In the wake of recent headlines announcing actions against Hydra Marketplace by the U.S. and German governments, darknet markets have made an ironic entrance into the spotlight.
But what are darknet markets exactly? In this explainer piece, we’ll cover what a darknet marketplace (“DNM”) is, how administrators obfuscate their infrastructure, and why in the case of Hydra and several other recent takedowns, law enforcement and regulators were able to identify and disrupt the marketplaces.
The Three Internets
To understand what DNMs are and how they operate, it’s important to first clarify that there are actually three different layers of the Internet.
- The surface net or clearnet: The commonly known internet, referred to as “surface net” or “clearnet,” includes popular websites such as google.com, ESPN.com, weather.com, and trmlabs.com.
- The deep web: An intermediate area of the internet, commonly referred to as the “deep web,” is not accessible without permission. This includes internal company sites, password protected research, and governmental websites.
- The “darknet” or “darkweb”: decentralized, unindexed, unregulated and only accessible using certain browsers, such as the so-called “Onion Router,” or “Tor” for short. The Tor Project supports the Tor browser which can be used to reach the darknet. The US Naval Research Laboratory was actually involved in developing onion routing, which is the basis of how the Tor browser functions and how Tor hidden services, also known as onion sites, work.
DNMs are located on the “darknet,” which is unreachable on standard internet browsers like Chrome, Firefox, or Safari because the darknet is unindexed. There are certain sites on the darknet (and on the clearnet) which attempt to manually track and publish sites on the darknet, but common browsers do not link directly to the darknet.
Given the darknet’s infrastructure, which is hidden behind onion routing, the darknet attracts sites whose proprietors want to remain anonymous. In addition to content such as anti-authoritarian political sites within authoritarian regimes (e.g. citizens organizing protests during Arab Spring), the darknet is also a convenient place for illegal content such as DNMs, Child Sexual Abuse Material (“CSAM”), hacking forums, fraud forums, and money laundering forums.
The Emergence of Marketplaces on the Darknet
With the rise of the darknet came the creation of DNMs. Individuals began using the darknet to pseudonymously sell illegal content without face-to-face interaction. Over time, ambitious individuals created infrastructure for these transactions, where for a fee, sellers have access to a digital ‘storefront’ to sell their products in a centralized marketplace.
One technological revolution that significantly accelerated the ease of operating an illicit business such as a DNM on the darkweb was the invention of Bitcoin and other virtual currencies, which provided a convenient payment method for goods exchanged.
The first ever DNM — called Silk Road — was started in 2011 by U.S. citizen Ross Ulbricht. While it included some innocuous listings such as health supplements, the majority of vendors and most of the sales were related to illicit drugs. Silk Road not only aggregated thousands of drug vendors, it created a user-friendly interface that resembled a clearnet shopping website. Ulbricht was eventually arrested by US law enforcement and Silk Road was seized and taken offline. US law enforcement also seized around 177,000 Bitcoin.
Over the years, dozens of large DNMs have been established and eventually shut down by law enforcement, including AlphaBay, Dream Market, Wall Street, and, most recently, Hydra.
Hydra, which operated almost entirely in the Russian language and whose sellers were primarily based in Russia, Ukraine, Belarus, Kazakhstan and surrounding countries, used many of the features of prior marketplaces, such as a user-friendly interface, clean images of the advertised products, seller review systems, and simple, escrow-based purchases. Vendors on Hydra also offered services such as “Hacking for Hire,” “Ransomware as a Service” (“RaaS”), and a myriad of money laundering features. Though the drug transactions were limited to Russia and its geographic neighbors, the cyber and money laundering tools were available to anyone in the world willing to pay.
Tracking Virtual Currency Transactions to Disrupt DNMs
Law enforcement agencies and regulators continue to be interested in identifying and disrupting darknet websites that create, promote, or traffic in illicit activities, including CSAM, illegal weapons sales, drug sales, hacking as a service, and money laundering activities.
How are they going about this?
Blockchain intelligence tools like TRM can be used by law enforcement and regulatory partners to identify counterparties and cashout points used by DNM proprietors, with the goal of obtaining documentation from those counterparties in order to potentially identify the proprietors, their virtual currency holdings, their infrastructure, and their locations. In successful cases, law enforcement can combine this intelligence with other investigative techniques to seize the online infrastructure and residual virtual currency, like in the case of the Silk Road seizure.
Compliant financial institutions, crypto exchanges, and other platforms that facilitate crypto transactions also use blockchain analytics tools to monitor and potentially block transactions flowing to or from darknet marketplaces.
Additionally, where non-compliant cash out points are facilitating the movement of illicit funds from DNMs, regulators and law enforcement may take action to disrupt activity at the cash out point itself. For example, concurrent with the takedown of Hydra was the sanctioning of Garantex, the Moscow-based exchange that made multiple transactions with Hydra-linked addresses.
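A simplified sketch of the tracing idea described above, added here as an illustration: starting from addresses labelled as belonging to a marketplace, follow outgoing transfers and report the labelled service addresses (cashout points) reached within a hop limit. It is not TRM's method or code; every address, label and amount is constructed, and the hop limit is an assumed policy choice.

```python
from collections import deque

# Constructed sample data: every address, label and amount below is made up.
TRANSFERS = [  # (sender, receiver, amount)
    ("mkt_hot_1", "hop_a", 4.0),
    ("hop_a", "hop_b", 3.9),
    ("hop_b", "exch_x_dep_17", 3.8),
    ("hop_b", "hop_a", 0.1),                # cycle; must not loop forever
    ("mkt_hot_1", "exch_y_dep_03", 1.2),    # direct deposit to a service
    ("mkt_hot_2", "hop_c", 2.5),
    ("hop_c", "hop_d", 2.4),
    ("hop_d", "hop_e", 2.3),
    ("hop_e", "exch_x_dep_99", 2.2),        # four hops from the marketplace
    ("unrelated_1", "exch_x_dep_17", 9.0),  # unrelated deposit, same address
]
MARKET_ADDRESSES = {"mkt_hot_1", "mkt_hot_2"}  # assumed attribution labels
SERVICE_LABELS = {                             # assumed attribution labels
    "exch_x_dep_17": "Exchange X",
    "exch_x_dep_99": "Exchange X",
    "exch_y_dep_03": "Exchange Y",
}

def trace_cashouts(transfers, sources, services, max_hops=3):
    """Breadth-first trace from flagged sources; returns, per service
    address reached, the service name, hop count and shortest path."""
    outgoing = {}
    for sender, receiver, _amount in transfers:
        outgoing.setdefault(sender, []).append(receiver)
    hits = {}
    seen = set(sources)
    queue = deque((src, [src]) for src in sorted(sources))
    while queue:
        addr, path = queue.popleft()
        hops = len(path) - 1
        if hops == max_hops:
            continue  # beyond the limit the link to the source is too weak
        for nxt in outgoing.get(addr, []):
            if nxt in services:
                # Stop here: funds pooled inside a service cannot be followed
                # on-chain; the service's own records are the next step.
                hits.setdefault(nxt, {"service": services[nxt],
                                      "hops": hops + 1, "path": path + [nxt]})
            elif nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return hits

if __name__ == "__main__":
    found = trace_cashouts(TRANSFERS, MARKET_ADDRESSES, SERVICE_LABELS)
    for addr, hit in found.items():
        print(addr, hit["service"], hit["hops"], " -> ".join(hit["path"]))
```

Raising `max_hops` widens the net at the cost of weaker attribution: with the sample data, a limit of 3 reports two deposit addresses, and a limit of 4 adds the third.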
The darknet will likely continue to be rife with illicit content and serve as the foundation on which DNMs are built; at the same time, public and private sector organizations continue to build investigative skills and techniques that can pair with advanced tools such as TRM to effectively identify, investigate and prevent the purchase of illicit goods and services through cryptocurrency transactions.
About TRM Labs
TRM provides blockchain intelligence to help financial institutions, cryptocurrency businesses, and public agencies detect, investigate, and manage crypto-related fraud and financial crime. TRM's risk management platform includes solutions for transaction monitoring and wallet screening, entity risk scoring - including VASP due diligence - and source and destination of funds tracing. These tools enable a rapidly growing cohort of organizations around the world to safely embrace cryptocurrency-related transactions, products, and partnerships.