Insights from the Tobias Feakin paper: “Cryptomarkets – illicit goods in the darknet”.
The “darknet” is a part of the ‘deep web’, where content isn’t accessible through traditional search engines and where access is anonymous and largely untraceable. The deep web refers to a collection of all the websites and databases that search engines such as Google don’t or can’t index.
Remarkably, it holds many times the volume of what is available on the web as most of us know it.
In the darknet, trading in illicit goods and services in online black markets has become increasingly commonplace and adds to the problems that law enforcement already faces in tracing and prosecuting illegal activities online.
Silk Road and the growth of cryptomarkets
In October 2013, the US Federal Bureau of Investigation (FBI) arrested Ross Ulbricht and took down his online marketplace, Silk Road. He was believed to have accumulated around US$80 million from Silk Road, where customers bought a range of legal and illegal goods and data, such as drugs, ‘exploit’ software kits, credit card details and fake identification.
However, following the taking down of Silk Road, there has been a diversification of cryptomarkets which are expanding to meet the demand of increasing clientele. Ironically, publicity about the take-down of Silk Road caused some of that growth, but so did the cryptomarkets’ mimicking of legal e-commerce sites such as eBay and Amazon, where convenience, product choice, price and peer review play a large role.
In July 2014, the BBC reported that listings of illegal drugs online in the darknet had more than doubled from the previous year. In October 2013, there were 18,174 drug listings in four major markets; by 31 July 2014, there were 43,175 in 23 markets.
Three of the largest markets were Silk Road 2.0 (largely based on its predecessor), Agora and Evolution, each of which had more listings than the original Silk Road did at the time of its demise. Those three markets all ban child pornography, but their other operating principles vary greatly.
Silk Road 2.0 focused on drugs, while Agora also sells weapons. However, the fastest growing of all is Evolution, which has the loosest restrictions and advertises guns, stolen credit-card data, stolen medical information and fake identification. Evolution offers a highly professional operation and more secure transactions than Silk Road and other competitors. One unique security feature offered is a bitcoin payment feature called ‘multi-signature transactions’. When a purchase is made, users deposit their bitcoins in an escrow account created by Evolution. The account is controlled by Evolution’s administrators, the buyer and the seller. At least two of the three parties must authorise the transaction before the payment is made, making it difficult for the bitcoins to be stolen or seized by law enforcement officials. The site also provides encryption when logging on; when this is activated, users are required to decrypt a message with a private Pretty Good Privacy (PGP) key. This creates difficulties for law enforcement and incentives for users.
The malicious darknet and the growth in the hacker market
There are genuine concerns that the darknet provides a haven for dealers in child pornography, contract killers, human traffickers, terrorists and sellers of state secrets. One alarming study from the University of Portsmouth stated that, even though drug forums and contraband markets are the largest single category of sites hidden in the darknet, traffic to those sites is dwarfed by visits to child pornography sites. 80% of visits to hidden services sites were to sites holding paedophilic content.
A recent RAND Corporation research report concluded that black markets are growing in size and complexity, with the hacker market in particular developing considerably over the past 20 years. The hacker market was once a varied landscape of discrete networks made up of individuals initially motivated by little more than ego and notoriety, and has transformed into a playground of financially driven, highly organized, and sophisticated groups.
The report noted that, after law enforcement actions, black markets responded with higher levels of encryption and more rigorous and aggressive vetting of individuals, resulting in greater challenges for law enforcement agents attempting to infiltrate these groups (a common prior tactic) in the future.
Anonymity online – the Tor browser
Users have relative anonymity when accessing the darknet using browsers such as Tor (The Onion Router, known as such due to the layers of encryption that surround and obscure the data being passed back and forth when it’s used). The genesis of Tor was in the research of three US Naval Research Laboratory scientists. As late as 2011, the US Government supplied 60% of its funding, and Google supports the non-profit organisation that administers it.
The US Government has an interest in funding such a tool as military and intelligence agencies could use it for covert communications, and police could use it to receive anonymous tips and investigate illegal online activities without alerting the targets. It has also provided an opportunity for dissidents and journalists living under authoritarian regimes to communicate with others beyond their borders.
The ability to browse illegal goods anonymously and the growth in cryptocurrencies that allow relatively anonymous payment for those goods are obstacles for law enforcement. Bitcoin has been the most well-known cryptocurrency; however, new currencies are emerging, such as Zerocash, which claims to be a privacy-preserving version of its predecessor.
Some victories against the darknet for law enforcement
In February 2014, Dutch and German police shut down darknet site Utopia, as part of Operation Commodore. Utopia traded in drugs, stolen credit cards, weapons and other illegal goods. The site had only operated for nine days, but in that time there were around 13,000 listings, many offering global postage services. Police made five arrests and confiscated firearms and 900 bitcoins, which were worth about US$610,900 at the time. The message from the authorities was clear: ‘You are not untouchable using the Tor browser and the darknet.’
This was the largest ever law enforcement action taken against the darknet. The operation’s most prominent target was Silk Road 2.0, but it was initially reported to have taken down more than 400 other illicit services based on the Tor network. The operation was conducted by the US FBI, the UK National Crime Agency and 15 other nations’ law enforcement agencies. Seventeen arrests were made in sixteen countries, including of the alleged head of Silk Road 2.0, Blake Benthall. The authorities seized US$1 million worth of bitcoin, as well as drugs, guns and large amounts of cash.
After the initial reports of more than 400 take-downs, the figures became confused. According to Europol, the European Union’s law enforcement agency, upwards of 50 sites were disrupted; however, the FBI would only publicly confirm the closing of 27 markets.
Whatever the numbers, the operation closed some significant markets, including the following:
- Silk Road 2.0, Pandora, Blue Sky, Hydra and Cloud Nine, all of which were black markets offering a range of illegal goods and services including drugs, stolen credit-card data, counterfeit currency and fake identity documents.
- Executive Outcomes, which specialised in firearms (including assault rifles, automatic weapons and sound suppressors) and stated that it used secure drop-ship locations throughout the world so that anonymity was ensured throughout the shipping process and that all serial numbers from the weapons it sold were removed and refilled with metal.
- Fake Real Plastic, which offered to sell counterfeit credit cards, encoded with ‘stolen credit card data’ and ‘printed to look just like real VISA and Mastercards’; the cards were guaranteed to have at least $2,500 left on the credit card limit and could be embossed with ‘any name you want on the card’.
- Fake ID, which offered fake passports from a number of countries, advertised as high quality and having all the security features of original documents, and which advertised its ability to ‘affix almost all kind of stamps into the passports’.
- Fast Cash! and Super Notes Counter, which offered to sell counterfeit euros and US dollars in exchange for bitcoin.
The almost instantaneous response by the darknet
Within hours of the operation being announced, a Silk Road 3.0 site appeared via the Tor network. Those involved in cryptomarkets re-established themselves with speed and agility. Some markets that are still trading, such as Agora and Evolution, will soon outsize the Silk Road franchise.
The number of people trading in these markets also poses a capacity problem for law enforcement. For example, it was found during the trial of Ross Ulbricht, the owner of the original Silk Road site, that between 6 February 2011 and 23 July 2013 there had been 1,229,465 completed transactions, involving 146,946 buyer accounts and 3,877 vendor accounts.
What can law enforcement do?
Feakin identifies three key ways that law enforcement agencies can increase their capabilities:
- Invest in technology – Cybercriminals invest in the latest technologies, while government agencies struggle to purchase and absorb new technology quickly enough for it to give them an edge. Agencies need to include some technology forecasting in their analytical and strategy work, and they should reach out to the private sector in order to understand the latest technical trends.
- Build a sustainable skills base – Without an appropriate skills base it will be impossible for law enforcement to respond. Training should be a central part of any agency’s strategy, and upskilling its members so that all are ‘cybersavvy’ is essential. The agencies need to aim to recruit, develop and retain staff with specialist skills.
- Build international partnerships – Most cybercrimes involve linkages across international boundaries. Therefore, countering them requires increased international cooperation and coordination between the agencies involved.
Asia-Pacific Cybercrime Cooperation
There are distinct challenges in the Asia–Pacific region, and subsequently for Australia. The level of cybercrime is likely to continue growing in the region because of three factors: the economic growth of the region as a whole, the growth in internet penetration in the region, and the differences in legislative approaches, capability and capacity in the region. A recent ASPI report found that Australia, Japan and South Korea all have well-developed legislation and law enforcement capabilities, whereas nations such as Papua New Guinea, Cambodia and Myanmar are still in the early stages of developing their cybercrime legislation and capabilities.
This means that, as cybercrime continues to increase, there’s an urgent need to help less developed nations reach an adequate level of capability.
Nations in the region will increasingly be targets for criminal activity as criminals follow emerging sources of income and seek out legislative settings that are less likely to lead to their arrest and conviction. Of all signatories to the Budapest Convention, only three are from the Asia Pacific region (Australia, Japan and the US), which makes wider coordination much more difficult.
Furthermore, some nations in the region, most prominently China, are ideologically opposed to the Budapest Convention because they see it as a construct of European nations and European vested interests, as they weren’t involved in its development.
As a result, Australian law enforcement has to work mainly on a bilateral basis on specific cases, negotiating coordination case by case, which slows down investigations and subsequent prosecutions. However, some progress has been made. Notably, in Indonesia, the Australian Federal Police has helped to establish a Cyber Crime Investigation Centre and several related cyber units.