The darknet is under attack by law enforcement and even by those within its own community. There has been a seemingly never-ending stream of darknet incidents since the beginning of 2019. The year began with DDoS attacks on the largest darknet markets, most likely from different sources and with different goals. After Dream Market succumbed and shut down, the second biggest market, Wall Street Market (WSM), saw its admins engage in an exit scam. WSM was subsequently seized by authorities.
Continuous and powerful DDoS attacks achieved great success. Rumors said they relied on an exploit against the Tor network. The end of spring marked a ceasefire and relative silence, interrupted only by updates to various forums’ security measures. Then, on the Torum darknet community, the hacker collective known as “evildevil666” announced they could destroy any darknet site, reinforcing the rumors of a Tor vulnerability.
Figure 1: evildevil666 claims the ability to “destroy any site.”
They brought down Torum on the same day in order to demonstrate their capabilities; Torum’s admins confirmed the event publicly.
Figure 2: Confirmation of the effectiveness of evildevil666’s DDoS attack.
At this point, fear, uncertainty and doubt took root in darknet communities. Tor exploit-based DDoS attacks were no longer theoretical: they had been successfully demonstrated, which worsened the fear of opportunistic deanonymization attacks, even though the ability to knock an onion service offline does not by itself imply the ability to locate it. Autumn began with the news of Cyberbunker, a bulletproof hosting facility full of illicit darknet content, being raided by the German police. The author of the Mariposa botnet and admin of the crime forum Darkcode, Matjaž “Iserdo” Škorjanc, was arrested in Germany. Though the arrest’s relation to the raid on Cyberbunker is unconfirmed, the timing is striking, and Cyberbunker’s fall is one plausible explanation for the arrest.
Then an interesting claim about Cyberbunker caught our eye.
Figure 3: A news article discussing the shutdown of Wall Street Market and arrests of several people involved with it.
Servers in Cyberbunker hosted WSM, the former darknet market mentioned above. Cyber security journalist Brian Krebs, along with others, confirmed the information. To see the significance of this, let’s return to the events of Spring 2019 and more specifically, the aftermath of the arrest of the WSM admins.
Figure 4: HugBunter attempts to explain what happened to WSM.
The above screenshot from May 2019 shows the admin of the darknet portal Dread, known as HugBunter, explaining that Med3l1n, the “community and support manager” of WSM, suffered a breakdown after the authorities arrested three WSM admins. Eventually, he started sharing his support panel login data and the admin panel’s IP address, which in turn (according to HugBunter) gave law enforcement full remote access to the data stored on WSM servers.
This might have been the beginning of the operation against Cyberbunker, if the WSM data gave law enforcement leads on where and how to conduct the operation. We speculate that Med3l1n’s leak led to serious consequences for vendors, clients and, potentially, hosting services. We do not claim the leak of WSM admin data was the only lead on Cyberbunker.
The leak was a peculiar event surrounding the seizure of WSM, and one easily connected to the further acquisition of sensitive information on criminal activity on the darknet. It is rare for a threat actor to hand login data to law enforcement. This may be why law enforcement decided to raid a criminal haven like Cyberbunker.
This would also explain the arrest of the admin of Darkcode, and possibly future sudden arrests of previously unidentified darknet actors. Our prediction is that more arrests will follow and that more crime websites will be shut down, or destroyed by DDoS attacks carried out by paranoid cyber criminals, in the near future.
As of this writing, the darknet drama continues to unfold, confirming our expectations. Dread is down again (as of 3 October 2019), and speculations on whether its admin HugBunter is now assisting law enforcement agencies are rampant. These go together with similar accusations against another serious darknet actor, Witchman05, who recently created the Envoy Forum, a darknet location for discussing darknet services, attack methods, fraud and illicit drugs. The current Dread predicament began around ten days ago, when the site was shut down for updates. Less than a week ago, 27 September 2019, the Dread moderator known as Paris announced “HugBunter’s Deadman has been Switched.”
Figure 5: First mention of engaging a cyber deadman switch on HugBunter.
Engaging the “deadman switch” is a tactical response from admins or moderators after losing contact with an admin: the admin account’s privileges are cut and all related website content is deleted unless the admin reappears and confirms his identity by signing a message with his PGP key. Such a signature proves possession of the private key, not that the signer is free to act of his own will, a distinction that matters for what follows. Paris claimed HugBunter’s own instructions were to act in this manner under such circumstances. A little more than 24 hours ago, HugBunter reappeared and wrote a message on the reactivated Dread that all is fine. This was also reflected on other forums, such as Witchman05’s Envoy Forum, which copied the original message from Dread.
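To make the mechanism concrete, here is an added example in Python of how such a switch can be implemented; it is not code from Dread, its moderators or GroupSense. It assumes a weekly check-in interval and a one-day grace period (invented policy values), and uses HMAC-SHA256 over a shared secret as a stand-in for the admin’s PGP signature so that it runs with the standard library alone. The point it adds to the description above is that the signed check-in must carry a timestamp and a one-time nonce: a bare signed “I’m fine” could otherwise be captured once by whoever controls the server and replayed to keep the switch from ever firing.

```python
"""Dead man's switch with signed, replay-resistant check-ins (added example)."""
import hashlib
import hmac
import json
import secrets
from typing import Optional

CHECKIN_INTERVAL = 7 * 24 * 3600   # assumed policy: admin must check in at least weekly
GRACE_PERIOD = 24 * 3600           # assumed policy: moderators wait one more day before firing
FRESHNESS_WINDOW = 3600            # a check-in signed more than an hour ago is stale
CLOCK_SKEW = 300                   # tolerate a few minutes of clock drift


class DeadmanSwitch:
    """Tracks the admin's last verified check-in and decides when to fire."""

    def __init__(self, admin_key: bytes, now: float):
        self._key = admin_key          # stands in for the admin's PGP public key
        self.last_seen = now
        self.fired = False
        self._seen_nonces = set()

    def _sign(self, body: dict) -> str:
        # HMAC over a canonical JSON encoding; a detached PGP signature in real life.
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()

    def make_checkin(self, issued_at: float, nonce: Optional[str] = None) -> dict:
        """Admin side: sign a fresh timestamp plus a one-time nonce to prove liveness."""
        body = {"issued_at": issued_at, "nonce": nonce or secrets.token_hex(8)}
        return {"body": body, "sig": self._sign(body)}

    def check_in(self, checkin: dict, now: float) -> bool:
        """Moderator side: accept only a genuine, fresh, never-before-seen check-in."""
        if self.fired:
            return False  # the admin account is already revoked
        if not hmac.compare_digest(self._sign(checkin["body"]), checkin["sig"]):
            return False  # wrong key or tampered body
        issued_at = checkin["body"]["issued_at"]
        nonce = checkin["body"]["nonce"]
        if issued_at < now - FRESHNESS_WINDOW or issued_at > now + CLOCK_SKEW:
            return False  # stale, or claims to come from the future
        if nonce in self._seen_nonces:
            return False  # replay of a check-in already accepted
        self._seen_nonces.add(nonce)
        self.last_seen = now
        return True

    def tick(self, now: float) -> str:
        """Run periodically; returns 'ok', 'armed' (overdue, still waiting) or 'fired'."""
        if self.fired:
            return "fired"
        overdue = now - self.last_seen
        if overdue > CHECKIN_INTERVAL + GRACE_PERIOD:
            self.fired = True  # this is where privileges are cut and content wiped
            return "fired"
        if overdue > CHECKIN_INTERVAL:
            return "armed"
        return "ok"


def demo() -> dict:
    """Walk the switch through its states on a constructed timeline (not real events)."""
    key = secrets.token_bytes(32)
    t0 = 1_569_000_000.0  # arbitrary epoch seconds
    switch = DeadmanSwitch(key, now=t0)
    hb = switch.make_checkin(issued_at=t0 + 100)
    return {
        "fresh_accepted": switch.check_in(hb, now=t0 + 110),
        "replay_rejected": not switch.check_in(hb, now=t0 + 120),
        "stale_rejected": not switch.check_in(switch.make_checkin(t0 + 100), now=t0 + 5000),
        "forged_rejected": not switch.check_in({"body": hb["body"], "sig": "00" * 32},
                                               now=t0 + 130),
        "state_day3": switch.tick(now=t0 + 110 + 3 * 86400),
        "state_day8": switch.tick(now=t0 + 110 + 8 * 86400),
        "state_day9": switch.tick(now=t0 + 110 + 9 * 86400),
    }


if __name__ == "__main__":
    print(demo())
```

Swapping the HMAC for a real detached PGP signature verified against a pinned public key changes only `_sign` and the comparison in `check_in`; the freshness and nonce checks are what stop a seized server from keeping itself “alive” with an old message.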
Figure 6: Repeat of the deadman switch message on the Envoy Forum.
The “splendid” news was not interpreted in the same manner by other darknet actors. For instance, in the comments sections of DarknetLive’s post “HugBunter’s Deadman has been Switched,” an actor claims their sources have confirmed that HugBunter was captured.
Figure 7: “BearerOfBadNews” claims HugBunter has been arrested by law enforcement.
This additional version of what happened to HugBunter, namely that law enforcement might try to use Dread as a honeypot, is consistent with HugBunter’s cheerful return to his darknet kingdom. HugBunter may have been forced or coerced into cooperating with law enforcement by confirming his identity to the darknet community. Though this claim is speculative, since Dread was reopened on 1 October 2019 the site appears to have been under continuous DDoS attack, which has most probably caused Dread’s current unavailability. Such attacks might have been prompted by the opinion of many other darknet actors that Dread is now a honeypot. The possibility of a fake return for HugBunter is also stated, in a slightly different manner, by Witchman05 on the Envoy Forum, where they claim Dread is now controlled by the moderator known as Paris.
Figure 8: Witchman05 claims HugBunter is compromised.
Whatever the case, “Witchman05” was the object of doubt on another new and serious darknet forum, Torigon.
Figure 9: Torigon actor Stupid expresses his doubts on Witchman05.
It is unclear whether Witchman05’s and HugBunter’s disappearances are related to the raid on Cyberbunker, especially since both disappeared before the operation in Germany, and HugBunter returned only after it. Neither actor explained the reasons for their absence which, among other things, fed the suspicions of their fellow brothers in crime.
After this series of events, we will continue to closely watch the illegal darknet businesses currently earning billions from illicit trade and fraud, and to inform the public of any developments.
This post was contributed by Dimitur Elchinov of the GroupSense research team.