What’s Next for Law Enforcement in Disrupting Dark Markets

July 25, 2017

On July 20, the U.S. Department of Justice announced the takedown of the two largest dark web markets, AlphaBay and Hansa Market. News of the take-down began circulating in early July after AlphaBay went offline without warning. Reporting from The Wall Street Journal later confirmed a coordinated effort involving partners in at least the U.S., Canada, and Thailand, and the arrest of the site administrator, Alexandre Cazes, a Canadian citizen who died shortly after his arrest in Thailand. While successful, this latest effort raises questions about the current approach to disrupting online criminal networks. 
 
Monitoring and halting the growing breadth of activities taking place on dark web criminal markets is time and resource intensive. U.S. officials estimate that AlphaBay alone was responsible for at least $1 billion in sales since 2014, allowing over 40,000 vendors to traffic illicit commodities to over 200,000 users. AlphaBay was primarily a hub for narcotics—at the time of the takedown, approximately two-thirds of the listings were drug-related—but AlphaBay’s user base also advertised the sale of firearms, stolen credentials, malware, and other illegal goods. The challenge for law enforcement is that dark web markets are highly decentralized and resilient. For large dark web markets, identifying and arresting all vendors and users is unrealistic, leading law enforcement to focus their efforts on prosecuting site administrators and seizing their supporting infrastructure to deter would be cyber criminals. 
 
In 2013, U.S. law enforcement took down the then-largest online marketplace for illicit goods, Silk Road, and arrested its administrator following a two-year law enforcement investigation. Following the highly publicized takedown, dark market activities grew in popularity. AlphaBay was estimated to be ten times larger in volume of sales than Silk Road was at its peak. Site administrators and users have also grown more sophisticated in their adoption of new techniques, such as encrypted communications, anonymous browsing tools, and digital currencies to mask their location and activities. These tools and the growing professionalization of cyber criminals have frustrated efforts by law enforcement to monitor ever-shifting dark web marketplaces and attribute activities to specific domains.
 
Less than a month after Silk Road was shut down, administrators launched Silk Road 2.0, which remained active until U.S. law enforcement officials seized the site in 2014. Both sites remained active while law enforcement gathered additional intelligence, evidence, and developed a coordinated response. All the while, vendors continued to generate revenue and market their illegal products. Researchers estimated that AlphaBay generated between $600,000 - $800,00 a day in revenue. As was the case with Silk Road, law enforcement action against AlphaBay and Hansa will likely result in a temporary pause and disruption in the underground criminal markets. Indeed, officials reported that traffic to Hansa increased by eightfold following the immediate takedown of AlphaBay, demonstrating the ease with which cyber criminals maneuver to find new platforms for their illicit goods and activities.
 
Sharing of forensic information among international partners and coordinating attempts to take down illicit dark web markets and arrest site administrators has been the favored approach. Law enforcement agencies must now consider whether this approach is achieving the intended effect of deterring cybercrime, and whether the amount of time and resources spent on large takedowns is worth a temporary pause in activity. The next iteration of AlphaBay and Hansa is inevitable, a point noted by the DEA acting Deputy Administrator during the July 20 DOJ press conference. U.S. and international law enforcement entities should first consider how the market will respond to this latest disruption and adapt accordingly. 
 
One question is whether the next online market for illicit goods will take the form of a large clearinghouse that mirrors AlphaBay, or whether niche markets such as those used by hackers to traffic vulnerabilities and exploits will emerge. As such, law enforcement efforts to better understand key players and incentives driving activity in these markets should be intensified throughout the course of an investigation. 
 
Researchers at Carnegie Mellon University published a widely-used data archive on dark web markets, products and vendors, and the “lifetime” of sellers and the markets themselves. Security vendors have also completed analyses of cybercrime trends in key countries. Mapping physical locations and assets by crawling forums and collecting data on vendors and transactions may also yield evidence that allows law enforcement to take more aggressive action by seizing physical goods at their source. At the time of the AlphaBay takedown, for example, officials announced that the investigation resulted in new leads relevant to investigations in 37 countries. Expanding the use of intelligence collected with the assistance of private companies on dark web markets can help fill the gaps in resourcing and technical expertise until law enforcement can develop long-term strategies to cultivate more of those assets in-house. 
 
Cyber criminals are agile and will continue to find new ways to evade law enforcement, either through the greater adoption of encryption or by migrating to new platforms to conduct illicit activities. The AlphaBay and Hansa takedowns demonstrate that law enforcement agencies too are becoming more sophisticated in their ability to take joint action and coordinate responses to transborder cybercrime. Still, the temporary interruption of market infrastructure does not deter new players from entering these markets. Improving law enforcement’s capacity to understand dark web market dynamics will allow law enforcement entities to develop new areas of expertise, make better use of limited resources, and deter illicit activity online.