Searchlight Cyber Analysts

Three Notable Dark Web Law Enforcement Takedowns of 2024 So Far

In this blog we discuss three of the biggest dark web takedowns of 2024 and look at how law enforcement tactics have succeeded in disrupting criminal behavior on markets and forums.

 

A New Era of Cyber Crime Investigation

The landscape of the dark web has changed a lot over the last six months, in part driven by the actions of law enforcement. In spite of cybercriminals using the dark web to remain anonymous, law enforcement agencies have been increasingly successful in collaborating to identify some of the most notorious actors, orchestrating takedowns, and seizing their infrastructure. What are law enforcement doing right?

In this blog, we discuss three of the biggest cyber crime investigations of 2024 so far to identify some of the common trends. Read on to hear how law enforcement agencies caught up with the likes of Nemesis, Incognito, and BreachForums.

Law enforcement vs dark web markets

In 2023 dark web markets saw revenues rise to $1.7b after the markets bounced back following the takedown of the largest marketplace, Hydra. A dark web market is a website on the dark web that functions as a black market, selling drugs, weapons, counterfeit currency, stolen credit card details, and a whole host of other illegal goods (as well as legal products). There are two main types of marketplaces that you’ll find on the dark web; autoshops and escrow Markets.

Autoshops specialize in the sale of digital products – such as financial data, login credentials, remote access, and cookies. The sale of these products is automated, meaning there is little to no contact with the seller. This means they typically have a high turnover of listings, sometimes into the millions. On the other hand, Escrow marketplaces are where anyone with enough money to pay the “vendor bond” can sign up and start selling. Think of them as the dark web equivalents of Amazon or eBay.

The Nemesis marketplace takedown

Founded in 2021, Nemesis was an escrow market that was noteworthy for focusing more on cybercrime and fraud related products, as opposed to drugs. Nemesis sold a plethora of illegal goods, including compromised data, hacking services and tools to conduct cyber attacks.

From its conception, Nemesis grew rapidly, with over 26,000 listings and more than 700 vendors on the dark web marketplace last year alone. The administrators operated a wallet-less market, removing the need for buyers to deposit funds to their account in an attempt to reduce fears of losing balance in the event of an exit scam or takedown. 

However, this year, Nemesis’ nearly three-year run ground to a halt. On March 21, 2024, German authorities announced the takedown of the Nemesis marketplace, with the Federal Criminal Police Office confirming that it had seized the digital infrastructure associated with the marketplace located in Germany and Lithuania, and confiscated $120,107 in cryptocurrency assets. The German law enforcement agency worked in collaboration with agencies in Lithuania and the U.S. 

Working across borders with other law enforcement agencies has been the key to success for a lot of dark web site takedowns, not just Nemesis. Increasingly, cybercriminals can now no longer use their ability to operate in other countries to evade arrest. By collaborating and sharing information on cybercriminals, agencies are able to widen the net, giving the likes of the Nemesis less room to hide. The users of marketplaces are also under the spotlight, with German authorities saying further investigations against criminal buyers on Nemesis are ongoing.

Law enforcement catches up with Incognito in retirement

Established in 2020, Incognito was a marketplace on the dark web that made its name by introducing innovative features. For example, the marketplace had a community governance section where users could make proposals related to the market and vote on ideas for new features. Plus, users were able to donate funds to the Incognite Foundation that were claimed to be distributed to organizations such as Tor Project, Monero and Medecins Sans Frontieres. The marketplace exclusively sold drugs, and buyers could use the escrow system to purchase items using cryptocurrency. 

In March 2024, the Incognito admins perpetrated an exit scam with a twist. On March 6, users of Incognito reported that they were unable to withdraw their cryptocurrency from the site and on March 11, the homepage of the marketplace displayed a message boasting “one final little nasty surprise.” The message read: “We have accumulated a list of private messages, transaction info and order details over the years. You’ll be surprised at the number of people that relied on our ‘auto-encrypt’ functionality. And by the way, your messages and transaction IDs were never actually deleted after the ‘expiry’….SURPRISE SURPRISE!!! Anyway, if anything were to leak to law enforcement, I guess nobody never slipped up.”

Incognito said it planned to publish all 557,000 orders and 862,000 cryptocurrency transaction IDs at the end of May. This message included a “payment status” page that listed their top vendors, and any vendor names in green were those who had already opted to pay the blackmail. The cost each vendor would need to pay was based on their status level within the marketplace. Level 1 vendors could pay a $100 fee, while level 5 vendors would need to pay up to $20,000.

Although the administrators behind Incognito probably thought the site’s closure meant they could live off the money it stole from its vendors in peace, law enforcement soon caught up with them on May 18, 2024 at JFK airport. The combined efforts of the FBI, Homeland Security Investigations, Drug Enforcement Administration, Food and Drug Administration, and the NYPD resulted in Rui-Siang Lin (known online as Pharaoh) being arrested in relation to his ownership of Incognito Market. 

Lin is charged with one count of a continuous criminal business, one count of narcotics conspiracy, one count of money laundering, and one count of conspiracy to sell contaminated and misbranded pharmaceuticals. The narcotics conspiracy offense carries a mandatory minimum sentence of ten years and a maximum possible sentence of life in prison. The remaining two offenses have a total potential sentence of 25 years in jail. 

This case shows that – even once a dark web site is closed – that does not mean that the operators behind it have escaped the reach of law enforcement. FBI Assistant Director in Charge, James Smith, said that “For nearly four years, Rui-Siang Lin allegedly operated ‘Incognito Market,’ one of the largest online platforms for narcotics sales, conducting $100 million in illicit narcotics transactions and reaping millions of dollars in personal profits.”

 Law enforcement vs dark web forums

A dark web forum is similar to forums on the clear web. It is a platform where users can freely discuss information and topics connected to illicit goods or services such as:

  • Drug sales, synthesis and consumption.
  • Child Sexual Exploitation and Abuse (CSEA) content.
  • Hacking.
  • Data leaks.
  • Extremism.

As with most of the dark web, the anonymity provided by these forums makes them attractive to cybercriminals, especially when exchanging information, resources, and services to facilitate cybercrime.

The seizure of BreachForums

BreachForums specializes in trading leaked databases and other cybercrime, with its users sharing exploits, tips, and tools. The dark web forum acted as an alternative to RaidForums, following its closure in 2022. BreachForums facilitated discussions on various illicit hacking activities and also served as a marketplace for the distribution of data breaches, hacking tools, and other illegal services. The forum gained notoriety for its high-profile incidents, including the sale of a database containing information of FBI-affiliated individuals, and a breach of a Washington D.C. health insurance marketplace.

In March 2023, the forum was temporarily taken down following the arrest of one of its administrators, Conor Brian Fitzpatrick (alias pompompurin). But in June 2023, the forum re-emerged, with ownership of the site transferred to ShinyHunters, a hacking group responsible for numerous high-profile breaches since 2020 including Tokopedia, Wattpad, and Animal Jam.

Then, on May 15, 2024, BreachForums displayed a message stating that the FBI had taken control over its infrastructure. The message read: “This website has been taken down by the FBI and DOJ with assistance from international partners. We are reviewing this site’s backend data. If you have information to report about cyber criminal activity on BreachForums, please contact us.” Along with the dark web and clear web sites, the FBI also seized BreachForum’s Telegram channel, and other channels owned by the forum administrator Baphomet.

However, a turn in events saw the forum return just two weeks later on May 29, 2024, with admins regaining control of its clear web domain and launching a new dark web onion service. Since its return, ShinyHunters has posted an advertisement on the forum for an alleged database of 560m Ticketmaster customers. The details of the database are said to include:

  • Names.
  • Addresses.
  • Emails.
  • Phone numbers.
  • Details of ticket sales.

This case shows that, while the collaboration and coordination of agencies around the world has been key to taking down the likes of Nemesis and Incognito, law enforcement still have a difficult job on their hands to make takedowns stick. BreachForums has proved one of the most stubborn sites in surviving law enforcement action but each operation does create challenges for the forum and – as the arrest of pompompurin demonstrated – the administrators behind these sites are always at risk of being identified and brought to justice. For some sites, it is just a matter of time.

The future of marketplaces and forums on the dark web

The past few months have been especially turbulent for the dark web. How will it be impacted over the rest of the year? 

The unfortunate reality is that – while forums and marketplaces are being taken down – new sites will always emerge to take advantage of the gaps left behind. However, these three law enforcement operations – and many more besides – increasingly demonstrate that criminal forums and markets are not free to act with impunity. Even the largest, most established sites, are facing the possibility of a takedown and – as the case of Incognito demonstrates – early retirement is no guarantee for administrators that they won’t be brought to justice for their crimes.

Law enforcement agencies are applying more pressure and having a greater impact on criminal organizations operating on the dark web. Their net is widening, and the “safe spaces” for criminal activity are getting harder to come by.

To find out more about the components of a successful cyber crime investigation on dark web markets and forums, visit our CRIMINAL INVESTIGATION page.