minute read
Download the full version of the report (PDF)
Hundreds of deals are struck on the dark web every day: cybercriminals buy and sell data, provide illegal services to one another, hire other individuals to work as “employees” with their groups, and so on. Large sums of money are often on the table. To protect themselves from significant losses, cybercriminals use regulatory mechanisms, such as escrow services (aka middlemen, intermediaries, or guarantors), and arbitration. Escrow services control the fulfillment of agreements and reduce the risks of fraud in nearly every type of deal; arbiters act as a kind of court of law for cases where one of the parties of the deal tries to deceive the other(s). The administrators of the dark web sites, in turn, enforce arbiters’ decisions and apply penalties to punish cheaters. Most often, these measures consist in blocking, banning, or adding to “fraudster” lists available to any member of community.
Our research
We have studied publications on the dark web about deals involving escrow services for the period from January 2020 through December 2022. The sample includes messages from international forums and marketplaces on the dark web, as well as from publicly available Telegram channels used by cybercriminals. The total number of messages mentioning the use of an escrow agent in one way or another amounted to more than one million, of which almost 313,000 messages were published in 2022.
Dynamics of the number of messages on shadow sites mentioning escrow services in 2022. Source: Kaspersky Digital Footprint Intelligence (download)
We also found and analyzed the rules of operating escrow services on more than ten popular dark web sites. We found that the rules and procedures for conducting transactions protected by escrow on various shadow platforms were almost the same, and the typical transaction pattern that involved escrow services was as follows.
Besides the posts relating to escrow services, we analyzed those relating to arbitration and dispute settlement. We found that the format for arbitration appeals was also standardized. It usually included information about the parties, the value of the deal, a brief description of the situation, and the claimant’s expectations. In addition, parties sent their evidence privately to the appointed arbiter.
What we learned about dark web deal regulation
- About half of the messages that mention the use of an escrow agent in one way or another in 2022 were posted on a platform specializing in cashing out and associated services.
- Cybercriminals resort to escrow services—provided by escrow agents, intermediaries who are not interested in the outcome of the deal—not just for one-time deals, but also when looking for long-term partners or hiring “employees”.
- These days, dark web forums create automated escrow systems to speed up and simplify relatively typical deals between cybercriminals.
- Any party may sabotage the deal: the seller, the buyer, the escrow agent, and even third parties using fake accounts to impersonate official representatives of popular dark web sites or escrow agents.
- The main motivation for complying with an agreement and playing fair is the party’s reputation in the cybercriminal community.
- A deal may involve up to five parties: the seller, the buyer, the escrow agent, the arbiter, and the administrators of the dark web site. Moreover, further arbiters may be involved if a party is not satisfied with the appointed arbiter’s decision and tries to appeal to another.
The reasons to learn how business works on the dark web
Understanding how the dark web community operates, how cybercriminals interact with one another, what kinds of deals there are, how they are made, and what roles exist in them, is important when searching for information on the dark web and subsequently analyzing the data to identify possible threats to companies, government agencies, or certain groups of people. It helps information security experts find information faster and more efficiently without revealing themselves.
Today, regular monitoring of the dark web for various cyberthreats — both attacks in the planning stages and incidents that have already occurred, such as compromise of corporate networks or leakage of confidential documents, is essential for countering threats in time, and mitigating the consequences of fraudulent or malicious activities. As the saying goes, forewarned is forearmed.