Europol Reveals Dismantling of ‘Largest’ Underground Marketplace

Europol DarkMarket Dark Web dismantling

Europol announced a wide-ranging investigation that led to the arrest of the alleged DarkMarket operator and the seizure of the marketplace’s infrastructure, including more than 20 servers.

Europol on Tuesday announced the takedown of DarkMarket, which according to the law enforcement agency is “the world’s largest illegal marketplace on the dark web.”

DarkMarket served as a marketplace for cybercriminals to buy and sell drugs, counterfeit money, stolen or counterfeit credit card data, anonymous SIM cards and malware. According to Europol, DarkMarket had almost 500,000 users and more than 2,400 sellers at the time of closure.

“The investigation, which was led by the cybercrime unit of the Koblenz Public Prosecutor’s Office, allowed officers to locate and close the marketplace, switch off the servers and seize the criminal infrastructure – more than 20 servers in Moldova and Ukraine supported by the German Federal Criminal Police office (BKA),” said Europol in its Tuesday announcement of the dismantling.

2020 Reader Survey: Share Your Feedback to Help Us Improve

In addition to shuttering DarkMarket’s infrastructure, The Central Criminal Investigation Department in Oldenburg (a German city) over the weekend arrested an Australian citizen near the German-Danish border. Europol said this citizen is the alleged operator of DarkMarket, but did not give further details.

In the future,  “it is unclear to what extent the shutdown of this dark market will impact cybercriminal operations, beyond the near-term disruption to its current users,” Paul Prudhomme, cyber threat intelligence advisor at IntSights, told Threatpost.

He noted, new dark web marketplaces eventually emerge to replace those that have closed, and users simply migrate to those new websites and to existing competitors.

“The arrest of one of the website’s operators and the seizure of its infrastructure may nonetheless yield useful investigative leads for law enforcement with which to act against its individual users, which may have more enduring impact,” Prudhomme said. “The website’s use of infrastructure in Ukraine and Moldova is not surprising, as many criminals prefer to host infrastructure in those two countries that they perceive to be relatively safe from law enforcement.”

However, the data stored in the servers that were seized by law enforcement will give investigators new leads to further investigate moderators, sellers, and buyers, said Europol. Europol (also known as the European Union Agency for Law Enforcement Cooperation) is the law enforcement agency of the EU, which has previously aided in various cybercrime investigations and the dismantling of various hacking groups.

Involved in the international operation was Germany (which took the lead), Australia, Denmark, Moldova, Ukraine, the United Kingdom (the National Crime Agency), and the USA (DEA, FBI, and IRS). Threatpost has reached out to the FBI for further comment on the operation.

Law enforcement has continued cracking down on underground forums and platforms used for cybercriminal denizens looking to swap illegal goods. In 2019, law-enforcement agencies worldwide took down a credentials marketplace (xDedic Marketplace) and continued to take action against former users of the Webstresser[.]org DDoS-for-hire site.

Underground marketplaces in general have been skyrocketing as a result of the COVID-19 pandemic, with Flashpoint researchers recently saying that demand for malicious and illicit goods, services and data has “reached new peak highs across dark web marketplaces.” Popular goods among cybercriminals include payment cards, access to Microsoft’s Remote Desktop Protocol (RDP) and DDoS-for-hire services, researchers said.

On DarkMarket alone, 320,000 illegal transactions were made on the platform, and more than 4,650 Bitcoin transferred –corresponding to a sum of more than $170 million, according to Europol.

“Dark web marketplaces such as this now-defunct website serve as key enablers for cybercriminals,” Prudhomme told Threatpost. “They provide these criminals with places to buy and sell malware, malicious infrastructure, and compromised data, accounts, and devices. Such exchanges are critical to cybercriminal operations because few criminals rely exclusively on their own resources, and many do not actually use the data that they steal.”

Supply-Chain Security: A 10-Point Audit Webinar: Is your company’s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts – part of a limited-engagement and LIVE Threatpost webinar. CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: Register Now and reserve a spot for this exclusive Threatpost Supply-Chain Security webinar – Jan. 20, 2 p.m. ET.

Suggested articles