This article was written by Urszula McCormack and Jack Nelson.
Last week, two major online marketplaces dealing in drugs, stolen goods and weapons were shut down through the combined efforts of international law enforcement agencies.
This article describes what happened, and how such “dark net marketplaces” operate. It highlights how law enforcement agencies are working together (and getting creative) to tackle internet-based crime. We also flag the key issues that you should be thinking about in order to prevent your business networks from inadvertently participating in these marketplaces.
On 4 July 2017, the popular dark net marketplace “AlphaBay” suddenly went quiet. Users attempting to access AlphaBay were greeted with an error page. As no law enforcement agency made any announcement regarding AlphaBay, the site’s users did not know whether it had been compromised, or was merely experiencing technical issues.
In the resulting confusion, AlphaBay users migrated to other dark net marketplaces, including one known as “Hansa”. Unknown to all, however, was that AlphaBay had been taken down by the U.S. Federal Bureau of Investigation (“FBI”) on 4 July – and that the Dutch police had taken over Hansa the previous month.
On 20 July, the trap was revealed. The FBI and the Dutch police announced that they had respectively seized AlphaBay and Hansa.
That same day, the FBI unsealed an indictment naming Alexandre Cazes as AlphaBay’s alleged founder. Cazes, a Canadian, had been arrested in early July by the Royal Thai Police. Cazes was subsequently found dead in his cell in Bangkok - an apparent suicide.
In a news conference announcing the seizures, the U.S. Attorney-General said:
“Make no mistake, the forces of law and justice face a new challenge from the criminals and transnational criminal organizations who think they can commit their crimes with impunity using the dark net. The dark net is no place to hide.” (our emphasis)
What is the dark net?
At a high level, the dark net (also often referred to as the “dark web”) is a portion of the deep web that is not indexed by traditional search engines. The dark net is inaccessible through standard web browsers and can provide anonymity to users.
There are, in fact, many “dark nets”, because they can comprise peer-to-peer networks, as well as larger networks operated by particular organisations and individuals, such as “Tor” and “Freenet”. More about Tor below.
What are dark net marketplaces, and how do they work?
Dark net marketplaces operate a lot like regular e-commerce platforms that operate on the (public) World Wide Web. As stated in the AlphaBay indictment:
“AlphaBay’s user interface was configured like a conventional e-commerce website. Users could sign up for free and provide a screen name and password of their choosing. The site encouraged users to not include any information in their profile that could reveal their true identities.” (our emphasis)
Many dark net marketplaces also include dispute resolution services, and allow users to review products and sellers. The real difference between dark net marketplaces and sites like eBay or Amazon is that the products found on dark net marketplaces are almost exclusively illegal. The other key difference, of course, is that they operate on the dark net.
The AlphaBay indictment continues:
“AlphaBay’s homepage allowed users to browse categories of illegal goods, with categories including: fraud, drugs and chemicals, counterfeit items, weapons … stolen credit card numbers … and malware.” (our emphasis)
One of the most infamous dark net marketplaces was known as the “Silk Road”, which was seized by the FBI in 2013. At the time of seizure, Silk Road had approximately 14,000 items listed for sale. By contrast, AlphaBay had over 350,000 listings – and a far larger number of buyers and sellers.
Finding and accessing a dark net marketplace
You cannot simply enter a web address to access a dark net marketplace. Nor can you find dark net marketplaces using a conventional search engine. Rather, they are only accessible through “overlay networks”. In contrast to the networks we use on a daily basis (referred to as the “clear net”), these overlay networks are designed to obscure the locations and identities of users, and other data that travels across such networks (hence the term “dark net”).
AlphaBay and Hansa were only available to users of one such overlay network: the “Tor” network.
The Tor network consists of over 7,000 nodes that relay encrypted internet traffic between and amongst themselves. A Tor-enabled client computer will pick a random path through the Tor network to the destination server.
Surveying and eavesdropping on traffic flowing through the Tor network is extremely difficult. Conversely, accessing the network is simple: users can download and install the open-source Tor browser for their computer, and run it much like Chrome, Firefox or Internet Explorer.
Making payments on a dark net marketplace
Dark net marketplaces thrive on anonymity – but how can money be transferred between unknown buyers and vendors anonymously? After all, bank account numbers are ultimately traceable back to the person or entity that opened the account.
Enter cryptocurrency. Because cryptocurrencies are transferred peer-to-peer, users can avoid using regulated financial institutions. By relying on pseudonymous cryptocurrencies such as Bitcoin for payments and commissions, buyers, sellers and operators can enjoy a degree of anonymity – especially if they use decentralised coin mixers to make tracing even more difficult (if not impossible in practice). Dark net marketplaces overwhelmingly require buyers and sellers to transact using cryptocurrencies, and receive their commissions in cryptocurrencies. This enables digital commerce to take place outside of the traditional financial system.
In the example chart below, dark net marketplace buyers and sellers use Bitcoin (“BTC”) and an escrow arrangement operated by the dark net marketplace (“DNM”) operator to transact.
In contrast to the highly digital transaction approach, delivery of physical items is effected “the old-fashioned way” - through the postal system, other logistics providers or potentially even in person. Importantly, postal systems offer a degree of anonymity, as anyone can drop a letter or package into a post-box. Conversely, the address of the recipient will be clearly stated. Cross-border postage may require declarations by the sender, but generally does not require verification of sender identity (so a sender can simply lie).
Digital items and services are often delivered and coordinated using a dark net marketplace (or other Tor-based) messaging service, or one-time email accounts, greatly lowering the chances of detection.
What (and whose) law applies?
While the internet operates globally, it remains subject to national laws. Many jurisdictions criminalise a wide variety of online behaviour.
For example, in Hong Kong section 161 of the Crimes Ordinance (Cap. 200) prohibits “access to a computer with criminal or dishonest intent” – it is a purposefully broad provision that can capture a wide variety of online activities. Arguably, even accessing the Tor network may potentially breach section 161, given the widespread use of the Tor network for illegal activities.
Similarly, in Australia Part 10.6 of the Criminal Code (Commonwealth) addresses the dishonest use of carriage services, as well as the use of telecommunications networks with intention to commit an offence.
Those involved in dark net marketplaces could also face charges related to criminal enterprises, money laundering, drug trafficking, weapons dealing and child pornography, as well as aiding and abetting such activity. Cazes, for example, was charged with 16 different offences, relating to racketeering, drug trafficking, identity theft, counterfeiting, credit card fraud and money laundering.
Avoiding the dark economy and mitigating risk – how?
Today, business is increasingly conducted partly, or wholly, online. While this brings many benefits, it is important to know what your business’s online risks are – and how to control them.
The exact risks differ from industry to industry. The following chart identifies a handful of points where legitimate businesses can inadvertently become enmeshed in the “dark economy”.
However, complete “de-risking” is neither possible, nor is it the solution. Rather, a risk-based approach should be adopted by businesses with potential exposure to dark net marketplaces. Controls are then essential to avoid unintentionally becoming enmeshed in internet crimes.
The diagram above shows how financial institutions and internet service providers face a broad risk of becoming involved in dark net marketplace transactions. They can potentially become involved at multiple points in these transactions.
Financial institutions will often be used as the conduit by which fiat currency is transferred to cryptocurrency exchanges by both buyers and sellers. The initial purchases by sellers of the items sold on a dark net marketplace (for example, purchases of prescription medication from a pharmacy) may also be conducted in fiat currencies.
Internet service providers (“ISPs”) handle all of the data traffic on dark net marketplaces, and may also offer hosting and domain name services that facilitate these marketplaces.
Cryptocurrency exchanges also face a particular risk, typically being one step closer than financial institutions to transactions. In some jurisdictions, cryptocurrency exchanges also operate in a legal “grey” zone, and may be targeted by authorities not only in respect of dark net marketplace transactions, but for money laundering and taxation issues.
For example, just this week, a United States jury indicted a digital currency exchange operator and alleged criminal “mastermind”, alleging that he had used it to launder more than USD4 billion for persons allegedly involved in various forms of criminal activity, including hacking and drug trafficking.
It is easy to conflate the “bad apples” with all cryptocurrency exchanges. However, many exchanges are legitimate businesses with strong controls. This is important for financial institutions in particular to recognise, so as to avoid inappropriate de-risking.
Courier, postal and logistics companies should be aware that they may be carrying illegal items in everything from small letters to large packages. For example, a fraudulent driver’s license being sent via the postal system is virtually impossible to detect.
All businesses with potential exposure need to carefully assess their risks, and consider how to handle information requests and investigations from law enforcement (both at home and abroad).
Think about risk-based controls
To start with, all businesses should consider barring access to the Tor network from their computers, unless there is a genuine business need for such access. There are numerous other known dark networks – the same applies.
While keeping within relevant data privacy and protection laws, ISPs should monitor the amount of Tor/other dark network traffic that they handle. Exponential or rapid growth in Tor traffic may indicate the existence of a dark net marketplace. Steps should be taken to avoid the ISP becoming embroiled in the inevitable takedown.
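An added example (not from the original article or its authors) of the monitoring described in the two paragraphs above: it matches constructed flow records against a constructed relay list, reports which internal hosts reached a relay, and flags days on which relay-bound volume jumps well above the trailing average. The record format, the addresses, the three-day window and the 3x threshold are all assumptions.

```python
from collections import defaultdict

# Constructed relay addresses from documentation ranges; a real deployment
# would load a current relay list from a source the operator trusts.
TOR_RELAYS = {"192.0.2.10", "192.0.2.44", "198.51.100.7"}

# Constructed flow records: date, internal source, destination, bytes.
FLOWS = """\
2017-07-01 10.0.0.5 192.0.2.10 1000
2017-07-01 10.0.0.8 203.0.113.5 5000
2017-07-02 10.0.0.5 192.0.2.44 1200
2017-07-03 10.0.0.5 192.0.2.10 800
2017-07-04 10.0.0.5 198.51.100.7 1000
2017-07-05 10.0.0.9 192.0.2.10 6000
2017-07-05 10.0.0.5 192.0.2.44 3000
2017-07-06 10.0.0.5 192.0.2.10 1100
"""

def parse_flows(text):
    """Yield (day, src, dst, nbytes) from whitespace-separated records."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip blank or malformed records
        yield parts[0], parts[1], parts[2], int(parts[3])

def tor_summary(text, relays=TOR_RELAYS):
    """Return (bytes to relays per day, days each source contacted a relay)."""
    daily, hosts = defaultdict(int), defaultdict(set)
    for day, src, dst, nbytes in parse_flows(text):
        daily[day] += 0  # record the day even when it has no relay traffic
        if dst in relays:
            daily[day] += nbytes
            hosts[src].add(day)
    return dict(daily), dict(hosts)

def growth_alerts(daily, window=3, factor=3.0):
    """Flag days whose relay volume exceeds factor x the trailing mean."""
    days = sorted(daily)
    alerts = []
    for i in range(window, len(days)):
        baseline = sum(daily[d] for d in days[i - window:i]) / window
        if daily[days[i]] > factor * baseline:
            alerts.append(days[i])
    return alerts

if __name__ == "__main__":
    daily, hosts = tor_summary(FLOWS)
    print("hosts reaching relays:", sorted(hosts))
    print("rapid-growth days:", growth_alerts(daily))
```

A fixed multiple of a short trailing mean is a coarse trigger; after a spike the baseline itself is inflated for the next few days, so alerts should be reviewed alongside the per-host list rather than on their own.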
On the other hand, financial institutions can rely on the current anti-money laundering / counter-terrorist financing (“AML/CTF”) controls that they have in place. They should, however, consider whether their risk assessment models adequately address risks relating to dark net marketplaces.
As cryptocurrency exchanges are particularly at risk of becoming involved in dark net marketplace transactions, they should adopt AML/CTF controls and be vigilant in identifying transactions that are associated with known dark net marketplaces, and preventing the misuse of their services wherever possible.
For postal and logistics companies, as well as underlying goods and services providers, the controls are trickier and must be tailored to the risks.
Generally, if your business operates or facilitates internet activities, you should:
- assess your risk exposure to internet crime;
- understand your obligations – including from an internet crime and AML/CTF standpoint, but also in relation to surveillance and data privacy laws; and
- develop effective controls that are commensurate with those risks.
Clearly, the growth of dark net marketplaces presents a challenge to law enforcement – but these latest takeovers and takedowns show that users and operators of dark net marketplaces are not immune from action. Law enforcement agencies around the world are working together to identify targets, coordinate investigations, make arrests, and provide evidence for prosecutions.
The spotlight is firmly on the dark net.
Information in this article is based on public information. We strongly recommend obtaining appropriate professional advice before implementing any controls. Note that the authors only practice Hong Kong, Australian and English law.