US guns make up as much as 60 percent of the weapons on sale on the dark web, dark markets new research has found.

Weapons, drugs and stolen identities are readily available on the dark web market web, a . To investigate where guns, ammunition and guides to their use come from, the UK’s University of Manchester and think tank Rand Europe — or cryptomarkets — and found 811 listings relevant to the study, published Wednesday.

Most weapons were from the USA, where , and most sales were destined for dark web darknet market list Europe. A gun bought from the dark web sites web was used in a .

“The dark web is both an enabler for the trade of illegal weapons already on the black darknet market and a potential source of diversion for weapons legally owned”, darknet market markets said Giacomo Persi Paoli, the report’s lead author. “The ability for criminals and terrorists, as well as vulnerable or fixated individuals, to make virtually anonymous purchases is perhaps the most dangerous aspect.”

On Thursday, US and European law enforcement agencies the , two of the three largest dark web markets. 

The history of technology is riddled with unintended consequences. As William Gibson wrote in Burning Chrome, “…the street finds its own uses for things.” Though Bitcoin may not have been originally conceived as a medium for ransom payments, it’s quickly become a central tool for online criminals.

Ransomware, a category of “,” blocks access to a computer or network until a ransom is paid. Despite the evolving efforts of governments to  and , the attacks keep coming. 

Cryptocurrency ransomware payments totaled roughly $350 million in 2020,  — an annual increase of over 300% from 2019. And because US companies are legally required to report cyberattacks only if customers’  is compromised, that estimate may be far too conservative.

Read more: 

Below, we tally up the damage of some of the highest-profile episodes.

Kaseya (2021)

On July 2, 2021, Kaseya announced its systems had been . Kaseya provides IT solutions for other companies — an ideal target which, darknet markets in a domino effect, ended up impacting approximately in multiple countries. REvil, a cybercriminal outfit, claimed responsibility for the attack and demanded ransoms ranging from a few thousand dollars to multiple millions, . 

It’s unclear how many individual businesses paid up, but REvil demanded from Kaseya. Kaseya declined to pay, opting to cooperate with the FBI and the US Cybersecurity and Infrastructure Agency. On July 21, 2021, Kaseya a universal decryptor key and dark web darknet market urls distributed it to organizations impacted by the attack.

JBS (2021)

On May 31, 2021, JBS USA, one of the largest meat suppliers in the US,  a hack that caused it to temporarily halt operations at its five largest US-based plants. The ransomware attack also disrupted the company’s Australia and UK operations. JBS paid the hackers an in Bitcoin to prevent further disruption and limit the impact on grocery stores and restaurants. The the hack to REvil, a sophisticated criminal ring well-known in ransomware attacks. 

Colonial Pipeline (2021)

On May 7, 2021, America’s largest “refined products” pipeline after a hacking group called Darkside infiltrated it with ransomware. Colonial Pipeline covers over 5,500 miles and transports more than 100 million gallons of fuel daily. The impact of the attack was significant: In the days that followed, the average price of a gallon of gas in the US increased to more than $3 for  as drivers rushed to the pumps. 

The pipeline operator said it paid the hackers $4.4 million in cryptocurrency. On June 7, 2021, the DOJ announced it had  part of the ransom. US law enforcement officials were able to track the payment and take back $2.3 million using a private key for a cryptocurrency wallet.

Brenntag (2021)

On April 28, 2021, German chemical distributor learned it was the target of a cyberattack by Darkside, which stole 150GB of data that it threatened to leak if ransom demands weren’t met. After negotiating with the criminals, Brenntag ended up negotiating the original ransom of $7.5 million down to , which it paid on May 11.

CNA Financial (2021)

On March 23, 2021, CNA Financial, the commercial insurer in the US, it had “sustained a sophisticated cybersecurity attack.” The attack was by a group called Phoenix, which used ransomware known as Phoenix Locker. CNA Financial eventually paid in May to get the data back. While CNA has been tight-lipped on the details of the negotiation and transaction, but says all of its systems have since been fully restored. 

CWT (2020)

On July 31, 2020, US business travel management firm CWT disclosed it had been impacted by a  that infected its systems — and that it had paid the ransom. Using ransomware called Ragnar Locker, the assailants claimed to have stolen sensitive corporate files and knocked 30,000 company computers offline. 

As a service provider to of S&P 500 companies, the data release could have been disastrous for CWT’s business. As such, the company paid the hackers about $4.5 million on July 28, a few days before Reuters the incident. 

University of California at San Francisco (2020)

On June 3, 2020, the University of California at San Francisco that the UCSF School of Medicine’s IT systems had been compromised by a hacking collective called Netwalker on June 1. The medical research institution had been working on a cure for COVID.

Apparently, Netwalker had researched UCFS, hoping to gain insights into its finances. Citing the billions of dollars UCFS reports in annual revenue, Netwalker demanded a $3 million ransom payment. After negotiations, Netwalker the bitcoin equivalent of $1,140,895 to resolve the cyberattack. According to the BBC, Netwalker was also identified as the culprit in at least two other 2020 ransomware attacks targeting universities. 

Travelex (2019)

On New Year’s Eve 2019, London-based foreign currency exchange Travelex was by a ransomware group called Sodinokibi (aka REvil). The attackers made off with 5GB of customer data, including dates of birth, credit card information, and insurance details. Travelex took down its website in 30 countries in an attempt to contain the virus.

In the wake of the ransomware attack, Travelex struggled with customer services. Sodinokibi initially demanded a payment of $6 million (£4.6 million). After negotiations, Travelex paid the cybercriminals  (285 BTC at the time, roughly £1.6 million) to get its data back.

WannaCry (2017)

In May 2017, a ransomware called infected computers across the globe by exploiting a vulnerability in Windows PCs. The WannaCry vulnerability was revealed during a massive leak of NSA documents and hacking tools engineered by a group called Shadow Brokers in . 

Though the exact number of WannaCry victims remains unknown,  around the world were infected. Victims included Spanish telecommunications company Telefónica and thousands of hospitals in the UK. Computer systems in 150 countries were affected by the attack, with a total estimated loss of around $4 billion globally.

The attackers initially demanded to unlock infected computer systems. The demand was later increased to $600 in bitcoin. However, some researchers claim that no one got their data back, even if they met the demands.

WannaCry attacks to this day. In February 2021, the DOJ  three North Korean computer programmers for their alleged role in the WannaCry outbreak.

Locky (2016)

Discovered in February 2016, Locky is notable due to the incredibly high number of infection attempts it’s made on computer networks. Attacks typically come in the form of an email with an invoice attached from someone claiming to be a company employee. On February 16, 2016 identified more than 50,000 Locky attacks in one day. 

Locky has , but the goal is largely the same: Lock computer files to entice owners to pay a ransom in cryptocurrency in exchange for a decryption tool, which would allow users to regain access to their locked files. The majority of Locky victims have been in the US, and , but Canada and France experienced significant infection rates as well. 

TeslaCrypt (2015)

 an earlier program called CryptoLocker, the earliest TeslaCrypt samples were circulated in November 2014 but the ransomware was not widely distributed until March of the following year.

TeslaCrypt initially targeted gamers. After infecting a computer, a pop-up would direct a user to pay a for a decryption key to unlock the infected system. report the requested ransoms ranged from $250 to $1000 in Bitcoin. In May 2016, the developers of TeslaCrypt a master decryption key for affected users to unlock their computers.

CryptoWall (2014)

Widespread reports of computer systems infected from the CryptoWall ransomware emerged in 2014. Infected computers were unable to access files — unless the owner paid for access to a decryption program. impacted systems across the globe. The attackers demanded payment in the form of prepaid cards or bitcoin. CryptoWall caused roughly $18 million in damages, . Multiple versions of CryptoWall were released, with each version making the ransomware more difficult to trace and dark darknet market onion combat.

CryptoLocker (2013)

The first time much of the world heard the term “ransomware” was during 2013’s outbreak. Discovered early in September 2013, CryptoLocker would cripple more than 250,000 computer systems during the following four months. Victims were instructed to send payments in cryptocurrency or money cards to regain access. The ransomware delivered at least  to its perpetrators. 

A in 2014 succeeded in taking down the Gameover ZeuS botnet, darknet market list which was a primary distribution method for CryptoLocker. The DOJ indicted Russian hacker Evgeniy Mikhailovich Bogachev, as the botnet’s ringleader. Bogachev is still at large — and the FBI is currently  of up to $3 million for information leading to his arrest and/or conviction. 

AIDS Trojan/PC Cyborg (1989)

Widely considered the template for all subsequent attacks, the AIDS Trojan (aka PC Cyborg) is the  of a ransomware attack. In 1989, more than a decade before the creation of bitcoin, a biologist named Joseph Popp distributed 20,000 floppy disks at the World Health Organization AIDS conference in Stockholm. The floppy disks were labeled “AIDS Information – Introductory Diskettes” and contained a trojan virus that installed itself on MS-DOS systems.

Once the virus was on a computer, it counted the times the computer booted up. Once the computer booted up 90 times, hid all directories and encrypted filenames. An image on the screen from the ‘PC Cyborg Corporation’ directed users to mail $189 to a PO address in Panama. The decryption process was relatively simple, however, and security researchers released a free tool to help victims.

The history of technology is riddled with unintended consequences. As William Gibson wrote in Burning Chrome, “…the street finds its own uses for things.” Though Bitcoin may not have been originally conceived as a medium for ransom payments, darknet market links it’s quickly become a central tool for online criminals.

Ransomware, a category of “,” blocks access to a computer or network until a ransom is paid. Despite the evolving efforts of governments to  and , the attacks keep coming. 

Cryptocurrency ransomware payments totaled roughly $350 million in 2020,  — an annual increase of over 300% from 2019. And because US companies are legally required to report cyberattacks only if customers’  is compromised, that estimate may be far too conservative.

Read more: 

Below, we tally up the damage of some of the highest-profile episodes.

Kaseya (2021)

On July 2, 2021, Kaseya announced its systems had been . Kaseya provides IT solutions for other companies — an ideal target which, in a domino effect, ended up impacting approximately in multiple countries. REvil, a cybercriminal outfit, claimed responsibility for the attack and demanded ransoms ranging from a few thousand dollars to multiple millions, . 

It’s unclear how many individual businesses paid up, but REvil demanded from Kaseya. Kaseya declined to pay, opting to cooperate with the FBI and the US Cybersecurity and Infrastructure Agency. On July 21, 2021, Kaseya a universal decryptor key and distributed it to organizations impacted by the attack.

JBS (2021)

On May 31, 2021, JBS USA, one of the largest meat suppliers in the US,  a hack that caused it to temporarily halt operations at its five largest US-based plants. The ransomware attack also disrupted the company’s Australia and UK operations. JBS paid the hackers an in Bitcoin to prevent further disruption and limit the impact on grocery stores and restaurants. The the hack to REvil, a sophisticated criminal ring well-known in ransomware attacks. 

Colonial Pipeline (2021)

On May 7, 2021, America’s largest “refined products” pipeline after a hacking group called Darkside infiltrated it with ransomware. Colonial Pipeline covers over 5,500 miles and transports more than 100 million gallons of fuel daily. The impact of the attack was significant: In the days that followed, the average price of a gallon of gas in the US increased to more than $3 for  as drivers rushed to the pumps. 

The pipeline operator said it paid the hackers $4.4 million in cryptocurrency. On June 7, 2021, darknet market the DOJ announced it had  part of the ransom. US law enforcement officials were able to track the payment and take back $2.3 million using a private key for a cryptocurrency wallet.

Brenntag (2021)

On April 28, 2021, German chemical distributor learned it was the target of a cyberattack by Darkside, darknet Marketplace which stole 150GB of data that it threatened to leak if ransom demands weren’t met. After negotiating with the criminals, Brenntag ended up negotiating the original ransom of $7.5 million down to , which it paid on May 11.

CNA Financial (2021)

On March 23, 2021, CNA Financial, the commercial insurer in the US, it had “sustained a sophisticated cybersecurity attack.” The attack was by a group called Phoenix, which used ransomware known as Phoenix Locker. CNA Financial eventually paid in May to get the data back. While CNA has been tight-lipped on the details of the negotiation and transaction, but says all of its systems have since been fully restored. 

CWT (2020)

On July 31, 2020, US business travel management firm CWT disclosed it had been impacted by a  that infected its systems — and that it had paid the ransom. Using ransomware called Ragnar Locker, the assailants claimed to have stolen sensitive corporate files and knocked 30,000 company computers offline. 

As a service provider to of S&P 500 companies, the data release could have been disastrous for CWT’s business. As such, the company paid the hackers about $4.5 million on July 28, a few days before Reuters the incident. 

University of California at San Francisco (2020)

On June 3, 2020, the University of California at San Francisco that the UCSF School of Medicine’s IT systems had been compromised by a hacking collective called Netwalker on June 1. The medical research institution had been working on a cure for COVID.

Apparently, Netwalker had researched UCFS, hoping to gain insights into its finances. Citing the billions of dollars UCFS reports in annual revenue, Netwalker demanded a $3 million ransom payment. After negotiations, Netwalker the bitcoin equivalent of $1,140,895 to resolve the cyberattack. According to the BBC, Netwalker was also identified as the culprit in at least two other 2020 ransomware attacks targeting universities. 

Travelex (2019)

On New Year’s Eve 2019, London-based foreign currency exchange Travelex was by a ransomware group called Sodinokibi (aka REvil). The attackers made off with 5GB of customer data, including dates of birth, credit card information, and insurance details. Travelex took down its website in 30 countries in an attempt to contain the virus.

In the wake of the ransomware attack, Travelex struggled with customer services. Sodinokibi initially demanded a payment of $6 million (£4.6 million). After negotiations, Travelex paid the cybercriminals  (285 BTC at the time, roughly £1.6 million) to get its data back.

WannaCry (2017)

In May 2017, a ransomware called infected computers across the globe by exploiting a vulnerability in Windows PCs. The WannaCry vulnerability was revealed during a massive leak of NSA documents and hacking tools engineered by a group called Shadow Brokers in . 

Though the exact number of WannaCry victims remains unknown,  around the world were infected. Victims included Spanish telecommunications company Telefónica and dark market url thousands of hospitals in the UK. Computer systems in 150 countries were affected by the attack, with a total estimated loss of around $4 billion globally.

The attackers initially demanded to unlock infected computer systems. The demand was later increased to $600 in bitcoin. However, some researchers claim that no one got their data back, even if they met the demands.

WannaCry attacks to this day. In February 2021, the DOJ  three North Korean computer programmers for their alleged role in the WannaCry outbreak.

Locky (2016)

Discovered in February 2016, Locky is notable due to the incredibly high number of infection attempts it’s made on computer networks. Attacks typically come in the form of an email with an invoice attached from someone claiming to be a company employee. On February 16, 2016 identified more than 50,000 Locky attacks in one day. 

Locky has , but the goal is largely the same: Lock computer files to entice owners to pay a ransom in cryptocurrency in exchange for a decryption tool, which would allow users to regain access to their locked files. The majority of Locky victims have been in the US, and , but Canada and France experienced significant infection rates as well. 

TeslaCrypt (2015)

 an earlier program called CryptoLocker, the earliest TeslaCrypt samples were circulated in November 2014 but the ransomware was not widely distributed until March of the following year.

TeslaCrypt initially targeted gamers. After infecting a computer, a pop-up would direct a user to pay a for darknet market a decryption key to unlock the infected system. report the requested ransoms ranged from $250 to $1000 in Bitcoin. In May 2016, the developers of TeslaCrypt a master decryption key for affected users to unlock their computers.

CryptoWall (2014)

Widespread reports of computer systems infected from the CryptoWall ransomware emerged in 2014. Infected computers were unable to access files — unless the owner paid for access to a decryption program. impacted systems across the globe. The attackers demanded payment in the form of prepaid cards or bitcoin. CryptoWall caused roughly $18 million in damages, . Multiple versions of CryptoWall were released, with each version making the ransomware more difficult to trace and combat.

CryptoLocker (2013)

The first time much of the world heard the term “ransomware” was during 2013’s outbreak. Discovered early in September 2013, CryptoLocker would cripple more than 250,000 computer systems during the following four months. Victims were instructed to send payments in cryptocurrency or money cards to regain access. The ransomware delivered at least  to its perpetrators. 

A in 2014 succeeded in taking down the Gameover ZeuS botnet, which was a primary distribution method for CryptoLocker. The DOJ indicted Russian hacker Evgeniy Mikhailovich Bogachev, as the botnet’s ringleader. Bogachev is still at large — and the FBI is currently  of up to $3 million for information leading to his arrest and/or conviction. 

AIDS Trojan/PC Cyborg (1989)

Widely considered the template for all subsequent attacks, darknet market the AIDS Trojan (aka PC Cyborg) is the  of a ransomware attack. In 1989, more than a decade before the creation of bitcoin, a biologist named Joseph Popp distributed 20,000 floppy disks at the World Health Organization AIDS conference in Stockholm. The floppy disks were labeled “AIDS Information – Introductory Diskettes” and contained a trojan virus that installed itself on MS-DOS systems.

Once the virus was on a computer, it counted the times the computer booted up. Once the computer booted up 90 times, hid all directories and encrypted filenames. An image on the screen from the ‘PC Cyborg Corporation’ directed users to mail $189 to a PO address in Panama. The decryption process was relatively simple, however, and security researchers released a free tool to help victims.

A government shutdown of dark web marketplaces AlphaBay and Hansa has merchants and consumers looking for a new home.

Authorities , the largest online marketplace for illegal goods, on July 4, and took down Hansa, the third largest, on Thursday. The sites, where people could buy drugs, guns and child pornography, had flourished since 2014, when a predecessor, Silk Road, was shut down. 

Fueled by Tor browsers and cryptocurrencies that offer anonymity, AlphaBay, Hansa and other sites avoided much government detection, allowing  in the wake of Silk Road’s demise. AlphaBay replaced as the biggest, growing to be 10 times larger. 

When one dark market falls, buyers and sellers just move on to the next one.

The migration of buyers and sellers comes as authorities around the world crack down on digital marketplaces that cater to growing numbers of shadowy sales. at the time it was taken offline. By comparison, Silk Road had just 14,000 when the Federal Bureau of Investigation closed it four years ago.

Many of the sites . A recent study by the University of Manchester and think tank Rand Europe found 811 arms-related listings on . The researchers found nearly 60% of the weapons came from the US and most of the sales were headed to Europe. Worryingly, one gun bought on a cryptomarket was used in a .

FBI deputy director Andrew McCabe acknowledged shutting down such markets was like playing whack-a-mole. His agency would likely have to in the future, he said.

“Critics will say as we shutter one site, another will emerge,” McCabe said at a press conference. “But that is the nature of criminal work. It never goes away, you have to constantly keep at it, and you have to use every tool in your toolbox.”

One such tool: using a captured marketplace as a trap.

After the fall of AlphaBay, Dutch police said they saw traffic heading to Hansa spike eight-fold. That was something the cops were anticipating. 

Dutch police had full control of Hansa on June 20, but waited a month before shutting it down hoping to catch the new users in marketplace chaos.

“We could identify and disrupt the regular criminal activity that was happening on Hansa darknet market but also sweep up all of those new users that were displaced from AlphaBay and looking for a new trading platform for their criminal activities,” Rob Wainwright, the Europol director, said at the press conference.

Dutch police now have the usernames, passwords and IP addresses of thousands of Hansa users, and are tracking them down.

An underground in flux

The ploy has dark market onion web market users on edge. Many are concerned about whether the next available platform will be compromised as well. That has them questioning Dream Market, a marketplace that’s been in business since 2013 and benefitted from the shutdown of rivals. 

“After the closure of the AlphaBay market, many vendors expressed that they were moving their operations to Hansa and Dream darknet market,” Liv Rowley, an analyst at Flashpoint, said. “The shuttering of Hansa now leaves Dream the only remaining major option.”

Rowley noticed chatter on forums and subreddits pointing to Dream Market as the next AlphaBay, but people are wary after the Dutch police ploy.

Reddit users on several  threads have expressed concerns the website has been compromised in a similar fashion. A user who speculated Hansa had been compromised in a thread posted  returned on Thursday to warn that .

“This is a warning you will want to heed,” the user, who goes by , posted. “They are waiting to gather as many refugees from AB & Hansa as they can and then drop the hammer.”

Other marketplaces, like Tochka and darkmarket link Valhalla, could also rise in the vacuum AlphaBay and Hansa have left. Some smaller dark web markets are even appealing to those lost in AlphaBay’s shake-up. 

Security company was offering vendors from AlphaBay a discount if they moved to their platform.

“The entire illegal underground is in flux right now,” Flashpoint’s Rowley said.

It’ll be quiet on the dark web until people can find a reliable marketplace again, but eventually they will, said Emily Wilson, the director of analysis at Terbium Labs.

She called the busts a “sizable hiccup” but not “an irreversible blow.” 

It’s unclear who’ll emerge from the fallout. But the FBI estimates that more than 40,000 merchants are looking for a place to sell. And there are more than 200,000 customers looking for places to buy stuff they can’t get on Amazon. 

With AlphaBay, the Amazon of illegal goods, now shut down, the darknet market is fragmenting. If you want malware, there’s a market for that on the dark web. The same for guns and for drugs. So business will go on, albeit less conveniently.

“For now, there are plenty of smaller and more specialized markets for vendors and buyers to continue trading,” Wilson said. 

First published July 21, 8 a.m. ET

Update, 5:04 p.m.: Adds background on scope of the markets, weapons sales. 

: Online abuse is as old as the internet and it’s only getting worse. It exacts a very real toll.

: CNET chronicles tech’s role in providing new kinds of accessibility.