Cover Article

Fraud for sale

How dark-web criminals have turned fraud into a business like any other — and what this means for CFEs



For many, the dark web conjures up images of poorly lit rooms where lone fraudsters scam victims behind the veil of encrypted messaging. But the reality is more akin to an open marketplace, like an Amazon for criminals — where they sell multiple fraud products and focus on branding, marketing and the bottom line. That may be frightening, but it also presents an opportunity for law enforcement. Here’s why.

In 2022, law enforcement officials in Germany seized and took control of “Hydra,” the world’s largest and longest-running dark-web marketplace that primarily catered to Russian-speaking consumers. This virtual bazaar allowed individuals to anonymously trade in contraband such as narcotics, pilfered financial data, counterfeit IDs and services for obscuring the origins of ill-gotten money. For some time, all of this occurred beyond the grasp of legal authorities, so Hydra’s closure, albeit with few arrests, was significant.

Like most dark-web sites, Hydra relied on the so-called Tor browser, which hides IP addresses and browsing activity from law enforcement, and on what were thought to be untraceable cryptocurrencies to facilitate these under-the-table deals. In turn, Hydra took a percentage-based fee for each exchange that occurred on its platform. (See “What is the dark web? How to use Tor to access the dark web,” by Nicole Kobie, Wired, May 19, 2019.)

But what distinguished Hydra most from earlier darknet marketplaces was its advanced infrastructure and focus on user-friendly experiences. The creators of Hydra followed brand and reputation management fundamentals to grow their business, taking a “business first” approach to their dark dealings. They understood the need for a seamless and secure platform where people could effortlessly trade a wide variety of illegal goods. This focus on user experience and security contributed to the platform’s rapid growth. (See “Justice Department Investigation Leads to Shutdown of Largest Online Darknet Marketplace,” U.S. Department of Justice, April 5, 2022 and “German Police Take Down Hydra Market, a Major Dark Web Marketplace,” by Michael Kan, PC Magazine, April 5, 2022.)

In its formative years, Hydra prioritized building a strong reputation within the dark-web ecosystem. As news of its dependability and diverse product range spread, the platform grew its product mix from narcotics to providing fraudsters and other customers with stolen data from credit cards and SIM cards, as well as counterfeit documents and IDs. It also offered money laundering and cyberattack services. (See “Russian dark web marketplace Hydra cryptocurrency transactions reached $1.37bn in 2020,” by Charlie Osborne, ZDNET, May 25, 2021 and “How Hydra, a Russian dark net market, made more than $1 billion in 2020,” by Tim Starks, Cyberscoop, May 25, 2021.)

Attracted by the potential for significant earnings and a large, ready-made customer base, sellers were drawn to Hydra in droves. And business boomed, with transaction volumes leaping from $9.4 million in 2016 to $1.37 billion in 2020, according to threat intelligence company Flashpoint. (See “Investigating Hydra: Where Cryptocurrency Roads All Lead to Russia and Go Dark,” Flashpoint, May 25, 2021.)

Hydra’s success soon had fraudsters and other criminals looking at similar business models to hawk their wares much in the same way that any legitimate business sells its products. Indeed, the stereotypes of dark-web marketplaces — solitary fraudsters sitting in dark basements in front of a computer — may have been true in the past, but the reality is now very different.

“It’s not dark, it’s not deep. It’s actually really well organized, this cybercrime underground,” says Michael DeBolt, chief intelligence officer of cyber threat intelligence company Intel 471, in an interview with Chainalysis.

“I would say the best way to conceptualize the cyber underground is by looking at it through a business lens. … So, if you think about it from a business lens and this whole supply and demand reality that we live in, this comes with go-to-market competition, it comes with the need for brand recognition and innovation and partnerships and quality assurance, the types of goods and services offered on darknet customer service.” (See “Examining The Crypto Dark Web And Cyber Underground: Podcast Ep. 74,” Chainalysis, Sept. 19, 2023.)

Fraud as a commodity

The dark web has long been a haven for illicit activities, from drug trafficking to illegal arms dealing. However, in recent years there’s been a noticeable shift in markets. While narcotics and weapons still have their place, a new breed of cybercrime — Fraud-as-a-Service (FaaS) — is rapidly gaining ground. FaaS represents a burgeoning sector within the dark web, where cyber criminals offer ready-made tools and services to facilitate various fraudulent activities. Much like legitimate Software-as-a-Service (SaaS) models, FaaS provides customers with easy access to resources such as phishing kits, credit card cloning software and ransomware deployment tools, often accompanied by customer support and regular updates. The rise of FaaS on the dark web underscores the commercialization of cybercrime, with fraud now being packaged and sold as standardized services. And combined with new technologies, such as artificial intelligence, FaaS can now provide tools to fraudsters who in the past lacked any computer know-how at all, a trend that some are calling the “democratization of fraud.” (See “Ambitious Cybercriminals are Going Big with FaaS: Fraud as a Service,” Chargeback Gurus, June 16, 2021 and “What is the democratization of fraud?” Security Boulevard, Aug. 10, 2023.)

For Certified Fraud Examiners (CFEs), this evolution presents both challenges and opportunities. On one hand, the accessibility of FaaS means a broader range of individuals can engage in sophisticated fraud without needing advanced technical skills. On the other hand, the standardized nature of these services can offer patterns and vulnerabilities that, when recognized, can aid in detection and prevention of fraud. As FaaS continues to grow, it’s imperative for fraud examiners to stay abreast of these services, adapting their investigative techniques to the ever-evolving landscape of cyberfraud.

“Investigating dark-web platforms that employ advanced infrastructure presents several daunting technical challenges,” Ritesh Bhatia, CFE, cybercrime and forensics investigator and founder of V4WEB Cybersecurity, tells Fraud Magazine.

“The foremost issue is the pervasive anonymity maintained by users through tools like Tor, making it exceptionally difficult to trace and identify individuals involved in illicit activities,” says Bhatia. “Encrypted communications further exacerbate this problem, as intercepting and deciphering messages becomes an intricate task ... Investigating dark-web platforms with advanced infrastructure demands a high level of technical proficiency and poses a range of formidable challenges.”

The commercialization of fraud

In the past, fraud was often considered the work of lone wolves or small groups operating in the shadows. However, the landscape has dramatically changed. Today, fraud has become a highly commercialized industry, complete with customer service, marketing strategies and even subscription models.

The business-like operations of dark-web marketplaces have led to a level of professionalism among fraudsters that parallels legitimate industries. There’s a hierarchy and specialization within these illicit organizations, with roles ranging from developers and hackers to customer service representatives, each aimed at maximizing the efficiency and profitability of their fraudulent endeavors. And like any job market, there are postings for a wide range of positions for cyber criminals seeking individuals with different skill sets. (See “Exploring the Dark Web Job Market,” SOCRadar, June 28, 2023.)

The commercialization of fraud is further showcased in the marketing strategies employed by dark-web vendors. Using tactics such as search engine optimization (SEO), digital advertising, and even social media marketing to promote their illicit services, these fraudsters are able to attract a broader customer base and present a façade of legitimacy. This level of marketing sophistication is indicative of a mature, organized industry. (See “The Digital Economy of Disinformation on the Darknet: Controlling the Narrative,” DarkOwl.)

In a bid to ensure steady revenue streams, some fraudsters have adopted subscription models for their services. Much like Software-as-a-Service (SaaS) models, these subscription-based fraud services provide continuous access to tools, data or platforms necessary for conducting various types of fraud. This model also provides fraudsters with a more predictable income, enabling them to further invest in and expand their operations. (See “Malware For Sale: Analyzing Malware-as-a-Service On Dark Web Markets,” BrightTALK, June 8, 2023 and “Cybercrime black markets: Dark web services and their prices,” by Matías Porolli, Jan. 31, 2019.)

Bringing branding to the dark web

Brand recognition is also important for fraudsters. When you make a purchase online, say from Amazon, you rarely doubt that you’ll get your item. Sure, things get lost in the mail, but they have processes in place to try to mitigate that, and if all else fails, they refund you, and you just place a new order. This comfort comes partly from brand recognition (along with protections we have due to agencies like the U.S. Federal Trade Commission). You know you’ll get your package because it’s Amazon — of course you’ll get it. It isn’t a great leap for dark-web consumers to be worried that the scammers will scam them. So, they also rely on brand recognition of their own. Much like mainstream e-commerce platforms, dark-web marketplaces have developed their own systems of vendor verification, albeit unofficial. Forums and review platforms exist where users vet and verify different vendors, akin to customer reviews on clear-web marketplaces. This peer-based vetting process helps build a reputation for vendors, which is crucial for attracting and retaining customers. (See “Dark Web Vendors: Who They Are and Who They Serve,” ZeroFox, Jan. 21, 2022.)

In a realm filled with scammers ready to exploit the uninformed, a recognized brand serves as a beacon of relative trustworthiness. This allure of familiarity in the unknown is a psychological tether, offering a semblance of assurance in the otherwise treacherous dark-web marketplaces. The assurance of quality often accompanies a recognized brand, where vendors are perceived to offer superior or more reliable products and services. Whether selling illicit drugs or fraudulent services, maintaining a level of quality and customer satisfaction is paramount for these vendors to uphold their brand reputation. (See “What is the dark web? How to access it and what you’ll find,” by Darren Guccione, CSO, July 1, 2021.)

To truly grasp the significance of these branding efforts, one must understand the competitive landscape these dark-web vendors operate in. Their primary competition? Street dealers, who rely on personal networks and word-of-mouth. Such dealers seldom face direct comparisons, and given the challenges in finding alternatives, their clientele often tolerate subpar experiences. Against this backdrop, a dark-web vendor with a plethora of positive reviews and comprehensive safety assurance becomes an incredibly enticing option. (See “Class of 2017: The students turning to the Dark Web for their drug fix,” by Alec Fullerton, Independent, Feb. 14, 2017.)

Furthermore, to stand out and attract a larger clientele, some of these operators have ventured into promotional activities, engaging in outreach or soliciting feedback. Some groups have even taken to creating commercials for their offerings. David Maimon, criminologist and professor at Georgia State University, last year unearthed a video from Mega Darknet Market, a dark-web organization and marketplace. Mega Darknet Market released the video with members clad in black suits and skull masks obscuring their faces. The video focuses on one character, known as “Sanchez,” who speaks to the camera with their voice modulated. “We started with my partner four years ago; now we are 30 people in one office.” They brag about the scale of their business while looking down at the camera filming from a grave. Sanchez walks with the cameraman, explaining how they and their team had to take a break as they had worked for a year straight and needed time off. Sanchez assured viewers and potential customers that an “update” with aged Chase bank accounts will be available in the coming weeks. These bank accounts are commonly used as mule accounts for money laundering, spending the funds available in the account and converting currency. (See “Criminal enterprise flaunts AI in creepy ‘fraud-for-hire’ commercial meant for dark web,” by Chris Eberhart, Fox News, Sept. 5, 2023.)

With the growth of their operations, many fraudsters have recognized the need for better customer relations, leading to the establishment of customer service channels. Yet while they see this as a means to build trust, for CFEs, it’s a potential goldmine of information, an opportunity to gather intelligence directly from the source.

Leaving clues for fraud examiners

The commitment to branding can sometimes border on the absurd, and in turn help law enforcement nab criminals hiding behind the encrypted dark web. Take the case of Ryan Burchard, for instance. In a move that blurred the lines between audacity and oversight, Burchard registered the trademark for his dark-web drug venture, “Cali Connect,” using his real name. When authorities descended upon his residence, they discovered merchandise emblazoned with his brand. (See “Pro-Tip: If You’re a Suspected Dark Web Drug Dealer, Don’t Trademark Your #Brand,” by Joseph Cox, Vice, March 30, 2016.)

Indeed, as fraudsters who once operated as isolated entities now embrace more traditional business models that require an open engagement with their customers, there are greater opportunities for law enforcement and fraud examiners to gather evidence about their criminal activities.

In the bustling dark-web marketplaces, as these illicit operators refine their methods, they inadvertently establish patterns. These aren’t mere random acts of deception; they’re systematic and methodical. For the trained eyes of CFEs, these patterns provide valuable insights, offering avenues to trace and understand the underlying operations.

Each of these actions offers clues and data points. For CFEs, these are crucial pieces of a larger puzzle, providing insights into the operations and potential vulnerabilities of fraudsters. As these operators delve deeper into structured business practices, they inevitably leave behind more clues as to where their marketplaces are hosted, who they may be and how their services are performed. Decoding the psychology of dark-web consumers and understanding the dynamics of brand recognition could unlock new investigative pathways. By studying how trust is built and leveraged in the dark web, CFEs can devise novel strategies to unmask fraudulent operators hiding behind the veil of anonymity. This deeper insight into the human element of dark-web transactions can be a crucial asset in law enforcement’s relentless pursuit to unravel and dismantle illicit online marketplaces. The dark web, despite its nefarious nature, holds a mirror to the clear web, especially in the realm of consumer behavior and brand trust. This reflection offers a vantage point that, if studied closely, could provide a wealth of knowledge in combating fraud and cybercrime in the digital age.

The illusion of anonymity and its impact

Behind the cloak of the Tor browser and what was thought to be untraceable cryptocurrency transactions, dark-web sellers have been emboldened to engage in audacious acts of cyberfraud with apparent impunity. The psychology behind this brazenness is rooted in the dissociation between actions and consequences. The digital realm provides a buffer, distancing perpetrators from their victims and the repercussions of their actions. This detachment often desensitizes them to the moral and ethical implications of their deeds, enabling them to rationalize their criminal activities as merely exploiting the system.

“They are people who live double lives,” Andy Greenberg, a Wired reporter who covers cybercrime, told Fraud Magazine last year. “They are unassuming nerds in their day-to-day lives, but on the dark web, this secret digital world, they are living lives as kingpins and crime lords and, in some cases, the masterminds of vast networks of child abuse and terrible things like that.” (See “Sleuths on the cyber trail,” by Paul Kilby, Fraud Magazine, March/April 2023.)

Yet this illusion of anonymity is a double-edged sword. On one hand, it facilitates a thriving marketplace for illegal activities, from selling stolen financial data to offering hacking services. On the other hand, it sows the seeds of overconfidence, which can eventually lead to their downfall.

The surge in illicit transactions on the dark web hasn’t gone unnoticed by global authorities. In response, nations are bolstering their domestic law enforcement capabilities to counteract these cyber threats. A prime example is the FBI, which has refined its tactics to pierce the veil of anonymity that the dark web offers. One of its notable strategies involves infiltrating the Tor network by setting up nodes through which web traffic is directed. This allows the FBI to unveil the identities and locations of certain concealed Tor-based sites. (See “The Truth About The Dark Web,” by Aditi Kumar and Eric Rosenbach, International Monetary Fund, September 2019 and “The Dark Web Browser: What Is Tor, Is It Safe, and How to Use It,” by Deepan Ghimiray, Avast, Aug. 4, 2022.)

A landmark moment in this battle against dark-web criminality was the FBI’s dismantling of “Silk Road,” one of the first dark-web marketplaces, and its short-lived successor “Silk Road 2.0.” This notorious marketplace became a hub for thousands of illegal vendors, peddling vast quantities of illicit drugs and other prohibited goods to clientele exceeding 100,000. The platform not only facilitated these transactions but also played a pivotal role in laundering vast sums, with sales exceeding 9.5 million in bitcoin — equivalent to roughly $1.2 billion at that time. (See “The FBI’s Plan For The Millions Worth Of Bitcoins Seized From Silk Road,” by Kashmir Hill, Forbes, Oct. 4, 2013.)

Filings in 2014 during the trial of Silk Road’s founder Ross Ulbricht, who worked under the pseudonym “Dread Pirate Roberts,” revealed that the FBI located the platform’s server by playing with the website’s login page. The agency found its internet protocol (IP) address and the server’s location by typing in “miscellaneous” characters, according to a Wired magazine report. Ulbricht argued that the FBI had used illegal means, suggesting the National Security Agency helped law enforcement. (See “The FBI Finally Says How It ‘Legally’ Pinpointed Silk Road’s Server,” by Andy Greenberg, Wired, Sept. 5, 2014.)

While the FBI and other law enforcement officials have been reluctant to reveal all the investigative techniques they have used in such cases, some old-fashioned policing and human error were certainly involved. For instance, in the case of Silk Road 2.0, which emerged after Ulbricht’s arrest, it was an undercover agent who helped uncover the fraud. Once the FBI found the server, they noticed emails were sent to a particular Gmail account. The FBI then subpoenaed Google for the user’s account and found it was registered to Blake Benthall, who was later convicted for running the site. (See “Silk Road 2.0 Agent Within: How The FBI Infiltrated Illegal Drug Website and Shut it Down,” by Alistair Charlton, International Business Times, Nov. 7, 2014; “Key Player in ‘Silk Road 2.0’ Sentenced to Eight Years in Prison,” United States Attorney’s Office, June 3, 2016; and “How the FBI busted Silk Road 2.0 before it even launched,” by Kevin Collier, daily dot, updated May 30, 2021.)

It’s a similar story with Hydra, whose downfall began with a simple tipoff suggesting its infrastructure might be located in Germany. German authorities, with insights from U.S. officials monitoring darknet activities, embarked on a meticulous investigation starting in mid-2021. After several months, they pinpointed a “bulletproof hosting” company in Germany that was hosting Hydra. Such companies are known for their reluctance to cooperate with police requests and for not auditing the content they host. (See “BulletProof (DMCA ignored) hosting,” Hostings.info.) Armed with this evidence, German investigators secured permission from a judge to approach the server company and issue a takedown notice. Prior to Hydra’s closing, several other dark-web sites had closed down either voluntarily or because of police investigations. (See “Hydra: How German police dismantled Russian darknet site,” by Joe Tidy, BBC, April 6, 2022.)

And yet, much like the Greek myth of Hydra — the nine-headed water serpent whose one decapitated head became two — while law enforcement struck down the dark-web marketplace of the same name, new ones are likely to emerge or take its place. After all, there are many such sites, whose administrators are all too happy to welcome Hydra’s customer base. A quick Google search reveals all sorts of dark-web marketplaces that specialize in a whole range of illicit products and services. (See “The unseemly world of Darkweb marketplaces,” by Ryan Francis, CSO, Jan. 17, 2017.) The power vacuum that existed after Hydra’s fall facilitated the promotion of low-lying criminals eager to take advantage of the lack of a centralized market. While criminals compete to be the next “big thing,” they also benefit from the overextended purview of law enforcement. Where do you aim when the rats have scattered?

Maimon analyzes the reconstruction of market networks that displace dark-web platforms taken down by law enforcement. And his “findings reveal a highly interconnected ecosystem created by vendors’ mobility across digital marketplaces, with nearly all markets being directly or indirectly linked,” he tells Fraud Magazine.

“Importantly, these network characteristics remain robust even in the aftermath of a law enforcement operation, as prior vendor flows can predict subsequent vendor movement following interdiction.”

Even so, law enforcement has had considerable success in taking down these dark-web marketplaces. Following Silk Road 2.0’s demise, two major dark-web marketplaces, AlphaBay and Hansa, rose to prominence but met a similar fate in 2017, further underscoring the relentless pursuit of law enforcement agencies. (See “Justice Department Takes Down AlphaBay ‘Dark Web’ Marketplace,” by Tim Ryan, Courthouse News Service, July 20, 2017.)

Tracing cryptocurrencies

That success came in no small measure from a group of law enforcement officials, academics and technologists, who in recent years busted the myth that bitcoin was untraceable and showed, in fact, that bitcoin movements could be traced across the internet. The allure of cryptocurrencies for dark-web operators largely stemmed from their perceived anonymity and untraceability. However, this veil of anonymity is not as impenetrable as it may seem. As blockchain technology underpins most cryptocurrencies, every transaction leaves a digital footprint on a public ledger. (See “Tracers in the Dark,” by Andy Greenberg, Penguin Random House and “Investigate This” column.)

Recent successful law enforcement operations have demonstrated the effectiveness of cryptocurrency tracing in combating dark-web fraud. For instance, in the takedowns of dark-web marketplaces like AlphaBay and Galaxie, blockchain analysis played a crucial role in tracing the funds back to the operators, thereby establishing a vital link between the illicit marketplace operations and the individuals running them. However, the cat-and-mouse game continues as dark-web operators explore new cryptocurrencies with enhanced privacy features and employ mixing services to obfuscate their transaction trails. This evolving landscape demands continual adaptation and innovation from CFEs and blockchain analysis platforms.
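To make the public-ledger tracing described above concrete, here is an added illustrative example that is not from the article or from any blockchain-analysis vendor: a constructed, simplified transaction graph, the common-input-ownership clustering heuristic used to group a marketplace’s addresses, and a forward trace that follows funds to a labelled exchange deposit but stops where a mixer-style transaction breaks the trail. All addresses, amounts and labels are constructed for the example.

```python
"""Tracing funds across a constructed, simplified public ledger.

Each transaction spends from one or more input addresses and pays one or
more output addresses, mirroring the public-ledger model the article
describes. The ledger, the address names and the labels are all
constructed for this example.
"""
from collections import defaultdict, deque

# Constructed ledger: (tx_id, input_addresses, [(output_address, amount)])
LEDGER = [
    ("tx1", ["buyer1"], [("market_hot1", 0.9), ("buyer1_change", 0.1)]),
    ("tx2", ["buyer2"], [("market_hot2", 0.5)]),
    # The market sweeps two hot-wallet addresses in one transaction; the
    # common-input-ownership heuristic links market_hot1 and market_hot2.
    ("tx3", ["market_hot1", "market_hot2"], [("market_cold", 1.4)]),
    ("tx4", ["market_cold"], [("hop1", 1.0), ("market_cold2", 0.4)]),
    ("tx5", ["hop1"], [("exchange_deposit", 1.0)]),
    # Mixer-style transaction: many unrelated inputs, equal-sized outputs.
    ("tx6", ["market_cold2", "stranger1", "stranger2", "stranger3"],
     [("out_a", 0.1), ("out_b", 0.1), ("out_c", 0.1), ("out_d", 0.1)]),
]

# Constructed attribution labels an investigator would hold for known addresses.
LABELS = {"market_hot1": "marketplace", "exchange_deposit": "exchange"}


def looks_like_mixer(inputs, outputs):
    """Heuristic: several inputs and several outputs of one identical amount."""
    amounts = {amt for _, amt in outputs}
    return len(inputs) >= 3 and len(outputs) >= 3 and len(amounts) == 1


def cluster_addresses(ledger):
    """Union-find over each transaction's inputs (common-input-ownership):
    addresses spent together are assumed to share an owner. Mixer-style
    transactions are skipped, since their inputs belong to unrelated parties
    and would wrongly merge strangers into one cluster."""
    parent = {}

    def find(addr):
        parent.setdefault(addr, addr)
        while parent[addr] != addr:
            parent[addr] = parent[parent[addr]]  # path compression
            addr = parent[addr]
        return addr

    for _, inputs, outputs in ledger:
        if looks_like_mixer(inputs, outputs):
            continue
        for addr in inputs[1:]:
            parent[find(addr)] = find(inputs[0])
    clusters = defaultdict(set)
    for addr in list(parent):
        clusters[find(addr)].add(addr)
    return [frozenset(c) for c in clusters.values()]


def cluster_of(addr, ledger):
    """Return the cluster containing addr (a singleton if it was never co-spent)."""
    return next((c for c in cluster_addresses(ledger) if addr in c),
                frozenset({addr}))


def trace_forward(ledger, start, label="exchange"):
    """Breadth-first search along the spend graph from `start`; returns the
    first address chain reaching an address carrying `label`, or None when
    the trail is broken (e.g. it enters a mixer) before reaching one."""
    spends = defaultdict(list)  # address -> transactions that spend from it
    for tx_id, inputs, outputs in ledger:
        for addr in inputs:
            spends[addr].append((tx_id, inputs, outputs))
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        for _, inputs, outputs in spends[path[-1]]:
            if looks_like_mixer(inputs, outputs):
                continue  # ownership of mixer outputs is unclear; do not follow
            for addr, _ in outputs:
                if addr in seen:
                    continue
                seen.add(addr)
                if LABELS.get(addr) == label:
                    return path + [addr]
                queue.append(path + [addr])
    return None


if __name__ == "__main__":
    print(sorted(cluster_of("market_hot1", LEDGER)))
    print(trace_forward(LEDGER, "market_hot1"))   # reaches the exchange
    print(trace_forward(LEDGER, "market_cold2"))  # None: trail enters a mixer
```

Real ledgers need the same two ideas at scale plus exchange attribution data; the mixer check here is deliberately crude, and a false positive simply stops a trace early rather than mislabelling anyone.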

Taming the beast

Navigating the shadowy corridors of the dark web, one can’t help but consider the regulatory mechanisms that could potentially tether this wild, digital frontier. The dark web, with its notorious reputation for harboring cyber criminals, necessitates a robust, global regulatory framework to mitigate its multifaceted threats. The challenge, however, lies in the very essence of the internet itself — its boundless, borderless nature.

“Jurisdictional complexities come into play as these servers can be scattered across multiple jurisdictions, each with varying levels of cooperation with international law enforcement,” says Bhatia. “The need to navigate data privacy laws and address the challenge of securing evidence without compromising privacy further complicates investigations.”

In the realm of cybersecurity policies, nations often find themselves entwined in a complex web of jurisdictional dilemmas and international cooperation. Hydra, while primarily serving Russian-speaking consumers, was dismantled by German officials, underscoring the international character of dark-web operations and the consequent necessity for global collaboration in regulatory efforts.

But how does one regulate an entity that thrives on anonymity and operates beyond conventional legal boundaries? The answer may lie in a unified, international approach to cybersecurity policy. A global framework that harmonizes legal definitions, establishes cooperative enforcement mechanisms and facilitates information sharing could potentially disrupt the seemingly invulnerable operations of dark-web marketplaces.

“Governments and regulatory bodies can play a significant role in setting standards for cybersecurity and privacy, mandating security measures and penalizing noncompliance,” Bhatia adds. “These frameworks create a strong deterrent against misuse.”

Moreover, the role of cryptocurrency in facilitating dark-web transactions cannot be understated. Regulatory bodies worldwide grapple with the dichotomy of embracing blockchain technology and mitigating its misuse. Striking a balance between fostering innovation and preventing illicit financial flows demands a nuanced, informed approach to cryptocurrency regulation that many lawmakers lack.

The ACFE was founded based on the need to bridge the gap between law enforcement and accounting, and our purview must continue to expand as cyber criminals delve into deeper and more complex operations and tactics to defraud. As fraudsters adopt more sophisticated evasion techniques, CFEs must stay updated with the latest in cybersecurity and digital forensics. There’s a growing need for collaboration with cybersecurity experts, data scientists and even behavioral psychologists to understand and predict cybercriminal behavior. Training in emerging technologies, such as quantum computing and advanced encryption, will also be crucial as these technologies become more prevalent in cybercrime.

The proliferation of dark-web marketplaces like Hydra and the rise of the FaaS model signify a new epoch in the realm of cybercrime — an era marked by the commercialization of fraud and a business-like approach to illicit activities. The sinister genius of these dark realms lies in their ability to mimic legitimate marketplaces, offering customer-centric services, building brand trust and ensuring a seamless user experience. This evolution not only amplifies the threat landscape but also challenges traditional law enforcement methodologies.

The disquieting growth of the dark web underlines an urgent call for a robust, global response. The international character of dark-web operations, as evinced by the takedown of Hydra by German officials, accentuates the necessity for a unified, cross-border approach to cybersecurity policy. The boundless, borderless nature of the internet demands a harmonized legal framework, cooperative enforcement mechanisms and a shared ethos of global cybersecurity to effectively combat the burgeoning threat of dark-web criminality.

Rihonna Scoggins is the content manager at the ACFE. Contact her at rscoggins@ACFE.com.