The Evolution of the Dark Web

Darknet markets are nothing new but they have grown considerably in popularity since the highly publicized take down of the Silk Road marketplace in October of 2013. Since then users around the world have flocked to these sites in search of drugs and other illicit services. Due to the high demand and availability for these items many marketplaces began to spring up across the Darknet. Most of these marketplaces feature drugs, but after the Silk Road takedown, marketplaces began offering items Silk Road wouldn’t allow. These items included weapons, credit cards and other malicious services like malware, DDoS-as-a-service and data dumps.

Today, there is an estimated 2 million daily users on the Tor network alone. This popularity is largely due to the amount of funding and academic review that the network has received over the years. Accessing the Onion network is also extremely easy and does not require an expert’s knowledge. The same goes for hosting and running a hidden service on the Onion network. But with this ease of access comes real life consequences. Many people look to the Onion network for anonymity and obfuscation. They use these tools so they can carry out their activities with little to no trace. But this is not always the case. Criminals are humans too and they are prone to mistakes just like an average user.

So far, 2017 has been an eventful year for the Onion network. Raids and takedowns have become common on the Dark web as federal agents across the world step up enforcement. In parallel, market operators and vendors are not only targeted by law enforcement but they are also being targeted by competition, rogue users, vigilantes and extortionists looking to profit by exposing the administrators’ personal details and vulnerabilities in their marketplace.

Freedom Hosting 2 takedown

At the beginning of February this year, a vigilante hacker took down over 10,000 hidden services, a fifth of the Onion network, that was running on Freedom Hosting 2. Freedom Hosting 2 was one of the largest Dark web hosting providers and a hacker discovered that it was hosting child pornography. The hacker not only took the hosting provider offline but also leaked the databases and private keys in a public dump.

[You might also like: Darknet 101: An Introduction to The Darkest Places Online]

Freedom Hosting 1 had a similar issue in 2013 when law enforcement took over the network due to child pornography. Agents at the time had deployed a network investigation technique using a piece of malware designed to obtain a user’s real IP address. Normally law enforcement does not immediately take down a marketplace. Agents normally seize and take control of Darkweb sites or hosting providers so they can identify more users and build a bigger case.

This is exactly what we saw in the global takedown of the Hansa and AlphaBay marketplaces. On July 20th Hansa was shut down following the takedown of AlphaBay on July 4th. During a press interview on July 20th it became known that Hansa was originally taken over on June 20th but law enforcement officials did not immediately take the market offline. Instead they operated Hansa for several weeks, quietly collecting login user names, passwords and activities of the users and vendors.


At the same time, agents around the world worked on compromising AlphaBay and on July 4th the marketplace went offline. The trap was set. Users and vendors began frantically searching for a new marketplace, and in the process used Clearnet sites like Reddit to advertise their new markets. Vendors and buyers quickly began moving to Hansa as suspected, which was under control by law enforcement at the time.


Agencies around the world worked together to make this possible. The intel gathered from such an operation gave law enforcement a deeper insight into the threat landscape. Agents were able to capture credentials and monitor activity. During the Department of Justice’s press release, Attorney General of the United States, Jeff Sessions, said that the Darknet is not a place to hide. He is correct. The Darknet is not a silver bullet for keeping you out of jail. It’s simply a tool used in a series to help protect your identity. But at the end of the day, humans are still susceptible to error and the marketplaces were ultimately taken down due to failures in personnel and operational security.

[You might also like: Cyber Attack Market Place]

As a result of these failures, the largest Darknet marketplace in history was taken down. Shortly after his arrest, the alleged founder was found dead in his jail cell in Thailand. Currently the alleged founder of Silk Road is serving a life sentence in the United States for computer hacking, laundering and the conspiracy to traffic narcotics and fraudulent identities. It was reported that AlphaBay was ten times larger than Silk Road and generated a billion dollars in sales in its three-year history. AlphaBay at the time of its takedown had over 200,000 users and 40,000 vendors selling everything from drugs to attack services. AlphaBay’s forum was also a hotbed of illicit activity involving users buying and selling leaked databases and stolen credit cards.

These kind of takedowns are digital perp walks meant to generate media attention. They are also designed to send a message to the community that agencies are paying attention to a verified problem. It also shows how active these agencies are in targeting the marketplaces themselves. In my opinion these takedowns are great for a number of reasons on the surface, but what is the end result? Unfortunately, this is only going to motivate vendors and operators to evolve through trial and error, making marketplace and forums harder to gain access to.

Old Forum – GroundZero

Marketplaces will soon begin incorporating trust tests seen in the previous version of GroundZero, a Darknet hacking forum. To gain membership on this forum, you were required to target a site and send the site’s credentials to the administrators of GroundZero. Once the hack was verified, the user was granted access. This technique is similar to mafia trust tests and will slowly edge researchers out as they become more widely adopted by marketplaces and forums on the Darknet.

Vendors and operators are going long because business is profitable and within an acceptable level of risk for them. They are looking to evolve these hidden services into becoming secure and resilient to takedowns. They are also looking for ways to prevent researchers and law enforcement agencies from entering their marketplaces in the future.

In the end, another Darknet marketplace will rise to the top and become bigger than AlphaBay. And again, in the future this marketplace will also be taken down. Someone is always going to rebuild when there is this much money on the table. They will evolve through trial and error until someone figures out a temporary recipe for success, but they too will be targeted. Not only by law enforcement and researchers but also by criminal hackers looking to extort administrators.


Read the 2016–2017 Global Application & Network Security Report by Radware’s Emergency Response Team.

Download Now

Daniel Smith

Daniel is the Head of Research for Radware’s Threat Intelligence division. He helps produce actionable intelligence to protect against botnet-related threats by working behind the scenes to identify network and application-based vulnerabilities. Daniel brings over ten years of experience to the Radware Threat Intelligence division. Before joining, Daniel was a member of Radware’s Emergency Response Team (ERT-SOC), where he applied his unique expertise and intimate knowledge of threat actors’ tactics, techniques, and procedures to help develop signatures and mitigate attacks proactively for customers.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program


An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

What is WAF?
What is DDoS?
Bot Detection
ARP Spoofing

Get Social

Connect with experts and join the conversation about Radware technologies.

Security Research Center