Europol's Internet Organized Crime Assessment - Dark Web and Crypto Currencies
As it does every year, Europol published its organized crime assessment report, which lays out the new trends in cybercrime and the emerging challenges law enforcement is running into.
The report is split into five parts, covering cybercrime facilitators and challenges for law enforcement, cyber-dependent crimes, child sexual exploitation, payment fraud, and finally, criminal abuse of the dark web. The document is a good read but is quite long (64 pages). In this article, we will focus on summarizing Europol’s findings related to the dark web and cryptocurrencies.
Crypto currencies
The report highlights that the abuse of cryptocurrencies continues to play an essential role as a payment facilitator across all areas of cybercrime. It emphasises that this is because cryptocurrency transactions are reliable, irreversible, and provide some degree of anonymity.
No precise numbers regarding the values or number of transactions are communicated. Still, it is said that around 2011, about 20% of transactions (considering the timing, probably 20% of Bitcoin transactions) were linkable to cybercrime directly, but now that figure is only 1.1%.
The report also highlights that cryptocurrencies are the method of choice for extortion and scam activities. While ICO and Ponzi scams account for most of the volume, most of the crimes reported to law enforcement concern extortion. However, the general public does not seem to fall for sextortion emails that easily. A study analyzed 4 million sextortion emails, found 12,500 Bitcoin addresses, and observed that 245 of them received some payment.
The number of thefts is also on the rise, with ten confirmed hacks of cryptocurrency exchanges in 2019, for a total of EUR 240 million. The total value is, however, EUR 510 million smaller than the previous year.
The number of cryptocurrency ATMs is reported to be growing and surpassed 9,000 this year. While ATMs are often seen as an excellent way to sell or buy cryptocurrencies without leaving tracks, ATM operators are applying more and more scrutiny, notably by requiring customer identification.
Finally, as cryptocurrency investigations are on the rise, Europol partnered with Centric to launch Cryptopol in October 2019. The game aims to train law enforcement agents in investigation techniques.
The report highlights a high level of volatility on the dark web in 2019 and early 2020, which was followed by protective measures implemented by multiple marketplaces. The dark web is proving difficult for law enforcement to disrupt because it is challenging for them to anticipate its various developments.
The decrease in large-scale marketplaces led to an increase in smaller marketplaces, sometimes limited to specific user needs (e.g., selling only cannabis).
The report noted that as users tend to keep using stable markets and vendors with high rankings, websites such as DarkNet Trust (a website that verifies vendors’ reputation by searching through usernames and PGP keys, with about 10,000 vendors listed) became more popular.
The centralisation of information on darknet markets has reportedly stabilised after the shutdown of DeepDotWeb in 2017. Users are now trying to make navigation through the darknet more user friendly, and websites such as dark.fail and darknetlive.com took over from DeepDotWeb as information hubs. Dread, a forum active for about three years now, is also widely popular.
With regard to navigation, some alternatives to Grams have emerged: users can now use Kilos (from November 2019) and Recon (launched by Dread). Grams was the biggest search engine for the dark web when it closed in 2017. It was operated by the same team as Helix mixer, the most prominent Bitcoin laundering service at that time.
Europol also noticed two recent trends making investigations difficult. Firstly, markets are trying to improve their operational security, notably by switching to being user account-less and wallet-less. Secondly, some markets have short lifecycles (due to shutdowns decided by staff). Europol believes it is due to the administrators wanting to stay under the radar.
Another trend is the collaboration between the various actors to keep the ecosystem safe. For instance, all the markets can use Endgame (Dread’s DDoS prevention mechanism) for free. Another example of that, which we learned from a post on Dread recently, is that actors from various markets are reported to have a private sub on Dread, and also coordinated some donations to the Tor project in 2019.
While Tor remains the most popular option, some decentralized alternatives such as OpenBazaar and Particl.io are starting to emerge.
As for the contents traded, it seems that digital services (such as RDP access to compromised systems), as well as ransomware and false documents, are becoming more popular. Fraudulent documents are often used to commit financial fraud or make citizenship claims. False passports seem to be of better quality than before, and can pass several authentication tests. It is also said that some sites promote guides on how to use cryptocurrencies for money laundering, but according to my experience, this has been around for a long time. The more dangerous drugs such as fentanyl are reportedly still significantly present, but the number of listings is said to have decreased. Europol also noticed more organized crime groups selling drugs on the dark web as an effort to expand their distribution mechanism.
Europol also mentions some success regarding firearms purchases, as it became more challenging to buy some on the dark web after Berlusconi market was shut down by Italian authorities at the end of 2019.
Finally, the agency mentions that Hydra is planning to develop an English-speaking community and that it would make law enforcement investigations harder and pose a significant threat to the EU. For more context, the service that Hydra plans to launch is named Eternos and is expected to launch this month (it was expected to launch earlier this year but it was delayed).