move could encourage copycat attacks,” Shortis told ZDNet.
“DDOS attacks have undoubtedly been successful in the past for extracting ransom demands, we know this from Ross Ulbricht’s trial,” Shortis added. “The Silk Road administrator, Dread Pirate Roberts, paid off a DDOS attacker to keep the site open.”
Yet, Shortis, an expert on dark web cybercrime, is unsure if these recent DDoS attacks are connected to the two-month DDoS ordeal that has led to Dream’s shutdown.
“Some suggest it’s a single attacker behind all of them, utilising the same Tor exploit that was rumoured to be behind the attack on Dream,” he said. “This is a plausible theory because if true then it is unlikely Dream paid the ransom (it chose to close instead), and so the attacker might turn their attention to other markets.
“However it is equally plausible that this is the result of competitors vying for market share,” Shortis added. “These points of market chaos after the closure of a top market mean that thousands of users are up for grabs.
“Users usually migrate to the next largest site; however, if that market is inaccessible due to a DDOS attack, they may move on to a competitor. We’ve seen this kind of tactic used before in dark web markets, such as the DDOS attacks between Silk Road and Tor Market.”
In addition, something similar also happened in the fall of 2017, after law enforcement seized the AlphaBay, Hansa Market, and RAMP marketplaces over the course of three months.
The sudden void created on the dark web crime e-commerce scene led to a barrage of DDoS attacks that hit at least nine markets for over half a year in late 2017 [1, 2, 3, 4], many of which have been blamed on hackers hired by competing markets to sabotage rivals.
We may now be seeing a scenario similar to that of 2017, with new markets trying to carve out market share after Dream’s demise.
Or is it law enforcement?
But Shortis also points out a third theory behind the DDOS attacks.
“It could be a deanonymisation attack by law enforcement,” Shortis told ZDNet. “Some users have discussed this, but, of course, we won’t know until any busts take place.”
Yet, this seems like a very implausible scenario and just paranoia on the part of some users and vendors, as no law enforcement agency has ever been seen carrying out DDoS attacks of any kind.