My 30-Day Journey on a Dark Web Marketplace That Belonged to a Cyber Gang

As I sat in my chair, I began to ponder the locations for adequate cybersecurity intelligence sites related to dark web activity. There are numerous articles published all the time, and they are good sources, but I wanted something that was going to be real-time and push the boundaries of my comfort zone. My mind began to race with ideas, but nothing surfaced that satisfied the concept I had. As time progressed, I had an idea. If I wanted the "latest and greatest intel," I needed to go where all the cybercriminals go to sell data and communicate about attacks. That's why I joined a dark web marketplace. Don't worry, though, because I was only there for the comments. I found the marketplace I was interested in through technical white papers and word of mouth. It was a place where a lot of recent data breaches were sold, breaches such as AT&T, Home Depot, and many others. It was also the home of a notorious hacker who was responsible for many of the data breaches mentioned. I was able to deduce all this information due to a feature that was a part of the marketplace called "The ShoutBox." This feature is where all the members and guests use as a chat to talk about everything... and I mean everything. With all the incoming chats in the Shoutbox, I knew I had found my place to hide... my place to watch the comments. Be safe when venturing out into the Dark Web. “With great power, comes great consequences.” Hello, My Name Is… Nobody Really. After I found the dark web marketplace that I wanted to be a part of, I needed to sign up to get access to the website. This is something I needed to do that didn’t tie anything back to my actual name, in case things got weird…as to me wanting to sign up on a dark web marketplace to just view comments. The sign-up page was nothing unique compared to legitimate webpages that we use for business and offered a “Plucky” humor security question to test if you were human and included a Captcha. Once I completed the sign-up portion, I was able to sign in and was greeted with the homepage of the marketplace. The website appeared and functioned like any other website but, of course, there were some major differences. The first section was called the “Shoutbox.” The Shoutbox’s purpose is a chat function for members and guests to talk about anything. I mean…anything. I saw chats that included exploits, zero days, data breaches, upcoming breaches, and questions about hacking and hacking tools. I also saw chats that pertained to personal struggles and growth and questions about ideology and world news. It was an alternate universe to the everyday business world that we live in today. The chats were an important part of the dark web research I was conducting because of the wealth of intel coming from the members. In the cybersecurity realm, we read a lot of articles and whitepapers, but they are usually post-mortem versus the Shoutbox being in real-time. Parlay? One interesting item about the marketplace is there are rules to follow. I had a difficult time comprehending that a place that was built on illegal activity and selling stolen data had order. The idea that criminals had rules to follow in the marketplace but couldn’t follow the established laws of the world was just maddening to me. The website was very informative on what information was collected, expectations, and Ban policy. There was a policy that stated, “Our commitment to children’s privacy.” It stated the same language that COPPA does for children under the age of 13 and not collecting information. The Ban policy was an interesting policy that stated, “If your account gets banned because you broke our terms of services, we take the right to release your information to public viewing.” The marketplace was a very unique business structure model. You had to adhere to a list of rules to sell data and proper etiquette on how to sell data. In order to sell data, you have to follow the “General Rules” and the “Marketplace Rules.” The rules were very similar and sometimes better than the rules that some companies follow today in the business world. The General rules are member-focused for responsibility as well as having rules toward scamming, begging, doxing which is the act of publicly providing personally identifiable information about an individual or organization, and harassment. The marketplace also has a strong stance against “Child Sexual Abuse Material” or CSAM resulting in being banned from the marketplace. No website would be complete without having an “Issues with Payments” section. If you had an issue with payment on the marketplace, you would need to pull a “Karen” and talk to the manager…or in this case the Admin. There is a link you can click on that will open a page to allow you to speak with whoever is in charge that day. If you can’t reach the admins via the link, you can always reach out to them directly. As far as currency goes, unfortunately, the only form of payment is cryptocurrency, and they do not take PayPal. You also have the option to become a “MOD” which means moderator. In order to become a moderator, there is an application process that requires the approval of the admin of the marketplace. Moderators are generally responsible for enforcing forum regulations and policies as well as issuing warnings or bans to members following rule infractions. They also answer forum users’ questions, move content into more appropriate subsections, delete “empty” posts with no meaningful content, and look out for and eliminate potentially damaging scamming activity. It is uncertain if moderators get paid for not selling in the forums; I have only seen one instance so far of a moderator choosing not to sell because of recently achieving moderator status. Well…This Is Awkward. I noticed that some posts referenced past and current data breaches by a member that everyone seemed to revere. The member was very active in the forums and interacted well with other members. They were also very knowledgeable of the forum and its rules. This was also because they had recently achieved “Moderator” status. They also spoke of how they were able to compromise companies, meaning what methods were used as well as discussing hacking tools and current exploits. It wasn’t until a certain post was made that I realized I had selected a marketplace of a known cyber gang. After researching the posts that were made by the member, I concluded that the threat group, which is very active both in the forum and in cyber threat activities, made a name for itself from large-scale data breaches affecting public and private sectors. Data leaks from several large companies including Autotrader, Volvo, Hilton Hotels, Verizon, Home Depot, and AT&T. The marketplace forum has brought forth a wave of speculation, with some viewing it as an FBI Honeypot, while others see it as an opportune space for continued illegal activities. I myself do not see it as a honeypot due to the large amount of traffic and members communicating with other members about selling stolen data. I would not understand if the FBI would allow criminal activity to happen without intervening. The question of being a potential honeypot is due to large amounts of stolen information to sell followed by paranoia in the chats constantly accusing one another of being a federal agent. The other item that I find odd, is the large amount of racism in the group. Criminals that engage in illegal activities and ruin people’s lives, have issues with people of a different race? It didn’t make sense to me at all and left me angry and puzzled about humanity. Where Do We Go From Here? It is safe to say that I ended up “Getting more than I bargained for” when I ended up on a dark web marketplace forum operated by a cyber gang. The sense of urgency was overwhelming with all the sensitive information being sold, as well as all the intel that was coming from the chats. I do embrace the fact that joining a dark web marketplace forum gives the cybersecurity community an advantage. An example would be the conservations from the cyber criminals given in the shoutbox. A cybersecurity specialist would take the below conversation and develop a rule that would trigger if certain internet traffic was seen. When a cybercriminal is in your network, they need to move the stolen data somewhere to sell it. In the conversation below, a cybercriminal is asking for guidance on where they can move large amounts of data. Another example that would be useful is when cybercriminals discuss recent data breaches, they are very proud about the techniques used to accomplish the breach and reveal details that news articles may miss. In the picture below, there was a conversation about a breach and there are details about how the breach was achieved pertaining to a zero-day exploit. If you are a company that shares similar technology to the victim, you may want to use the information to secure your assets. The last example is valuable intel about data breaches. United Health confirmed that it paid $22 million in Ransom to the BlackCat/ALPHV ransomware gang to not leak their data on the dark web back in late February. There were speculations that the BlackCat/ALPHV ransomware gang rebranded under the name Ransomhub and tried to extort United Health for more money. Since the ransom was paid, United Healthcare does not appear on Ransomhub’s wall on the dark web. While researching the dark web marketplace forum, there was a discussion on what the BlackCat/ALPHV ransomware gang may have done with the United Healthcare breach. This is not to say that the intel from the marketplace is valid but gives a different perspective on what may have happened from the criminal perspective. Remember, cybercriminals like to talk about events and each other. It could be potentially useful in the future if cybersecurity professionals embrace the dark web marketplace and gather intelligence for the greater good. As I sat in my chair, I began to ponder the locations for adequate cybersecurity intelligence sites related to dark web activity. There are numerous articles published all the time, and they are good sources, but I wanted something that was going to be real-time and push the boundaries of my comfort zone. My mind began to race with ideas, but nothing surfaced that satisfied the concept I had. As time progressed, I had an idea. If I wanted the "latest and greatest intel," I needed to go where all the cybercriminals go to sell data and communicate about attacks. That's why I joined a dark web marketplace. Don't worry, though, because I was only there for the comments. I found the marketplace I was interested in through technical white papers and word of mouth. It was a place where a lot of recent data breaches were sold, breaches such as AT&T, Home Depot, and many others. It was also the home of a notorious hacker who was responsible for many of the data breaches mentioned. I was able to deduce all this information due to a feature that was a part of the marketplace called "The ShoutBox." This feature is where all the members and guests use as a chat to talk about everything... and I mean everything. With all the incoming chats in the Shoutbox, I knew I had found my place to hide... my place to watch the comments. Be safe when venturing out into the Dark Web. “With great power, comes great consequences.” Hello, My Name Is… Nobody Really. After I found the dark web marketplace that I wanted to be a part of, I needed to sign up to get access to the website. This is something I needed to do that didn’t tie anything back to my actual name, in case things got weird…as to me wanting to sign up on a dark web marketplace to just view comments. The sign-up page was nothing unique compared to legitimate webpages that we use for business and offered a “Plucky” humor security question to test if you were human and included a Captcha. Once I completed the sign-up portion, I was able to sign in and was greeted with the homepage of the marketplace. The website appeared and functioned like any other website but, of course, there were some major differences. The first section was called the “Shoutbox.” The Shoutbox’s purpose is a chat function for members and guests to talk about anything. I mean…anything. I saw chats that included exploits, zero days, data breaches, upcoming breaches, and questions about hacking and hacking tools. I also saw chats that pertained to personal struggles and growth and questions about ideology and world news. It was an alternate universe to the everyday business world that we live in today. The chats were an important part of the dark web research I was conducting because of the wealth of intel coming from the members. In the cybersecurity realm, we read a lot of articles and whitepapers, but they are usually post-mortem versus the Shoutbox being in real-time. Parlay? One interesting item about the marketplace is there are rules to follow. I had a difficult time comprehending that a place that was built on illegal activity and selling stolen data had order. The idea that criminals had rules to follow in the marketplace but couldn’t follow the established laws of the world was just maddening to me. The website was very informative on what information was collected, expectations, and Ban policy. There was a policy that stated, “Our commitment to children’s privacy.” It stated the same language that COPPA does for children under the age of 13 and not collecting information. The Ban policy was an interesting policy that stated, “If your account gets banned because you broke our terms of services, we take the right to release your information to public viewing.” The marketplace was a very unique business structure model. You had to adhere to a list of rules to sell data and proper etiquette on how to sell data. In order to sell data, you have to follow the “General Rules” and the “Marketplace Rules.” The rules were very similar and sometimes better than the rules that some companies follow today in the business world. The General rules are member-focused for responsibility as well as having rules toward scamming, begging, doxing which is the act of publicly providing personally identifiable information about an individual or organization, and harassment. act of publicly providing personally identifiable information about an individual or The marketplace also has a strong stance against “Child Sexual Abuse Material” or CSAM resulting in being banned from the marketplace. No website would be complete without having an “Issues with Payments” section. If you had an issue with payment on the marketplace, you would need to pull a “Karen” and talk to the manager…or in this case the Admin. There is a link you can click on that will open a page to allow you to speak with whoever is in charge that day. If you can’t reach the admins via the link, you can always reach out to them directly. As far as currency goes, unfortunately, the only form of payment is cryptocurrency, and they do not take PayPal. You also have the option to become a “MOD” which means moderator. In order to become a moderator, there is an application process that requires the approval of the admin of the marketplace. Moderators are generally responsible for enforcing forum regulations and policies as well as issuing warnings or bans to members following rule infractions. They also answer forum users’ questions, move content into more appropriate subsections, delete “empty” posts with no meaningful content, and look out for and eliminate potentially damaging scamming activity. It is uncertain if moderators get paid for not selling in the forums; I have only seen one instance so far of a moderator choosing not to sell because of recently achieving moderator status. Well…This Is Awkward. I noticed that some posts referenced past and current data breaches by a member that everyone seemed to revere. The member was very active in the forums and interacted well with other members. They were also very knowledgeable of the forum and its rules. This was also because they had recently achieved “Moderator” status. They also spoke of how they were able to compromise companies, meaning what methods were used as well as discussing hacking tools and current exploits. It wasn’t until a certain post was made that I realized I had selected a marketplace of a known cyber gang. After researching the posts that were made by the member, I concluded that the threat group, which is very active both in the forum and in cyber threat activities, made a name for itself from large-scale data breaches affecting public and private sectors. Data leaks from several large companies including Autotrader, Volvo, Hilton Hotels, Verizon, Home Depot, and AT&T. The marketplace forum has brought forth a wave of speculation, with some viewing it as an FBI Honeypot, while others see it as an opportune space for continued illegal activities. I myself do not see it as a honeypot due to the large amount of traffic and members communicating with other members about selling stolen data. I would not understand if the FBI would allow criminal activity to happen without intervening. The question of being a potential honeypot is due to large amounts of stolen information to sell followed by paranoia in the chats constantly accusing one another of being a federal agent. The other item that I find odd, is the large amount of racism in the group. Criminals that engage in illegal activities and ruin people’s lives, have issues with people of a different race? It didn’t make sense to me at all and left me angry and puzzled about humanity. Where Do We Go From Here? It is safe to say that I ended up “Getting more than I bargained for” when I ended up on a dark web marketplace forum operated by a cyber gang. The sense of urgency was overwhelming with all the sensitive information being sold, as well as all the intel that was coming from the chats. I do embrace the fact that joining a dark web marketplace forum gives the cybersecurity community an advantage. An example would be the conservations from the cyber criminals given in the shoutbox. A cybersecurity specialist would take the below conversation and develop a rule that would trigger if certain internet traffic was seen. When a cybercriminal is in your network, they need to move the stolen data somewhere to sell it. In the conversation below, a cybercriminal is asking for guidance on where they can move large amounts of data. Another example that would be useful is when cybercriminals discuss recent data breaches, they are very proud about the techniques used to accomplish the breach and reveal details that news articles may miss. In the picture below, there was a conversation about a breach and there are details about how the breach was achieved pertaining to a zero-day exploit. If you are a company that shares similar technology to the victim, you may want to use the information to secure your assets. The last example is valuable intel about data breaches. United Health confirmed that it paid $22 million in Ransom to the BlackCat/ALPHV ransomware gang to not leak their data on the dark web back in late February. There were speculations that the BlackCat/ALPHV ransomware gang rebranded under the name Ransomhub and tried to extort United Health for more money. Since the ransom was paid, United Healthcare does not appear on Ransomhub’s wall on the dark web. While researching the dark web marketplace forum, there was a discussion on what the BlackCat/ALPHV ransomware gang may have done with the United Healthcare breach. This is not to say that the intel from the marketplace is valid but gives a different perspective on what may have happened from the criminal perspective. Remember, cybercriminals like to talk about events and each other. It could be potentially useful in the future if cybersecurity professionals embrace the dark web marketplace and gather intelligence for the greater good.