In the wake of police action and drug market closures this year, dark web users are now turning toward secretive mobile services and traditional messaging apps, research suggests.
Some criminals lurking on the underground internet are even building dedicated marketplaces for Android users, typically masked by the anonymity provided by Tor’s “Orbot” application.
The claims were published in a report released this week (25 October) by US enterprise security firm Intsights.
The analysis was based on data taken from thousands of black markets, hacking forums, messaging apps and social media between July 2016 and July 2017.
“While the use of messaging apps for illicit activity has been on the rise for some time, the closure of Alphabay, Hansa and suspected compromise of Dream Market […] has shaken confidence in more traditional dark web channels,” the report said.
The Intsights team found mobile dark web activity was spiking, with many people using mainstream services like Discord, Telegram and WhatsApp to trade illicit goods – including credit cards, breached records, hacking tools and illegal drugs.
“Our findings suggest Discord is becoming the go-to-app for mobile dark web discussions,” the team said, referencing the chat service typically used by gamers.
The messaging groups – much like the bigger dark web markets – are closed off and secretive. The firm said they are often “small and distributed networks” which can be destroyed quickly.
“The anonymity promised by dark web networks such as TOR and i2p was the key reason for their popularity among cybercriminals,” said Guy Nizan, IntSights co-founder and CEO.
“Now that the dark web is no longer safe for hackers they are moving to messaging platforms and conducting their illicit activities on the same apps that millions use every day.”
Yet mobile devices are not only being used for chatting, as the research claimed that some enterprising cybercriminals are taking full advantage of Orbot – the Android browser maintained by anonymity service Tor – to launch new black markets. One recent example was called “Matanga”.
The report stated: “On July 2017, a wide advertising campaign for a new Russian black market was conducted via Jabber – a messaging XMPP-based application that is popular among hackers.
Android market ‘Matanga’ launched. Image shows three panels of the app. Intsights
“The new black market offers its users an unprecedentedly easy-access via a dedicated Android app. The market sells a variety of drugs, stolen credit cards, sim cards and other illegal merchandise.
“It also features a ‘Wanted’ section for what appears to be questionable tasks.
“[Matanga] offers its mobile-first clients easy access to the services of the dark web from their mobile device and we expect to see more dark web vendors creating similar apps in the future.”
It remains unclear how secure – or anonymous – the application is, in reality.
Javvad Malik, expert at cybersecurity firm AlienVault, said: “As some of the popular channels have been taken down, it is only natural that criminals will migrate onto different platforms.”
Earlier this year, a coordinated police operation dismantled the aforementioned Alphabay and Hansa markets – two highly-popular marketplaces. The dark web, which is protected by anonymity technology, including Tor, is increasinly accused of aiding criminality and terrorism.
The Tor Project is managed by a group of technologists and privacy advocates who argue that the system is mostly used for communication purposes and safe internet access.