How do cybercriminals obtain and launder money? Why have Bitcoin, Monero, and cryptomixers become the basis of the shadow economy? How does trading access to corporate networks work and who are Initial Access Brokers (IABs)? In this article, we analyze the key financial processes of the dark web: cryptocurrency payments, money laundering methods, the market for cyber services and malware. Readers will learn about the real earning schemes of attackers, prices for exploits, and how the demand for cyberattacks is formed in 2024.
Payment and currencies “in the shadow”
Cryptocurrencies such as Bitcoin (BTC), Monero (XMR) and others have become the main means of payment on the dark web, which is due to several factors. First, cryptocurrencies provide a high level of anonymity, which is critically important for users of illegal markets. Although Bitcoin transactions are recorded on the blockchain (a public database in which all transfers are visible), users can use so-called mixers or other coins. For example, Monero and some other cryptocurrencies were originally designed to hide transaction data, which makes them practically untraceable.
In addition, some cryptocurrencies are decentralized and not controlled by states, which makes them especially attractive to users of the dark web. The use of cryptocurrencies also provides security and convenience for international transactions, as they do not require the participation of banks and can be carried out directly between participants, which reduces the risk of arrest and simplifies the conduct of business on a global scale.
Such features of cryptocurrencies play a significant role in the functioning of the dark web. Anonymity and lack of control help markets expand, attract new participants, and encourage them to grow. This, in turn, makes it much harder for law enforcement to identify and shut down participants, since the anonymity of transactions and the use of mixers make tracing extremely difficult.
In the future, if cryptocurrency tracking measures become more effective and begin to pose a serious threat to dark web users, they will likely seek out and adopt new, more secure payment methods. One possible development could be the use of cryptocurrencies such as Monero on a larger scale, or the emergence of new cryptocurrencies specifically designed to maximize anonymity. For example, new digital currencies could include advanced encryption methods and concealment of transaction information.
Another possible scenario could be the use of trustless swaps. Trustless swaps are a technology that allows users to exchange cryptocurrencies or other digital assets directly without the need to involve a third party, such as an exchange or intermediary. The solution is based on smart contracts, which ensure that the exchange will only take place if all the terms of the agreement are met. If the terms are not met, the assets are returned to the owners.
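The guarantee described above (the exchange completes only if the agreed condition is met, otherwise each side gets its assets back) can be shown with a small simulation. The code below is an added example, not code from the original article: it models the hash-locked, time-locked escrow that on-chain atomic swaps use, in plain Python rather than in a real smart contract. The `Escrow` class, the simulated clock (`now`), the amounts and the timeouts are assumptions chosen for illustration.

```python
"""Simulation of a trustless (atomic) swap built on a hash-time-locked escrow.

Added example. Each party locks funds for the other under the same hashlock.
The recipient can claim only by presenting the preimage before the deadline;
after the deadline the owner can take the funds back. Whoever claims first must
publish the preimage, which lets the counterparty claim the other escrow.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass
class Escrow:
    """One side's locked funds (assumed model of an on-chain HTLC)."""
    owner: str
    recipient: str
    amount: int
    hashlock: bytes
    timeout: int                      # simulated block height / timestamp
    settled_to: Optional[str] = None  # who finally received the funds

    def claim(self, preimage: bytes, now: int, caller: str) -> bool:
        """Recipient claims before the deadline by revealing the preimage."""
        if self.settled_to is not None or caller != self.recipient:
            return False
        if now >= self.timeout or sha256(preimage) != self.hashlock:
            return False
        self.settled_to = self.recipient
        return True

    def refund(self, now: int, caller: str) -> bool:
        """Owner takes the funds back once the deadline has passed."""
        if self.settled_to is not None or caller != self.owner:
            return False
        if now < self.timeout:
            return False
        self.settled_to = self.owner
        return True


def atomic_swap(alice_reveals: bool) -> Tuple[Optional[str], Optional[str]]:
    """Run a two-party swap and return who ended up with each escrow.

    Alice generates the secret and locks with the longer timeout, so that Bob
    always has time to reuse the secret she must reveal when she claims.
    """
    secret = secrets.token_bytes(32)
    lock = sha256(secret)
    escrow_a = Escrow("alice", "bob", amount=100, hashlock=lock, timeout=200)
    escrow_b = Escrow("bob", "alice", amount=5, hashlock=lock, timeout=100)
    now = 10
    if alice_reveals:
        # Alice claims Bob's funds, which publishes the preimage.
        assert escrow_b.claim(secret, now, caller="alice")
        # Bob reuses the published preimage to claim Alice's funds.
        assert escrow_a.claim(secret, now + 1, caller="bob")
    else:
        # Alice walks away: a wrong preimage is rejected, and both sides
        # recover their own funds after the respective deadlines.
        assert not escrow_a.claim(b"wrong preimage", now, caller="bob")
        assert escrow_b.refund(now=150, caller="bob")
        assert escrow_a.refund(now=250, caller="alice")
    return escrow_a.settled_to, escrow_b.settled_to


if __name__ == "__main__":
    print("completed swap:", atomic_swap(True))    # ('bob', 'alice')
    print("abandoned swap:", atomic_swap(False))   # ('alice', 'bob')
```

The ordering of the timeouts is the important design point: the party that learns the secret second must have a strictly later deadline on the funds it is claiming, otherwise the first claimer could take both sides.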
It is also possible that new payment concepts will emerge, for example using decentralized and encrypted communication networks or the implementation of payment systems based on quantum technologies, which will provide almost absolute protection against tracking.
Laundering the proceeds of cybercrime
Financially motivated criminals receive ransoms and fees for services in cryptocurrency and, accordingly, need to cash out these funds. Money laundering on the dark web is the process of converting illegally obtained money into legitimate assets using various schemes and specialized services advertised on shadow platforms.
For example, crypto mixers are a popular tool in the underground. The essence is simple: these services mix illegally obtained cryptocurrency with the cryptocurrency of other users, creating numerous small transactions. As a result, it becomes extremely difficult (sometimes impossible) to connect the original funds with the final recipient. After using a mixer, criminals often convert their assets into other, less traceable cryptocurrencies, such as Monero. Now that the money has become virtually untraceable, it can be exchanged in many different directions.
For example, one forum offers services for exchanging cryptocurrency for fiat money (regular currencies such as the dollar or euro) or for other cryptocoins. With such a withdrawal of funds, another party to the transaction appears – a drop, or money mule. A drop is a person who participates in fraudulent financial schemes; their main role is to transfer or cash out illegal funds. This usually happens through personal bank accounts, and the mules are paid a percentage of the transactions.
Announcement of a cryptomixer service
In some cases, criminals can use complex schemes to transfer cryptocurrency through multiple fake wallets to make it difficult to track.
And, of course, an important stage is the withdrawal of funds into the legal economy. Criminals can create networks of shell companies specifically to transfer funds into cash. These organizations use fictitious contracts, through which criminal money gradually flows into the legal world. Some forums have separate sections dedicated to this topic, where turnkey services are provided.
Advertisement for the sale of LLCs and sole proprietorships
Another example of withdrawing money is buying real estate using cryptocurrency. Some sites offer a wide range of real estate investments for virtual funds.
Buying real estate with cryptocurrency
Many criminals are actively interested in how to withdraw and legalize the assets they have earned. To do this, they ask for advice from more experienced representatives of the shadow business or themselves share various schemes and articles on the topic.
Scheme for laundering illegal money
Article on laundering illegal money
Another interesting way to launder money is through online casinos. The scheme goes like this: cybercriminals first make deposits into online casino or betting exchange accounts using illegally obtained funds. These platforms often accept cryptocurrency, making the process even easier for criminals. The money can be withdrawn through one or more casinos to spread the funds and avoid suspicion. Once the money has passed through the online casino, the criminals withdraw the funds to bank accounts or cryptocurrency wallets.
In some cases, criminals may use guaranteed-out bets. For example, they may place bets on all possible outcomes of the same event from different accounts. In this case, they “insure” their funds, knowing that one of their accounts will definitely win, and then withdraw the money as if it were a legitimate win.
Shadow economy
Malware
Malware plays a key role in the attackers’ arsenal. For example, according to the results of the third quarter of 2024, malware was used in 65% of successful attacks on organizations. Attackers use malware to achieve various goals, such as stealing confidential information or encrypting files in order to then demand a ransom.
Distribution of ad types related to malware
Among all analyzed malware ads, more than half (53%) are offers for sale. This indicates that the malware market is mainly oriented towards a commercial model, in which developers and groups of attackers monetize their tools.
Purchase requests make up 41%, which reflects the high demand for ready-made solutions. Buyers often look for proven tools that meet specific requirements: for example, a RAT for Android with real-time screen recording, or a stealer that can extract information from all modern crypto wallets. Free distribution of malicious tools accounts for 1% of ads; this may be an attempt by authors to build their reputation in the community.
Distribution of malware types by median price
The distribution of sales ads by type of malware shows a preference for certain categories of malicious tools. The largest number of ads (19%) relate to the sale of infostealers. Their popularity is probably explained by the low price: the cost starts at $20, and the median value is $400. At the same time, an attacker who has spent a small amount can earn a much higher income if he uses the stolen information competently.
Next come crypters and obfuscation tools, the share of which was 17%. This is due to the fact that for little money (the price starts at $10) the use of crypters and obfuscators allows cybercriminals to increase the effectiveness of their attacks, minimizing the risk of detection by antivirus programs.
The top three are rounded out by loaders (downloaders) with a share of 16%. They are often used by attackers as an initial entry point into the victim’s system, as they help to bypass protections and deliver other types of malware, such as stealers or remote access trojans. For example, according to ANY.RUN, in the third quarter of 2024, the number of loader detections increased by 49%. The price of such malware can start from $50, with a median value of $400.
The share of ads for the sale of remote access trojans (RATs), which were popular among attackers during the first three quarters, is 12%. RATs attract cybercriminals because they allow hidden and constant control of the infected system, for example for espionage: a RAT lets attackers track the victim’s actions and collect confidential information, including passwords, personal data or commercial information. The median cost of a RAT is $1,500, and the starting price is from $80.
It is important to note that the cost of malware can vary greatly. It all depends on the type of malware and its set of features. Most malware is sold on a subscription basis (1 week – 1 month – 3 months – 1 year).
The most expensive type of malware is the encryptor (ransomware). The median cost is $7,500, and prices can reach $32,0000. This is because most sales ads concern the source code. Encryptors are mostly distributed through an affiliate program (RaaS – Ransomware-as-a-Service), and the participants themselves usually receive 70–90% of the victim’s ransom. To get into the affiliate program, the candidate must pay $5,000 – 1 BTC (≈$107,879) and have a high reputation on shady forums. By becoming a member of the group, the partner gets access to the current version of the builder, the ability to contact technical support, and various manuals on obtaining initial access to the victim’s system, etc.
But not all attackers, especially beginners, have 1 BTC to spare or a reputation in the underground. This is where leaks of the necessary tools and guidebooks come into play.
RaaS, or The Path from Beginner to Cybercriminal
As we found out, manuals are an important component of the affiliate programs of ransomware gangs. They can contain steps for preparing the infrastructure, obtaining initial access to the organization’s systems, or methods for escalating privileges. It is worth noting that attackers can put manuals up for sale, which is another way of monetization. For example, one such guide was once sold on shady sites for $10,000. It was distributed by a LockBit affiliate. Inside the publication were instructions for obtaining access and much more. All the examples given in the guidebook had been used on real companies. Interestingly, in one of the attacked large organizations, the password for the corporate VPN consisted only of digits, and test accounts left by system administrators remained active.
LockBit affiliate’s manual
The leaked materials of the Conti ransomware gang also deserve attention. In 2021, a disgruntled affiliate of the group published manuals and technical documentation on one of the shadow forums. The leaked instructions had been used to train participants in the cybercriminal group’s affiliate program.
As in the case of the LockBit affiliate’s guide, there were detailed instructions on moving inside the perimeter, escalating privileges in the system, disabling antivirus, and attacks exploiting misconfigurations or known vulnerabilities (PrintNightmare, EternalBlue and Zerologon). In addition, this manual described the Cobalt Strike tool and, accordingly, a detailed methodology for its use.
Manual of the Conti ransomware gang
It is also worth noting the builders. Using the builder, attackers can customize the encryptors by changing the parameters (process name, file name with the demands, text of the demands themselves), as well as specify a list of file extensions to be encrypted. Moreover, this software allows you to generate the decryptor necessary for decrypting the data.
Advanced parameters for the encryptor
Although the builder leaks may date back to 2022, they are still being used by cybercriminals in attacks and are therefore of interest to the underground. For example, according to the results of incident investigations, the most common tool in attacks of the Cybercrime type (attacks in this category usually use encryptors, legitimate software for encrypting information, and wipers) was the LockBit encryptor: its share was 37%. It is important that new representatives of the RaaS industry may emerge on the basis of such encryptor leaks.
Distribution of ransomware builders
The emergence of manuals and encryption builders on the dark web greatly influences the cybercrime market. As a result, such publications lower the barrier to entry into the world of cyberattacks and help to “grow” criminals within the underground, which can affect their overall skill level. It is important to note that these tools can also be used by advanced attackers when attacking state-owned enterprises (their goal is not financial gain, but the complete destruction of data and infrastructure).
MalDev communities
At first glance, it may seem that all activity related to malware on the dark web is limited to the sale and purchase of ready-made tools. However, during the existence of the dark web, a MalDev community (malware development) has successfully formed in it. A much more complex ecosystem continues to develop within the community, which includes services for creating, refining, and adapting malware to meet the specific needs of customers. For example, for an additional fee, customers can ask experienced developers to modify or improve existing malware.
It is important to note that the MalDev community consists not only of experienced developers. This community also attracts less professional users who want to learn the basics of malware development. Just as many in the legal sphere seek advice on starting a career, newcomers to the dark web also seek guidance from more experienced participants. Novice developers often ask for advice on choosing a programming language (e.g. Python, C++, and others) that will be most suitable for creating different types of malware.
Programming language recommendation
In addition, the underground community actively shares manuals and code examples that help beginners create simple malicious tools, such as loaders, stealers or RATs. The publication of such materials is the basis for learning basic development methods, and it also helps inexperienced users understand the mechanisms of malware. As a result, each new participant can step by step immerse themselves in the practical development of malware, learning from the examples of experienced colleagues. In this regard, the qualification level of malware developers will gradually increase, and we will increasingly see new representatives of the industry emerge.
Malware code on a shadow forum
It is worth noting that attackers now use not only long-popular programming languages (C++, etc.) but also others – Rust and Golang (Go). Many different malicious programs are now written in Go; it is widely used to develop various types of such software: remote access trojans, stealers, miners and botnets. One of the main advantages of malware written in Go and Rust is the ability to attack multiple operating systems at once, including Windows, Linux and VMware ESXi, from the same code base. Ransomware gangs have also actively picked up this trend and gradually switched to Rust and Go, for example BlackCat, Hive, RansomHub and many others. We expect this trend to continue among malware developers because of the advantages of these languages.
Vulnerabilities and Exploits
Every vulnerability in a system is a potential backdoor through which attackers can infiltrate a network, disrupt services, or steal sensitive information. Exploits are developed to exploit these vulnerabilities.
An exploit is code or a program that uses a vulnerability in software or hardware to perform malicious actions, such as launching a denial-of-service attack or installing malware.
Both attackers and cybersecurity researchers actively search for vulnerabilities. The former write exploits to exploit vulnerabilities for malicious purposes, while the latter create them as a proof of concept (PoC).
Distribution of ads by type in the “Vulnerabilities and Exploits” category
Of all the messages analyzed, 7 out of 10 ads are dedicated to the sale of exploits. Purchase requests account for almost a third of the messages (27%), reflecting the significant demand for such tools among attackers.
Types of exploits offered for sale
Distribution of exploits by price
Information about vulnerabilities and exploits is highly valued on shadow markets. For example, 32% of exploits offered for sale are zero-day vulnerabilities. Their value can reach millions of dollars, and often with the purchase, attackers receive detailed instructions on how to exploit them.
Advertisement for the sale of exploits
A quarter of the ads (25%) are dedicated to already known vulnerabilities. It is also worth noting the most dangerous vulnerability classes that often attract attackers – RCE and LPE. Their shares are 26% and 12%, respectively.
RCE (Remote Code Execution) is a vulnerability that allows an attacker to remotely execute arbitrary code on the victim’s system. The RCE vulnerability can provide full access to and control over a compromised device, which makes it one of the most dangerous. It is often used in targeted attacks, as well as to distribute ransomware and other types of malware. For example, in October, attackers used the RCE vulnerability to attack more than 22,000 CyberPanel servers for the subsequent delivery of the PSAUX ransomware. As a result of the attack, almost all CyberPanel instances were disabled.
LPE (Local Privilege Escalation) allows attackers to escalate their privileges on the system, gaining access to actions that are only available to administrators, such as root access. LPE vulnerabilities are of great value to cybercriminals and are used at one of the stages of an attack. After the initial compromise, the attacker usually has unprivileged access with limited capabilities. The full access provided by an LPE vulnerability is required to completely take over the device and develop the attack further.
Accesses
Selling access to corporate networks is a very profitable business. It is done by a distinct group within the cyber underground, namely initial access brokers (IABs) – attackers who specialize in obtaining and selling access to compromised networks or systems of organizations. IABs use various methods, including exploiting vulnerabilities in software, phishing messages to obtain credentials or to deliver and deploy malware, and password guessing (brute force – compromising accounts using common or known passwords).
According to the results of penetration tests in 2023, 56% of attack vectors in external penetration testing aimed at gaining access to the LAN contained the brute force technique.
Once they have the necessary data, initial access brokers offer their services to ransomware groups or other attackers, including APT groups. It is worth noting that inexperienced attackers may not always be able to complete an attack, for example after finding a vulnerability with a legitimate vulnerability scanner. However, even if they cannot complete it, they can sell the information (access) they have obtained to more experienced cybercriminals who can use it effectively.
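Because brute force is the most common vector in the pentest statistic quoted above and a typical IAB technique, the most useful thing a defender can do with this section is to detect it. The script below is an added example, not part of the original article: it runs a simple sliding-window detector over constructed OpenSSH-style auth log lines and flags a source address that accumulates many failed logins in a short time, with a separate, higher-severity verdict when a success follows the failures (the pattern that suggests an account was actually guessed). The log lines, the `detect_bruteforce` function, the threshold of 5 failures and the 60-second window are assumptions chosen for illustration.

```python
"""Sliding-window brute-force detection over SSH auth log lines.

Added example. Input lines are constructed to resemble OpenSSH messages;
thresholds are illustrative and should be tuned to the environment.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample log: one guessing burst that ends in a success
# (203.0.113.7) and one ordinary user typo followed by key login (198.51.100.4).
SAMPLE_LOG = """\
Jan 14 02:11:01 vpn-gw sshd[4112]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jan 14 02:11:03 vpn-gw sshd[4113]: Failed password for invalid user test from 203.0.113.7 port 51130 ssh2
Jan 14 02:11:04 vpn-gw sshd[4114]: Failed password for root from 203.0.113.7 port 51138 ssh2
Jan 14 02:11:06 vpn-gw sshd[4115]: Failed password for backup from 203.0.113.7 port 51144 ssh2
Jan 14 02:11:08 vpn-gw sshd[4116]: Failed password for backup from 203.0.113.7 port 51150 ssh2
Jan 14 02:11:09 vpn-gw sshd[4117]: Accepted password for backup from 203.0.113.7 port 51152 ssh2
Jan 14 02:15:40 vpn-gw sshd[4201]: Failed password for jdoe from 198.51.100.4 port 40012 ssh2
Jan 14 02:16:02 vpn-gw sshd[4202]: Accepted publickey for jdoe from 198.51.100.4 port 40014 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

Event = Tuple[datetime, str, str, str]  # (timestamp, outcome, user, ip)


def parse_line(line: str) -> Optional[Event]:
    """Extract (timestamp, outcome, user, ip); return None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; relative ordering is all we need here.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("outcome"), m.group("user"), m.group("ip")


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window_seconds: int = 60) -> Dict[str, dict]:
    """Flag source IPs with >= threshold failures inside a sliding window.

    A later successful login from a flagged IP upgrades the finding to
    'success_after_bruteforce' and records the account involved.
    """
    recent_failures: Dict[str, List[datetime]] = defaultdict(list)
    findings: Dict[str, dict] = {}
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    for ts, outcome, user, ip in sorted(events, key=lambda e: e[0]):
        if outcome == "Failed":
            window = recent_failures[ip]
            window.append(ts)
            # Evict failures that fell out of the window.
            while window and (ts - window[0]).total_seconds() > window_seconds:
                window.pop(0)
            if len(window) >= threshold:
                entry = findings.setdefault(
                    ip, {"status": "bruteforce", "failures": 0,
                         "compromised_user": None})
                entry["failures"] = max(entry["failures"], len(window))
        elif ip in findings and findings[ip]["compromised_user"] is None:
            findings[ip]["status"] = "success_after_bruteforce"
            findings[ip]["compromised_user"] = user
    return findings


if __name__ == "__main__":
    for ip, finding in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, finding)
```

The success-after-failures rule is the one worth alerting on at high priority: a bare burst of failures is noise on any internet-facing host, whereas a success from the same source within the same window is how a guessed credential turns into the kind of access the brokers described above resell.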
Share of messages in the “Access” category by type
The largest share of messages in the “Access” category are offers for sale – 72%, while purchase ads account for only 14%. The predominance of sales ads reflects the trend towards a so-called “division of labor” in the cybercriminal environment: some attackers specialize in obtaining access, while others specialize in using it in attacks. The “Giveaway” type accounts for 13% of all ads and contains posts about free distribution of access.
Distribution of accesses by price
Most of the ads (62%) are in the low price range, where the cost does not exceed a thousand dollars. The cost of access is usually influenced by the company’s revenue, so there are also expensive offers (7%): the prices in such ads can reach several tens of thousands of dollars. It should be noted that such accesses are usually to financial institutions, industrial enterprises and companies in the service sector.
Advertisement for the sale of access to a company
Various types of access are sold on shadow resources. A third of the ads offer connection via the VPN or RDP protocols. Shell access and access via remote access programs such as AnyDesk and Citrix are also popular; their shares were 11% and 10%, respectively.
Types of access offered on the dark web
Of all the ads analyzed, 20% belong to the trade sector, followed by the services sector (17%) and industry (16%).
Share of messages about the sale of access by industry
Services
The dark web is not only a large marketplace for selling malware, exploits, and access to systems, but also a space where certain services are provided. In addition, to carry out attacks, attackers resort to the services of third parties, for example, to configure servers or develop phishing pages. Services that provide infrastructure are also of interest. These can be dedicated servers, VPNs, or proxies that are important for attacks.
Almost a third of the ads (29%) belong to the “Carding” category and contain data such as the card number, its expiration month and year, CVV code, cardholder data, phone number, address and email. Criminals use this information to purchase various goods or to cash out money. Because of its relative simplicity, carding often becomes the first step for beginners in the world of cybercrime.
Next comes “Traffic redirection and installs” (download traffic), which makes up 16% of the total number of messages. Such services ensure that users are redirected to a specific resource, for example a phishing site or a site hosting malware. It works like this: users click on an ad and are taken to a prepared phishing resource, where they are offered to install a malicious program under the guise of legitimate and safe software.
Advertisement for the sale of traffic
To successfully carry out attacks, cybercriminals need a reliable infrastructure. The share of such messages was 5%. They advertise a wide range of services: from hosting and proxy servers to VPS and VPN or dedicated servers.
A VPN (Virtual Private Network) is necessary to ensure secure and anonymous connections. When using a VPN, the attacker’s traffic is encrypted, and his data and location remain hidden. The price of VPN services starts at $4 per month. Attackers’ preferences differ here: some use legal commercial products, others rent them in the underground, and still others build their own tool. In addition, for stealth and anonymity, cybercriminals actively use proxy servers, which help hide the real IP address but, unlike a VPN, do not encrypt the user’s traffic.
An important component for cyberattacks are dedicated servers. The rental cost starts at $100 per month, and, as a rule, such servers are used to create command centers or hosting.
Advertisement for the sale of dedicated servers
A phishing site also needs a domain name in addition to hosting. It lends a little legitimacy to the malicious resource. Prices for such a service start from $2, although the final cost depends on the domain zone. In addition, an SSL certificate may be included in the package or offered as an additional service, which increases the level of trust in the site.
SSL certificate (Secure Sockets Layer) – a digital certificate that encrypts data transmitted between a user and a site. In the browser, such a resource is displayed with a lock icon next to the address, and the HTTPS protocol is used instead of HTTP.
Domain sales
Services for hacking resources are in great demand on the dark web, with ads for them accounting for a significant portion of messages – 49%. Most often, this is not related to high-profile attacks on organizations, as is commonly thought, but to simpler tasks: accessing personal data, hacking accounts in social networks and messengers, searching for vulnerabilities on websites, or compromising corporate email. It should be noted that customers of such services can be not only fraudsters or individuals, but also companies seeking an advantage, for example access to confidential information of competitors. Prices for compromising a personal email account can start from $100, and for hacking a corporate mailbox one will have to pay $200.
In addition, the price may vary depending on the probability of success of the attack. For example, one of the shadow forums offered a service to hack a Telegram account for 7,000 and 9,000 rubles with a probability of success of 50 and 70%, respectively.
Growing demand for hash cracking
The request for hash cracking is becoming increasingly popular on shadow forums. For example, at the end of 2023, it reached a record high, and then decreased by 29% in the first quarter of 2024. Despite this, by the third quarter of 2024, the number of requests increased sharply again, setting a new maximum. Hashes are used for a number of tasks: checking the integrity of data during transmission or protecting files. However, the most common form of hashing for users is password storage. For example, when you create an account on a website and enter your password, the resource does not store it in plain text. Instead, it converts the password into a unique set of characters. Even if an attacker steals the database, he will not get the passwords themselves, but only these hashes.
The growth in demand for such services is due to several factors. Users choose weak and predictable passwords. For example, NordPass researchers have prepared an anti-rating of passwords, having analyzed a 2.5 TB database obtained from open sources. The rating includes passwords such as “123456” or “password”, which means only one thing: cracking the hash becomes much easier.
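The two paragraphs above describe what a site does with a password (it stores a hash, not the password) and why a leaked hash of “123456” falls immediately. The code below is an added example, not code from the article or from NordPass: it shows the storage scheme a site should use (salted PBKDF2-HMAC-SHA256 with a high iteration count and a constant-time comparison on verification) next to the unsalted fast hash that makes a leaked database cheap to attack, and it rejects passwords from a blocklist before they are ever hashed. The `COMMON_PASSWORDS` shortlist, the function names and the 600,000 iteration count (the current OWASP recommendation for this KDF) are assumptions for illustration; a real deployment would use a much larger blocklist such as a breach corpus.

```python
"""Password storage: salted slow KDF vs. unsalted fast hash, plus a blocklist.

Added example. Demonstrates why a stolen table of unsalted SHA-256 hashes is
easy to attack (identical passwords give identical hashes, and one
precomputed table covers every user), and what proper storage looks like.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed shortlist standing in for a breach-derived blocklist.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "111111"}
MIN_LENGTH = 12
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)


def is_weak(password: str) -> bool:
    """Reject short passwords and anything on the blocklist (case-insensitive)."""
    return len(password) < MIN_LENGTH or password.lower() in COMMON_PASSWORDS


def unsalted_sha256(password: str) -> str:
    """The weak scheme: fast, unsalted, identical output for identical input."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt$derived_key."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt defeats shared tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, _b64(salt), _b64(dk))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def register(password: str) -> Optional[str]:
    """What a sign-up handler should do: refuse weak passwords, store a KDF record."""
    if is_weak(password):
        return None
    return hash_password(password)


if __name__ == "__main__":
    # Two users with the same weak password: unsalted hashes collide,
    # salted records do not, and registration refuses the password anyway.
    print(unsalted_sha256("123456") == unsalted_sha256("123456"))   # True
    print(hash_password("123456") == hash_password("123456"))       # False
    print(register("123456"))                                       # None
    rec = register("correct horse battery staple")
    print(verify_password("correct horse battery staple", rec))     # True
    print(verify_password("wrong password here", rec))              # False
```

The record format stores the iteration count alongside the hash so the work factor can be raised later and old records re-hashed on the user’s next login; the blocklist check is what actually addresses the “123456” problem, since no KDF slows a guess that is tried first.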
Cryptocurrencies are another factor. With the growing interest of cybercriminals in them, attackers are increasingly paying attention to hashes whose cracking can lead to the theft of funds from crypto wallets.
Cryptocurrencies use hashes to confirm transactions and protect access to wallets, which makes them an attractive target for attackers. Demand is also associated with the growing number of leaks of confidential data: more than half of successful attacks on organizations in 2023 and 2024 resulted in leaks. For example, if an attacker can crack a hash and recover a password used to access critical systems within a company, they gain access to confidential data and resources. The cost of the service starts at $10.
Conclusion
The shadow economy of cybercrime continues to evolve, using cryptocurrencies and decentralized financial mechanisms to provide anonymity and scale illicit activities. Bitcoin and Monero have become the main means of payment on the dark web, while cryptomixers, drops and offshore companies play a key role in laundering money obtained illegally.
The demand for access to corporate networks, exploits and account hacking remains high, which indicates the growing professionalism of cybercrime groups. The market for cyber services is expanding – attackers not only buy ready-made tools, but also commission custom developments, turning to underground programming communities.
Competition between criminal groups leads to new fraud schemes, data leaks and even attacks on each other. At the same time, the emergence of tools, builders and technical guides lowers the barrier to entry into the world of cybercrime, allowing beginners to quickly gain experience.
The shadow market continues to develop, adapting to changes in legislation and technology. It is likely that in the coming years we will see new cryptocurrency solutions to increase the anonymity of payments, further development of the RaaS model (Ransomware-as-a-Service) and even more sophisticated money laundering mechanisms.