Analysis: Dark Web Arrests Also Led to Ransomware Disruption
Coveware Says 'Dream Market' Site Shut Down, Hampering Ransomware Attackers
Last week, Europol, the FBI and other law enforcement agencies made 61 arrests of individuals suspected of selling illegal goods on the dark web. Researchers at Coveware, an incident response firm, say the raids also apparently led to the closing of the "Dream Market" dark web site - seen as a successor to the infamous Silk Road marketplace.
Coveware analysts believe that the closure of the Dream Market has, in turn, disrupted ransomware attacks that leveraged Dream Market as a platform, forcing attackers to use alternatives.
The law enforcement crackdown apparently has sent some distributors of ransomware, as well as victims seeking further instructions, into a scramble to re-establish contact, according to Coveware's analysis. Some attackers and ransomware distributors have turned to Google Adwords as an alternative to reconnect with victims, the company reports. Coveware reports that it saw messages between attackers and incident response firms attempting to make a deal and connect with victims.
Europol, the European law enforcement agency, announced the arrests March 26. In the U.S., the FBI and the Drug Enforcement Administration participated in the takedown. Also involved were Canadian authorities as well as several European law enforcement agencies.
As part of the raids, authorities who made the arrests in several countries, including the U.S. and Germany, seized 299.5 kilograms, or 6.6 pounds, of illegal drugs; 51 firearms; and more than $6.9 million in cash, cryptocurrency and gold, according to Europol.
While not mentioned in the Europol or FBI reports on the international takedown, Coveware says the target of the investigation appears to have been Dream Market. This dark web site was one of the last remaining successors to the infamous Silk Road marketplace, which specialized in illegal narcotics and was closed by U.S. law enforcement in 2013.
The other dark web sites associated with Silk Road - AlphaBay, Hansa Market, and RAMP - were seized and shut down by U.S., European and Russian law enforcement in 2017.
How Dream Market Functioned
Like other dark web sites, Dream Market could only be reached by using the anonymizing Tor browser, with buyers and sellers using cryptocurrency.
The Dream Market site functioned as an escrow service between buyers and sellers, according to Coveware. In addition to serving as a marketplace for the selling of drugs, weapons and other illegal goods, the site facilitated the buying and selling of malware kits and ransomware, including the strain known as Dharma, Bill Siegel, the CEO of Coveware, tells Information Security Media Group.
"Actors could have been doing a number of things on this site," Siegel says. "They could use it to purchase malware kits used in their actual attacks. They could also be using the site to exchange their cryptocurrency for other goods either for their own consumption or as part of a cash-out process."
Moving Around the Dark Web
Around the same time as the March 26 raids, the administrators of Dream Market announced that they planned to close the site and move to a different platform due to a series of distributed denial-of-service attacks targeting the site. In a post on Reddit, the apparent administrators claim a new site will open on April 30.
Coveware suggests that law enforcement may have gained control of the Dream Market site and used it as a way to gather evidence against those who were arrested. This would be similar to the Hansa Market shutdown in 2017 after Dutch law enforcement seized the site, kept it running and collected details about the site's users before announcing arrests.
The announcements about last week's raids "sent dark market users rushing to cover their tracks [and led to] the security community speculating if law enforcement had actually been running the [Dream Market] site in order to glean as much incriminating evidence as possible," according to the Coveware analysis.
The Coveware analysis also notes that a similar takedown of xDedic, a notorious Russian-language cybercrime marketplace and forum, in late January caused a disruption in ransomware schemes.
Once the Dream Market dark web site shut down, Siegel and his researchers began seeing ransomware distributors requesting help re-establishing contact with ransomware victims. If these victims began searching the internet for answers about what had happened, using Google Adwords could help the victims re-establish the lost connection to the attackers, he says.
With Dream Market closed, Siegel believes that buyers and sellers of illegal goods, stolen data and ransomware will soon find another dark web marketplace to use.