    Author Archive - Vincenzo Ciancaglini (Senior Threat Researcher)

    Mention the “Deep Web” and most people will instantly associate it with the part of the Internet used for nefarious and illegal activities. For others, it is this inaccessible side of the Web, the one that requires a lot of technical skill and know-how to reach. Although these assumptions are somewhat correct, they only cover a small portion of the Deep Web as a whole.

    For over two years, Trend Micro’s Forward-Looking Threat Research Team (FTR) has done extensive exploration of the Deep Web, collecting and analyzing its contents and keeping tabs on ongoing activities. The result is Below the Surface: Exploring the Deep Web, a research paper that aims to give its readers a better understanding of what truly goes on in the Deep Web and darknets, and the effects these could have in the real world.

    Two sides of the coin

    Anonymity is the main feature of the Deep Web, and there are plenty of people who would want to use and abuse that. For example, people who want to shield their communications from government surveillance may want to take refuge in darknets. Whistleblowers, like Edward Snowden, can share vast amounts of insider information to journalists without leaving a paper trail. Dissidents in restrictive regimes may need anonymity in order to safely let the world know what’s happening in their country.

    On the flipside, those with malicious intentions can also greatly benefit from this anonymity. For example, drug sellers wouldn’t want to set up shop in an online location where law enforcement can easily determine their IP address. The same could be said for those engaged in other illegal activities like selling contraband and stolen goods.

    Digging into the Deep Web

    We decided to look further down the rabbit hole to get more information about the illegal activities and services offered in the Deep Web. To get information, we employed our system, called the Deep Web Analyzer (DeWa). DeWa is responsible for collecting URLs linked to the Deep Web, including TOR- and I2P-hidden sites and Freenet resource identifiers, and trying to extract relevant information tied to them like page content, links, email addresses, HTTP headers, and so on.
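    The kind of identifier extraction the paragraph attributes to DeWa, as an added example that is not Trend Micro's code: it pulls Tor, I2P and Freenet identifiers out of scraped text, normalises and deduplicates them, and counts them per network. The regular expressions, the DarknetRef type and the sample text are constructed for this example, and every identifier in the sample is made up.

```python
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

# Tor hidden services: 16 base32 chars (v2) or 56 base32 chars (v3) before .onion
ONION_RE = re.compile(r"\b(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion\b", re.I)
# I2P: a 52-char base32 destination under .b32.i2p, or a readable name under .i2p
I2P_RE = re.compile(r"\b(?:[a-z2-7]{52}\.b32\.i2p|[a-z0-9][a-z0-9-]{0,66}\.i2p)\b", re.I)
# Freenet keys: CHK@/SSK@/USK@/KSK@, the key body, and an optional path
FREENET_RE = re.compile(r"\b(?:CHK|SSK|USK|KSK)@[A-Za-z0-9~,_-]+(?:/[^\s<>'\"]*)?")


@dataclass(frozen=True, order=True)
class DarknetRef:
    network: str      # "tor", "i2p" or "freenet"
    identifier: str   # hostnames are lower-cased; Freenet keys are case-sensitive


def extract_refs(text: str) -> list[DarknetRef]:
    """Return the distinct darknet identifiers found in text, sorted by network."""
    found: set[DarknetRef] = set()
    for m in ONION_RE.finditer(text):
        found.add(DarknetRef("tor", m.group(0).lower()))
    for m in I2P_RE.finditer(text):
        found.add(DarknetRef("i2p", m.group(0).lower()))
    for m in FREENET_RE.finditer(text):
        found.add(DarknetRef("freenet", m.group(0)))  # keep case: key material
    return sorted(found)


def count_by_network(refs: list[DarknetRef]) -> dict[str, int]:
    """Per-network tally, the figure a crawler dashboard would alert on."""
    return dict(Counter(r.network for r in refs))


# Constructed sample of scraped page text; none of these identifiers is real.
SAMPLE_TEXT = """
Mirror 1: http://abcdefghijklmnop.onion/market
Mirror 2: http://abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion/
I2P: http://abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrst.b32.i2p/ and http://shop-mirror.i2p/
Freenet: USK@constructedKeyPart1,constructedKeyPart2~x-y,AQACAAE/index/7/
Noise: short.onion example.com ABCDEFGHIJKLMNOP.ONION (same v2 address, other case)
"""

if __name__ == "__main__":
    for ref in extract_refs(SAMPLE_TEXT):
        print(ref.network, ref.identifier)
    print(count_by_network(extract_refs(SAMPLE_TEXT)))
```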

    So far, we’ve collected more than 38 million events that account for 576,000 URLs, 244,000 of which bear actual HTML content.

    DeWa also has a feature that alerts us when hidden services receive a lot of traffic or when the number of sites spikes. This is especially helpful in finding new malware families whose operators use TOR-hidden services to hide the more permanent parts of their infrastructure.

    Cybercrime in the Deep Web

    Among our observations was the fact that light drugs (read: cannabis) were the most-exchanged goods, followed by pharmaceutical products like Ritalin and Xanax, hard drugs, and even pirated games and online accounts.


    Figure 1. Drugs are revealed to be the most popular merchandise in the Deep Web

    The Deep Web is also home to Bitcoin and money-laundering services. Bitcoin offers a level of anonymity for users: as long as they don’t link their wallet code to their real identities, they are, to some extent, anonymous. Nonetheless, Bitcoin transactions are public, which means investigators can still examine them. Numerous services have sprouted in the Deep Web, offering to move Bitcoins through a network via microtransactions. For a handling fee, the customer gets the same amount of money back, with the added bonus of transactions that are harder to track or pin down.

    Figure 2. An example of a Bitcoin-laundering service offered in the Deep Web

    The challenge of the Deep Web

    Anonymity in the Deep Web will continue to raise a lot of issues and be a point of interest for both law enforcers and Internet users who want to circumvent government surveillance and intervention. Right now, there seems to be a race between “extreme libertarians” and law enforcement agencies, with the former trying to find new ways to become even more anonymous and untraceable.

    As such, security defenders like Trend Micro need to continue keeping tabs on the Deep Web as its role in the Internet and the real world grows.

    For full details about this Deep Web investigation, read our paper Below the Surface: Exploring the Deep Web. The results of our other inquiries into the Deep Web may be found in the Deep Web section of the Threat Intelligence Center.


    The Deep Web: Shutdowns, New Sites, New Tools

    2014 was a year in flux for the Deep Web. We briefly discussed this in our annual security roundup, but this is a topic worth exploring in some detail.

    In late 2013, the operator of the Silk Road marketplace, Ross Ulbricht (also known as Dread Pirate Roberts) was arrested, and recently he was convicted on various charges by a US federal court. Naturally, because the market abhors a vacuum, replacement marketplaces have shown up. Of course, many of these have led short – and colorful – lives before collapsing.

    Figure 1. Timeline of the Deep Web

    This was not the only factor that led to chaos and disorder within the Deep Web. Law enforcement actions also shut down multiple market places, and technical developments in anonymity and cryptocurrency technology have also changed the Deep Web in 2014.

    Law enforcement strikes back – Operation Onymous

    Ulbricht may have been one of the first high-profile arrests related to the Deep Web, but he was far from the last. In what was called Operation Onymous, 17 people were arrested and 414 different .onion domains seized by various law enforcement authorities from various countries. The seized sites included underground marketplaces as well as money laundering sites.

    Law enforcement has not said how they were able to locate the servers and persons involved in these underground sites. One of the developers of Tor, Jacob Appelbaum, has stated that he believes the arrests were due to confessions from at least one Deep Web site operator.

    One side effect of Operation Onymous may be the emergence of businesses specifically tailored for Deep Web site hosting. Merely hosting a site on the Deep Web is no guarantee of anonymity and safety for its users (a single Bulgarian ISP was responsible for hosting 129 of the seized domains). Some hosting providers and e-commerce platforms may choose to provide advanced services to Deep Web clients such as cryptocurrency support, escrow services, and two-factor authentication.

    Let a hundred marketplaces bloom

    Even before Operation Onymous took place, multiple marketplaces had appeared in the Deep Web offering all sorts of (mostly illegal) wares. Not all of these marketplaces proved to be particularly enduring. Sheep Marketplace shut down after claiming that they had been robbed of bitcoins, but users alleged that far more money had been stolen by site owners. Atlantis Marketplace shut down, citing security concerns.

    Much as had happened before, the shutdown of high-profile Deep Web marketplaces sent users scurrying to various replacement sites. One key difference in the post-Onymous cycle was where these marketplaces were “located”. Some of these sites used the Invisible Internet Project (I2P) network, in addition to or supplementing Tor.

    Some of the most popular marketplaces today are Agora, Evolution, WhiteRabbitmarket (present on I2P), Themarketplace (exclusively on I2P), Tortuga (present on I2P), and an I2P-exclusive version of Silk Road.

    New technology and cryptocurrencies

    The technology used in the Deep Web has also evolved. We’ve already noted the adoption of I2P by some deep web sites. In addition to this, we have also seen new cryptocurrencies that attempt to use blockchain technology in interesting ways that add features.

    One of these new currencies is Cloakcoin, which claims full anonymity and untraceability of the transaction chain. It scrambles requests across various open wallets (similar to Tor’s onion routing). To entice users to keep their wallets open, 6% annual interest is offered. Cloakcoin also natively includes an escrow function; this allows two parties to securely perform a commercial transaction using a third-party escrow wallet that guarantees money only gets transferred when both sides of the transaction are satisfied.

    Another emerging project was OpenBazaar, which was aimed at building a platform for anonymous, untraceable marketplaces. It also used blockchain technology to implement escrow, order management, user identities, and reputation management.


    2014 was a year of much turmoil in the Deep Web. Law enforcement took down many high-profile sites, doubts about Tor’s actual anonymity grew, and new tools were deployed by Deep Web actors. We can only expect to see more of the same in the months to come. The arms race between law enforcement and threat actors will only continue to intensify, and we can expect more marketplaces and tools to make their appearance and advance the state of the art in this field.

    Posted in Bad Sites | Comments Off on The Deep Web: Shutdowns, New Sites, New Tools

    The Boys are Back in Town: Deep Web Marketplaces Back Online

    While Ross Ulbricht, the accused operator of the first Silk Road Marketplace, remains on trial in New York, a new version of the deep web site, named Silk Road 2.0, was launched yesterday. The launch was announced through the Twitter account of Dread Pirate Roberts, the pseudonym Ulbricht allegedly used while operating the site.

    Figure 1. Twitter announcement of the new Silk Road

    The new site has a new login page which parodies the FBI seizure page of the old Silk Road site.

    Figure 2. Login page of the new site

    According to its new front page, the new Silk Road offers users the additional option of being able to use their PGP keys to secure their communications.

    Figure 3. Silk Road main page

    In an official announcement published on the Silk Road Forums, a separate site hosted in the TOR network, Dread Pirate Roberts explains that the launch will take place over several days, starting with an initial launch on the 5th of November, and ending on the 9th of November, when the marketplace is supposed to regain full functionality.

    Figure 4. Silk Road announcement

    News of the resurrection of Silk Road was immediately picked up by the mainstream media, with some speculation that the newly launched site may be just a honeypot set up to catch the remaining user base of the old Silk Road.

    More Deepweb Marketplaces Online

    However, the relaunched Silk Road is not alone, as other marketplaces have also sprouted online. A new marketplace, named Pandora, was spotted. According to its creator, Pandora features better security for customers because it has a stronger verification process for sellers and high fees for first-time vendors, discouraging possible scammers. Pandora currently has more than 2,000 active users, with most activity revolving around narcotics.

    Figure 5. Pandora home page

    The Black Market Reloaded, a Silk Road competitor, is also back online after going offline following the Silk Road arrest. Currently, there are more than 6,000 posts related to narcotics and more than 1,000 posts about services such as coding, hacking, and counterfeiting money or documents.

    Figure 6. Black Market Reloaded home page

    These marketplace launches and relaunches show just how active and vibrant the deep web is. Such activity is the reason why Trend Micro is actively involved in analyzing and monitoring activities related to the deep web.

    Our Forward-Looking Threat Research Team recently published a detailed report covering the technologies related to deep web sites and the kinds of transactions that take place there, focusing on goods such as credit cards, counterfeit money, and e-crime services. You may read the paper, Deepweb and Cybercrime: It’s Not All About Tor.

    Posted in Bad Sites | Comments Off on The Boys are Back in Town: Deep Web Marketplaces Back Online


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice