ToR Black Market CyberCrime EcoSystem

gAtO tHiNkS – the black market in cyberspace exists in both the surfaceWeb and the darkWeb. For some reason the general internet user thinks the Tor .onion network is for bad guys only, and only because of the black market in the onion network, which is a small part of the network… The general consensus is that the black market rules Tor onionLand. That is a joke; let me tell you why.

What is the Cyber Black Market:

A black market or underground economy is a market in goods or services which operates outside the formal one(s) supported by established state power.

From DHS: cybercrime is a bigger threat than terrorism. From the Symantec/Norton cybercrime statistics for the surface web:

Here are some quotes from their report.

1. Cybercrime cost $388 billion across 24 countries.

2. 69% of adults have been a victim of cybercrime.

3. 10% of mobile phone users have experienced cybercrime, up 42% from last year.

4. Cybercrime costs the world significantly more than the global black market in marijuana, cocaine and heroin combined ($288B).

White Collar -Cyber Crime

In the surface web (cyberspace) crime is alive and well, but we have become accustomed to it. If you're a Windows user, how many security updates do you get a week, a month? That alone tells you that on the surface internet we have lots of cyber-crime going on, and so pharmacy spam emails are normal, and offers from an African millionaire who left you money arrive every other day. In these hard economic times, offers to make big bucks $$ working from home, becoming a re-shipping mule for commercial criminals, are normal offers to people looking for jobs. These are all organized cyber-criminal groups dealing in the surface web.

Blue Collar -Cyber Crime

Now take the Tor .onion black market: it's a little more in your face. Drugs, guns, stolen goods, sex, hacked data; in the darkWeb you know that these merchants are crooks and criminals. Silk Road and Black Market Reloaded now verify sellers, and even buyers, to make it look more legit. What does verified mean in these .onion marketplaces? It usually means that the admin of the site has somehow checked that this is a real person with real whatever, or that he has done business with someone and they wrote a nice review, never thinking that the review could be the crook under another login name, just like they do in the surfaceWeb.

gAtO would not do business with any black market in the surfaceWeb or the darkWeb. If my products are bad, at least I can complain to Amazon; I can't do anything but write a bad review on Black Market Reloaded in the darkWeb.

Honest crooks? In the Tor .onion black market you can assume everyone is a thief, a crook or a criminal.

CyberCrime EcoSystem. 


Let's look at the black market in the surface web:

WHITE COLLAR CYBER CRIMES – cybercrime ecosystem

ATM skimming: ATM skimming is proliferating, alongside the overall availability of bank plastic cards, holograms and pretty much everything a carder needs to cash out fraudulently obtained credit card data.

Pharmaceutical e-mail spam: the general public is addicted to drugs (legal, illegal, copy drugs, fake-claim drugs) and they e-mail you, the consumer. You have seen them: "Viagra", cheap, from Canada, from Europe... nah, it's from Asia or Russia.

Eastern Europe is the epicenter of the cybercrime epidemic: for financially-motivated cybercrime, without question hackers in Russia and Eastern Europe are the most active, if not also the most profitable. Sophisticated groups tend to be regional and stick to attacking their own (Brazil is a good example).

active malware/crimeware campaigns:

sophisticated cybercriminals:

Risk-forwarding cybercrime ecosystem

the rise of money mule recruitment

Are reshipping mules more popular than money mules 

advanced persistent threats (APT attacks)


Let's look at the black market in the dark web:


Selling Drugs

Selling Guns and explosives

Selling Stolen goods

Selling Hacked Data

Selling Sex

Buy an Assassin 

Rent a Hacker


So now we can see that in the surface black market the legit merchants are watching everything you do and selling your information to the highest bidder, while sophisticated crimes against normal people, backed by organized crime, are normal in the clearWeb. In the deep/dark/Tor .onion web the low-end criminals haunt the area. The problem I have is that the same things that are in the deep dark web are the same things I can get on eBay (guns, stolen goods) or Craigslist (assassins, legal/illegal drugs, sex, stolen and damaged goods). So on the surface web you can get the same as on the dark web; what's the difference? Inside the matrix you have more anonymity.

No matter the anonymity, gAtO would not do business with the black market in the deep web or out of it. Use your own common sense, my friends. We are judging that those people who use the Tor protocol to communicate with more privacy are all bad, when only a few sites sell (bad) stuff; there is some good in the network, and, bottom line, it's all about freedom of choice. The other thing is that the commercial cyber-criminal ecosystem in the clearWeb has not picked up on this newer technology (the Tor onion network), which is more secure and makes it harder to scam you and harvest your personal information while online.

The black market is the same or worse in the surface web than in the deep/dark web, so stay away from the black market, period. Use the Tor network to be smarter and quieter, without leaving digital breadcrumbs.

Below I have my notes and the Tor Cleaned Hidden Directory Wiki so you can see for yourself some of the things that go into the black market on the Tor .onion network. Remember that this is only a small part of the network; there are millions of terabytes undiscovered in the Tor .onion network, it's just hidden. They don't want you to know.

George Carlin said it best: you're not in the club, and they are not going to let you in; they are never going to let you in.

They are going to scare you away from the Tor .onion network because "they", the powers that be, will hide their little business secrets in this network and they want to scare you away from it. I found a great article, a "Krebs on Security" interview, outlining the cyber-criminal ecosystem, from which I drew a lot of the surface web black market anyway – gAtO oUt

lab Notes: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-



ToR Cleaned Hidden Directory Wiki


Hidden services – HTTP/HTTPS

Volunteers last verified that all services in this section were up, or marked as DOWN, on: 2012-01-24

Introduction Points

OnionLand link indexes and search engines.

Hidden Wikis

Index pages in Wiki-based format.

Other indexes

Other places/directories you may be able to find links.

Search engines

Google for Tor. Search for links.

  • TORCH – Tor Search Engine. Claims to index around 1.1 Million pages.
  • Deepsearch – Another search engine.
  • Torgle – Torgle revived. Based on OnionWare’s server. Web crawler.
  • The Abyss – Administrator’s search engine. Supports submitted links.
  • – Clearnet search engine for Tor Hidden Services (allows you to add new sites to its database).
  • DuckDuckGo, clearnet – Clearnet metasearch engine with heavy filtering. Not like the aforementioned search engines to look up Hidden Services. Just searches the clearnet.

Other general stuff to see

Starting places.


See also: Marketplace Reviews – Reviews of the marketplace experience (ALL reviews go in this article, NOT in the listings below).
See also: The separate Drugs and Erotica sections for those specific services.
Remember that “feedback” can be faked in the Marketplace Reviews. Try to use escrow as much as possible to ensure you won’t be scammed.

Financial Services

Currencies, banks, money markets, clearing houses, exchangers.

  • Anonymous Internet Banking Anonymous Debit Cards with EU bank account and VCCs by A HackBB trusted vendor
  • The Bitcoin Laundry Service– Bitcoin Laundry service.
  • InstaCard – Sell your bitcoins for a virtual VISA credit card, in $25, $50, or $100 denominations. $5 fee.
  • Paypal4free – Hacked Paypal accounts for cheap, with balances
  • PayPal Store – Purchase clean, verified USA PayPal accounts with Bitcoin. (Host: FH)
  • Bitcoin Fog – Laundry service.
  • anonXchange – Ecurrency exchanger, exchange LR, Bitcoin, PSC, Ukash, Pecunix, Cash. Also doing Bitcoin washing.
  • Acrimonious – A bitcoin escrow checkout. Free if there are no disputes. Works with tor2web. (UNABLE TO REGISTER)
  • Bitcoin2CC, clearnet – Converts your Bitcoins into a virtual VISA credit card instantly.
  • The Bitcoin Washing Machine – Can launder large amounts of coins without same-coin contamination. (Host: FH)
  • Little BTC Ebook – The new way of selling and buying Bitcoin is through Second Life, more information here.

Commercial Services

Hosting / Web / File / Image

  • The Onion Cloud – Tor/ownCloud based cloud. Login/Pass: public/public. (Host: FH)
  • Accounts for BTC – sells accounts in exchange for bitcoins
  • TOR host – Host your site anonymously in deep web for free. – DOWN 2011-12-24
  • bittit, clearnet – Host and sell your original pictures for Bitcoins.
  • Mystery File a Day – Want to see something cool?
  • Blolylo – Simple file uploads. Won’t accept plain text files. 2 MiB upload limit. (Host: FH) (Blank page) – Broken 2011-06-09
  • CircleServices – Mixie’s place. Provides: Circle-Talk, TorPM, ImgZapr, SnapBBS, qPasteBin, AnonyShares, Circle-IRC. (Provider: CS)
  • Anonyshares – File upload up to 10MB. (Provider: CS)
  • qPasteBin – A pastebin. (Provider: CS)
  • 5am – File dump and Image Board. 5MB Limit. DOWN 2012-01-05
  • Potaoto – Image hosting. Generates large thumbnails. DOWN 2012-01-05
  • Onion Fileshare – 2GB Upload file size limit. Upload any files you want.
  • ES Simple Uploader – Upload images, docs and other files. 2 MiB upload limit. (Host: FH)
  • IMGuru (More info) – Fast GIF/JPEG host. No images removed. If you get the error Invalid File, retry the upload. (Host: FH)
  • TorIB – Create and run your own imageboard. (Host: FH) (Neglected status note) – Broken 2010-06-16
  • SquareBoard – Upload and share high quality images. (Moderated)
  • sTORage – Upload files. Has WebDAV support.
  • Onion Image Uploader – Image Hosting. 2 MiB upload limit. Generates medium thumbnails. (Host: FH)
  • Freedom Hosting (More info) – Hosting Service with PHP/MySQL. As of 2011-06-04, it hosts about 50% of the live OnionWeb by onion. UPDATE 2011-06-05, probably owns a lot more than that now. Invite-only.
  • PasteOnion – Paste and share text, sources, whatever. You can make your paste public or set a password. (Host: FH)
  • QicPic – Upload any type of file. Caches and compresses uploaded files to decrease loading time. (Host: FH)

Blogs / Essays

Forums / Boards / Chans


A relatively simplistic messaging board owned by Mixie. Various discussion boards. There’s lots of these, but here are a couple.

Other forums

Other forum types. Usually phpBB.


Non-CP or generally safe imageboards on Tor.

  • Torchan – /b/, /i/, programming, revolution, tons of other boards
  • Anonchan – Boards: /b/ – Random, /a/ – Anime/Manga/NSFW.
  • Hidden Image Site – HIS
  • TriChan – Revived, now only has /p/ Pokemon, /mlp/ My Little Pony, and /b/ Random
  • Lukochan – A Russian/English text discussion board in imageboard style.

Deaths (R.I.P):

  • RundaChan – Share ideas and ask or answer questions
  • Bobby’s board Channel with currently only 2 boards but growing – about 75% LOL 0% uptime

Forums Scripts Besides SnapBBS

  • PunBB 1.3.6 Forum script – During installation you do not need to give an e-mail address to create your forum, and users can register without an e-mail address. The script does not record your IP in the forum database, so neither the administrator nor the moderators can see your IP address; this makes use of the forum much safer because your IP is not logged anywhere in the database. Two download mirrors.

If anyone knows of anything else that provides this, send an e-mail.

Email / Messaging

See also: The compendium of clearnet Email providers.

Political Advocacy



See also: WikiLeaks Official Site and Official Submission Onion (temporarily closed).

Operation AntiSec



Hack, Phreak, Anarchy (internet), Warez, Virus, Crack.

Audio – Music / Streams

Video – Movies / TV


See also: Category:Novel – List of books on this wiki.


Noncommercial (D)

These sites have only drug-related information/talk. No sales or venues.

  • Silk Road Forums – Silk Road Forums
  • Be Here Now – The North American Laughing Buddha (Folk medical advice from a pothead). (Host: FH)
  • TorDrugResource – Drug Chemistry and Pharmacology including limited Rhodium/Hive/Synthetikal mirrors. (Host: FH)
  • Serenity Files – Community-maintained library on growing illicit substances.

Commercial (D)

See also: Marketplace Reviews and Onion Reviews – Reviews of the marketplace experience (ALL reviews go in these articles, NOT in the listings below).

  • oxiD Shop – Marijuana, Cocaine (Bitcoin)
  • Silk Road – Marketplace with escrow (Bitcoin)
  • Pot2Peer – Marijuana and cannabis products delivered safely and discreetly to your door. Always anonymous. (Bitcoin)
  • Paradoxum – Cannabis, MDMA, LSD, Mushrooms, Coke, DMT (BTC, Dwolla, Pecunix, LR, Paxum)
  • DrugSpace – Dispensary Grade Sour Diesel Marijuana and Cambodian strain Psilocybin Mushrooms. Get the URL from the Onion Reviews, people keep changing it here
  • Trees by Mail Beta – Cannabis from Northern California (Bitcoin)
  • and – Yummy edibles and other cannabis related stuff. Nothing but the best. (Paypal and Bitcoin)



Noncommercial (E)

Commercial (E)

See also: Marketplace Reviews – Reviews of the marketplace experience (ALL reviews go in this article, NOT in the listings below).



Services that defy categorization, or that have not yet been sorted.

  • Kenny – You killed Kenny! You’re a bastard! DOWN
  • Carson – Nature Boy poem. Previously The Ultimate Guide for Anonymous and Secure Internet Usage v1.0.1.
  • The LG enV2 – Very basic information and photo gallery about a wireless digital messaging phone. (Host: FH)
  • Questions and Answers – A little truth game. Ask questions and give answers anonymously. Answers also support image uploading.
  • noreason – Info and pdf files on weapons, locks, survival, poisons, protesters, how to kill. Hidden Wiki, TorDir, Steal this wiki, Telecomix Crypto Munitions Bureau mirrors. Guro, dofantasy / Fansadox Collection. DOWN D:
  • The Outlaw Project – “Free for all” – links to various files and known .onion sites. Onion address hosted an FTP service.
  • Fenergy file-server – File collection that includes books and other resources energy related.


Czech / Čeština

Danish / Dansk

  • DanishChan – Scandinavian focused imageboard. Boards include drugs and IT security as well as a Random board. Fast and clean layout, little downtime.
  • – Danish Drug Trade. (Host: CS)

Dutch / Nederlands

Estonian / Eesti

  • Vileveeb – Anonymous report submission. DOWN 2012-01-24

Finnish / Suomi

French / Français

German / Deutsch

Hebrew / עברית

  • Samim.onion – Selling and shipping of drugs and medicine in Israel (Bitcoin). (Host: FH)

Italian / Italiano

Japanese / 日本語

Korean / 한국어

  • ?? – ??? ?? ??? (??????)

Polish / Polski

  • Torowisko – Forum of the Polish Tor community. A new general-topic forum with no registration and no censorship. A worthy successor to Onionforum, already with over 8000 posts (new ones arriving every day!). (Host: FH)
  • Fundacja Panoptykon, clearnet – Site of a foundation opposing increasingly widespread surveillance and the growing tendency toward monitoring and control of society.
  • George Orwell "Rok 1984" – Polish translation of the well-known novel
  • Polska Ukryta Wiki – PUW, the wiki of the Polish Tor community. (Host: FH)
  • FAQ – Freely Answered Questions – Q&A-style portal where you can ask questions related to the underground (read: awkward questions). (Host: FH)

Abandoned, inactive or junk sites:

Portuguese / Portugues

Caravana Brasil

Russian / Русский

  • R2D2 – ????????? ?????, ??????? ????????????, ???????? ????????
  • Runion – ????????? ?????: Bitcoin, Tor, ????????? ?????
  • Runion Wiki – ??????? ?????? ? ????????? ? Runion ?? ???????
  • ??????? – ??????? ??????? ?????. (Host: FH)
  • ???? – ??????????? ???????? ???????? ?????????????. (Host: FH)
  • ??? – ????????? ????????????? ?????.
  • ????????, clearnet – ?????? ???????? ????????????? ????????? ????????.
  • ?????-?????? – ????? ??????? ?????? ? ???? ?? ??????? ?????. (Host: FH)
  • Russian Road – ??????? Silk Road(?????????, ??????, ?????????, ?????????)

Slovak / Slovenský

Spanish / Español

  • Abusos – Judicial abuses in Spain.
  • Quema tu móvil!, clearnet – Interception of mobile communications: cell phone eavesdropping techniques used by intel agencies. DOWN 2012-01-24
  • HoneyNet, clearnet – Ethical hacking; special security techniques used in penetration tests to avoid being detected. DOWN 2012-01-24
  • T0rtilla – Shoutbox webchat. (Host: FH)
  • CebollaChan – CebollaChan, the Tor-chan in Castilian Spanish.
  • T0rtilla – Shoutbox webchat. (Direct FH URL). (Host: FH)
  • Forocoches 2.0 – Torocoches – Forocoches 2.0 (Host: FH)

Swedish / Svenska

Hidden Services – Other Protocols

Volunteers last verified that all services in this section were up, or marked as DOWN, on: 2011-06-08
For configuration and service/uptime testing, all services in this section MUST list the active port in their address. Exception: HTTP on 80, HTTPS on 443.
For help with configuration, see the TorifyHOWTO and End-to-end connectivity issues.

P2P FileSharing

Running P2P protocols within Tor requires OnionCat. Therefore, see the OnionCat section for those P2P services.
IMPORTANT: It is possible to use Tor for P2P. However, if you do, the right thing must also be done by giving back the bandwidth used. Otherwise, if this is not done, Tor will be crushed taking everyone along with it.

  • The Pirate Bay – Download music, movies, games, software! The Pirate Bay – The galaxy’s most resilient BitTorrent site – Official(?)
  • GNUnet files sharing – GNUnet URI index site with forum. (Host: FH)
  • Sea Kitten Palace – Torrent site and tracker for extreme content (real gore, animal torture, shockumentaries/mondo cinema, and Disney movies)
  • AshANitY – Anonymous sharing of Humanity, torrents. (Host: FH)

Chat centric services

Some people and their usual server hangouts may be found in the Contact Directory.


See also: IRC Anonymity Guide

  • AnoNet – Each server is on its own network and connects to a chat cloud

running on: (various), ports: plaintext: 6667, ssl: 6697

  • Federation: OnionNet – IRC network comprised of:

running on: unknown, ports: plaintext: 6668, ssl: none


running on: (various), ports: plaintext: 6667, ssl: 6697/7070

running on:, ports: plaintext: none, ssl: 6697

running on: unknown, ports: plaintext: 6667, ssl: 9999

  • hackint – hackint is a communication network for the hacker community.

running on:, ports: plaintext: none, ssl: 6697

running on: unknown, ports: ssl: 6697


  • fxb4654tpptq255w.onion:706 – SILCroad, public server. [discuss/support]

XMPP (formerly Jabber)

  • xmpp:ch4an3siqc436soc.onion:5222 – public server. No SSL. Chatrooms. No S2S. – DOWN 2011-08-01
  • xmpp:okj7xc6j2szr2y75.onion:5222 – as a hidden service

TorChat Addresses

Humans are listed in the above contact directory. Bots are listed below.

  • 7oj5u53estwg2pvu.onion:11009 – TorChat InfoServ #2nd, by ACS.
  • gfxvz7ff3bzrtmu4.onion:11009 – TorChat InfoServ #1st, by ACS.

OnionCat Addresses

List of only the Tor-backed fd87:d87e:eb43::/48 address space, sorted by onion. There are instructions for using OnionCat, Gnutella, BitTorrent Client, and BitTorrent Tracker.

  • 62bwjldt7fq2zgqa.onion:8060
  • fd87:d87e:eb43:f683:64ac:73f9:61ac:9a00 – ICMPv6 Echo Reply
  • a5ccbdkubbr2jlcp.onion:8060 – mail.onion.aio
  • fd87:d87e:eb43:0744:208d:5408:63a4:ac4f – ICMPv6 Echo Reply
  • ce2irrcozpei33e6.onion:8060 – bank-killah
  • fd87:d87e:eb43:1134:88c4:4ecb:c88d:ec9e – ICMPv6 Echo Reply
  • [fd87:d87e:eb43:1134:88c4:4ecb:c88d:ec9e]:8333 – Bitcoin Seed Node
  • taswebqlseworuhc.onion:8060 – TasWeb – DOWN 2011-09-08
  • vso3r6cmjoomhhgg.onion:8060 – echelon
  • fd87:d87e:eb43:ac9d:b8f8:4c4b:9cc3:9cc6 – ICMPv6 Echo Reply
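Two things in the listings above can be checked mechanically rather than by eye: the wiki's own convention that every non-HTTP(S) entry must carry an explicit port, and the OnionCat mapping, which fills the 80 host bits of fd87:d87e:eb43::/48 with the base32-decoded 16-character onion name. The following Python is an added example, not code from the wiki or from OnionCat itself; the listing entries and onion/IPv6 pairs are copied from the directory above, and the parsing rules for scheme prefixes and bracketed IPv6 literals are my reading of how those entries are written.

```python
import base64
import ipaddress
import re
from typing import Tuple

# OnionCat carves its addresses out of fd87:d87e:eb43::/48: the 48-bit prefix is
# fixed and the remaining 80 bits are the 16 base32 characters of the (v2) onion
# name decoded to 10 raw bytes.
ONIONCAT_PREFIX = bytes.fromhex("fd87d87eeb43")
ONION_V2_NAME = re.compile(r"^[a-z2-7]{16}$")

# Listing convention from the wiki: "<name>.onion:<port>" or "[<ipv6>]:<port>",
# optionally preceded by a scheme such as "xmpp:" (assumption: scheme is a bare
# word followed by a colon, as in the XMPP entries). The port may only be
# omitted for HTTP (80) and HTTPS (443).
LISTING = re.compile(
    r"^(?:(?P<scheme>[a-z][a-z0-9]*):)?"
    r"(?:\[(?P<v6>[0-9a-fA-F:]+)\]|(?P<onion>[a-z2-7]{16}\.onion))"
    r"(?::(?P<port>\d{1,5}))?$"
)
DEFAULT_PORTS = {None: 80, "http": 80, "https": 443}


def onion_to_onioncat(onion: str) -> ipaddress.IPv6Address:
    """Derive the OnionCat IPv6 address of a 16-character v2 onion name."""
    name = onion.lower()
    if name.endswith(".onion"):
        name = name[: -len(".onion")]
    if not ONION_V2_NAME.match(name):
        raise ValueError(f"not a 16-character v2 onion name: {onion!r}")
    ident = base64.b32decode(name.upper())  # 16 chars * 5 bits = 10 bytes, no padding
    return ipaddress.IPv6Address(ONIONCAT_PREFIX + ident)


def onioncat_to_onion(addr: str) -> str:
    """Inverse mapping: recover the onion name from an fd87:d87e:eb43::/48 address."""
    packed = ipaddress.IPv6Address(addr).packed
    if packed[:6] != ONIONCAT_PREFIX:
        raise ValueError(f"{addr} is not inside fd87:d87e:eb43::/48")
    return base64.b32encode(packed[6:]).decode("ascii").lower() + ".onion"


def parse_listing(entry: str) -> Tuple[str, int]:
    """Split a directory entry into (host, port), applying the wiki's port rule."""
    m = LISTING.match(entry.strip())
    if not m:
        raise ValueError(f"malformed listing: {entry!r}")
    host = m.group("onion") or m.group("v6")
    if m.group("port") is not None:
        port = int(m.group("port"))
        if not 0 < port < 65536:
            raise ValueError(f"port out of range in {entry!r}")
        return host, port
    scheme = m.group("scheme")
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"port must be listed explicitly for {entry!r}")
    return host, DEFAULT_PORTS[scheme]


def is_valid_listing(entry: str) -> bool:
    try:
        parse_listing(entry)
        return True
    except ValueError:
        return False


# The onion/IPv6 pairs exactly as they appear in the OnionCat section above.
PAGE_PAIRS = {
    "62bwjldt7fq2zgqa.onion": "fd87:d87e:eb43:f683:64ac:73f9:61ac:9a00",
    "a5ccbdkubbr2jlcp.onion": "fd87:d87e:eb43:0744:208d:5408:63a4:ac4f",
    "ce2irrcozpei33e6.onion": "fd87:d87e:eb43:1134:88c4:4ecb:c88d:ec9e",
    "vso3r6cmjoomhhgg.onion": "fd87:d87e:eb43:ac9d:b8f8:4c4b:9cc3:9cc6",
}


def page_pairs_consistent() -> bool:
    """True if every listed IPv6 address is the OnionCat image of its onion name, both ways."""
    return all(
        onion_to_onioncat(o) == ipaddress.IPv6Address(v6) and onioncat_to_onion(v6) == o
        for o, v6 in PAGE_PAIRS.items()
    )


if __name__ == "__main__":
    for entry in ("fxb4654tpptq255w.onion:706",
                  "xmpp:ch4an3siqc436soc.onion:5222",
                  "[fd87:d87e:eb43:1134:88c4:4ecb:c88d:ec9e]:8333",
                  "xmpp:okj7xc6j2szr2y75.onion"):          # violates the port rule
        print(entry, "->", parse_listing(entry) if is_valid_listing(entry) else "REJECTED")
    print("OnionCat pairs on the page consistent:", page_pairs_consistent())
```

Running it confirms that all four onion/IPv6 pairs listed above agree with the mapping, which is also a useful sanity check before trusting a new OnionCat entry: an address that does not decode back to the onion it is listed against is either a typo or someone else's host. Note that the 80-bit mapping only works for the 16-character v2 names of the era this directory was written in; 56-character v3 names do not fit and the regex rejects them.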

Bitcoin Seeding


  • bitcoinbudtoeks7.onion:8333 – DOWN 2011-08-20
  • nlnsivjku4x4lu5n.onion:8333 – DOWN 2011-08-20
  • xqzfakpeuvrobvpj.onion:8333
  • z6ouhybzcv4zg7q3.onion:8333

Dead Hidden Services

Main article: List of dead hidden services

Do not simply remove services that appear to be offline from the above list! Services can go down temporarily, so we keep track of when they do and maintain a list of dead hidden services.

  • In addition to an onion simply being gone (Tor cannot resolve the onion), sites that display 404 (and use a known onion/URL based hosting service) are the only other thing that is considered truly DOWN. Presumably the account is gone.
  1. If a service has been down for a while, tag it with ‘ – DOWN YYYY-MM-DD’ (your guess as to when it went down).
  2. If a tagged service on the above list of live hidden services has come back up, remove the DOWN tag.
  3. If a tagged service is still down after a month, please move it (along with the DOWN tag) to the list of dead hidden services.
  • The general idea of the remaining four service states below is that, if the Hidden Service Descriptor is available, and something is responding behind it… the service is considered up, and we track that fact on the Main Page. If any of these subsequently go offline, append the DOWN tag and handle as above.
  1. Hello world’s / statements, minimal sites, services with low user activity, etc (while boring)… are listed as usual.
  2. Broken services are those that display 404 (and do not use a known hosting service), PHP or other errors (or they fail silently)… any of which prevent the use of the service as intended. They also include blank pages, empty dirs and neglected status notes. Presumably the operator is in limbo. Broken services are tagged with ‘ (reason) – Broken YYYY-MM-DD’ (your guess as to when it went broken)
  3. Services that automatically redirect to another service (such as by HTTP protocol or script), have their redirection destinations noted in their descriptions. These are tagged with ‘ – Redir YYYY-MM-DD’ (your guess as to when it went redir)
  4. Sites that are formally closed via announcement are tagged with ‘ – Closed YYYY-MM-DD’ (your guess as to when it went closed)
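The maintenance rules above are really a small state machine: a probe result maps to one of UP, DOWN, Broken, Redir or Closed, and the existing tag plus the elapsed time decides whether an entry stays on the live list, has its tag dropped, or moves to the dead list. The Python below is an added example encoding those rules; it is not a tool the wiki ever shipped. The probe dictionary and its keys (resolved, http_status, known_host, redirect_to, closed) are my own representation of what a volunteer observes, and "a month" is taken as 30 days. Entry strings are copied from the listing above; the probe outcomes are invented for the demo.

```python
import re
from datetime import date, timedelta

# Recognises the wiki's trailing tags: " – DOWN 2012-01-05", " (reason) – Broken 2011-06-09", ...
# The listing is inconsistent about the dash before the tag, so it is optional.
TAG_RE = re.compile(r"\s+(?:[–-]\s+)?(DOWN|Broken|Redir|Closed)\s+(\d{4}-\d{2}-\d{2})$")
DEAD_AFTER = timedelta(days=30)      # assumption: "a month" = 30 days


def classify(probe: dict) -> str:
    """Map one probe of a hidden service to the wiki's states: UP, DOWN, Broken, Redir, Closed.

    probe keys (a constructed representation, not a real tool's output):
      resolved    - Tor could fetch the descriptor and something answered behind it
      http_status - response code, or None if nothing answered / the page is blank
      known_host  - the onion lives on a known onion/URL-based hosting service
      redirect_to - destination if the service auto-redirects elsewhere
      closed      - the operator formally announced a shutdown
    """
    if not probe.get("resolved", False):
        return "DOWN"                          # onion gone: Tor cannot resolve it
    if probe.get("closed"):
        return "Closed"
    if probe.get("redirect_to"):
        return "Redir"
    status = probe.get("http_status")
    if status == 404:
        # 404 on a known hosting service means the account is gone (DOWN);
        # 404 anywhere else just means the site is broken.
        return "DOWN" if probe.get("known_host") else "Broken"
    if status is None or status >= 500:
        return "Broken"                        # errors, silent failure, blank page
    return "UP"                                # hello-world pages count as up


def split_tag(entry: str):
    """Return (entry_without_tag, tag_state, tag_date) for one listing line."""
    m = TAG_RE.search(entry)
    if not m:
        return entry, None, None
    return entry[: m.start()], m.group(1), date.fromisoformat(m.group(2))


def update_entry(entry: str, probe: dict, today):
    """Apply the wiki's rules; return (which_list, rewritten_entry).

    which_list is "live" (Main Page) or "dead" (List of dead hidden services).
    today may be a date or an ISO string.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    base, old_state, old_date = split_tag(entry)
    state = classify(probe)
    if state == "UP":
        return "live", base                    # rule 2: it came back, drop the tag
    if old_state == "DOWN" and state == "DOWN" and today - old_date >= DEAD_AFTER:
        return "dead", f"{base} – DOWN {old_date.isoformat()}"   # rule 3: move, tag intact
    if state == "Redir" and probe["redirect_to"] not in base:
        base = f"{base} (redirects to {probe['redirect_to']})"  # destination goes in the description
    # unchanged state keeps its original date; a new state is dated today
    tag_date = old_date if old_state == state else today
    return "live", f"{base} – {state} {tag_date.isoformat()}"


if __name__ == "__main__":
    today = "2012-02-10"
    cases = [
        ("5am – File dump and Image Board. 5MB Limit. DOWN 2012-01-05", {"resolved": False}),
        ("TorIB – Create and run your own imageboard. (Host: FH)",
         {"resolved": True, "http_status": 404, "known_host": True}),
        ("sTORage – Upload files. Has WebDAV support.", {"resolved": True, "http_status": 200}),
    ]
    for entry, probe in cases:
        print(update_entry(entry, probe, today))
```

The one subtlety worth keeping is the 404 split: a 404 from a known hosting provider is treated as the account being gone (DOWN, so it eventually ages onto the dead list), whereas a 404 from a self-hosted onion is only Broken and never expires on its own, exactly as the two bullet points above distinguish them.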


Krebs on Security Interview:

Black Market : Tales from the underground

ATM skimming

ATM skimming is proliferating, next to the overall availability of bank plastic cards, holograms and pretty much everything a carder needs to cash out the fraudulently obtained credit card data. From ATM skimmers with bluetooth notification, to ATM skimmers with SMS notification, what are some of the latest innovations in this field that you’re observing?

Brian: One innovation in skimming that I wrote about recently is that crooks are starting to turn to 3D printers to make these devices. An investigator in California shared with me some photos of what was believed to be a 3D printed skimming device, which was the news hook for that story. But as I was researching the topic, I discovered that a skimmer gang had recently been convicted of creating skimming devices made with a 3D printer they had purchased with the proceeds of their previous skimming crimes.

pharmaceutical affiliate networks

Brian: I think there are a few trends emerging, and they all have to do with the fact that it’s getting harder for rogue pharmacies to make money. One is a shift toward more generic and herbal medications. The affiliate programs seem to be looking for drugs to sell that don’t incur intellectual property violation cases, which can get them shut down in a hurry. But I think it is becoming much harder for the larger volume spam and scareware affiliate programs out there to retain reliable processing, and that’s a long overdue but welcome development.

Eastern Europe is the epicenter of the cybercrime epidemic

Brian: If you mean financially-motivated cybercrime that affects the rest of the world, I would say without question hackers in Russia and Eastern Europe are the most active, if not also the most profitable. I think there are cases where (dis)organized crime groups have and are conducting a lot of cybercrimes, but many of these sophisticated groups tend to be regional and stick to attacking their own (Brazil is a good example).

But generally speaking I think it is a mistake to try to measure cybercrime by actual losses, which almost never comes close to the real losses and damage done by cybercrime, costs incurred by software and hardware and personnel defenses, etc. Don’t get me wrong: I strongly believe that all nations should be working harder to quantify and publish data about cybercrime losses, particularly in the financial sectors. But the reality is that even some of the most active criminal groups — such as the rogue pharmacy “partnerka” programs like SpamIt and GlavMed and Rx-Promotion — employed some of the biggest botmasters with the biggest botnets, and while some of them made a lot of money, most did not. And the spam partnerkas are excellent examples of cases where there are huge asymmetries between their earnings for these activities and the tens of billions of dollars companies and individuals need to spend each year to try to block all of its attendant ills.

active malware/crimeware campaigns:

I think we can continue to expect to see Microsoft doing whatever it can to disrupt cyber criminal activity, because 95 percent of it or more is aimed squarely at their customer base. Whether the gains from those take downs and targeted actions have long or short-term consequences may not be so important to Microsoft. From my lengthy interviews with Microsoft’s chief legal strategist on this subject, it was clear that their first order of business with these actions is raising the costs of doing business for the bad guys, and I think on that front they probably will succeed in the long run if they keep going after them as they are.

cybercrime ecosystem – sophisticated cybercriminals

I consider it a badge of honor that these guys bother to thumb their noses at me. The most recent one I’m aware of was whoever was in charge of coding the Citadel Trojan added some strings in the malware that said, “Coded by BRIAN KREBS for personal use only. I love my job & wife”. Sort of a friendly jab and a vague, nonspecific threat rolled into one. Sometimes it is just kids looking for attention, but by and large I think most of these guys truly resent having any outside light — especially from “amers” or Americans — shed on their operations. They also don’t like it when you distill their operations, norms or processes into bite sized chunks that demystify their ecosystem or forums.

I can’t speak for law enforcement activity, but as a journalist and investigative reporter, I’m always sad to see these communities go away. I think it’s safe to say that most of them are already infiltrated by several national law enforcement organizations. I’d be very surprised if they were not. Some operating right now probably were even set up by law enforcement. We’ve seen them do that a few times before. I think most of the fraudsters who’ve been doing this long enough probably understand that and act accordingly. Others do not, and that is why you tend to see lots of people come and go, but the same core group of a few hundred guys are the top dogs on most important forums.

Communities and crime forums are great places to learn intelligence about upcoming and ongoing attacks, breaches, 0days, etc. Shutting them down seems to me to be counterproductive, since you almost always force the forums to go more underground and use more security features to keep untrusted people out, and known sources of intelligence go away, or worse yet change their nicks and contact info and all of a sudden a source you have developed you may never see or hear from again.

Risk-forwarding cybercrime ecosystem

the rise of money mule recruitment

Brian: I’ve identified quite a few distinct money mule recruitment networks. I don’t know about templates, but many of them tend to recycle the same HTML content and change the names of the fake companies. That’s handy I guess for keeping track of which group recruited which mules, but beyond that I’m not sure it tells you much. What I have noticed is that money mules are the bottleneck for this type of fraud, and oftentimes the cyber crooks will leave money in the victim’s account because they simply didn’t have enough mules to help them haul all of the loot. So with any one victim, it’s typical to find mules recruited through 4-6 different mule recruitment gangs, because the fraudsters who outsource this recruitment will simply go from one to the other purchasing the services of these recruitment gangs until they’ve got enough to help them haul the loot, or they’ve exhausted the available mule supply. But usually, the mule gangs don’t have any problem finding new recruits.

Are reshipping mules more popular than money mules 

Brian: I think reshipping mules tend to be more useful. Most regular money mules are one-and-done. They’re used for a single task and then discarded (although one group I am following re-uses money mules as many times as they can before the mule starts to ask for their monthly salary). Typically, a reshipping gang will get 3-5 packages reshipped per weekday per mule, and the average reshipping mule works for 30 days before figuring out they’ve been working for free and at great personal risk and they’re never going to get paid, or the check they got from their employer just bounced. But several mule gangs I’m aware of do both reshipping and money mules interchangeably.

Online gambling

advanced persistent threats (APT attacks)

Brian: I think if there has been a net positive about the shift in focus (at least from the mainstream security industry) away from traditional threats to APT attacks it is in the increased attention paid to social engineering attacks, which form the basis of most successful attacks today. 0day threats get a lot of press and are frequently associated with APT attacks, but it is far more common for these attacks to leverage known vulnerabilities for which there are patches, much like exploit packs that are used in many Zeus attacks and other more traditional cyber crimes. Unfortunately, educating users about what not to click on or trust or open is always an uphill battle. There are some things that companies could be doing more on this front, and I’d like to see more firms randomly test their employees to help speed the process of learning how not to fall for phishing and social engineering scams.

scareware industry, scareware remains one of the most profitable monetization strategies within the cybercrime ecosystem

Brian: I don’t think scareware is the same scourge it used to be, although it’s clearly still a problem. I would say this problem — like the pharma spam problem — must be attacked at the payment processing point; that is where it makes the most sense. There are some things afoot in the payment processing space that I think will probably start to show major results in the coming months on this front, but the proof will be when the scareware partnerka programs start dying off completely because the business model has dried up. I think we can expect to see the costs of acquiring banks taking on this business continue to rise, and that will help make the scareware industry less profitable and less attractive for scammers.



