For cybercrime community last summer was remarkable for two reasons. The first reason was the shutting down of Alphabay, and the second one - the closing of Hansa. Both websites used to be leading dark web marketplaces but they were taken down by law enforcements, just like well-known Silk Road before. But nature abhors a vacuum and new leaders loom large on the horizon.

To determine who is the Alphabay and Hansa’s successor we did some research in Deep Web. Black markets on the dark side of the Internet are known for selling illegal goods like drugs, weapons, etc. But we were interested in “cybercrime” goods like exploits and malware.

We imagined that we were wannabe hackers with low skills but great ambitions. What should we do? Is it real to start your own cybercrime business from scratch? We had Tor browser installed and VPN activated on our machines. Search requests pointed us to news website DeepDotWeb dedicated to Tor hidden services and all the things happening in dark web. It has its own list of dark net marketplaces and we can see most recent changes in a changelog.

On the time of writing the top markets on DeepDotWeb were Dream Market, The Trade Root and Tochka, which don’t require invites from other subscribers. The registering process on these websites turned out very simple. You just need to choose username and password as you would do with regular online store and enter captcha. No email needed, but for Dream Market you would also set up a withdrawal PIN.

If you are new to Dream Market, you have to read an instruction. “Dream Market is a feature rich escrow marketplace supporting the bitcoin currency and the tor network. The market has been operating for 3 1/2 years now and has been proven to be reliable and secure. You might find products which are not available legally in your country”, says the instruction.

What’s interesting, Dream Market welcomes new users with security advices – not much of clear net online stores do the same. Marketplace administrators warning their customers about potential phishing scam. They recommend checking URL, regular changing password and using PGP.

After reading all the instructions the most interesting part begins. For those interested in buying malware, dark web is a Holy Grail. After tapping “exploits” in a search bar we got everything wannabe hacker wants – from “noob-friendly” tutorials and guides to professional forensic tools.

For example, only for $10 you can get a package for phone and iCloud hacking. According to description of the item, buyer will get software “only government uses”. One of them is MOBILedit Forensic Express which promises the ability to “extract all the data from a phone with only a few clicks”. From the description of the product on vendor’s website: “This includes deleted data, call history, contacts, text messages, multimedia messages, photos, videos, recordings, calendar items, reminders, notes, data files, passwords, and data from apps such as Skype, Dropbox, Evernote, Facebook, WhatsApp, Viber, Signal, WeChat and many others”.

The Trade Root also has its own security mechanisms. Unlike Dream Market, it doesn’t welcome new users with security advises but instead the site links every new subscriber with unique picture (for us it was a sunflower with clear blue sky on the background). In case user was tricked to visit a phishing page, the picture wouldn’t show up. For us it means that if we don’t see a sunflower, we are on a fake page mimicking the original one.

Searching for exploits didn’t give us many tools but we found a lot of hacking tutorials, guides, cookbooks and handbooks. We also found a former “star” of the cybercrime – Blackhole exploit kit. This crimeware used to be very popular among hackers in 2010-2012. At that time the price of renting the Blackhole ran from $500 to $700 per month. The creator of the kit is Russian hacker Dmitry “Paunch” Fedotov. He was sentenced in April 2016, and now everyone can buy Blackhole exploit kit on The Trade Root market only for $1,1. At the time of writing we couldn’t confirm it was genuine.

Regarding the forensic tools we found only six items. Only for $4-6 everyone can buy “FBI hacking and forensic toolkit” or “Ultimate package of computer security”. 

The Tochka market is much more useful for wannabe hackers than previous two. You can find here ransomware packs, RATs (Remote Access Trojans), keyloggers, cracking tools, ID theft software etc.

You can also find the whole package for skimming and carding. For $2500 you can get all pack or separate items. Vendor offers 25 blank cards (for $150), card maker (for $400), skimmer with PIN reader ($500) and even PDF tutorial for beginners.

Tochka market allows you to hire professional hackers. If someone wants to change his or her school grades or track somebody else’s phone – the team of professional hackers can do that. “Give us any task and we assure you we get your work done within no time”, promise hackers.

On Tochka market we even found hacking tool Galileo, initially created only for governmental usage. Galileo is a spyware for any cell phone from Italian-based Hacking Team, a company known for creating forensic tools for law enforcement and intelligent agencies.Galileo’s source code was leaked by hacker with moniker Phineas Fisher in 2015.

As we can see, dark web is Mecca for wannabe hackers. Hidden services admins are doing good job providing security measures, and clearnet websites should take lessons from them.

Update (14.09.2017): On September 12^th Dream Market went offline. Users who tried to visit the marketplace were greeted with a note which said that the website was on maintenance. The day after, some users reported that their money were stolen from their Dream Market accounts. Some people quoted Dream Market admins and said that it was just a wallet error. On the time of writing this Update Dream Market was online.

By Natalia Galadzhyants
Analyst at Cybersecurity Help