A government shutdown of dark web marketplaces AlphaBay and Hansa has merchants and consumers looking for a new home.

Authorities , the largest online marketplace for illegal goods, on July 4, and took down Hansa, the third largest, on Thursday. The sites, where people could buy drugs, guns and child pornography, had flourished since 2014, when a predecessor, Silk Road, was shut down. 

Fueled by Tor browsers and cryptocurrencies that offer anonymity, AlphaBay, Hansa and other sites avoided much government detection, allowing  in the wake of Silk Road’s demise. AlphaBay replaced as the biggest, growing to be 10 times larger. 

When one dark darknet market falls, buyers and sellers just move on to the next one.

The migration of buyers and sellers comes as authorities around the world crack down on digital marketplaces that cater to growing numbers of shadowy sales. at the time it was taken offline. By comparison, Silk Road had just 14,000 when the Federal Bureau of Investigation closed it four years ago.

Many of the sites . A recent study by the University of Manchester and think tank Rand Europe found 811 arms-related listings on . The researchers found nearly 60% of the weapons came from the US and most of the sales were headed to Europe. Worryingly, one gun bought on a cryptomarket was used in a .

FBI deputy director Andrew McCabe acknowledged shutting down such markets was like playing whack-a-mole. His agency would likely have to in the future, he said.

“Critics will say as we shutter one site, another will emerge,” McCabe said at a press conference. “But that is the nature of criminal work. It never goes away, you have to constantly keep at it, and you have to use every tool in your toolbox.”

One such tool: dark markets 2023 using a captured marketplace as a trap.

After the fall of AlphaBay, Dutch police said they saw traffic heading to Hansa spike eight-fold. That was something the cops were anticipating. 

Dutch police had full control of Hansa on June 20, but waited a month before shutting it down hoping to catch the new users in marketplace chaos.

“We could identify and disrupt the regular criminal activity that was happening on Hansa market but also sweep up all of those new users that were displaced from AlphaBay and looking for a new trading platform for their criminal activities,” Rob Wainwright, the Europol director, said at the press conference.

Dutch police now have the usernames, passwords and IP addresses of thousands of Hansa users, and are tracking them down.

An underground in flux

The ploy has dark web market users on edge. Many are concerned about whether the next available platform will be compromised as well. That has them questioning Dream Market, a marketplace that’s been in business since 2013 and benefitted from the shutdown of rivals. 

“After the closure of the AlphaBay market, many vendors expressed that they were moving their operations to Hansa and Dream Market,” Liv Rowley, an analyst at Flashpoint, said. “The shuttering of Hansa now leaves Dream the only remaining major option.”

Rowley noticed chatter on forums and subreddits pointing to Dream Market as the next AlphaBay, but people are wary after the Dutch police ploy.

Reddit users on several  threads have expressed concerns the website has been compromised in a similar fashion. A user who speculated Hansa had been compromised in a thread posted  returned on Thursday to warn that .

“This is a warning you will want to heed,” the user, who goes by , posted. “They are waiting to gather as many refugees from AB & Hansa as they can and then drop the hammer.”

Other marketplaces, like Tochka and Valhalla, could also rise in the vacuum AlphaBay and Hansa have left. Some smaller dark web markets are even appealing to those lost in AlphaBay’s shake-up. 

Security company was offering vendors from AlphaBay a discount if they moved to their platform.

“The entire illegal underground is in flux right now,” Flashpoint’s Rowley said.

It’ll be quiet on the dark web until people can find a reliable marketplace again, but eventually they will, said Emily Wilson, the director of analysis at Terbium Labs.

She called the busts a “sizable hiccup” but not “an irreversible blow.” 

It’s unclear who’ll emerge from the fallout. But the FBI estimates that more than 40,000 merchants are looking for a place to sell. And there are more than 200,000 customers looking for places to buy stuff they can’t get on Amazon. 

With AlphaBay, the Amazon of illegal goods, now shut down, the market is fragmenting. If you want malware, darknet market lists there’s a market for that on the dark web. The same for guns and for drugs. So business will go on, albeit less conveniently.

“For now, there are plenty of smaller and more specialized markets for vendors and buyers to continue trading,” Wilson said. 

First published July 21, 8 a.m. ET

Update, 5:04 p.m.: Adds background on scope of the markets, weapons sales. 

: Online abuse is as old as the internet and it’s only getting worse. It exacts a very real toll.

: CNET chronicles tech’s role in providing new kinds of accessibility.

, a fringe social network , resurfaced on Sunday. 

The social media site, which dark markets itself as a bastion of free speech amid censorship of extremists on Twitter and Facebook, was intermittently available late Sunday. Clicking on links to the site sometimes would produce error messages, but that didn’t seem to stop some of the site’s 800,000 users from posting celebratory messages, praising the company for coming back online. Many of them hailed the move as for .

“Through the grace of God Gab is back online,” Gab CEO Andrew Torba . “We will never give in. Free speech and liberty will always win.”

Gab’s return marks the latest turn in the unfolding debate over free speech in the modern age. Facebook, Twitter and Google’s YouTube have on bad behavior and hate speech on their services. That’s driven some of the people banned from those sites to sites like and Gab, darknet market lists a Twitter-like alternative social network founded in 2016.

Last week, Gab came under scrutiny when reports surfaced that Robert Bowers, who is charged with opening fire in , used the social network to voice . Eleven people died .

Two days later, on Oct. 29, domain provider GoDaddy . GoDaddy said it made the decision after receiving complaints and finding content on Gab that “promotes and encourages violence against people.” , Stripe, dark market url Joyent, dark web market web sites Shopify and Medium also cut ties with Gab.

Gab isn’t the only social network that’s been used by extremists. Facebook, Twitter and YouTube all have been used by terrorists and Neo-Nazis, as well. With varying degrees of success, those platforms have tried to crack down on hate speech. Gab, however, markets itself as a bastion of free speech that is more permissive than other sites, which is part of why it’s attracted extremists.

Gab also isn’t the first site to see its domain register or host pull their services because of its content. Last year, the neo-Nazi site The Daily Stormer after being booted by GoDaddy and Google. Gab, for its part, is operating on the surface web for now.

In a , Torba said Gab was able to come back online after , , and should be fully back online Monday. “This coordinate smear by the mainstream media did not work,” he said in the message. “This smear is only going to propel us into the stratosphere.”

: dark Web market list Everything you need to know about the free speech debate.

: Everything you need to know about why tech is under Washington’s microscope.

Earlier this month, hundreds of companies from the US to Sweden were entangled in the , a company that offers network infrastructure to businesses around the world.

The Kaseya hack comes on the heels of other headline-grabbing cyberattacks like the  and the . In each instance, criminals had the opportunity to make off with millions — and much of the ransoms were paid in Bitcoin.

“We have to remember the primary reason for creating Bitcoin in the first place was to provide anonymity and secure, trustless and borderless transaction capabilities,” says Keatron Evans, principal security researcher at .

As Bitcoin grows more prominent in darknet markets around the world, cybercrooks have found a vital tool to help them move illegal assets quickly and pseudonymously. And darknet market lists by all accounts, the attacks are only becoming more common. 

Ransomware on the rise

Ransomware is a cybercrime that involves ransoming personal and business data back to the owner of that data. 

First, a criminal hacks into a private network. The hack is accomplished through various tactics, including phishing, social engineering and preying upon users’ weak passwords.

Once network access is gained, the criminal locks important files within the network using encryption. The owner can’t access the files unless they pay a ransom. Nowadays, cybercriminals tend to request their ransoms in cryptocurrencies.

The FBI  ransomware attacks accounted for at least $144.35 million in Bitcoin ransoms from 2013 to 2019. 

These attacks are scalable and can be highly targeted or broad, ensnaring anyone who happens to click a link or install a particular software program. 

This allows a small team of cybercrooks to ransom data back to organizations of all sizes — and the tools needed to hack into a small business or multinational cooperation are largely the same. 

Private citizens, businesses, and state and national governments have all fallen victim — and many decided to pay ransoms.

Today’s business world depends on computer networks to keep track of administrative and financial data. When that data disappears, it can be impossible for the organization to function properly. This provides a large incentive to pay up. 

Although victims of ransomware attacks are encouraged to report the crime to federal authorities, there’s no US law that says you have to report attacks (). Given this, there’s little authoritative data about the number of attacks or ransom payments. 

However, a recent study from Threatpost  only 20% of victims pay up. Whatever the actual number is, the FBI  against paying ransoms because there’s no guarantee that you’ll get the data back, and paying ransoms creates further incentive for ransomware attacks. 

Why do hackers like cryptocurrency?

Cryptocurrency provides a helpful ransom tool for darknet market lists cybercrooks. Rather than being an aberration or misuse, the ability to make anonymous (or pseudonymous) transfers is a  of cryptocurrency. 

“Bitcoin can be acquired fairly easily. It’s decentralized and readily 

available in almost any country,” says Koen Maris, a cybersecurity expert and advisory board member at IOTA Foundation.

Different cryptocurrencies feature different levels of anonymity. Some cryptocurrencies, like Monero and Zcash, specialize in confidentiality and may even provide a higher level of security than Bitcoin for cybercriminals. 

That’s because Bitcoin isn’t truly anonymous — it’s pseudonymous. Through careful detective work and analysis, it appears possible to trace and recoup Bitcoin used for ransoms, as the FBI  after the Colonial Pipeline hack. So Bitcoin isn’t necessarily used by ransomers simply because of security features. Bitcoin transfers are also fast, irreversible and easily verifiable. Once a ransomware victim has agreed to pay, the criminal can watch the transfer go through on the public blockchain. 

After the ransom is sent, it’s usually gone forever. Then crooks can either exchange the Bitcoin for another currency — crypto or fiat — or transfer the Bitcoin to another wallet for safekeeping. 

While it’s not clear exactly when or how Bitcoin became associated with ransomware, hackers, cybercrooks, and crypto-enthusiasts are all computer-savvy subcultures with a natural affinity for new tech, and Bitcoin was adopted for illicit activities online soon after its creation. One of Bitcoin’s first popular uses was currency for transactions on the dark web. The  was among the early marketplaces that accepted Bitcoin.

Financial impact

Ransomware is big business. Cybercriminals made off just under $350 million worth of cryptocurrency in ransomware attacks last year, . That’s an increase of over 300% in the amount of ransom payments from the year before. 

The COVID-19 pandemic set the stage for a surge in ransomware attacks. With vast tracts of the global workforce moving out of well-fortified corporate IT environments into home offices, cybercriminals had more surface area to attack than ever.

According to , the organizational changes needed to accommodate remote work opened up more businesses for cybercrime exploits, with Coalition’s policyholders reporting a 35% increase in funds transfer fraud and social engineering claims since the beginning of the pandemic.

It’s not just the number of attacks that is increasing, but the stakes, too. A  from Palo Alto Networks estimates that the average ransom paid in 2020 was over $300,000 — a year-over-year increase of more than 170%.

When an organization falls prey to cybercrime, the ransom is only one component of the financial cost. There are also remediation expenses — including lost orders, business downtime, consulting fees, and other unplanned expenses. 

The  report from Sophos found that the total cost of remediating a ransomware attack for a business averaged $1.85 million in 2021, up from $761,000 in 2020. 

Many companies now buy cyber insurance for financial protection. But as ransomware insurance claims increase, the insurance industry is also dealing with the fallout.

Globally, darknet market lists the price of cyber insurance has , according to a new report from Howden, an international insurance broker. The increase is likely due to the growing cost these attacks cause for insurance providers. 

A cyber insurance policy generally covers a business’s liability from a data breach, such as expenses (i.e., ransom payments) and legal fees. Some policies may also help with contacting the businesses customers who were affected by the breach and repairing damaged computer systems. 

Cyber insurance payouts now account for  of all premiums collected, which is the break-even point for the providers. 

“We noticed cyber insurers are paying ransom on behalf of their customers. That looks like a bad idea to me, as it will only lead to more ransom attacks,” says Maris. “Having said that, I fully understand the argument: the company either pays or it goes out of business. Only time will tell whether investing in ransom payments rather than in appropriate cybersecurity is a viable survival strategy.”

Early adopters

The AIDS Trojan, or PC Cyborg Trojan, is the first known ransomware attack. 

The attack began in 1989 when an AIDS researcher distributed thousands of copies of a floppy disk containing malware. When people used the floppy disk, it encrypted the computer’s files with a message that demanded a payment sent to a PO Box in Panama. 

Bitcoin wouldn’t come along until almost two decades later. 

In 2009, Bitcoin’s mysterious founder, Satoshi Nakamoto, created the blockchain network by mining the first block in the chain — the genesis block. 

Bitcoin was quickly adopted as the go-to currency for the dark web. While it’s unclear exactly when Bitcoin became popular in ransomware attacks, the 2013 CryptoLocker attack definitely put Bitcoin in the spotlight. 

CryptoLocker infected more than 250,000 computers over a few months. The criminals made off with about $3 million in Bitcoin and pre-paid vouchers. It took an internationally coordinated operation to take the ransomware offline in 2014.

Since then, Bitcoin has moved closer to the mainstream, and ransomware attacks have become much easier to carry out.

Early ransomware attackers generally had to develop malware programs themselves. Nowadays, ransomware can be bought as a service, just like other software. 

Ransomware-as-a-service allows criminals with little technical know-how to “rent” ransomware from a provider, which can be quickly employed against victims. Then if the job succeeds, the ransomware provider gets a cut. 

Future legislation

In light of the recent high-profile ransomware attacks, calls for new legislation are growing louder in Washington.

President Joe Biden issued an  in May “on improving the nation’s cybersecurity.” The order is geared toward strengthening the federal government’s response to cybercrime, and dark web market links it looks like more legislation is on the way.

The  was recently introduced by a bipartisan group of senators. The bill aims to ramp up penalties for cyberattacks that impact critical infrastructure, so the Justice Department would have an easier time charging criminals in foreign countries under the new act.

States are also taking their own stands against cybercrime:  have proposed legislation to outlaw ransomware payments. North Carolina, Pennsylvania, and Texas are all considering new laws that would outlaw taxpayer money from being used in ransom payments. New York’s law goes a step further and could outright ban private businesses from paying cybercrime ransoms. 

“I think the concept of what cryptocurrency is and how it works is something that most legislative bodies worldwide struggle with understanding,” says Evans. “It’s difficult to legislate what we don’t really understand.”