Wednesday 29th May 2019

Rude Awakening: Dream Market set to shut down

On 26 March, the operators of Dream Market, currently the most prominent dark web marketplace, posted to announce they are shutting down the site next month and “transferring its services to a partner company”. The unusual nature of the post took users by surprise, prompting speculation that law enforcement authorities had seized control of the site. However, other factors may be at play, each with their own potential ramifications for the broader cybercriminal landscape.

Figure 1: According to a message posted on Dream Market’s front page, the website is shutting down on 30 April and transferring its services to a “partner company”.

History: Making Dreams Reality

Dream Market was founded in 2013 by a user with the handle SpeedStepper. This was the same year that the FBI shut down Silk Road, which was the first modern dark web marketplace and, prior to its closure, the largest of its kind. The disappearance of this key player helped Dream Market’s growth, with former Silk Road vendors and users seeking alternative marketplaces. However, the emergence in late 2014 of the AlphaBay market may have stunted this growth. By October 2015, AlphaBay could boast 200,000 users. By the time the marketplace shut down in July 2017, this number had reached 400,000.

AlphaBay’s demise in July 2017 was the result of Operation Bayonet. This coordinated law enforcement operation first compromised AlphaBay, before chasing users over to Hansa, which it had also compromised, allowing it to collect vendors’ details, which resulted in a string of arrests. Although this left Dream as one of the largest remaining marketplaces, it failed to reach the same dizzying heights as AlphaBay had. The psychological impact of Operation Bayonet – which seriously undermined trust in dark web marketplaces – should not be underestimated in this regard, though repeated exit scams (where a market owner shuts down a website and absconds with the users’ cryptocurrency funds) have also eroded this user trust.

Nevertheless, Dream Market has still managed to occupy a prominent position within the cybercriminal economy. Its longevity and popularity is in part due to the sheer diversity of goods and services it offers, ranging from drugs to stolen data, malware and fake ID. The volume of individual listings also contributes, as does the ease with which users can sign up: unlike certain other markets, it is not invite-based. These factors combined to produce their own momentum, consolidating Dream’s position as a market leader.

Figure 2: A graph, based on Orpheus’ collection data, comparing the volume of listings for several dark web marketplaces. As this shows, Dream Market is the most active of the sites.

Dreams Become Nightmares: Law Enforcement Takedowns and DDoS Attacks

Dream Market’s success therefore begs the question why its owner is deciding to close up shop, which has prompted speculation of another law enforcement operation.

Figure 3: Users on Twitter are paranoid that Dream Market’s closure is a repeat of what happened to Hansa in 2017, which involved law enforcement seizing the site and collecting data on its visitors.

The post on Dream Market claims obliquely that it is simply being transferred to a “partner company”. SpeedStepper, tired after running the site for six years and mindful of the sometimes-grisly fate of previous dark web marketplaces and their administrators, may be selling the site and going clean. However, a subsequent post on the dark web discussion portal Dread purporting to come from a Dream Market moderator claims the site has been subjected to persistent DDoS attacks over the past seven weeks, with the attacker demanding a USD 400,000 ransom.

Figure 4: A Dream Market moderator claims the site is not being shut down and downplays fears that it may have been compromised. They also claim the site has been subjected to persistent DDoS extortion attacks. 

This explanation corresponds with recent outages to Dream, and has been supported by HugBunter, a respected figure in the cybercriminal community and the creator of Dread. HugBunter claims that the DDoS extortionist had previously targeted Dread and was exploiting a vulnerability in TOR to conduct persistent attacks with few mitigation options.[1] 


Prophetic Dreams: The Future of Dark Web Marketplaces

Whatever the reasons, the closure of Dream Market, at least in its current form, has various ramifications. In the short term, the site’s user base will likely migrate to rival marketplaces, such as Wall Street Market. However, this may be offset by the paranoia that Dream Market’s unexpected closure has contributed to. Fearing law enforcement takedowns and exit scams, many users may reject the traditional dark web marketplace model altogether. This sentiment could be exacerbated if Dream Market’s successor is itself an exit scam. Dark web marketplaces which trade on their predecessor’s identity often turn out to be scams, as Silk Road 3.1 demonstrated.

Cybercriminals may shift away from traditional dark web marketplaces, but they will still want a place to trade illicit goods and services. We accordingly expect to see a further growth in dedicated shops operated by single vendors, which cater to a specific demand, such as stolen credit card data or compromised RDP (remote desktop protocol) servers. While part of the appeal of traditional dark web marketplaces is the breadth of services they offer, this can also make their existence more precarious. Dream Market’s shutdown came shortly after multiple law enforcement agencies announced operations against dark web drug vendors,[2]which may have played a part in SpeedStepper’s decision to close the site. Cybercriminals only interested in digital goods and services might therefore see the appeal in dedicated shops, which represent a less conspicuous target.

Figure 5: A graph showing cybercriminal chatter surrounding OpenBazaar. Although interest has increased in recent years – including a spike after Operation Bayonet – it remainds somewhat sporadic.

Another much-touted successor to traditional marketplaces is OpenBazaar, which is based on a decentralised peer-to-peer hosted model instead of a central marketplace. This lack of central infrastructure means that there are no servers for law enforcement to seize or cryptocurrency wallets to raid in an exit scam. Despite this sound theory, the model has yet to take off in practice. Understanding the future dynamics of these marketplaces will prove crucial to understanding the threat that they pose to companies and organisations in practice.

[1]https://www.reddit.com/r/darknet/comments/b3qvbq/this_ddos_is_massive_its_gotta_be_multiple/ej1jwzc/

[2]https://www.europol.europa.eu/newsroom/news/global-law-enforcement-action-against-vendors-and-buyers-dark-web

Get our latest cyber intelligence insights straight into your inbox

Fill out the short form below to subscribe to our newsletter so that you never miss out on our cyber intelligence insights and news.