You will learn how the dark web works, what services are most popular there, and how much hacking, exploits, and access to corporate networks cost. The article reveals the real earning schemes of cybercriminals, their methods of competition, and the role of Telegram in selling illegal services. It also analyzes new trends in the shadow market: the growth of demand for infostealers, million-dollar prices for zero-day exploits, and the impact of moderation changes in messengers on criminal business.
The study analyzes the interests of cybercriminals and the development of the illegal cyberservices market from 2023 to Q3 2024. The most popular topics, key trends and forecasts for further development are highlighted. The cost of goods and services, as well as the initial costs required to carry out attacks, are considered. Special attention is paid to the shadow economy: the dark web ecosystem, the motivation of its participants, mechanisms for regulating transactions, competition and strategies for attracting customers.
The analysis covers 40 sources, including the largest shadow platforms (forums, marketplaces) and Telegram channels of various topics and languages. In total, more than 20,000 messages were examined, containing discussions of malware, vulnerabilities, exploits, access to corporate networks, as well as cybercriminal services: resource hacking, traffic redirection, malware distribution, carding, infrastructure and DDoS attacks.
The material will be useful to information security specialists, threat intelligence analysts, as well as organizations and individuals interested in current aspects of cybercrime.
Shadow business borrows a lot from legal ones: reputation maintenance, marketing, methods of combating competition (including aggressive ones), bug bounties, employee support.
The most popular type of malware on the dark web is the infostealer (19%).
The most expensive type of malware is ransomware (median cost: $7,500).
A third of exploits presented for sale are zero-day vulnerabilities (0-day, zero day).
The cost of exploits can reach several million dollars.
More than half of all available accesses (62%) are estimated at up to $1,000.
The largest number of messages about the sale of accesses is related to the service sector (20%).
Almost half of the messages (49%) are devoted to resource hacking.
The net profit from a successful cyberattack can be five times the cost of organizing it.
Zero-day vulnerability: a vulnerability in software that was not known to the developers. The term zero day describes the fact that developers have zero days to fix the problem because it has already been discovered by attackers.
The darknet is a hidden part of the global Internet that cannot be accessed through standard and well-known search engines. The “dark web” is not regulated by the state, and special encryption and routing methods allow its users to remain anonymous. This makes the darknet attractive to various cybercriminals. Anonymity also means that users can avoid responsibility for their actions, which contributes to the spread of illegal operations. Shadow resources include various forums, proprietary search engines and sites that offer a wide range of goods and services: from the sale of stolen data and malicious software (malware) to custom hacking.
As technology evolves, the “open internet” is becoming more controlled, which has led to a growing interest in alternative spaces such as the dark web. This dark corner of the internet is home to a diverse range of users, from criminals to the curious. Each is attracted to the unique features of the network.
Broadly speaking, shadow market participants can be divided into two categories: sellers and buyers. Sellers play a key role in the world of criminal markets, filling high demand with their offers. Playing by the same rules as in legal business, they aim to retain and attract new audiences and, accordingly, increase their income. Buyers are the ones who create demand, and are often motivated by financial gain. Both can be called cybercriminals.
Cybercrime encompasses a wide range of illegal activities carried out using digital technologies, such as phishing or malware attacks. The goals of such attacks can vary from financial gain to disrupting systems for personal or political reasons. There are different types of cybercriminals (hacktivists, novice attackers, APT groups, and others), and each has its own unique methods and motives.
Hacktivists are cybercriminals who use cyberattacks to express their political, ideological or social beliefs, as well as to draw attention to various issues. Their activities go beyond personal gain and are aimed at changing public opinion or political processes. This group often opposes governments and organizations that it considers to be violators in one way or another.
Using shadow resources and some legal ones (including Telegram), they organize attacks on government systems, publish stolen data or distribute compromising information about targets. Hacktivists also offer their own courses (for example, on deface: attackers change the content of a site for the purpose of political protest and other motives) or DDoS services.
Novice attackers are inexperienced and use ready-made, readily available tools to carry out cyberattacks. Unlike professionals, novice cybercriminals do not have deep technical knowledge, but despite this, they can access various malicious programs that are distributed on shadow markets. This allows them to participate in cyberattacks with minimal effort.
Using the dark web, they can buy or download malicious tools to attack websites, networks, and other resources, and then brag about their successes. For beginners, the underground is a platform where they communicate with more experienced cybercriminals, presenting themselves to them. For many such attackers, participating in cyberattacks is a way of entertainment, rather than a purposeful malicious activity.
APT groups (advanced persistent threat) are organized and well-funded groups of hackers that engage in long-term and targeted cyberattacks. Groups are often associated with state structures or receive support from national governments, which allows them to use advanced technologies and resources to achieve their goals.
Importantly, APT groups often remain unnoticed in the victim’s network for months or even years. The main goals of their attacks are to collect information for espionage, disrupt the operation of critical information infrastructure (CII) systems, and damage corporate systems. Examples of such groups include Lazarus and APT32. On shadow resources, representatives of these groups can purchase various accesses (we will talk about them below) to penetrate corporate networks and other services.
Ransomware gangs are cybercriminal groups that specialize in attacks using malware that encrypts victims’ data and then demands a ransom to restore access. The dark web is a key platform for such groups, where they publish the names of victims, post stolen data, search for affiliates, and sell ransomware on a subscription basis (RaaS).
Malware developers occupy a prominent place in the shadow ecosystem, creating the necessary software to carry out cyberattacks. Such developers strive to write programs that will be commercially successful in the underground world. They also aim to gain authority and reputation on shadow platforms or among other attackers, which has a positive effect on increasing demand for the product provided.
Although shadow resources are usually associated with criminal activity, they are also used by those who do not have illegal goals. This group of people includes information security specialists, students, and various researchers. Each of them has a goal, but it all comes down to collecting and studying data. For example, some people visit shadow forums to satisfy their personal interest in cybersecurity and hacker culture. They may be enthusiasts who want to learn more about attack methods, but they do not intend to apply the knowledge gained to criminal activity. And their goal is no more than to expand their knowledge or view discussions and debates.
Like any area where goods and services are bought and sold, the shadow market is a profitable business, but an illegal one. The markets of the “dark web” are a breeding ground for cybercriminals, stimulating the development of demand and supply for illegal goods and services. Ways to generate revenue on the dark web include not only direct sales, but also such methods of earning money as affiliate programs, fraud schemes, custom malware creation, as well as the sale of instructions and consultations for conducting various cyberattacks.
For example, analysts at Chainalysis showed in a recent study that although dark web markets’ revenues from cryptocurrency declined significantly after their peak in 2021, they began to recover in 2023. Despite the closure of the largest dark web market, Hydra, in 2022, other illegal shops and platforms increased their revenues to almost two billion dollars in 2023, which is almost 25% more than in 2022. The growth is due to the emergence of new players that have begun to fill the vacuum after the closure of Hydra, as well as aggressive marketing methods and the integration of anonymous cryptocurrency payment processors, such as UAPS (Universal Anonymous Payment System).
Essentially, these payment processors provide a white label service for darknet markets, ensuring a seamless checkout experience for customers of these services.

In addition, in July 2024, TRM Labs, a company specializing in cryptocurrency analysis and security, published a report. It states that the three largest darknet markets processed transactions worth $1.4 billion, while Western platforms processed $100 million in transactions over the same period.
The dark web has its own unique ecosystem of shadow resources that allow users to exchange information, sell and buy illegal goods, and coordinate cyberattacks. This ecosystem consists of specialized forums where criminals can discuss new attack methods, marketplaces that function as online markets, and messengers like Telegram. The combination of these resources forms the foundation of a shadow economy hidden from the eyes of ordinary Internet users.
Dark web forums are platforms where users can communicate, exchange information, and offer a variety of illegal goods or services. For example, they can find stolen credit card information, malware, hacking tools, and access to compromised accounts.
They also discuss news, methods of attacking computers and networks, and share experiences in the field of anonymity (including how to remain undetected for longer). Shadow forums are hidden from regular search engines and require special software to access the resources. However, some sites dedicated to discussing hacking activities may also exist on the open Internet (clearnet).

Many of these resources are organized into sections to make it easier for users to navigate. For example, there is a “Web Application Vulnerabilities” section, a separate section for malware, and so on.
As in any other commercial ecosystem, shadow platforms have their own structure and hierarchy that ensures their functioning. At the heart of it are administrators, guarantors, and arbitrators (we’ll talk about them later). The first are the “top” of underground forums. They own the platform and are responsible for its technical and organizational work. Their task is to maintain trust in the platform, as this aspect directly affects its popularity. Then come moderators — trusted representatives of administrators who monitor compliance with the rules on the forum, moderate content, and check reports of fraud. In addition, they can enter into various discussions, for example, discussing recommendations for anonymity.
Those who create demand and supply are sellers and buyers. Verified sellers obtain the platform’s approved status by making a deposit into their account. Buyers are the core of the underground: beginners and experienced attackers alike create demand for the goods on offer. Next come privileged members and regular users. Privileged members earn special status on the forum through high engagement and high reputation (or simply pay to upgrade their account). It is worth noting that they can gain access to closed sections of the forums. Regular users, in turn, make up the bulk of the audience of shadow platforms.
Shadow resources have their own hierarchy and strict internal rules aimed at regulating communication among participants. There are also norms governing the trade in goods and services. In general, there are standard prohibitions on shadow resources: spam, toxic behavior, publishing malicious links and files (aimed at infecting the participants themselves), doxing (disclosing personal data).
Advertising ransomware or seeking cooperation to distribute it is also prohibited. But even this prohibition is successfully circumvented. For example, representatives of ransomware gangs hide the search for affiliates under the pretext of hiring pentesters for the team or looking for access providers to corporate networks.

Dark web marketplaces operate in a similar way to legitimate e-commerce platforms. They provide a platform for sellers and buyers of illegal goods and services, such as stolen data, malware, or custom-made system hacking. Like legitimate marketplaces, shadow marketplaces make money on commission: they take a percentage of each sale. Some dark web marketplaces require payment to gain access.

Telegram occupies an important place in the organization of cybercriminal goods markets, serving several functions at the same time: communication, marketing and conducting transactions. It is worth noting that cybercriminals often discuss the detailed terms of transactions in private, without indicating all the details in the ads. The main channels for negotiations are messengers (Telegram, Tox, Element, Briar).
Telegram has become popular among cybercriminals not only for communication, but also for advertising and distribution of services. Sellers create channels to promote their products. There they can publish information about important updates, discounts and promotions. Such channels also allow you to maintain contact with customers, for example, quickly respond to the unavailability of services or read customer reviews to improve the product. Accessibility and a wide user base make it easy to attract customers and spread information about your services. After all, unlike the darknet, access to Telegram does not require the installation of specialized software.

In addition, in 2021, the cybercrime market expanded its influence, partly moving to Telegram. The range of services presented in the messenger was quite significant. This was due to the closure of large platforms on the darknet. In turn, Telegram as a means of distributing goods only flourished.
It is worth noting that on September 23, 2024, Pavel Durov (CEO of Telegram) stated that the platform would strengthen moderation and transfer user data at the request of the authorities. Meanwhile, attackers on shadow resources began to discuss the search for alternative communication channels, such as Tox, Signal, Matrix. Perhaps soon cybercriminals will switch back to forums or create their own alternatives (to Telegram or forums).
Most platforms, be it forums, marketplaces or Telegram, follow similar general rules. However, the details may differ, for example, if we are talking about a platform focused on a specific region.
Shadow platforms are often perceived as an illegal world without rules. However, in their work, one can notice principles familiar to anyone who has encountered business: reputation, marketing and customer service. On underground sites, for example, bug bounty programs are found that help protect platforms from unacceptable events.
In the world of underground markets, reputation and status play an important role. Competition on shadow resources is high, and to successfully work on these sites, sellers are forced to take into account many factors in order to stand out. They strive to maintain a high level of trust, since their success depends on it. If a seller has a good reputation, he can afford to set higher prices for goods or services and count on a stable flow of customers.
Meeting the needs of buyers and timely responses to their questions (many sellers provide support almost 24/7) contribute to the formation of a loyal customer base. With the development of the service model, support goes beyond customers and also applies to team members. Along with technical support, psychological support has now appeared. Criminals, striving to create effective teams, begin to build a structure where caring for the group members becomes part of the overall strategy for success. The business model increasingly resembles an internal corporate culture, where important elements are not only professional skills, but also emotional support.

Users can leave feedback expressing their wishes and suggestions for improving products or services, such as requesting updates or improving functionality. Developers often respond to such feedback by making the necessary changes to meet customer expectations and increase customer satisfaction.
Creating landing pages to attract customers has become an important element of a successful competitive strategy. A competent design and well-structured landing page can play a crucial role in keeping the buyer’s attention and encouraging them to make a purchase.

Additionally, having a user-friendly interface has become almost mandatory. With a user-friendly and beautiful interface, customers spend less time learning often complex tools and are more likely to use the product. Providing a user-friendly interface is also becoming an important way to differentiate themselves from competitors.
Products that are easier to use (even if they offer more limited functionality) are gaining popularity faster than complex tools. This is all due to marketers targeting less technically savvy customers. The bottom line is that the easier a product is to use, the more customers are willing to buy it. When it comes to advanced attackers, ease of use is not as important as functionality and stability.
An interesting advertising move was made by the LockBit extortion group. They offered to pay a reward of $1,000 to anyone who would get a tattoo with the name and logo of the group on their body. The person who did this simply had to publish a photo to receive money.
Such a unique marketing strategy helped create an image of the group as a powerful and influential player. Such a move increases brand recognition, and is also a mechanism for attracting new partners and standing out from other ransomware gangs, which provides a competitive advantage. A recent example of a possible rebranding of the now defunct BlackCat group is noteworthy.
Ransomware gangs often rebrand, but this particular change is a good example of how attackers target brand recognition and quickly gain traction. In June 2024, the extortion gang began advertising their services on a shadow forum.

Competition in the world of underground markets often goes beyond the boundaries of conventional business methods. In an environment where reputation and success directly affect profits, some market participants resort to aggressive methods of combating competitors. One such method is conducting cyberattacks. For example, DDoS attacks aimed at overloading servers have become a common weapon in the hands of some players. These actions are aimed at undermining the work of a competitor and reducing customer trust.
Everything indicates fierce competition in shadow markets, where everyone is trying to maintain their position and leave rivals behind. However, cyberattacks are not a guarantee of victory. Many underground sellers are technically savvy specialists and are able to quickly resume their work, minimizing the consequences of attacks.

Of course, attacks do not end with a simple DDoS. Competing platforms can use other methods to disrupt services. For example, in June 2023, the data of 4,000 participants of a shadow forum was leaked. As it turned out later, another competing platform took responsibility (sharing the news on one of the social networks). Such actions are designed to undermine the reputation of the forum among attackers. They can also threaten to reveal the identities of participants, which would simplify their tracking by law enforcement agencies.

The shadow market borrows a lot from legal businesses, and bug bounty programs are no exception. Various shadow resources are implementing their own bug bounty programs, where payment is, of course, in cryptocurrency. This practice has become a response to the need to protect the data of participants and the platforms themselves from external threats, such as competing criminal groups. The main motive for implementing such programs is to increase the stability of platforms, which allows avoiding information leaks or hacks that can lead, for example, to the theft of cryptocurrency from users’ deposits.

For example, a well-known ransomware group has been running a bug bounty program since 2022, offering ethical and unethical hackers the opportunity to find vulnerabilities in the infrastructure. As for the website bugs, the LockBit gang was particularly interested in hearing about XSS vulnerabilities that could allow third parties to access the decryption tool or victims’ chat logs, as well as bugs in Locker (malware designed to block access to a system) that could allow victims to recover their files without paying for the tool. The rewards ranged from $1,000 to $1 million.
As in the legal world, there is also fraud on the dark web. For example, affiliates can be deceived, or malware can be distributed under the guise of legitimate tools (for example, the notorious Pegasus spyware). To minimize risks and ensure at least a minimum level of transaction integrity, cybercriminals often resort to the services of guarantors or guarantor services.
A guarantor service is a third party that acts as an intermediary between the buyer and the seller. They temporarily hold the buyer’s funds until the buyer confirms receipt of the goods or services, and then transfer the money to the seller.
In addition, many forums practice a deposit system (which is often a mandatory condition): the seller must put up a certain amount as a deposit to confirm his honesty and seriousness of intentions. In the event of fraud, these funds can be withheld and transferred to the injured party.
With the development of shadow forums, automated guarantor systems began to appear. These systems allow you to speed up the process of conducting typical transactions by automating the stages of depositing funds.

In most cases, dark web resources have their own official guarantors: someone from the forum administration or a user with a good reputation as an intermediary. For their services, the guarantor receives from 4% of the transaction amount (the cost may vary, since the final price is directly influenced by the site administration).
When disputes arise, arbitrators come into play. We can safely say that they are a local regulatory body. Arbitrators help resolve disputes and problems that arise between the parties to the transaction, making decisions on the distribution of funds or compensation in the event of conflicts. Their role is critical to maintaining trust and stability in shadow markets, where they serve as the main available dispute resolution mechanism. To resolve conflict situations, the injured party provides the necessary evidence to confirm the fact of fraud. The arbitrator, in turn, checks all this and delivers a verdict. In this case, the final decision is made by the site administration.

On shadow resources, prices are formed in two main ways: through fixed prices or auctions. Fixed prices are set by the seller and are not subject to negotiation. This is a convenient way of mass trading when you need to sell a product quickly without lengthy negotiations. At the same time, auctions provide an opportunity for buyers to offer their price for the product, and the seller can choose the most favorable offer. Auctions are often used for rare or unique goods, such as zero-day exploits or exclusive data sets, as well as access to the infrastructure of organizations. For example, an attacker can set the starting price of a lot and indicate the steps of increasing the price.
A study of the cybercrime market shows that the shadow economy is increasingly resembling legal business, adapting classic approaches to marketing, competition, and customer service. The darknet has become not only a platform for selling illegal goods, but also an ecosystem that has developed its own rules, guarantee systems, loyalty programs, and even dispute resolution mechanisms.
Anonymity and the lack of state control stimulate the development of criminal schemes, including the sale of exploits, malware, and access to corporate networks. At the same time, competition between cybercriminals is intensifying – aggressive methods of struggle are used, including DDoS attacks and compromising competitors.
Financial flows on the dark web remain significant, and cryptocurrencies ensure the anonymity of payments. However, even in this area, mechanisms are emerging that resemble traditional financial instruments: a system of deposits, guarantor services, and even bug bounty programs to increase security.
However, the development of the darknet faces challenges: stricter moderation policies of messengers, the closure of popular platforms and increased control by government agencies are forcing criminals to adapt and find new ways to do business.
This is just the first part of our dive into the shadowy world of cybercrime. In the second part, we will look at even deeper aspects of the darknet economy, criminals’ revenue models and methods of combating cyber threats.