The size of the deep web is estimated to be five hundred times that of the surface web. The dark web comprises around 6% of the deep web and involves all forms of illegal activity, including illicit drug trading, weapons trafficking, counterfeiting, and trading of malicious and hacking products. Dark web marketplaces, or crypto markets, are a unique form of platform hosted on the Tor network that facilitates the trading of illicit products. Identifying and analyzing the goods traded on crypto markets can yield essential insights for cyber threat intelligence and online security applications. The volatility of the dark web makes it extremely difficult to study. Practically speaking, darknet marketplaces are not adequately referenced, and accessing them requires some level of technical skill. Additionally, these marketplaces are regularly shut down by law enforcement agencies or white hat hackers, or they change their URLs to evade being targeted by governments.
Multiple studies have analyzed the patterns of drug trading on darknet marketplaces. However, very few have analyzed the trading of hacking-related products on crypto markets. Most black hat hackers depend on malware and software exploits offered on various darknet marketplaces to launch their attacks. A recently published research study aims to present a thorough analysis of illegal hacking-related trading on various crypto markets in order to build a clear understanding of the cyber threats that can harm individual users, organizations, and industries.
The authors of this paper offer a unique insight into the hacking-related products traded on the darknet. The study concludes that the main motivation of vendors is generating the maximum possible profit. In fact, this market was found to generate around $26 million during the period of the study. The low price of the offered products is an alarming factor: the study shows that 85% of the offered products were sold for less than $150, which makes cyber crimes relatively easy to commit. It also shows that one cell had control over most of the market, which indicates that a well-organized infrastructure supports this market.
Exploring the hacking market communities on the dark web:
The study used a novel method based on machine learning techniques and social network analysis to visualize communities of vendors of malware and exploits on crypto markets. The authors of the paper obtained data on malware and other hacking-related product offerings from 20 different darknet marketplaces. This data was used to develop a similarity matrix of the marketplace vendors. To develop this matrix, unsupervised learning was used to group the vendors' products into 34 different hacking categories.
Thereafter, the authors quantified the similarities between vendors by analyzing the number of categories their product listings fell into, in addition to the number of listings in each category. The study explored approximately 40,000 hacking-related product listings grouped into 34 different categories. The authors then measured the similarity of vendors of hacking-related products using four different metrics, based on their product categories along with their matching number of products, in order to identify the connections between them. The authors also applied social network analysis (SNA) and machine learning to organize communities of vendors of hacking-related products into two groups of marketplaces. After identifying the communities and the vendors in each group, the authors made a final analysis of the vendors' distribution within both groups. They wanted to establish that the agreement between the two groups could not easily have arisen at random. To test this, they took the number of vendors within each community and applied the exact same distribution to a random community assignment method, conducting the experiments for both groups.
The results of this analysis were validated by checking the overlap between the two marketplace groups. The authors of the paper obtained an Adjusted Rand Index (ARI) of 0.445 with their method, whereas random assignment of individual vendors to communities yielded an ARI of -0.006. The method used in this study is another step towards understanding hackers' social networks on the dark web, which can help cyber threat intelligence agencies in their mission to track networks of vendors of hacking-related products on the dark web.
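The validation step described above can be reproduced on any pair of community assignments. The following is an added example, not code from the paper: the vendor labels are constructed, the function names are hypothetical, and shuffling labels while keeping community sizes fixed is an assumed reading of the paper's random baseline.

```python
import random
from collections import Counter
from math import comb

def adjusted_rand_index(labels_a, labels_b):
    """ARI between two community assignments of the same vendors."""
    if len(labels_a) != len(labels_b):
        raise ValueError("both partitions must cover the same vendors")
    pairs_total = comb(len(labels_a), 2)
    if pairs_total == 0:
        return 1.0
    # Vendor pairs placed together in both partitions, in A only, in B only.
    together_both = sum(comb(c, 2) for c in Counter(zip(labels_a, labels_b)).values())
    together_a = sum(comb(c, 2) for c in Counter(labels_a).values())
    together_b = sum(comb(c, 2) for c in Counter(labels_b).values())
    expected = together_a * together_b / pairs_total  # agreement expected by chance
    maximum = (together_a + together_b) / 2
    if maximum == expected:  # degenerate case: both partitions are trivial
        return 1.0
    return (together_both - expected) / (maximum - expected)

def random_baseline_ari(labels_a, labels_b, trials=1000, seed=0):
    """Mean ARI after shuffling vendors across communities, sizes unchanged."""
    rng = random.Random(seed)
    a, b = list(labels_a), list(labels_b)
    total = 0.0
    for _ in range(trials):
        rng.shuffle(a)  # same community size distribution, random membership
        rng.shuffle(b)
        total += adjusted_rand_index(a, b)
    return total / trials

# Constructed sample: community label of 12 vendors active in both
# marketplace groups (index = vendor, value = community id in that group).
GROUP_1 = [0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2]
GROUP_2 = [0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2, 0]

if __name__ == "__main__":
    print("observed ARI:", adjusted_rand_index(GROUP_1, GROUP_2))
    print("random baseline ARI:", round(random_baseline_ari(GROUP_1, GROUP_2), 3))
```

An observed ARI well above a baseline that sits near zero, as with the paper's 0.445 against -0.006, indicates that the same vendors cluster together in both marketplace groups more often than community sizes alone would explain.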