iOCATA 2015

Open image in new tab Darknet Vendors

A small fraction of criminals active in the Darknet manage to operate successful businesses generating significant profits. Recent research established that the top 1% most successful vendors were responsible for 51.5% of all transactions1.

Investigations into hidden services on anonymising overlay networks such as Tor are becoming commonplace for EU cybercrime units. Over half of EU Member States have investigated drug or payment card related activity on the Darknet and over one third have investigated criminal activity related to intellectual property, weapons or compromised bank accounts. Almost a third of EU law enforcement actively monitors marketplaces, although largely in relation to specific operations rather than general intelligence gathering.

2014-2015 has been a turbulent period for criminal services on the Darknet.

In November 2014, 21 countries participated in Operation Onymous which saw the seizure of 619 .onion domains along with bitcoins worth EUR 900 000 and EUR 180 000 in cash, drugs, gold and silver. Thirty-three high profile marketplaces and forums were taken out of action and 17 individuals were arrested. It is estimated that the seized sites represented approximately 37% of the market share on the Darknet.

A consequence of Onymous was the displacement of customers and vendors to the remaining marketplaces, the two largest and most successful of which were Agora and Evolution. Several new marketplaces also opened to fill the vacuum left by the operation. Additionally the prices of illegal goods on many of the remaining services were seen to increase2.

In March 2015, Evolution shut down as a result of an exit scam. Its administrators left, taking with them over EUR 11 million3 in Bitcoins belonging to vendors and customers which had been held in escrow. This was the second such major exit scam to occur following the Sheep Marketplace which folded in November 2013 along with over EUR 36 million of members' Bitcoins. On most if not all criminal forums or marketplaces there is undoubtedly a degree of paranoia that the site has been infiltrated by law enforcement. Whether this paranoia is unwarranted or not, exit scams such as these create an additional dimension of distrust that law enforcement could not hope to achieve and further undermines confidence in these marketplaces.

Following the exit of Evolution, the Agora marketplace, along with several smaller markets such as Abraxas, Alphabay, Black Bank, and Middle Earth have absorbed the displaced vendors and customers4. On top of additional security measures in the wake of Onymous, such sites are now also implementing protocols to help prevent or mitigate potential exit scams such as multi-signature escrow and early finalisation of payments. Together these will not only reduce the amount of Bitcoin sitting in escrow but also prevent a single person having full control over the funds.

Post Onymous, the Agora, Outlaw and Nucleus marketplaces are the highest priority marketplaces for EU law enforcement, with a number of Member States also targeting sites hosted in their native language.

Future threats and developments img

Future threats and developments

Between Operation Onymous and the growing number of large scale exit scams, confidence in underground markets has undoubtedly been shaken. Onymous was a strong statement by law enforcement that these services are certainly not beyond their reach. Yet, despite this message, hidden services continue to grow, multiply and evolve.

The prospect of services moving from Tor to I2P is still real, however research carried out to date suggests that Tor is still by far the preferred network5. A more concerning prospect (for law enforcement) is the development of decentralised marketplaces such as the OpenBazaar. OpenBazaar is a BitTorrent-style peer-to-peer network which allows direct contact between customers and vendors and uses Bitcoin as a payment mechanism6. As the 'market' is peer-to-peer there would be no website or server to be targeted by investigating law enforcement and intervention is a considerable challenge, mirroring the issues law enforcement currently has with investigations involving Bitcoin. Payments on the OpenBazaar use a multi-signature approach involving a third party 'notary' to control the release of funds. This means that there is no possibility of performing an exit scam with customers’ and vendors’ funds.

  1. TNO research
  2. Openbazaar,, 2015
Recommendations img


  • Law enforcement should proactively gather intelligence relating to hidden services; however this requires a coordinated approach in order to prevent duplication of effort.
  • Member States should provide intelligence relating to hidden services to Europol's EC3 to allow it to build a comprehensive intelligence picture of hidden services across Europe. There needs to be greater engagement from non-cybercrime law enforcement in tackling hidden services. The sale of drugs or firearms in these marketplaces is as much, if not more, of an issue for these crime areas as it is for cybercrime.
  • Further intelligence gathering is required on the use of I2P and other peer-to-peer networks as hosts for illegal online marketplaces.
  • Law enforcement should collaborate with private sector and academia to explore investigative and research opportunities related to emerging technologies such as decentralised marketplaces like OpenBazaar.
  1. Carnegie Mellon University, Measuring the Longitudinal Evolution of the Online Anonymous Marketplace Ecosystem,, 2015
  2. The Impact of Operation ONYMOUS; Europol 2015
  3. DEEPDOTWEB, Evolution Marketplace Exit Scam: Biggest Exit Scam Ever?,, 2015
  4. The Impact of Operation ONYMOUS; Europol 2015