Darknet markets worth keeping an eye on - you may see your data for sale

News by Tony Morbin

Jamie Bartlett, author of The Dark Net, advises monitoring the darknet markets, both to respond to your own data being sold and to protect your reputation if passwords are alleged to come from you following a hack elsewhere.

During Nominet's Vibrant Digital Future summit in London last month, covering strategy, governance and security, Jamie Bartlett, journalist, author of The Dark Net, and Director of the Centre for the Analysis of Social Media at the think-tank Demos, spoke to SC Media UK about his presentation on the threat posed by Darknet actors.

The Darknet was described as a network of 5,000 to 20,000 sites - ranging from whistleblowing sites in oppressive regimes to the opposite end of the political spectrum, comprising criminal hackers and paedophile rings - thus representing the extremes of freedom.

Bartlett explained to SC how, over the last couple of years, this vibrant set of marketplaces has developed, selling stolen information, stolen passwords, credit card data etc. He adds, “It's a very highly competitive and innovative market, it has good customer service, with offers such as buy-one-get-one-free; it's like eBay for illegal stuff. And it's not going away as there will always be a market for buying stolen stuff - and the stuff being sold could be yours.”

Consequently, Bartlett says companies need to be prepared for this possibility, and may need to monitor sites relevant to their industry, for example, sites dealing with pharma goods.

“It's a very creative place,” adds Bartlett, noting how darknets have been using crypto-currencies for a long time and have developed crypto-enhanced browsers etc, thus we can learn from them.

SC noted that law enforcement had anecdotally seen a downturn in activity following major takedowns such as AlphaBay and Hansa, despite reports that 54 percent of users had migrated from the seized platforms to Dream Market, and asked whether takedowns were eliminating such online criminality.

Bartlett responded: “It's too early to say - once a site is taken down there is a mad flurry, and users become concerned as to what other sites are being monitored, and the owners try to patch up any vulnerabilities that led to the takedown. So there is a downturn [in transactions] in the first few weeks, but then it starts to pick up - and there are some sites that keep going fine without being taken down.”

However, the big catch-all site takedowns have led to a change in the nature of the market. “There are more single market vendors. Many [criminals] set up their own personal marketplace as a single vendor or specialist, e.g. a government secrets specialist market, or credit card details market, so there has been a slight evolution,” says Bartlett.

The entire ecosystem depends upon a certain societal toleration of people operating outside the law - as the sites are not disappearing, and people are learning to live with them. Hacking forums are available all the time for anyone who wants them. “For authorities, they need to act as a deterrent. Often that includes infiltrating the gangs using old-fashioned policing, and by bringing them down it shows they can't go on without impunity,” he adds, suggesting that our best hope is to reduce the levels of online criminality, rather than wipe it out.

Asked where he sits on the question of some law enforcement and government agencies calling for ways to access encrypted data, Bartlett suggests that all forms of encryption do not really put data totally beyond the reach of law enforcement - but they make it much more expensive and difficult to access, thus it becomes a question of needing more resource and making it a higher priority. Bartlett suggests that it is not worth law enforcement and government spending all their time on breaking encryption and work-arounds, as these may even make things easier for drug dealers and easier for, say, the Russian government to catch dissidents. He also notes how some government agencies, such as GCHQ, disagree, and are on the record as saying that there is a need to encrypt everything, and no aim to weaken encryption. Instead there is a view that privacy is becoming more vital for society's well-being and it is becoming economically more important.

The cost of cyber-crime and fighting it is going up, “and I am especially sorry for local police forces,” says Bartlett, adding, “but unfortunately I believe that's the price we have to pay [for the benefits of digitisation].”

Bartlett's view on whether cryptocurrency was simply a means of engaging in crime is that: “Two or three years ago it was primarily used to facilitate crime. Now it's more South Sea bubble than crime. Its insane rocketing price has changed opinion. All these versions, different ideas on how blockchain could be used, including to store gov records. And the Bank of England is considering whether it should launch its own cryptocurrency.”

He noted that volatility is not a good pricing mechanism for anything, especially for something that was supposed to be used in shops. Now it has fallen by the wayside as transaction costs are going up. Why spend it? He adds that the volatility has not hurt criminals so much as ordinary users. But it is still interesting for criminals as it's easy to get your hands on without resorting to physical crime, though we have had physical extortion to get Bitcoins.

As to whether the blockchain system makes it harder for criminals to cash out anonymously, Bartlett explained, “Armed robbers with technical backgrounds can transfer their Bitcoins to another cryptocurrency like Monero, which has no record, then transfer it to a smaller currency like Ethereum. Are police able to do the sophisticated traffic analysis to follow the transactions from when the bitcoin wallet was set up? And if they lose the thread they lose the criminals.”

Overall, online criminality was growing exponentially as the barriers to entry lowered - but Bartlett says it has now stabilised and is not growing so much - it's just a steady, reliable source of criminal activity that never totally disappears.

All evidence has been showing that physical robbery is going down and online crime going up - though the recent Bitcoin extortion theft combined the two. But while crime has moved online, the police were set up to police the offline world, when most crimes they dealt with were conducted in their area. Now crimes can be committed on a server in another country, and law enforcement is in a very difficult moment during the transition between two types of crime.

The wages of crime - and industry - also pay better than law enforcement, adding to the skills shortage in the public sector, says Bartlett, commenting: “Government departments, including the police, lose people to big tech companies - and there is also an international dimension. If you are in Macedonia where there is high youth unemployment it is significantly more profitable to be in cyber-crime [getting international criminal rates of pay]. Long term prospects from AI putting people out of work will add to the problem. What will they do, but cyber-crime?” Attractions include the fact that it is non-violent and the victims are usually unknown and far away.

Bartlett suggests that new police recruits straight out of university are likely to be more technically able than many of their more senior colleagues, and forces should work hard and spend time finding hidden tech talent among this group.

For companies, the issue is how to prepare for your data ending up on these darkweb sites. When one organisation (company A) is hacked, the criminals test the stolen information, such as passwords and user combinations, to see whether it is also valid at other organisations (companies B and C) - and resell the information on the darkweb. Journalists might see and report companies B and C as having been hacked, but often it was the other company (A) that had its data stolen; that data was tested on the other companies (B and C) and then sold on, purported to be stolen from you. If you monitor sites in your sector you can quash the story and maybe inform users to change their passwords or look out for phishing attacks.

GDPR is another reason to monitor what's happening on the dark web, so that you know the data wasn't stolen, and thus protect yourself legally (from fines) and reputationally.
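As an added illustration (not from the article or from Bartlett), the Python sketch below shows one way a company could triage a dump that is purported to be its own data, to tell "stolen from us" apart from "stolen from company A and tested against us". The PBKDF2 user store, the 10-character password policy, the 25 percent threshold and all sample accounts are assumptions constructed for the example.

```python
import hashlib
import hmac

MIN_LEN = 10  # assumption: our password policy has always required >= 10 chars

def pw_hash(password, salt):
    # Assumption: the user store keeps salted PBKDF2-HMAC-SHA256 hashes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def triage_dump(dump, user_store):
    """Classify each (email, password) pair of an alleged dump against our records."""
    report = {"unknown_account": [], "policy_violation": [],
              "live_match": [], "no_match": []}
    for email, password in dump:
        record = user_store.get(email.lower())
        if record is None:
            report["unknown_account"].append(email)   # never an account of ours
            continue
        salt, stored = record
        if hmac.compare_digest(pw_hash(password, salt), stored):
            report["live_match"].append(email)        # valid today: force a reset
        elif len(password) < MIN_LEN:
            report["policy_violation"].append(email)  # could never have been set here
        else:
            report["no_match"].append(email)          # old or foreign password
    return report

def likely_sourced_elsewhere(report, threshold=0.25):
    """Heuristic: rows that cannot have come from our systems suggest another origin."""
    foreign = len(report["unknown_account"]) + len(report["policy_violation"])
    total = sum(len(rows) for rows in report.values())
    return total > 0 and foreign / total >= threshold

def build_sample():
    # Constructed sample data, not real accounts or leaked credentials.
    users = {"alice@example.com": "correct-horse-42",
             "bob@example.com": "Tr0ub4dor&three"}
    store = {}
    for i, (email, pw) in enumerate(users.items()):
        salt = bytes([i + 1]) * 16
        store[email] = (salt, pw_hash(pw, salt))
    dump = [("alice@example.com", "correct-horse-42"),  # reused, still valid with us
            ("bob@example.com", "bob123"),              # too short for our policy
            ("carol@example.net", "hunter2hunter2"),    # account we never had
            ("Bob@example.com", "SomeOldPassword1")]    # known user, wrong password
    return dump, store

if __name__ == "__main__":
    dump, store = build_sample()
    report = triage_dump(dump, store)
    print(report, likely_sourced_elsewhere(report))
```

Accounts in the live-match bucket need a password reset whatever the origin of the dump turns out to be; the other buckets are the evidence for where the data did or did not come from.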

Bartlett concludes that companies really should monitor what's happening on the darknet, and that it's worth keeping an eye on developments - e.g. it's where bitcoin came from, and those who got in early made a fortune, so keep an eye out for the next ‘coin’. But don't go on there yourself, just keep an eye on what's happening from the specialist news.
