Dispatch from Academia: Exit scams, hacking, violence, predation and fraud

Rasmus is a PhD student at the School of Criminology at University of Montréal. He has studied DNMs since early 2014 and has, among other things, researched the politics of DNMs, the demand DNMs satisfy, how DNMs affect global drug trafficking and much more. Currently his PhD research centers around trust and transactions on DNMs, and he works with leading DNM researchers interviewing vendors.

Recently my colleagues, Kim Moeller and Jakob Demant, and I published an article in the American Behavioral Scientist. The article applies insights from offline drug markets to what we are witnessing on DNMs. In light of recent events, I think we can help with some perspectives on what has been happening on the dark web in recent weeks. In this post, I’ll draw on the article to provide a perspective (from our academic ivory tower) on what has transpired over the last month on the dark web.

There is a popular misconception that drug markets are places where violence and fraud are rampant, but that is often not the case. While violence does happen, most drug trades involve no violence. More often they are simply trades, or they may involve some degree of fraud or predation. A dealer might “short” you, rip off new customers and so forth. Dealers might also be robbed of their money or drugs. We can think of these exchanges of money and drugs, whether they are violent, fraudulent or peaceful, as resource exchanges.

Setting the scene

Over the last few months a lot of shit has gone down on the DNM scene. Law enforcement shut down AlphaBay, let the refugees migrate to Hansa, which they were in control of, and most recently Traderoute, the most promising market after months of complaints and rumors about Dream, ran off with every single satoshi. After the fall of AlphaBay and Hansa, as we’ve seen after every marketplace exit scam or market seizure, many buyers and vendors migrated to new markets. Dream and Traderoute seemed to handle the influx of users well, and things were (sort of) calming down.

Recently, several markets began reporting DDoS-attacks, which kept them offline, and which seem to be still ongoing. Whether this was law enforcement or other actors cannot be said with any certainty as of now. On October 11th, Traderoute announced that they would be going offline for maintenance, something which is not unusual for DNMs (the legendary Agora would be offline for days regularly), yet Traderoute never came back. On the 15th DeepDotWeb published the news that a hacker was likely to blame for the disappearance of Traderoute. The hacker, PhishKingz, had identified security flaws in Traderoute and allegedly obtained doxx on the admins. Seemingly, Traderoute took the money and ran as they saw themselves increasingly at risk.

Buyers are now searching for new marketplaces and scrambling to find their favorite vendors. Some vendors have lost escrow funds, others need to start over again building their reputation. The admins and moderators of the marketplaces destined to take the place of Traderoute (Dream, Aero, CGMC and so on) will have to take in thousands of refugees with all the logistical and practical challenges that carries with it. All on top of an apparently ongoing DDoS-attack.

By now, this sounds like a story we have heard before, but it is striking how much it resembles what we have seen again and again after the fall of Silk Road. Our typology of DNM resource exchange is an attempt to provide a conceptualization and insight into this recurring shitshow. Here you have the essence of it.

Violent Resource Exchange – Hacking and DDoS

DDoS attacks against DNMs have been a regular occurrence since Silk Road, and Ross, allegedly, paid off extortionists regularly. Markets being hacked or deanonymized is not a new phenomenon either, with noteworthy examples being the 2nd Dread Pirate Roberts who commissioned an attack against TorMarket, or the API leak on AlphaBay which leaked thousands of private messages. In our paper, we suggest thinking of these attacks as “system-based violent resource exchange” when there is money involved. For example, we point out that because DDoS-attacks are difficult to mitigate for hidden services, these services are an excellent target for the entrepreneurial extortionist. DDoS’ing the market will grind business to a halt, might draw law enforcement attention, and buyers and vendors might seek refuge on another market. It is not surprising that Ross, allegedly, paid off his extortionists.

The motive for these acts is typically financial, or at least they have a financial reward. The 2nd Dread Pirate Roberts openly acknowledged having ordered the hacking of his competitor, and dumped parts of the database. Shortly after, TorMarket disappeared with all funds on-site, with Silk Road 2.0 being one of the places refugees ended up. By displacing buyers and vendors, or threatening to do so through DDoS-attacks, perpetrators of this “violence” can reap large financial rewards. Here, we draw a parallel between this type of “violence” and the use of violence in traditional drug markets. In these, violence can be used to attack competitors or to take control over territory.

Fraudulent and predatory resource exchange – “The Marketplace Exit Scam”

The term exit scam has two meanings: Either it refers to a vendor scamming his customers and then bailing, or a market disappearing with all funds in wallets and escrow. We call the second version the “marketplace exit scam”, and since Silk Road, we’ve seen it again and again, with Evolution and Sheep Marketplace being probably the worst examples. It’s a well-known routine by now: A market grows to a comfortable size and then runs off with all funds in escrow and wallets. The consequences, however, can be harsh. People struggling with addiction might not be able to score, vendors can lose thousands, and people who have borrowed money on credit to score a supply they can resell offline can lose all they have. These stories are common after every marketplace exit scam.

We tried, but could not find an apt parallel for the marketplace exit scam in traditional drug markets. It’s not uncommon that drug dealers or buyers are robbed, but what separates the two is that on DNMs, everyone with bitcoin on the site becomes a victim. If you have a suggestion for an apt parallel, we would love to hear it in the comment section.

A perspective on recent events

We point out in the article that while we see several instances of violent resource exchange, hacking and DDoS-attacks, this is somewhat rare. These attacks draw attention to the markets and complicate everything, and it might be just as financially rewarding to allow peaceful transactions and the commission gained from them. Likewise, in traditional drug markets extreme violence, for example murder, will draw attention from law enforcement and is generally not good for business. Traderoute can be seen as an example of this, based on the information we have available.

Traderoute was subject to predatory violence. The hacker PhishKingz identified a flaw in the marketplace, and exploited it. He gained access to a trove of information, and used this to blackmail the owners of Traderoute for bitcoin and a job. Allegedly, he even found their doxx. According to PhishKingz, this unfortunately led to the administrators realizing the gravity of their situation, and running off with every satoshi. This massive marketplace exit scam therefore seems to be provoked by the violence perpetrated by PhishKingz. Of course, the administrators of Traderoute might also have planned their exit scam the whole time.

Drug market violence is not good for business and the harms may spill onto those uninvolved. It has repercussions and it draws law enforcement attention. If PhishKingz is to blame for the Traderoute exit scam, what happened last week is parallel to what happens in drug markets: Violence spills over and everybody loses.