Dark Web Marketplaces Dissolve Post-AlphaBay, Hansa Takedown

Published: 22/11/2024   Category: security




Cybercrime marketplaces reshape into smaller forums and individual chats as threat actors find new ways to evade law enforcement.



One year after Operation Bayonet took down AlphaBay in 2017, the marketplace model of cybercrime continues to decline -- but it's not a sign for security teams to sit back and relax. The risk to businesses and consumers is alive and well. It's simply taking a different form.
The operation that shuttered AlphaBay and Hansa led to multiple subsequent arrests, says Rafael Amado, strategy and research analyst at Digital Shadows. For a period of time after the takedown, many people didn't understand what was going on. When they did, they panicked.
"They thought it was an exit scam, or technical difficulties," he says. "There were all these different rumors flying about … it started to sow the seeds of mistrust, suspicion, cynicism."
AlphaBay's seizure meant thousands of vendors and buyers in the English-speaking cybercrime community had to look elsewhere to conduct their illicit business. The marketplace consisted of more than 40,000 vendors and generated more than $1 billion in trade, Digital Shadows reports in "Seize and Desist?", a new report examining cybercrime marketplaces post-AlphaBay.
"It cemented the issue of mistrust in the cybercriminal community … it made people really, really suspicious of established marketplaces, and new ones as well," he continues.
AlphaBay's demise left a gap, though it wasn't as large as experts expected -- the marketplace was just one player among many on the underground. However, other markets like Dream and Olympus failed to capitalize on the gap. Instead, cybercriminals found new and stealthier means of continuing their businesses while evading the watchful eye of law enforcement.
Find Me on the Forums
Cybercriminals, increasingly suspicious of marketplaces, began to retreat into older and specialized platforms to buy and sell. Peer-to-peer networks and chat channels have grown more popular, a trend that predates Operation Bayonet but has evolved in its wake.
Over the past six months, Digital Shadows researchers have observed more than 5,000 Telegram links shared across criminal forums and Dark Web sites. Of these, 1,667 were invitation links to join new groups. Discord, another private messaging app, is seeing greater adoption but to a lesser extent, with 743 invites shared within the same timeframe.
The centralized marketplace has dissolved into a decentralized model as wary threat actors err on the side of caution, opting for subtle transactions over markets that require plentiful resources to operate. New tech, processes, and peer-to-peer (P2P) communication give cybercriminals greater anonymity and make them even harder to pin down.
"Your account information and payment card details, along with counterfeit documents, ID scans, banking Trojans … those things are still being traded," Amado explains. "They're not being sold on marketplaces, they're being sold on forums."
Specialized forums cater to buyers and sellers in the market for specific purposes: credit card numbers, malware, hacking tools. Buyers post what they're looking for; sellers post what they have. They share Telegram, Discord, or Jabber info and slip into private messages. "People generally want to directly communicate with the actors they're buying from," he adds. Forums serve as a complete log of conversation and are easier targets for law enforcement.
The future of Telegram as hackers' preferred tool is uncertain, Amado points out. It recently came to light that Apple has blocked updates since April, when Russia blocked Telegram and demanded its removal from the Apple App Store because it refused to provide decryption keys for users' communication with Russian security agencies.
"We'll see if Telegram will be forced to comply and if they are, you'll see people move away from Telegram as a communication method of choice," he expects.
Hackers Buckle Down on Forum Security
Forum administrators have been integrating processes to facilitate trust among their users. Blockchain DNS, user vetting, site access restrictions, and domain concealment supplement the use of P2P networks to build a sense of security.
Tralfamadore is an example of a decentralized market that uses blockchain to store databases and code to support front-end user interfaces. Transactions are done in cryptocurrency and are permanently recorded; this way, if one user attempts to scam another, it can be identified.
Cybercriminals using forums are wary of law enforcement posing as users. Some forums regulate activity with forum lifecycles, which limit new users' access and set posting restrictions until they reach a certain level of activity. New users might require positive feedback from other members until these limitations are lifted.
Some forums require members to pay for premium subscriptions or have multiple referral invitations from established participants. Others create a hierarchy: the longer you're a member and the more you prove your legitimacy, the more you're allowed to post.
Amado advises businesses to know what type of data they hold, how it could be monetized, and how an attacker might gain access to it, to prevent their information being trapped in the cybercrime web. With a better idea of how the cybercrime ecosystem is adapting, they can better monitor where stolen data might flow.