A guest article by Mark van Staalduinen (TNO) and Roeland van Zeijst (Dutch National Police) on the Dark Web, the Silk Road 2.0 case and expected future trends. Note: this article discusses several suspects in ongoing criminal court cases, who are of course legally considered innocent until proven otherwise.
In November 2014, the illegal TOR marketplace Silk Road 2.0 was taken down and its alleged owner, "Defcon", a.k.a. Blake Benthall (26), was arrested. After exactly one year in business, Silk Road 2.0 had approximately 150,000 active users and generated millions of dollars of revenue per month. By then Benthall drove a $127,000 Tesla that he had paid for in bitcoins. On the last morning he drove it, he didn't get out of his driveway.
Alleged digital drug lord "Defcon" is facing life in prison because he chose the wrong hosting country
"Defcon" found himself surrounded by 20 armed FBI agents. Immediately after his arrest, the digital drug lord confessed to being the owner and operator of Silk Road 2.0. The alleged kingpin might end up in prison for life. An evil empire collapsed, partly because its owner had made the mistake of hosting it, for some time, in the Netherlands. Dutch police investigated Silk Road 2.0 while its servers were temporarily located in the Netherlands and were able to confirm Benthall's identity. They were also able to provide the FBI with proof that the web server under investigation, operated by Benthall, was running the criminal TOR hidden service Silk Road 2.0.
But what does Benthall's arrest have to do with cyber security? Silk Road 2.0 was one of the so-called darknet markets hosted as TOR hidden services, where users tend to believe they are completely untraceable and anonymous. Darknet markets mainly offer drugs and weapons; some marketplaces even offer human trafficking, hitmen and child abuse material. Less well known is the trade in illegal cyber products and services, e.g. DDoS attacks, espionage services, ID fraud and botnets. This is one of the ways cyber criminals meet, team up and exchange tricks, tools and bitcoins.
On the marketplace Evolution seemingly anything is for sale
Taking down Silk Road 2.0 (and a number of even worse illegal marketplaces at the same time) was a huge blow to criminals operating on TOR. Operation Onymous (literally: "not anonymous") is not the first law enforcement action against darknet markets, but it is by far the biggest and best coordinated one to date. Over 404 ".onions" were taken down and illegal traders were arrested worldwide. Many questions were raised about how law enforcement was able to track down so many illegal marketplaces and their (ab)users.
Silk Road 2.0 was called "2.0" because until late 2013 there had been a previous marketplace called Silk Road, named after the legendary trade route through ancient Asia. It was (allegedly) operated by Ross Ulbricht (the FBI claims that Blake Benthall was his second-in-command), who is standing trial for, among other crimes, having paid a hitman $500,000 to murder six people. It seems that none of the ordered murders actually took place: rip-offs are another big risk of darknet markets.
Shortly thereafter, the darknet markets Black Market Reloaded and Utopia were seized, the latter as part of Operation Commodore by the Dutch police. A total of five people were arrested and half a million euros' worth of bitcoins was seized in the Netherlands and Germany.
As a consequence of this sequence of takedowns and arrests, traders spread their risk and started to operate on multiple marketplaces at the same time. In 2013 fewer than ten marketplaces were active, while in November 2014 approximately twenty marketplaces were online (according to the source consulted, the number of active marketplaces before the mass takedown was well over thirty).
Message of the FBI and European law enforcement agencies after taking down Silk Road 2.0
Darknet market traders are getting more and more professional. Some traders, we estimate, have a turnover of millions of euros per year. Access to these marketplaces is simple and traders reach a global scale immediately, their effectiveness augmented by the provision of secure payments (bitcoin) and international escrow services. Discussions in the forums illustrate their increasing professionalization. Traders only discuss business and take good care of their reputation. As we explained before, darknet markets tend to offer not only goods, but also criminal services. This is one of the places where cyber criminals meet and team up. The now defunct Rent-a-Hacker webshop had a very user-friendly shopping cart system that even the most computer-illiterate buyer could use:
Service catalogue of Rent-a-Hacker
Dealing with such marketplaces poses fundamental problems. Forbidding networks like TOR, Freenet or I2P is not a viable solution: it would negate Dutch net neutrality and, moreover, it would eliminate the positive side of such networks from a worldwide human rights perspective.
Logos of several anonymization networks
Still, given that traders have turnovers of millions of euros per year while people (and perhaps your networks or computers) are falling victim to crime, we need to act. Therefore, we are gathering information to better understand what is happening on the darknet markets. For example: is this a typically Dutch problem? Which geographical attributes can be identified? Based on discussion topics on darknet markets, TNO technology provided data that was then analysed in cooperation with the Dutch Prosecutors' Office. This resulted in a picture of European countries that are mentioned on darknet markets more often (red) than others (green).
Geographical analysis of mentions of countries and capitals on darknet markets
One explanation for the emerging pattern might be that the "red" countries have the facilities and infrastructure that enable many people to mine bitcoins, the most important means of payment on the marketplaces. Another reason might be that attractive cybercrime victims can be found in the "red" countries, for which specific online banking malware is traded. Finally, some countries are mentioned a lot simply because criminals are constantly debating their modus operandi. Dutch police have found several examples of criminals stressing the need to avoid the Netherlands, or even explaining to each other how to avoid the Dutch police. Some of these criminals are nevertheless now awaiting trial in the Netherlands; others will follow in 2015. It is also worth knowing that bitcoin transactions are less anonymous than is often claimed, partly because the transaction ledger (the blockchain) is public: every transaction, with its inputs and outputs, can be read by anyone, so payments can be followed and addresses can be linked to each other and, eventually, to a real-world identity.
Of course, most darknet criminals are not physically operating from within the Netherlands. But when they abuse Dutch infrastructure, Team High Tech Crime (THTC) of the National Police might choose to track them down.
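To make the remark about the transparency of the blockchain concrete, here is an added example (not code from the original article or from TNO or the Dutch police) of two routine blockchain-analysis steps on a constructed, simplified ledger: the common-input-ownership heuristic, which groups addresses that were spent together in one transaction, and forward tracing of coins until they reach an address whose owner is already known. All transaction ids, addresses and the "exchange deposit" label are made up for the illustration and stand for nothing real.

```python
"""Address clustering and coin tracing on a constructed, simplified ledger.

Illustrates why bitcoin is less anonymous than often assumed: every transaction
is public, so an analyst can (1) group addresses spent together in one
transaction, since signing all inputs normally requires one party's keys (the
common-input-ownership heuristic), and (2) follow coins forward to an address
already tied to a known owner. Ledger, addresses and labels are constructed.
"""
from collections import defaultdict, deque

# Constructed transactions: (txid, input addresses, [(output address, amount)])
LEDGER = [
    ("tx1", ["buyer_A"], [("market_escrow", 0.50), ("buyer_A_change", 0.10)]),
    ("tx2", ["buyer_B"], [("market_escrow", 0.30)]),
    # Escrow releases the buyers' funds to the vendor in one payout.
    ("tx3", ["market_escrow"], [("vendor_1", 0.80)]),
    # The vendor sweeps several receiving addresses in a single spend, which
    # is what links vendor_1, vendor_2 and vendor_3 under the heuristic.
    ("tx4", ["vendor_1", "vendor_2", "vendor_3"], [("mixer_in", 1.90), ("vendor_change", 0.05)]),
    ("tx5", ["vendor_change"], [("exch_deposit_9f", 0.05)]),
    ("tx6", ["mixer_in"], [("hop_1", 1.90)]),
    ("tx7", ["hop_1"], [("exch_deposit_9f", 1.85), ("hop_1_change", 0.05)]),
]

# Constructed label, standing in for a deposit address that an exchange has
# already tied to a verified customer.
KNOWN_LABELS = {"exch_deposit_9f": "exchange deposit (KYC-verified customer)"}


def cluster_addresses(ledger):
    """Common-input-ownership heuristic via union-find.

    Every address that appears as an input of the same transaction is put in
    one cluster. Returns {address: cluster_root}. Caveat: transactions built
    cooperatively by several parties (CoinJoin-style) break this assumption
    and would merge unrelated owners into one cluster.
    """
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving keeps trees shallow
            a = parent[a]
        return a

    for _txid, inputs, outputs in ledger:
        for addr in inputs:
            find(addr)                     # register every input address
        for addr in inputs[1:]:
            ra, rb = find(inputs[0]), find(addr)
            if ra != rb:
                parent[rb] = ra            # co-spent inputs -> same owner
        for addr, _amt in outputs:
            find(addr)                     # register output-only addresses too
    return {addr: find(addr) for addr in parent}


def cluster_of(address, ledger):
    """All addresses the heuristic attributes to the same owner as `address`."""
    mapping = cluster_addresses(ledger)
    root = mapping.get(address, address)
    return {a for a, r in mapping.items() if r == root}


def trace_forward(start, ledger, labels, max_hops=10):
    """Follow coins forward from `start` (breadth-first) until an address with
    a known label is reached. Returns (path_of_addresses, label) or (None, None)."""
    spends = defaultdict(list)             # input address -> txs that spend it
    for txid, inputs, outputs in ledger:
        for addr in inputs:
            spends[addr].append((txid, outputs))
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if len(path) - 1 >= max_hops:
            continue
        for _txid, outputs in spends[path[-1]]:
            for addr, _amt in outputs:
                if addr in seen:
                    continue
                seen.add(addr)
                new_path = path + [addr]
                if addr in labels:
                    return new_path, labels[addr]
                queue.append(new_path)
    return None, None


if __name__ == "__main__":
    print("vendor cluster:", sorted(cluster_of("vendor_2", LEDGER)))
    path, label = trace_forward("market_escrow", LEDGER, KNOWN_LABELS)
    print("escrow payout reaches:", " -> ".join(path), "=", label)
```

Two things the example shows that the paragraph only asserts: a vendor who sweeps several payout addresses into one spend has linked them for every observer of the ledger, and a single small change output routed to a known exchange deposit address is enough to tie the whole cluster to a verified customer, however many hops the main amount takes. The heuristic is only a heuristic; the CoinJoin caveat in the code comment is the main source of false positives in practice.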
Cyber criminals discussing their modus operandi, trying (idly) to avoid law enforcement
From a cyber security perspective, our common challenge is to prevent and disrupt criminal business cases. Developing and implementing this strategy is not only a government task: the responsibility is shared by companies and scientific institutions alike. So your organization can join in too!
There is good news here. Unlike with zero-days, it is possible to know what is for sale, because products and services are offered in open forums. The next step is to consolidate this information into a global picture, so that the potential of new criminal products or services can be judged.
Invitation
This innovative approach requires a deep understanding of the newest malware and of the cyber underground, and will also apply big data analytics to turn the enormous amount of information into actionable intelligence. TNO, the National Police and partners are working to make the Netherlands more resilient and to strengthen cyber security as a whole. Therefore, we will be shedding more light on darknet markets and surrounding phenomena. This can only be achieved by public, private and scientific partners cooperating closely. It is a challenge we are happy to embrace together with you.
TNO, the National Cyber Security Center (NCSC), Team High Tech Crime of the Dutch National Police and KPN jointly published the second edition of their annual European Cyber Security Perspectives report (see below).
The European Cyber Security Perspectives publication offers insight into the latest developments, initiatives and achievements in the field of cyber security, cyber crime and cyber resilience. In this new edition, TNO addresses, among other things, the current "trends to watch" and the ever-increasing role of threat intelligence in the cyber domain.