Editorial: The Extent of Cybercrime on the Dark Web

October 17, 2023

Introduction to the Dark Web

The content on the World Wide Web is divided into three parts: surface web, deep web, and dark web. The surface web is the part of the internet that is indexed by search engines and is accessible to the general public through regular web browsers. Websites and content on the surface web are typically meant for public consumption and do not require any special tools or credentials to access. The deep web encompasses all the web content that is not indexed by search engines. This includes content that is hidden behind paywalls, requires login credentials (such as email accounts or online banking), or resides on databases that are not publicly accessible. The deep web is significantly larger than the surface web and consists of a wide range of legitimate and private information. The dark web is a subset of the deep web, and it represents content that is intentionally hidden and requires specific software to access, such as the Tor network or other similar networks like Freenet, I2P, and Riffle.

Dark web sites use encryption software so their visitors and owners can remain anonymous—it’s why the dark web is home to so much illegal activity. However, this side of the internet isn’t reserved for criminals. Over 2.7 million active users browse the dark web every day, and many do so for legitimate reasons. (https://us.norton.com/blog/how-to/how-can-i-access-the-deep-web).

Types of Cyberattacks and Cybercrimes Facilitated on the Dark Web

Dark Web is known for hosting various illegal activities, including cybercrime. Some common types of cybercrime, which are facilitated through services and tools offered on the dark web include:

Hacking: Individuals and groups offer hacking services for hire on the dark web. This includes services like DDoS attacks and hacking into email accounts or websites. (https://www.comparitech.com/blog/information-security/hiring-hacker-dark-web-report/)
Stealing Data & Credentials: Cybercriminals may sell stolen personal information such as credit card data, Social Security numbers, counterfeit id cards and documents or login credentials on dark web marketplaces. (https://sanctionscanner.com/blog/the-digital-black-market-for-identity-data-542) (https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-notorious-hacker-marketplace-selling-your-identity-to-criminals)
Malware Attacks and Exploits: Malware authors and distributors may offer their malicious software, zero-day exploits, and hacking tools on the dark web. (https://arxiv.org/ftp/arxiv/papers/2211/2211.15405.pdf )
Fraud and Scams: Scammers and fraudsters often use the dark web to sell guides and tutorials on various scams, such as identity theft or credit card fraud. (https://www.fraud-magazine.com/cover-article.aspx?id=4295009061 )
Cyberweapons and Exploits: The dark web serves cyberweapons, zero-day exploits, and hacking tools capable of breaching computer systems and networks. These tools can be used to launch large-scale cyberattacks, infiltrate organizations, disrupt critical infrastructure, or engage in state-sponsored cyber espionage. (https://infosecwriteups.com/the-dark-web-unveiling-the-underbelly-of-cybercrime-929bee129ed6 )
Cyberextortion: Some individuals and groups engage in cyberextortion, threatening to release sensitive information or launch attacks against individuals or organizations unless a ransom is paid. (https://newsroom.orange.com/cyberextortion/)
Child Exploitation: The dark web is also known for hosting illegal content related to child exploitation, including explicit imagery and other forms of child abuse. (https://www.europol.europa.eu/media-press/newsroom/news/4-arrested-in-takedown-of-dark-web-child-abuse-platform-some-half-million-users )
Cryptocurrency Theft: Hacks and thefts targeting cryptocurrency exchanges and wallets have been a significant concern. Criminals may steal cryptocurrencies from individuals, exchanges, or other platforms and use them for illicit activities on the dark web. (https://cybernews.com/crypto/crypto-thousands-stolen-tor-browser/)
Cryptocurrency Tumbling: Some dark web users employ cryptocurrency tumbling or mixing services to obscure the source and destination of their funds further. This makes it challenging for law enforcement to trace transactions. (https://www.emcdda.europa.eu/drugs-library/cryptocurrencies-and-drugs-analysis-cryptocurrency-use-darknet-markets-eu-and-neighbouring-countries_en )

Dark Web Service Models

Cybercrime-as-a-Service

Cybercrime-as-a-Service (CaaS) has become a prevalent and concerning trend on the dark web. It refers to the commercialization and commoditization of cybercriminal activities, where individuals or groups offer various cybercrime services to others in exchange for payment, usually in cryptocurrencies. They use Discord servers and Telegram channels, for communication.

The evolution of cybercrime from a niche, skill-based activity to a shadow economy operating as a service has significant implications for cybersecurity worldwide.

(Source : The Rise of Cybercrime-as-a-Service Has Major Consequences for Businesses. Here’s Why, 12 May 2022, available: https://www.graphus.ai/blog/the-rise-of-cybercrime-as-a-service-has-major-consequences-for-businesses-heres-why/ )

Ransomware-as-a-service (RaaS)

Ransomware is malware that locks and encrypts the victim’s computer and demands a ransom to decrypt and unlock the target system. Ransomware-as-a-Service (RaaS) is a subscription-based model that serves ransomware online. Attackers can subscribe to such services to utilize already-developed ransomware tools for attacking enterprises, manufacturing units, and IoT systems.

It is basically a malicious variation of the cloud’s Software-as-a-Service (SaaS) business model. Since the dark web is anonymous and private, numerous shady sellers peddle RaaS with impunity. RaaS model offers 24×7 services to its clients.

Anyone with a criminal mindset could access the online black market on the dark web and purchase the ransomware service. They do not even need to have technical skills to execute the ransomware. The ransomware-as-a-service operator will provide a dashboard with a simple interface so anyone can use it.

(Sources:https://www.packetlabs.net/posts/ransomware-as-a-service-dark-web/ https://www.crowdstrike.com/cybersecurity-101/ransomware/ransomware-as-a-service-raas/ )

Work and Market Spaces on the Dark Web

On the dark web, various online marketplaces and forums exist where cybercriminals advertise their services and tools. These platforms serve as hubs for buying and selling illegal goods and services, including hacking tools, stolen data, malware, DDoS attacks, and other cybercrime-related services. CaaS operates on the dark web, as following:

Dark Web Marketplaces: Dark web marketplaces are online platforms that operate on the dark web and allow users to buy and sell various goods and services, often anonymously. These marketplaces are known for hosting a wide range of both legal and illegal items, and they have garnered attention due to their association with illegal activities. Illegal goods and services are traded, typically rely on cryptocurrencies for transactions. Buyers and sellers use these digital currencies to facilitate their trades, which can include drugs, weapons, stolen data, and other illicit items⁴.
Forums and Communities⁷: Dark web forums and communities provide a platform for cybercriminals to discuss techniques, share resources, and offer their services to potential clients. These forums often have specific sections dedicated to CaaS, where users can request and offer hacking services.
Freelance Platforms: Similar to legitimate freelance platforms, there are dark web equivalents where hackers and cybercriminals can offer their services to potential clients. These platforms facilitate transactions and communication between buyers and sellers of cybercrime services. Source: (https://ventureinsecurity.net/p/the-upside-down-making-sense-of-the)

Items, Tools and Services obtainable on the Dark Web by Cybercriminals

The dark web ecosystem is made up of a wide array of marketplaces and forums, with an astounding variety of services, products and data available for purchase. This includes:

Remote Access Trojans, Infostealers, Ransomware, Crypters, other malware (often bundled and sold as toolkits)
Initial access credentials and access to already compromised servers.
Educational guides and resources on effective tools and techniques
Credit cards and other financial information for straightforward theft and financial fraud
Counterfeit id cards and travel documents
A variety of criminal services (different attack services, hosting services, monetizing and negotiating services, ransomware consultancy)
Personal Identifiable Information (PII), Electronic Health Records, Intellectual property, other data records
Marketing and advertising services that malware developers and service providers use to promote their products/services.

(Source: https://cyrisma.com/cybercrime-and-the-dark-web-2/ )

Transactions on dark web marketplaces – Cryptocurrencies

Criminals on dark web marketplaces often use cryptocurrencies for transactions due to the anonymity they offer. It’s crucial to emphasize that while cryptocurrencies have legitimate and valuable use cases in the broader financial ecosystem, they are, also, used for illegal activities on the dark web. The underground economy is the emerging and increasing trend in the Dark Markets transactions. Among all the internet and mobile technologies that are continuously evolving, enabling the criminals to operate in the darknet market world, digital currencies known as crypto currencies are some more of such digital tools which are currently transforming our criminal underworld facilitating the payment transactions between sellers and buyers for their illegal trading activities and posing threats for money laundering and terrorism financing. Before transactions are initiated money should first be converted to cryptocurrencies.

Here’s how these transactions typically work:

Digital Wallets:

1. Creation: Criminals create digital wallets through various platforms. These wallets generate unique addresses for transactions, ensuring a degree of anonymity.

2. Storage: Cryptocurrencies are stored in digital wallets, which can be software-based (applications or online platforms) or hardware-based (physical devices).

Anonymity and Pseudonymity⁵:

Cryptocurrencies like Bitcoin offer a level of anonymity that traditional financial systems do not. Transactions do not necessarily require personal identification, making it attractive, or those seeking to engage in illegal activities while attempting to hide their identities.

Pseudonymous Transactions: While blockchain transactions are recorded publicly, the identities of the parties involved are represented by cryptographic addresses, not personal information.
Mixing Services: Criminals often use mixing or tumbling services to mix their cryptocurrencies with others, making it harder to trace the origins of funds.

Decentralized Exchanges:

Usage: Criminals may use decentralized exchanges (DEX) that allow direct peer-to-peer trading of cryptocurrencies without the need for central authority. These exchanges often operate on the Tor network, providing an extra layer of anonymity.
Escrow Services:

Role: Many dark web marketplaces use escrow services. When a buyer places an order, the funds are held in an escrow until the buyer confirms receipt of the product. This ensures a certain level of trust among buyers and sellers.

Source: https://cyberintelligencehouse.com/2022/02/24/dark-web-markets-and-cryptocurrencies/

Despite the effort to point out the different types of cybercriminality and consequently the extent of cybercrime in dark web, it becomes obvious that there is no accurate access to real-time data or current statistics. The extent of cybercrime on the dark web can vary over time, and it’s challenging to provide specific figures or images on this topic.

Therefore, depicting dark web cybercriminality is an evolving task that CYBERSPACE intends to undertake throughout its duration.

As a closing remark in this very first attempt to give the extent of cybercrime in dark web, we wish to give a positive aspect by referring at the efforts against this type of criminality, as following:

Law enforcement agencies’ investigative efforts against Dark Web

Law enforcement agencies have had to adapt and innovate to investigate and prosecute criminals operating on the dark web. Here’s how they have been tackling these challenges:

Specialized Cybercrime Units: Law enforcement agencies have established specialized units focusing on cybercrime and digital forensics. These units consist of experts in computer science, cryptography, and data analysis.
Training and Skill Development: Continuous training programs to keep law enforcement officers updated with the latest technological advancements, enabling them to understand the methods used by criminals.
Digital Forensics: Development of advanced digital forensics techniques to recover and analyze data from electronic devices, helping in tracking criminal activities and gathering evidence.
International Cooperation: Collaboration between law enforcement agencies across borders to combat transnational cybercrime, sharing information and resources to investigate and prosecute criminals globally. For example, in the Current Year, according to U.S. Department of Justic (source: https://www.fda.gov/inspections-compliance-enforcement-and-criminal-investigations/press-releases/largest-international-operation-against-darknet-trafficking-fentanyl-and-opioids-results-record) a consortium of U.S. and international law enforcement made 288 arrests and seized over $53 million in cash and cryptocurrency as part of an “unprecedented” dark-web drug enforcement action called Operation SpecTor. Operation SpecTor was a coordinated international effort spanning three continents to disrupt fentanyl and opioid trafficking on the darknet, or dark web. The operation was conducted across the United States, Europe, and South America, and was a result of the continued partnership between JCODE and foreign law enforcement against the illegal sale of drugs and other illicit goods and services on the darknet.
Legislation and Policy Changes: Governments are working to update existing legislation and create new laws to address cybercrimes specifically, allowing law enforcement to prosecute criminals involved in online illegal activities.
Blockchain Analysis: Specialized tools and techniques are developed to analyze blockchain transactions, enabling law enforcement agencies to trace cryptocurrency movements, although privacy-focused cryptocurrencies like Monero present challenges.
Dark Web Monitoring: Law enforcement agencies actively monitor the dark web, infiltrating online forums and marketplaces to gather intelligence on criminal activities and identify potential threats.
Undercover Operations: Law enforcement conducts undercover operations, posing as buyers or sellers on the dark web to catch criminals in the act, gather evidence, and make arrests.
Raising Public Awareness: Defenders against cybercriminal threats ought to invest not only in effective safeguards against emerging attack methods, but also in raising awareness of best defense practices. Educating the public about online security, scams, and the risks associated with the dark web to prevent individuals from becoming victims or unknowingly participating in illegal activities.
Public Private Partnership: Cooperation between law enforcement and the private sector, too, will prove essential in safeguarding individuals and organizations as cybercriminal marketplaces continue to prosper and grow.

While challenges persist, law enforcement agencies continue to adapt and employ a combination of these strategies and techniques to investigate and prosecute criminals operating in the ever-evolving landscape of technology-related crimes.

Authors & Contributors: Center for Security Studies (KEMEA) CYBERSPACE Team

Katerina Triantafyllopoulou (KEMEA-Hellenic Police/Cyber Crime Division)

Theodoros Anatolitis (KEMEA-Hellenic Police/Cyber Crime Division)

Emmanouil Kermitsis (KEMEA)

Dimitra Katechaki (KEMEA)

References

Basheer, Randa & Alkhatib, Bassel. (2021). Threats from the Dark: A Review over Dark Web Investigation Research for Cyber Threat Intelligence. Journal of Computer Networks and Communications. 2021. 1-21. 10.1155/2021/1302999
Group-IB Knowledge Hub, What is the dark web? source https://www.group-ib.com/resources/knowledge-hub/dark-web/
Elbahrawy, Abeer & Alessandretti, Laura & Rusnac, Leonid & Goldsmith, Daniel & Teytelboym, Alexander & Baronchelli, Andrea. (2020). Collective dynamics of dark web marketplaces. Scientific Reports. 10. 18827. 10.1038/s41598-020-74416-y.
Hazar, Hulya. (2020). Anonymity in Cryptocurrencies. 10.1007/978-3-030-53536-0_12
Kavallieros, Dimitrios & Myttas, Dimitrios & Kermitsis, Emmanouil & Lissaris, Euthimios & Giataganas, Georgios & Darra, Eleni. (2021), Using the Dark Web. 10.1007/978-3-030-55343-2_2.
Noah Mainse, The Dark Web And Cybercrime: A Deeper Dive Into The Underworld Of The Internet January 4, 2023 source https://cybermatters.info/cyber-security/dark-web-and-cybercrime/?utm_content=cmp-true
Pete, Ildiko & Hughes, Jack & Chua, Yi Ting & Bada, Maria. (2020). A Social Network Analysis and Comparison of Six Dark Web Forums. 484-493. 10.1109/EuroSPW51379.2020.00071.
Szakonyi, Annamaria & Leonard, Brian & Dawson, Maurice. (2021). Dark Web: A Breeding Ground for ID Theft and Financial Crimes. 10.4018/978-1-7998-5567-5.ch025.
Taking on the Dark Web: Law Enforcement Experts ID Investigative Needs | National Institute of Justice (ojp.gov)
Goodison, Sean E., Dulani Woods, Jeremy D. Barnum, Adam R. Kemerer, and Brian A. Jackson, Identifying Law Enforcement Needs for Conducting Criminal Investigations Involving Evidence on the Dark Web. Santa Monica, CA: RAND Corporation, 2019. https://www.rand.org/pubs/research_reports/RR2704.html.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.