Last week, in Darknet Drama, we discussed the increase in disappearing admins of darknet markets. Recently, we’ve found an abundance of evidence confirming our predictions of more casualties in the darknet. First, one of the most valued sources of leaked intel, “Intel Repository”, went down, as confirmed by this thread on the darknet cybersecurity location “Torum”:
Figure 1: Chatter of Intel Repository being down
An actor discussing the incident states that they hope “Spectre is okay”, implying that the well-known admin of “Intel Repository”, “spectre”, has disappeared. Another reputable actor, “D1sgruntl3”, known in the darknet for his seriousness, ultimately suggests that the problem is with “spectre”’s hosting provider and that “Intel Repository” should soon reappear. However, as of 2019-10-10, “Intel Repository” is still down:
Figure 2: Intel Repository still down
A similar fate has befallen what is currently the oldest, and probably the biggest, darknet market – “Berlusconi Market”. A week ago, the DDoS protection of the market was malfunctioning, preventing access. This week, a few messages appeared throughout the darknet, foreshadowing the end of Berlusconi Market. First, on Deep Paste, we encountered the following PGP-signed message by the chief moderator of “Berlusconi Market”, “Emmanuel Macron”:
Figure 3: Admins nowhere to be found
The moderator states that the “Admins” have disappeared “two weeks ago (before this problem)”. He was referring to the malfunctioning DDoS protection on Berlusconi Market. Additionally, “Emmanuel Macron” speculates that the admins “may have been arrested, dead, or anything else”. Again, on Deep Paste, we witnessed attacks of opportunity – an unknown actor distributing phishing links to what now seems to be a dead Berlusconi Market:
Figure 4: Phishing link for Berlusconi Market
As another anonymous actor states below the paste, this is a phishing link, which is not amongst the mirror addresses for Berlusconi Market. What’s more, as of 2019-10-10, the phishing link still works, while the actual Berlusconi Market links are dead:
Figure 5: Real Berlusconi Market links
Figure 6: An example of a formerly official Berlusconi Market link
Finally, today (2019-10-10), we detected a short but quite informative message on DarkDotFail, a darknet location monitoring the health of darknet markets and services. The message simply states: “WARNING: Berlusconi Market’s admin disappeared. Assume that they exit scammed.”
Figure 7: Message telling users to assume an exit scam
These new findings affirm the 2019 trend of darknet admins and popular threat actors disappearing. This time, however, the disappearances have occurred immediately after the raid on “CyberBunker 2.0”. Chaos, doubt, and paranoia follow in the wake of such events. This, combined with our previously published analysis of the events from the spring of 2019, leads our research team to predict further disappearances of cyber criminals, power struggles in the darknet, and the continuation of the overall darknet drama.
This post was contributed by Dimitur Elchinov of the GroupSense research team.