How to explore the Darknet
The darknet is the dark side of the internet. It offers opposition and whistleblowers the possibility of secure communication, but it is also used for illicit trafficking in drugs, weapons and identity cards. Researchers of the BFH are investigating this marketplace and analyzing the sales, as our author Emmanuel Benoist writes.
We are a team from the RISIS institute of the BFH-TI, and we conduct research on Darknet markets. We use all possible traces, from crawling the web sites to blockchain analysis of Bitcoin transactions, to evaluate the transactions on the Darknet.
Hashish, MDMA, cocaine, counterfeit notes, credit card numbers or fake passports: Darknet markets offer plenty of illegal goods. Forensic investigators and researchers want to know exactly what happens on those networks. We want to see what is sold, who the sellers are, what their turnover is, and how the markets work. Therefore, we need to gather data about the exchanges and analyze them to measure the turnover of the different Darknet markets and sellers.
Bitcoin is the method of payment
Sellers and buyers on Darknet markets mainly use cryptocurrencies like Bitcoin. Since the Bitcoin blockchain is totally public, anybody can see any transaction done using Bitcoin. The researchers have tried to follow money transfers from one person to a market and then to a seller. Even in Bitcoin, where all the transactions are publicly accessible, this is not possible, since anybody can create as many Bitcoin accounts as they want. In reality, buyers and sellers use anonymization techniques (for instance tumblers) to hide the sources and destinations of transactions. Persons active in the Darknet will try not to reuse the same account twice; they will create new accounts each time their anonymity could be endangered. Following transactions directly is hence not possible.
By visiting the sites, we can see the mass of offers. On Dream Market, the largest of the Darknet markets, there are 86’000 offers for drugs, more than 60’000 digital goods (data, ebooks, hard core pornography, tutorials for hackers, ...), and around 6000 offers for services (fraud, fake IDs, counterfeit notes, ...). Getting an overview and finding the best sellers and what they sell is not possible: the number of pages is far too large to be covered manually.
BFH’s RISIS department developed systems that automatically visit all pages of the most important Darknet markets. We faced difficulties, since markets use anti-crawling measures. We have to solve captchas at the login (sometimes even before the login). We have to limit the number of visits per minute; otherwise, the site will kick our user out, or even ban the account for a long time.
Figure 1: Statistics showing the transactions per hour on Wall Street Market
We are looking for information on the turnover of the different sellers and the quantity of goods they sell. This information is normally not directly accessible, but we can estimate the turnovers by different means. Reputation mechanisms play a central role in Darknet markets, where each buyer should evaluate the seller for each transaction. On some sites this is mandatory; on others it is only optional. Afterward, any user can see the number of transactions of a user and the number of evaluations, and buyers can also read the evaluations of items directly. Crawling the pages gives us access to that information: for each seller, their reputation and their number of transactions, and for each item, the different reviews. We use this information to try to evaluate the turnover of sellers. We use the following figures: for each item sold, the number of comments; for each user, the number of transactions and the number of comments. Using a simple proportional calculation, we can guess the number of transactions for each item. Since we know the price of the items, we can evaluate the turnover for each item. We can find, for each market and each category, which sellers and which items have the largest turnover. We have found that reputation plays a central role, that a small number of actors play a central role in each of the categories, and that most of the big sellers are active mainly in one single category.
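The proportional calculation described above can be written out as follows. This is an added example, not the RISIS team's code: the field names, the sample figures and the choice to skip sellers without any comments are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data (not real market data): crawled seller profiles and listings.
SELLERS = {
    "seller_a": {"transactions": 1200, "comments": 800},  # reviews optional on this site
    "seller_b": {"transactions": 90, "comments": 90},     # every sale reviewed
    "seller_c": {"transactions": 40, "comments": 0},      # no reviews yet
}
ITEMS = [
    {"id": "i1", "seller": "seller_a", "category": "digital", "price": 10.0, "comments": 200},
    {"id": "i2", "seller": "seller_a", "category": "digital", "price": 50.0, "comments": 40},
    {"id": "i3", "seller": "seller_b", "category": "services", "price": 100.0, "comments": 30},
    {"id": "i4", "seller": "seller_c", "category": "services", "price": 20.0, "comments": 0},
]

def estimate_item_sales(item, sellers):
    """Scale the item's comment count by the seller's transactions-per-comment ratio."""
    s = sellers[item["seller"]]
    if s["comments"] == 0:
        return None  # ratio undefined: nothing to extrapolate from
    return item["comments"] * s["transactions"] / s["comments"]

def turnover_by_category_and_seller(items, sellers):
    """Return ({(category, seller): estimated turnover}, [ids of items skipped])."""
    totals, skipped = defaultdict(float), []
    for item in items:
        sales = estimate_item_sales(item, sellers)
        if sales is None:
            skipped.append(item["id"])
            continue
        totals[(item["category"], item["seller"])] += sales * item["price"]
    return dict(totals), skipped

def top_sellers(totals, category, n=3):
    """Rank sellers of one category by estimated turnover, largest first."""
    ranked = [(seller, t) for (cat, seller), t in totals.items() if cat == category]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)[:n]

if __name__ == "__main__":
    totals, skipped = turnover_by_category_and_seller(ITEMS, SELLERS)
    print(top_sellers(totals, "digital"), "skipped:", skipped)
```

The estimate assumes that a seller's buyers leave comments at the same rate for every item, which is why the per-seller ratio is applied to each item's comment count.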
When most transactions take place
We have seen that following Bitcoin transfers is useless because of the different anonymization techniques used by Darknet users. We found a solution to mark transactions. On some Darknet markets, to compensate for the lack of trust, people use multisig transactions. A multisig transaction is created by three persons (vendor, buyer, market) using their public keys. Two of the corresponding private keys are needed to release the money, since two of the three persons need to sign the corresponding transaction. The Darknet market «Wall Street Market» offers this possibility. We succeeded in following some keys that are reused. With some more investigation, we found some addresses used to collect the fees paid for each transaction. We can now see all the transactions of this market and analyze them. We have the turnover of this market for all Bitcoin transactions. We can compute statistics to see at what time or on which day most transactions are done. The statistics in Figure 1 show that the transactions are not evenly distributed over the day. The transactions are overrepresented during the daytime in Europe, with a peak in the evening. This contradicts our first intuition, where we supposed that a large part of the transactions are done on the west coast of the USA (since everything in the IT world starts on the west coast). We were surprised to see that, according to the actual values of the transactions, the largest part of the transactions is done in the European time zone.
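To illustrate how reused keys can link multisig transactions, the following added example (not the researchers' tooling) parses 2-of-3 multisig scripts and reports every public key that appears in more than one of them. It assumes the standard Bitcoin script layout OP_2 <key> <key> <key> OP_3 OP_CHECKMULTISIG; the page does not say which script format the market uses, and the sample scripts are constructed with filler bytes instead of real keys.

```python
from collections import defaultdict

OP_2, OP_3, OP_CHECKMULTISIG = 0x52, 0x53, 0xAE

def parse_2of3(script_hex):
    """Return the three public keys (hex) of a 2-of-3 multisig script, or None."""
    try:
        s = bytes.fromhex(script_hex)
    except ValueError:
        return None
    if len(s) < 3 or s[0] != OP_2 or s[-2] != OP_3 or s[-1] != OP_CHECKMULTISIG:
        return None
    keys, i, end = [], 1, len(s) - 2
    while i < end:
        n = s[i]                      # direct push opcode: value is the key length
        if n not in (33, 65) or i + 1 + n > end:
            return None               # not a (un)compressed public key push
        keys.append(s[i + 1:i + 1 + n].hex())
        i += 1 + n
    return keys if len(keys) == 3 else None

def reused_keys(scripts):
    """Map each public key seen in more than one script to the ids of those scripts."""
    seen = defaultdict(set)
    for sid, script_hex in scripts.items():
        for key in parse_2of3(script_hex) or []:
            seen[key].add(sid)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

# Constructed sample: 33-byte filler "keys" (prefix 02/03 + repeated byte), not real keys.
def _key(prefix, fill):
    return bytes([prefix]) + bytes([fill]) * 32

def _script(*keys):
    body = b"".join(bytes([len(k)]) + k for k in keys)
    return (bytes([OP_2]) + body + bytes([OP_3, OP_CHECKMULTISIG])).hex()

REUSED = _key(0x02, 0xAA)             # stands in for a key that shows up in several escrows
SAMPLE = {
    "tx1": _script(_key(0x02, 0x01), _key(0x03, 0x02), REUSED),
    "tx2": _script(_key(0x03, 0x03), REUSED, _key(0x02, 0x04)),
    "tx3": _script(_key(0x02, 0x05), _key(0x03, 0x06), _key(0x02, 0x07)),
    "bad": "5221aa53ae",              # truncated push: rejected by the parser
}

if __name__ == "__main__":
    print(reused_keys(SAMPLE))
```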
Further research needed
We are looking for more information. Some transactions use another cryptocurrency, Monero. Monero has been designed for its privacy-preserving properties. Following transactions in Monero will be much more difficult than in Bitcoin. We are still investigating whether some information can be leaked out of Monero. We also need long-term data to show trends in the Darknet market industry.