Malware Wholesale and Retail: What’s New in Darknet Markets


Darknet is a favorite place for cybercriminals who want to find like-minded people, share experiences and sell or acquire new technologies to carry out their attacks. On trading floors in this segment of the Internet you can easily find stolen logins and passwords from user accounts and almost any malware – from botnets to viruses for IoT. The dynamics and the main trends of such “supermarkets” for hackers are the subject of a new study by Trend Micro, which we will discuss in this article.

In the dark

In 2015-2016 Trend Micro has published a series of reports that share a common theme: the economics of the cybercrime world. In 2020, we returned to the analysis of darknet / darkweb and its markets in a study Shifts in Underground Markets: Past, Present, and Future (“Dynamics of changes in clandestine markets: past, present, and future”). Its purpose is to show how technology development and the current situation in the world have influenced pricing, the mechanisms of interaction between participants in underground darkweb markets, and the popularity of certain categories of goods and services. We also wanted to know what the future holds for these markets and what to expect for ordinary users and IT security professionals from their “customers”.

This interest is not least due to the fact that in terms of profitability, cybercrime leaves far behind multinational corporations. For example, the average annual profit of cybercriminals is about 1.5 trillion US dollars, and giants like Apple and Amazon in 2019 received “only” 260 and 290 billion dollars, respectively. In addition, darkweb markets respond extremely quickly to global trends. Almost immediately after the onset of the coronavirus pandemic, proposals related to COVID-19 appeared on clandestine forums – from innocent ones like wholesale of respirators and toilet paper to completely malicious ones – software and tools for attacks using social engineering methods.

Distrust and “legalization”

In the years that have passed since our last research in this area, serious changes have occurred in the way of thinking of the “inhabitants” of underground trading floors and their infrastructure. First of all, they touched on the methods of interaction between sellers and buyers, as well as reducing confidence in DarkWeb and the forums where cybercriminals publish their ads. Also, one cannot fail to note the growing influence and interference of law enforcement agencies in the activities of darkweb.

In 2019, the administrators of one of the major underground markets, Wall Street Market, tried to close their business by escaping with funds that buyers had deposited with them until sellers fulfilled their obligations. This attempt was connected with the increased attention of law enforcement agencies to darkweb and the large trading floors in it, which eventually resulted in the arrest of the administrators of this and two other portals. Toward the end of 2019, Italian police successfully closed another popular forum, the Berlusconi Market. Both of these factors (and the administration’s attempt to “rob the loot,” and the closure of several large forums) were the reasons for the decrease in the confidence of darkweb users in clandestine markets. In addition, the remaining popular forums, for example, Empire, faced another problem in 2019 – constant DDoS attacks, which, according to rumors, were authorized by the same law enforcement agencies.

As a result, hackers are gradually mastering the “legal” channels for communication and trade, which in the current conditions are more convenient and safer for them than the usual darkweb sites. For example, not so long ago we discovered a popular platform for online trading, registered in the name of a company from the Middle East. On this site, any user can register to sell digital goods and services. In December 2019, she even hit the top 15,000 sites in the world and the top 5,000 in the United States (according to Alexa analytics).

At first glance, everything on this resource looks absolutely legal, and even in the conditions of using the platform, you can find information about the ban on the sale of illegal materials. But judging by the same analytics data, more than half of the site’s traffic is referrals from the popular underground forum, and another underground forum,, explicitly states that its administrator is associated with the platform’s management. And all the stores on this platform, links that can be found on clandestine forums of cybercriminals, continue to function despite the fact that they clearly violate its conditions.

Also, the Discord application is starting to gain popularity, which is actively displacing Telegram from the position of an ideal messenger for communication and conducting transactions between cybercriminals. This is primarily due to a certain degree of anonymity for users that the application provides, and the ability to create your own servers. Judging by the fact that during the study we repeatedly found servers that offer the same goods and services as on underground sites, many hacker forums from darkweb have already taken advantage of this opportunity.

What, where, how much?

During the study, we divided all the goods and services in the underground markets into 18 fairly broad categories, which included various offers – from credit card and drug data and drugs to encryption programs. You can find their complete list in the very study text, and in this post we will focus on the five most interesting categories.

Stolen Accounts – We found almost five million posts in clandestine forums related to this category. It includes a huge number of different types of accounts, including logins and passwords for online banking, online stores, food delivery services, entertainment portals and services (Netflix, Amazon, Hulu, Spotify, and even Disney +, although this service has appeared on the market in total only in November 2019). It is worth noting that the maximum popularity of the category does not mean maximum profitability for cybercriminals. The price tag for most accounts starts at $ 1, and access to a user’s bank account can be obtained for only $ 5, and this situation has not changed much since our previous market analysis.

Gaming software and accounts. Games have long become a part of the modern way of life, but the scale of interest in them by hackers (and their clients) brought this category to second place in our study. In clandestine forums, nearly 3 million posts are devoted to gaming. In this case, we are talking not only about traditional tools for hacking multiplayer and competitive games – aimbots or wallhacks – but also about access to rare accounts with a large number of in-game items or trading skins for popular games. For example, Fortnite account credentials can cost $ 999, which is understandable given the popularity of the game and the fact that many Asian gamers spend huge amounts on purchases in in-game stores (especially MMORPGs).

Credit card details. Nearly two million posts in clandestine forums relate to stolen user card data. The cost of this data directly depends on the balance on the card, and credit cards with a confirmed large balance or credit limit can cost more than 500 US dollars. In general, we can say that interest in cards remains stably high, but prices in this category have fallen sharply in recent years. In 2015, they asked for $ 20 for one card, and now the starting price for credentials from a card with an unverified balance is about $ 1.

Spam software. Automatic spam mailing is mentioned in more than 600,000 messages. Prices for goods in this category have not changed much since 2015 and start at about $ 20. Curiously, most of the proposals do not concern sending spam via e-mail, but an even more traditional channel – SMS. Mass mailing through this channel will cost from 25 to 50 US dollars.

Tools for creating fake news. This category is gaining popularity quite actively, but appeared not so long ago, so now about half a million posts on underground forums are devoted to it. We noted the interest of cybercriminals in it in our study of 2017, and since then, “like factories”, fake comments and the promotion of a buyer of interest have not disappeared. The lowest prices for such tools are traditionally offered by the Russian-speaking segment of the dark web – from $ 1 for 10,000 likes, and prices have been at a stable level for several years. The bot for social networks will cost you $ 25, and 1000 likes on YouTube – from $ 26.

As a “bonus” category, it is worth mentioning ransomware programs, about which we found only about 80,000 references in clandestine forums. Despite the huge losses that tools from this category have brought to enterprises around the world, and about $ 1 billion in profit for cybercriminals in 2016 alone, their starting cost remains quite low – from $ 5. At the same time, successful and well-established “malware” can cost more than 1000 or even 3000 dollars. The most popular on the market is Jigsaw, in second place is the acclaimed WannaCry.

Source: Trend Micro

Darknet trends and future trading

We looked at the current situation in the world and made a number of assumptions about what awaits the underground markets and ordinary users suffering from the actions of cybercriminals.

1) The growing popularity of MaaS. Not only developers of anti-virus solutions are able to sell their software by subscription. The MaaS model (malware as a service, ie “malware as a service”) is actively gaining popularity in a cybercrime environment. Hacker forums offer not only the source code of their software or ready-made builds of “malware”, but also technical support and timely updating of tools, that is, they use the technology of large companies to ensure stable monthly or annual income.

2) Deepake – The popularity of this technology is constantly growing, and the potential for its use for illegal purposes is simply huge. Fake snapshots and videos simulated using neural networks (and even voice recordings) will be used for attacks using social engineering, creating fake news and sextortion (blackmail with threats to publish real or fake sexual material relating to the user), including with technology elements that are used in ransomware programs, for example, with a timer that counts the time until publication.

3) Blockchain for cybercriminals. Already, there are active discussions on automating the settlement process between buyers and sellers in clandestine forums related to the drop in confidence in the administration and security of the dark web as a whole described above. One of the ideas was the use of “smart” contracts and blockchain elements to completely eliminate the possibility of fraud on the part of transaction participants.

4) Entering Emerging Markets. In our 2017 research, we predicted that cybercriminals would activate in Africa – this prediction was fully justified. Also in Africa, their own cybercriminal groups have already appeared, which operate not only on its territory, but also around the world. In the next 3-5 years, the situation will only worsen.

five) Globalization. Clandestine markets are moving away from dividing into local communities. For example, many announcements from the Russian-language segment can already be found on the English and Arabic forums, which was not 5 years ago. In the future, this trend may well continue, although part of the goods remains unique for specific markets and regions.

6) Internet of Things and Fitness Gadgets It has long been used by hackers to create botnets and DDoS attacks, but with the development of 5G networks and the gradual increase in the performance of IoT devices, including fitness trackers, it can be expected that cybercriminals will be able to use them for more sophisticated attacks, including collecting user data and subsequent blackmail.

7) SIM Cloning. Many companies already use two-factor authentication with access to an account after receiving a special code on a mobile device. Judging by reports on clandestine forums, cybercriminals are quite actively interested in the theft, substitution or cloning of such cards, especially when it comes to management accounts. Such an operation will allow them to access the infrastructure of the company without having to hack it from the outside.

In conclusion, I would like to note once again that, despite the efforts of law enforcement agencies and the constant development of cybersecurity systems, cybercrime and underground markets on the darknet will not disappear anywhere in the coming years. Therefore, the best that ordinary users and IT professionals can do is to take care of the effective protection of their system and network infrastructure, otherwise in one of our next reports, their data runs the risk of replenishing the ranks of offers from hackers in one of these forums.

Similar Posts

Leave a Reply