The impact of criminal use of the internet is growing dramatically with the emergence of the Tor network, where darknet marketplaces increasingly resemble legal online marketplaces such as Amazon and eBay. Consequently, even offline crimes can now benefit from this novel modus operandi and from innovative routes for shipping illegal products and services, which forces law enforcement agencies (LEAs) to develop more advanced investigative techniques.
A recently published paper analyzes the product and service categories of 14 Tor darknet marketplaces and their associated vendors. The paper also proposes a new investigative technique based on PGP key inter-relations. With the rapid growth of Tor marketplaces, vendors are adopting more advanced technologies, such as PGP, which can be exploited to leak information, including relationships between various users. Let’s take a look at some of the interesting data presented in this paper.
Product categories on the studied Tor marketplaces:
Analysis of the included Tor marketplaces reveals that 44% of all items sold were drugs. Out of the 25,360 product listings observed in 2015, 11,057 belonged to the drug category. The types of drugs that make up this market are illustrated in figure (1).
Figure (1): Drug categories on Tor marketplaces
As shown in the figure, stimulants, prescription drugs, ecstasy, light drugs, cannabis, and hashish represent 60% of the whole drug market. The drug category on Tor marketplaces is highly fragmented, as the top 10 vendors do not exceed 11% of the whole market share, and the top vendor holds a quota of 1.99, as shown in figure (2).
Figure (2): Drug category quotas
The identity category represented around 15% of all product listings on the studied marketplaces. This category includes various items that can be used in cybercrime or in real-world offline crimes, such as terrorism. For example, you can buy a new passport, driver's license, or identification documents to cross country borders and deceive customs officials. Figure (3) illustrates subdivisions of the identity category. In brief, the identity category is much less fragmented than the drug category. The top vendor is linked to 8.5% of the listings in this category.
Figure (3): Identity categories on Tor marketplaces
3- Digital goods and services:
The items that can be categorized as “digital goods” represent around 14% of all product listings on the studied Tor marketplaces. This category includes technology products and threats such as exploits, botnets, and items that can threaten business profits including credit card codes or DRM violations. Figure (4) shows the different types of items within the category of digital goods. The category is fragmented similarly to the identity category, yet the top vendor holds only around 2.4% of the product listings within the category.
Figure (4): Digital goods category on Tor marketplaces
Using PGP keys to analyze relationships between identities:
The research study analyzed the relationships between different identities on Tor marketplaces. The authors of the paper detected the "authorities": nodes with zero out-degree, which therefore only receive signatures. The study proves that, even on an anonymous platform, a link between the dark web and the surface web can be found through the information leaked by PGP keys.
By integrating publicly accessible data on the surface web (keyservers) with information found on darknet services, including websites, marketplaces, stores, forums, and others, we can link a KeyID to a UserID (name, email, alias). This data can be used as a starting point for more thorough analysis using other tools (such as Maltego or Cyber Intelligence platforms), in addition to content enrichment services.
Moreover, this technique can reveal additional background, including the context in which the identity was found, simply by analyzing the constructed relationships, for instance a KeyID used to sign five other keys linked to drug vendors. Furthermore, by researching the drug items sold by these vendors, we can obtain additional information, including the intersection between the offered items, e.g. in the cannabis category. As such, we can conclude that items from the digital identity category are associated with a cannabis user or any individual interested in this product category.
The study found many interesting results, e.g. several vendors use different aliases on different Tor marketplaces while maintaining the same PGP key. Also, multiple aliases were found to be linked to the same vendor.
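The two analyses described above (finding "authorities" in the signature graph, and spotting one PGP key reused under several aliases) can be sketched as follows. This is an added example, not code from the paper; the marketplace names, aliases, KeyIDs and function names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: (marketplace, alias, KeyID) as published on vendor profiles.
LISTINGS = [
    ("market_a", "greenleaf", "0xAAAA1111"),
    ("market_b", "gl_official", "0xAAAA1111"),
    ("market_a", "docsmith", "0xBBBB2222"),
    ("market_c", "docsmith", "0xBBBB2222"),
    ("market_b", "pillbox", "0xCCCC3333"),
]

# Constructed signature edges: (signer KeyID, signed KeyID), as exposed by a keyserver.
SIGNATURES = [
    ("0xAAAA1111", "0xDDDD4444"),
    ("0xBBBB2222", "0xDDDD4444"),
    ("0xCCCC3333", "0xAAAA1111"),
    ("0xAAAA1111", "0xAAAA1111"),  # self-signature, carries no relationship
]

def reused_keys(listings):
    """Map each KeyID published under more than one distinct alias to those aliases."""
    names = defaultdict(set)
    for _market, alias, key_id in listings:
        names[key_id].add(alias)
    return {k: sorted(v) for k, v in names.items() if len(v) > 1}

def authorities(signatures):
    """KeyIDs with zero out-degree that receive at least one signature."""
    out_deg, in_deg = defaultdict(int), defaultdict(int)
    for signer, signed in signatures:
        if signer == signed:
            continue  # ignore self-signatures
        out_deg[signer] += 1
        in_deg[signed] += 1
    return sorted(k for k in in_deg if out_deg.get(k, 0) == 0)

def signers_of(key_id, signatures):
    """KeyIDs that signed key_id: the identities tied to an authority."""
    return sorted({s for s, t in signatures if t == key_id and s != t})

if __name__ == "__main__":
    print("aliases sharing a key:", reused_keys(LISTINGS))
    for auth in authorities(SIGNATURES):
        print("authority", auth, "signed by", signers_of(auth, SIGNATURES))
```

An alias that appears unchanged on several marketplaces (here `docsmith`) is not reported by `reused_keys`, since only differing aliases under one key indicate a hidden link.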