Demystifying the Dark Web and DarkNets, Part III
and Dark Marketplaces
Author: Anonymous Hacker, as told to Lindsey Watts
Without international laws in every country that are designed to protect individual data privacy as vehemently as does the General Data Protection Regulation (GDPR), many have turned to DarkNets and cryptocurrencies for their privacy protections – especially in the U.S. Is it surprising that the Washington Post, for example, has a dark web presence? Many people think of DarkNets as places only for criminals, but since inception, they were actually intended to be places where people could communicate without being tracked. That isn’t always malicious. Sometimes, people just don’t like to be followed. Legitimate businesses who have presence on the dark web aren’t necessarily intending to target a criminal readership, but also don’t want to lose a user base that is becoming increasingly uncomfortable surfing the worldwide web and being tracked by tech giants like Google. Absent a legislative body willing to fight big tech with robust privacy laws, some predict that eventually, the dark web usership will surpass standard web users.
Still, it’s worth reiterating in this series that DarkNets are not being encouraged as playgrounds. You wouldn’t wander down a dark alley at night, especially in an unfamiliar city; nor should you just hop on the dark web and “see what happens”. Rather, its very existence forces all of us to ponder a philosophical dilemma: what is the true value of privacy? Is it a human right, or is corporate collection of personal data for financial gain or marketing purposes okay? Where does accountability for an individual’s actions fit into a potential future world where privacy is protected to the ultimate extreme? As our society continues to wrestle with these issues, it’s important to begin by understanding the DarkNet ecosystem – how it works, what fuels it, and (ultimately) how our corporate cybersecurity programs are inextricably tied to activity on DarkNets. After all, if predictions are correct and we all end up on DarkNets as a standard form of communication, we should probably know what we’re getting into.
In this installment of the series, we will explore marketplaces, the increasing demand for consumer data privacy, and crypto.
Financial Exchange on DarkNets
Every business ecosystem needs currency, and as most people know, dark marketplaces are fueled by cryptocurrencies. The pairing of crypto and DarkNets is not surprising, given their shared foundations in anonymity. While many people associate one or both with criminal undertakings, that is not necessarily the case for everyone who uses them. Crypto, in and of itself, is not especially dangerous outside of potential investment risks in a volatile market. Nor are dark marketplaces necessarily bad, either. Both are simply different infrastructures which can, like any good tool, be used to accomplish one’s goals – good or bad.
Is Crypto Untraceable?
With cryptocurrencies as the payment of choice for cyber criminals, it’s easy to see how they have developed negative connotations in some circles. Nearly all digital currency lacks the regulation and paper trails typically associated with legitimate banking. However, crypto currencies are actually very traceable on a per-coin basis. Through their underlying blockchain technology, cryptocurrencies record each action and owner in the course of their lifecycle in what are called ledgers. Ledgers are essentially shared, immutable sources of truth. For this reason, those who wish to maintain anonymity in receiving, storing, and spending their crypto have innovated new ways of processing their coins.
Crypto “tumbling” is the process of combining coins from hundreds of users into one pile. Numerous people deposit coins. Then, the value of each user’s share of the pile, or “pot”, is recorded with the tumbling service, which then functions as the users’ wallet. So, each user still has the same amount of coins they added into the “wash”, but not the same coins.
With many users, a tumbling service is able to provide increased anonymity, because the coins each person walked in with are not the exact same coins they spend. This process is often executed a number of times, making the coins nearly impossible to trace using their ledgers. Additionally, washing services then make payment on users’ behalf when they wish to spend their funds in dark marketplaces, adding increased distance between the coins and their original owners.
Necessity Is the Mother of Innovation
As Jamie Bartlett points out in his popular Ted Talk on the subject, DarkNet users are especially creative, because they have to be. This is just one example of incredibly innovative tools that have been created by some of the brightest minds in technology. They don’t have to be used for bad purposes, and many ethical hackers maintain hope that such financial anonymity could also support people who have a strong moral fabric and want to use it for good purposes. That’s a debate this series will continue to explore.
“Washers” as Wallets
Getting back to the unethical side of DarkNets, however, extortionware and ransomware monies are typically paid to a tumbling service. Often, ransom groups will then take their coins out in smaller chunks and redeposit them elsewhere for further washing. This may happen a series of times, and since there is no available log for law enforcement to check, and no rhyme or reason to which coins are whose, individual coin ledgers in the blockchain become virtually useless.
Linking crypto accounts in this way, users are essentially creating a proxy chain of sorts (see Part II for definition of a proxy chain). There are also a handful of cryptocurrencies that people who wish to protect their identities prefer, because their design lends itself to anonymity more than other currencies: Zcash (ZEC) claims to use the Zero-Knowledge proof in their crypto. Horizen (ZEN), Verge (XVG), and Pirate Chain (ARRR) are also highly trusted.
Where Do Criminals Spend Their Cryptocurrency?
In short, they spend it anyplace they want to. Despite the lower value for crypto coins in recent years, they are likely not going anywhere soon in dark marketplaces. These can range from storefronts offering drugs or other contraband, to hackers-for-hire, to legitimate subscriptions, like news sites that have a presence on DarkNets. Ultimately, crypto exchanges may be used to convert to cash that can be funneled back into economies around the world. As has been the case for organized crime for years, these funds can even be used to invest in legitimate businesses and corporations, depending on where their owners are in the world.
Here are a few examples of legitimate websites who also have a presence on the dark web:
One example of an illegal purchase that can be made on DarkNets, is stolen mobile phones that have been unlocked to provide access to users other than the phones’ original owners:
Where Privacy and Accountability Collide
The biggest question when it comes to DarkNets is that of privacy versus accountability. The truth is, being able to track internet users and their accounts leads to better law enforcement efforts when a hunt is underway for someone who has harmed another human in some way. Being able to see where they go, who they talk to, what they are buying, and more can lead to the arrest of people who have committed unthinkable crimes. On the other hand, big tech companies like Google, Meta, Apple, Tesla, Waymo (did you know both automobile companies collect, store, and process track drivers’ exact locations?), and more are exploiting people’s personal data for corporate gain. Many citizens who have no interest in criminal activity are incensed that their every word, location, purchase, relative, and even health decision is being aggregated into databases for purposes other than law enforcement.
What’s the answer? Does everyone move to DarkNets for protected communication? Do expert hackers who know how to navigate these communication channels still have a moral responsibility in how they access, collect, and store data?
Who Is Responsible for Enforcement?
The facts are that in our modern world, all actions can potentially be recorded and later uncovered. No matter how good any single person is at hiding, they may ultimately be held to account for how they navigate and use communication channels. While people on DarkNets are incredibly innovative, there are many who have just as much skill and a strong ethical core. Those “hacktivists” are definitely a threat to truly bad actors, because they are committed to exposing those who violate their moral codes. Yes, it’s a form of vigilantism, and that in itself is an ethical debate. Is it okay to go after people who hurt others? Where does one draw the line? Do they hold themselves accountable for privacy violations?
At the end of the day, accountability can come in many forms and may not be limited to what can be proven in a court of law. Society has to decide for itself what can be tolerated and what can’t. In the meantime, as long as big tech and some public entities are permitted to collect and potentially misuse personal data, there will continue to be a rise in DarkNet users.
If you would like to speak with an expert about testing your incident response plan to make sure you don’t have any gaps that could lead to failure during a real attack, you can reach out to us here anytime. We have the right people on-hand to help.