This article is a free excerpt from inCOMPLIANCE, ICA's bi-monthly, member exclusive magazine.
A working knowledge of the Dark Web is critical to thwarting the criminals who use it, says Mark Johnson
The Dark Web (sometimes referred to as the ‘Darknet’) has for many years been a key feature in a wide range of online frauds, data breaches and cybercrimes, including ransomware attacks. In this article, I will briefly explain the nature of the Dark Web, the key types of crime it facilitates – with relevance to financial services compliance teams – as well as some of the open-source opportunities for investigators.
Please note that visits to Dark Web pages are inherently risky and usually require the use of special browser software. You should not undertake these activities on work devices without line and IT management approval. It is customary to use dedicated machines for investigations on the Dark Web, due to the elevated security risks. Always remember that you are ultimately responsible for your searches and clicks.
The Tor Darknet
The terms ‘Net’ and ‘Web’ refer to different facets of online technology. In the case of the ‘Darknet’, what is being described is the network of physical devices and software used to facilitate hidden services. When you connect to your broadband service, for example, you are using the ‘Net’.
The Darknet is a part of the ordinary Internet, but it consists of a network of adapted servers. In general, a ‘server’ provides a service, such as email, web page hosting, streaming, etc. Tor Darknet servers provide access to hidden services, by running a special version of standard Internet software.
The key features of this free network are:
- it has been funded in large part by the US government
- the modified approach routes users via relays in various countries; these routes change dynamically for each new visit to one or more online resources, such as web pages or forums
- the connections between users’ devices (‘clients’) and Darknet servers are encrypted, except for the first stage in the connection, and
- IP addresses are not shared and the users and visited locations remain anonymous to each other.
The Dark Web
‘Web’ refers to a web of hyperlinked pages and services hosted on the Net. When you open an Amazon page in your browser, you are using the Web to visit a page hosted on an Amazon server. The Dark Web is a network of hidden, hyperlinked web pages that receives a few million visits daily. These pages have a few additional features worth understanding.
- Their URLs are encrypted and don’t provide any useful information about the person operating the page. Here’s a fictitious example of a Dark Web page URL: http://jaz45aabn5vkemy4jkg4mi4syheisqn2wn2n4fsuitpccdackjwxplad.onion/
- Tor is by far the best known Darknet/Dark Web service and web pages on the Tor web always have the ‘.onion’ extension. This is useful to know. Anywhere you come across an onion address, or the ‘.onion’ extension itself, this will usually be a reference to some form of Dark Web activity.
- Most illicit transactions on the Dark Web are conducted using Bitcoin, thus adding another layer of security to the ‘onion of security’ that the Dark Web exemplifies.
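Because an onion address is a reliable marker of Dark Web activity, a review team can scan case notes, emails or logs for one. The Python below is an added example, not part of the original article: it finds current (version 3) onion hostnames, which are 56 base32 characters encoding a public key, a two-byte checksum and a version byte, and reports whether the checksum matches. The function names and the sample tickets are constructed for illustration.

```python
import base64
import hashlib
import re

# Version 3 onion hostnames: 56 base32 characters (a-z, 2-7) followed by ".onion".
ONION_RE = re.compile(r"(?<![a-z2-7])([a-z2-7]{56})\.onion\b", re.IGNORECASE)


def _checksum(pubkey: bytes, version: bytes) -> bytes:
    # Tor v3 address format: first two bytes of
    # SHA3-256(".onion checksum" || public key || version).
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]


def encode_onion(pubkey: bytes) -> str:
    """Build a well-formed v3 hostname from 32 key bytes (used for sample data only)."""
    version = b"\x03"
    raw = pubkey + _checksum(pubkey, version) + version
    return base64.b32encode(raw).decode().lower() + ".onion"


def is_valid_onion(label: str) -> bool:
    """True if the 56-character label carries version 3 and a matching checksum."""
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == b"\x03" and checksum == _checksum(pubkey, version)


def find_onion_references(text: str):
    """Return (hostname, checksum_ok) for every .onion hostname found in text."""
    hits = []
    for match in ONION_RE.finditer(text):
        label = match.group(1).lower()
        hits.append((label + ".onion", is_valid_onion(label)))
    return hits


# Constructed sample: the article's fictitious URL plus an address built from a dummy all-zero key.
PAGE_EXAMPLE = "jaz45aabn5vkemy4jkg4mi4syheisqn2wn2n4fsuitpccdackjwxplad.onion"
SAMPLE_TEXT = (
    "ticket 1: customer pasted http://" + PAGE_EXAMPLE + "/ in chat\n"
    "ticket 2: link seen in email: " + encode_onion(bytes(32)) + "\n"
    "ticket 3: no hidden-service reference here\n"
)

if __name__ == "__main__":
    for host, ok in find_onion_references(SAMPLE_TEXT):
        print(host, "checksum ok" if ok else "checksum mismatch")
```

A checksum mismatch means the string has the shape of an onion address but was mistyped, truncated or invented, which is worth recording separately from a well-formed hit.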
Other key Web layers
It’s also worth noting that Internet users typically use the two layers of the Web that sit above the Dark Web:
- the Surface Web, where they visit public web pages, conduct Google searches, or just browse in general, and
- the Deep Web, where they can access resources that require some form of log-in, and which are often not included in Google search results. Examples include Companies House in the UK, the US Library of Congress and many other resources.
It is estimated that about 96% of all information held on the global Web lives in Deep Web pages. Search engines like Google, Yahoo or Bing only account for about 4% of online data, while the data on the Dark Web represents less than 1% of the total.
Practitioners must have a clear understanding of the different categories of data in each online resource if they are to conduct effective reviews and searches.
One infamous example is Joker’s Stash, which was a prolific and highly regarded criminal site that retailed stolen payment card data for over six years, until it closed down in 2021. The person behind the site is estimated to have earned billions of pounds in Bitcoin fees by selling the stolen data to fraudsters.
Dark Web: A criminal starting point
Joker’s Stash serves as a model for a multitude of other carding sites. If you enter the search term ‘card shop’ in the Ahmia search engine, you will see hundreds of results (952 on the day of my visit).
Card-not-present fraudsters, and other classes of criminal, often begin their activities by purchasing stolen data from Dark Web sites. The Dark Web is their entry point.
Data thieves (criminal hackers) are the prime example of criminals for whom the Dark Web represents the end point of their activities: the point at which they turn stolen data into cryptocurrency. The key stages of their activities are as follows.
- Initial breach: cybercriminals gain unauthorised access to corporate databases or systems.
- Data extraction: valuable information is extracted from these systems and compiled into database dumps.
- Quality assessment: data is evaluated by the thieves for completeness, accuracy, and commercial value.
- Packaging: information is organised into sellable packages of varying sizes and quality.
- Market listing: data is advertised across multiple Dark Web and social media platforms to maximise exposure (you can search for ‘CVV Dump site:tiktok’ in Google to see numerous examples of accounts that point visitors to Dark Web selling pages).
- Transaction completion: sales are completed via Dark Web pages, using cryptocurrencies to maintain anonymity.
These criminals will often conduct some crypto laundering before converting their proceeds of crime into fiat money. This is usually done via Dark Web ‘Mixer’ services, where crypto coins are swapped between holders to further anonymise the provenance of each coin. There were 991 matches on the day of writing for the term ‘mixer’ in Ahmia.
Impact on financial services
The financial services industry bears significant costs from card fraud facilitated by the Dark Web. Global credit card fraud losses are estimated by one research firm to reach $43 billion by 2026, with the Dark Web being a key distribution channel for stolen card data.
In 2020, 115 million stolen debit and credit cards were posted to Dark Web marketplaces, and while statistics are hard to verify, the current number of search hits for Dark Web carding sites suggests that the problem is only growing.
Payment card data theft is demand driven. Without fraudsters wanting to purchase stolen data, there would be little incentive for hackers to steal data in the first place. Consequently, the solution lies not only in more secure payment mechanisms and databases, but also in addressing the online distribution of this data.
Clearly, given the current scale of activity, a lot more could and should be done to close these services down. Criminals will always find a way to share data, but there’s no reason to make it easy for them, particularly when this ease of access is likely to encourage more offenders to join in the attack.
The future
There are already Tor Project Dark Web alternatives, including I2P and the blockchain-based service, ZeroNet. More such services can be expected to arise, given the way in which Tor is funded and the focus international law enforcement has had on that service.
The future of the Dark Web can be expected to encompass further fragmentation, greater levels of security and anonymity, stronger encryption, support for wider cryptocurrency usage and expanding levels of geographic segmentation, with different services being blocked in some countries and allowed in others.
At the same time, law enforcement will be expanding its investigative capabilities, essentially leading to a Dark Web arms race.
With the expanding use of the Dark Web for fraud, money laundering, bribery and ransomware payments, financial services compliance teams will need to expand and update their knowledge of how this technology functions and how it’s being used.
It is not enough for us to operate reactively, waiting for a service like ZeroNet to become the new Tor Dark Web. We need to establish collective efforts to proactively identify risks in these, and other, emerging service models to ensure that our own offerings are sufficiently robust to counteract them.
In parallel, we must equip staff with the appropriate tools and training they need to search for evidence of data breaches and evolving challenges online, including on the Dark Web, educate other stakeholders on emerging threats, and ensure that governance, counter fraud, security, and audit frameworks address this class of risk.
This all begins with awareness, and the ability to describe the challenge coherently in the context and lexicon of risk and compliance.
About the author

Mark Johnson has over 45 years' experience in a variety of security and counter-fraud roles, ranging from drug trafficking interdiction and telecoms fraud management, to cybercrime, open source intelligence, and adversarial AI risk consulting and training.