The 2021 Guide to Darknet Markets

From DIY fraud kits through to unlicensed gym candy, darknet markets are home to purveyors of all manner of illegal and semi-legal products and services. 

It seems that the darknet economy is alive and well in 2021. As always, the underground selling scene is a turbulent one, with new markets opening up just as quickly as law enforcers clamp down on existing ones. That said; certain new themes are emerging, including greater concentration of the market in the hands of fewer players, as well as more bulk buying by customers. 

Here are the key features of the darknet market environment in 2021…

What are darknet markets?

  • Darknet markets are shopping sites that are accessed via privacy networks such as Tor and I2P. They work a bit like eBay or Gumtree. Independent vendors list their products. Customers order through the website and the vendor is responsible for delivery. Payment is by cryptocurrency, often using an ‘escrow’ service: i.e. your money stays in the hands of the service provider pending confirmation of receipt of the goods.  
  • Anonymity makes this an ideal environment for the sale of illicit items. Drugs feature heavily. Other items include malware programs and other cyber-crime toolkits, surveillance tools, caches of stolen data, counterfeit goods, and even weapons. 
  • Currently at least, some of the big names include White House Market, Vice City Market, Dark0de Reborn and Yellow Brick Market, but the landscape is changing constantly.

How big is the market?

According to Chainalysis, there were 37 darknet markets operating at the end of 2020. This is down from 49 a year previously. 

Estimated revenue from these sites increased from $1.3 billion in 2019 to $1.5 billion. 

Research published in Nature in November suggests that when sites get banned, it does little to curb the trade in illicit goods overall. Buyers and vendors simply switch to other sites.

How has the pandemic affected the darknet marketplace? 

Coronavirus seems to have triggered more bulk buying. The Chainalysis report suggests that on the whole, people are placing fewer orders via darknet sites, but at a higher value. 

The pandemic has also impacted the range of products offered. One Darknet Analysis Project highlighted the proliferation of personal protective equipment for sale (e.g. masks, gowns, and test kits) as well as various purported medications, antidotes and serums. The fact that all of this is totally unregulated means you never really know what you’re buying. 

DIY fraud kits have become popular, too. The research highlighted various services available that enable purchasers to put together fake Covid-related websites, allowing them to lure their victims into disclosing personal information for the purposes of financial exploitation.

What action is being taken against darknet markets?

Closing down a darknet site is harder than you might imagine. Because they operate under a cloak of anonymity, actually tracking down the marketplace controllers can be a major forensic operation, often requiring coordination by agencies in multiple countries.  

German police claimed a major scalp in January of this year. Up until very recently, DarkMarket had emerged as one of the biggest illegal sales platforms out there, clocking up more than 320,000 transactions and a turnover of €140m. The site controller, an Australian national, was identified following forensic examination of servers based in Moldova and Ukraine. He was subsequently arrested near the German-Danish border. 

Also, when a particular selling platform has been taken down, vendors and consumers tend to just head elsewhere to new ones. If consumers happen to be in the right messaging groups, they can quickly get the intel on where their sellers of choice have moved on to. In response to this, rather than just focusing on the platform controllers, some of the biggest operations try to hone in on the vendors. 

One such operation, dubbed DisrupTor concluded in September last year. Earlier in the year, law enforcement agencies had managed to take down a big platform known as Wall Street Market. By digging deep into that platform’s data, German and Dutch police, Europol and various US agencies managed to track down and arrest 179 vendors of illicit goods in Europe and the US. They also bagged 500 kilograms of drugs, along with over $6.5 million in cash and crypto.

A health warning

It goes without saying that purchasing via a darknet market is a risky business. There are three specific risks you need to know about… 

First off; you never really know what you’re buying. If that game-changing hacking kit on sale for $100 seems too good to be true, it probably is. 

Second; beware the exit scam. Most often, this happens when the platform controller suspects law enforcement are closing in. They pre-empt the move by taking down the platform, running off with any customer funds they happen to hold at the time.  

Third; don’t assume that it’s only platform controllers and vendors that investigators are interested in. As prosecutors stated following the recent DarkMarket takedown: “Investigators expect to use the data saved to launch new probes against the moderators, sellers and buyers of the marketplace.”

The market isn’t going anywhere soon, but it remains a case of buyer beware!

Level Up in Cyber Security: Join Our Membership Today!

vip cta image
vip cta details
  • Nathan House

    Nathan House is the founder and CEO of StationX. He has over 25 years of experience in cyber security, where he has advised some of the largest companies in the world. Nathan is the author of the popular "The Complete Cyber Security Course", which has been taken by over half a million students in 195 countries. He is the winner of the AI "Cyber Security Educator of the Year 2020" award and finalist for Influencer of the year 2022.

  • B says:

    Exciting and informative, thank you. I’m considering doing a dark web crawl on a Whonix VM with the max recommended security settings in your course, on an additional VPN. Do you see the possibility for any VM escape attacks or other malware affecting the external system while undertaking this process?

    • Nathan House Nathan House says:

      There is always a small possibility but you are using good protection there. Unlikely.

    • Cristobal says:

      What bothers me is your implication that using the Onion node network from Tor is inherently hazardous. The article quite rightly only mentions the risk of PURCHASING something on the darkweb. Facebook has Onion sites, the search engine DuckDuckGo has an Onion site, the New York Times has an Onion site that you can navigate with Tor. Even in the markets, the vast majority of people there are interested in providing a safe place to buy and sell goods on an ongoing basis, and will, in fact, insist you register, use strong passwords, and use good security hygiene. Let me be clear, the anonymous overlay Onion network has legitimate uses. Don’t fall for the hype from media. There’s no need to use Whonix or a VPN just to browse with Tor. The reason for scaremongering; neither Google nor Facebook nor all the usual “clear web” businesses and advertisers can track you there, and therefore will greatly exaggerate risks.

      • Nathan House Nathan House says:

        Using Tor in and of itself is not hazardous in most countries. It is though in the countries where Tor is banned.
        You say “There’s no need to use Whonix or a VPN just to browse with Tor” Blanket statements like this do not apply to all threat models. The need to use security controls (Whonix/VPN etc) is based on the threat model. If for example you are wanted by the Iranian government and they are your adversary. You may well want Whonix or Tails for Tor.

      • B says:

        The risk isn’t when browsing to well-known sites like the ones you specified, nor is it inherently with the TOR network. It’s when interacting with links on websites that are not well-known and could very well be risky.

        • Nathan House Nathan House says:

          That is one possible risk. What about the risk that your adversary is trying to see what sites you are visiting? The risks are based on the threat model. Think about the wider world and uses of Tor.

  • Troy says:

    Great article love the continued updates your the best Nathan appreciate what you are doing.

  • D says:

    Cool article. You always have interesting topics, makes a great read when I get a chance to read.. Have you any professional opinions regarding recent enough solarwinds articles regarding their security breach?

  • Clive says:

    Thank you for the interesting article and got my knowledge up-to-date. Appreciated.

  • >