
European Police Make Headway Against Darknet Drug Markets

Nordic Authorities Take Down Sipulitie, Dutch Police Arrest Alleged Bohemia Admins

October has been a good month for European police agencies shutting down darkweb marketplaces, with Dutch, Finnish and Swedish police announcing server seizures and suspect arrests.


A joint Nordic operation involving the Finnish customs agency in cooperation with Swedish police announced Tuesday the shutdown of a site that authorities dubbed Finland's "leading drug marketplace." The site, Sipulitie, first went live in 2023. Police additionally disrupted a chat-based contraband site called Tsätti, also run by the Sipulitie administrator, that began doing business in 2022. Finnish authorities said they know the real identities of the administrator and site moderators, as well as vendors and customers. Although mainly aimed at the Finnish market, Sipulitie also did business in English. Finnish and Polish police in 2019 jointly shut down a predecessor marketplace called Sipulimarket.

Dutch police on Oct. 8 announced the arrest of two administrators of the Bohemia marketplace, reportedly including a 20-year-old Englishman who appeared in Rotterdam court after being arrested at the Schiphol airport in Amsterdam on June 27. Irish police arrested this past summer a Dublin exurbs resident who Dutch police say also ran the now-shuttered site.

Bohemia, along with sister site Cannabia - unsurprisingly dedicated to marijuana products - by 2023 had become among the longest-operating darknet markets and attracted an influx of new users, Searchlight Cyber wrote in December. Launched in 2021, the sites specialized in drugs but also served as intermediaries for counterfeit IDs and currency, as well as malware.

Dutch police said around 67,000 criminal transactions took place each month on Bohemia/Cannabia, with turnover peaking in September 2023 at 12 million euros. Administrators pulled down an estimated 5 million euros. Administrators ran an exit scam late last year, shuttering the site and dividing money among themselves after having temporarily gone silent in November.

How Police Find Dark Markets Operators

It's been more than a decade since Ross "Dread Pirate Roberts" Ulbricht initiated an era of online criminal bazaars that use the anonymity-bestowing properties of the Tor network. Based on research funded by the U.S. Naval Research Laboratory, Tor delivers on its promise of hiding users' IP addresses - occasional hiccups aside (see: Tor Says Platform Is Safe After German Police Interception).

Ulbricht, serving a double life sentence without the possibility of parole in a high-security prison in Tucson, Arizona, used the network to set up the untraceable Silk Road marketplace. But just as he innovated online drugs selling, Ulbricht pioneered another criminal trend: Being arrested thanks to his digital footprints made outside of Tor.

Today's drugs marketplace administrators are cautious about their online traces. But 10 years ago, when today's administrators were still just kids, "their OpSec was probably not very good," said Trevor Hilligoss, vice president, SpyCloud Labs, SpyCloud.

Those past indiscretions - what others would call normal internet usage - involve things such as social media profiles created with real names and persistent online handles. Criminals might continue using simple variations of a favored email or passwords into adulthood. "Password reuse is a great one. Somebody finds a password or a base password that they love, and they've used it for 20 years, maybe they're still using it today," Hilligoss said.

One of Ulbricht's main blunders was using an online handle associated with Silk Road that he at one point publicly linked with "rossulbricht@gmail.com."

Today's cybercriminals tend to be more careful, but most still end up making mistakes. Many online criminals are also gamers who turn off their IP-shielding VPNs while gaming to cut down on lag, said Hilligoss. Even if they remember 99% of the time to turn it back on before going back to crime, there are still those times when they forget, exposing potentially damning network information.

Cybercriminals become complacent, said Alex Cosoi, chief security strategist at Bitdefender. The company assisted Finnish customs in shutting down Sipulitie.

"They imagine if they do a tiny mistake, that police will bust their doors the next day. Which is not the case," Cosoi said. "A month later, they do another OpSec mistake, and still, police doesn’t come. And they grow sloppy and make more mistakes."

Transactions made in cryptocurrency are also not as private as cybercriminals might think. Irish police arrested the Bohemia/Cannabia suspect on money laundering charges, potentially underscoring how converting cryptocurrency into currency isn't risk free. Authorities across the world have stepped up know-your-customer requirements while also investing in methods to track bitcoins across exchanges even if criminals use methods to hide their funds' origin.

It's harder now to run an online criminal marketplace than it once was, Hilligoss said. European police agencies especially are focused on disruption, he said. A shift by Russian cloud hosting providers to infrastructure inside Europe in a bid to avoid sanctions levied following the Kremlin's 2022 invasion of Ukraine is a boon for police, he added.

"If you use the technology exactly as it is intended, if you are absolutely perfect in everything you do, then, yes, it's going to be very difficult for law enforcement," he said.

"Fortunately for the good guys, humans are not perfect."


About the Author

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.



