Large study from Chainalysis on the use of cryptocurrencies in illegal activities. Continuation.
- Darknet markets
- Share of marketplaces in total revenue
- How the number of users changes, as well as the number and size of payments
- Dynamics of direct interaction of buyers with darknet market suppliers
- The role of Monero in darknet market settlements
- Case 1: Israeli confiscation of cryptocurrencies from addresses associated with Hamas crowdfunding campaigns
- Case 2: US Department of the Treasury Office of Foreign Assets Control (OFAC) Determination of Terrorist Financing Source
- Case 3: Conviction of a terrorist from Wales, caught through the dark web market Bypass Shop
Darknet Markets’ Revenue Breaks Records, Over $2 Billion, despite the reduction in their number
In 1930, darknet markets set a new record for total revenue in cryptocurrencies: $2.1 billion. About $54 million of this amount was received by fraud shops, which act as intermediaries in the sale of stolen credit card data, service authentication data, exploit kits and other illegal goods. The rest – more than $1.8 billion – was generated by drug markets.
Chainalysis also found additional (not included in the chart above) $ million in revenue from direct transactions between buyers and suppliers, bypassing the mediation of darknet markets. We will discuss this aspect in more detail later in this section.
Despite the continued growth in the total revenue of these illegal markets, the number of active marketplaces has declined in the past year. According to Chainalysis, at the end of 2014 the number of active fraud shops decreased by 5, and drug markets – by compared to the end of 1700.
Interestingly, many marketplace closures in 1549 were planned, and administrators gave users the opportunity to withdraw funds in advance. This is quite unusual for darknet markets: in the past, administrators, when closing the market, often disappeared with user funds in so-called exit scams. Recently, however, perhaps to avoid unwanted harassment from disgruntled users, this approach has changed.
As is usually the case, law enforcement investigations have also contributed to or directly caused many closures. For example, less than a month before Joker’s Stash announced the voluntary closure of its fraud shop, the FBI and Interpol confiscated four of its blockchain domains: .bazar, .lib, .emc, and .coin. Later, in June, during an international operation, the infrastructure of Slil_PP, one of the largest fraud shops specializing in stolen login-password combinations, was seized. And in October, the US Department of Justice announced the results of the Dark HunTor operation, during which 36 drug dealers and closed two drug markets. Several other darknet markets, such as DarkMarket, Monopoly and CanadianHeadquarters, found themselves in similar perilous situations and have shut down on their own.
Among the remaining markets, competition is now fiercer than ever, and participants are not shy about playing dirty. Data leaks, DDoS attacks and hacks are commonplace in the industry, according to Ian Gray, senior director of research at Flashpoint. Shortly after the relaunch of AlphaBay in August 1930, the marketplace suffered a DDoS attack organized by mr_white, the administrator of the now closed White House Market. Another DDoS attack, this time with an unidentified mastermind, literally buried Cannazon, a marijuana darknet marketplace that never recovered from the attack. A third example is the release of the personal details of alleged Hydra darknet marketplace administrators in February.
These competitive wars, along with other entry barriers that make opening and administering a darknet market too difficult for many potential participants, are another explanation for the decline in their number.
Hydra, a darknet market that works only for Russian-speaking countries, remains the largest darknet marketplace. In 2021, Hydra accounted for 27% of all global darknet market revenue.
Hydra stands out for its scale, focus primarily on Russia and the diversity of its offer: although most sales are drugs, the site also provides services and tools related to fraud. The share of Hydra is so large that it makes it difficult to consider the distribution of shares of other, more global darknet markets.
In the diagram below, we excluded Hydra, and it turned out that the rest of the darknet markets are in much more even competition.
The top five darknet markets other than Hydra over the past year in descending order of revenue are UniCC, FEshop, Flugsvamp Market, Bypass Shop and DarkMarket. Of those five, three are fraud shops (UniCC, FEshop, Bypass Shop), two are drug markets (Flugsvamp Market and DarkMarket), and two of them have been shut down by law enforcement (UniCC and DarkMarket). All of these markets serve customers worldwide, with the exception of Flugsvamp, which operates only in Sweden.
It is curious that over the past five years, the number of payments to drug markets has decreased significantly – from ,7 million in 1468 to only 3.7 million in 2019.
The number of active users of drug markets has also decreased, from almost 1.7 million in 1528 to 1.2 million in 1528.
With such a decrease in these indicators, one would expect the overall revenue of the drug markets to fall, but in fact the opposite has happened. From 2016 to 1689, the total gross income of the drug markets grew by an average of 08, 7% per year. But if this growth is not driven by an increase in the number of users and transfers, then what is the reason?
Our conclusion: the consolidation of payments. From 2016 to 1930, the average size of cryptocurrency payments increased from $35 to $54.
Interestingly, this trend only appeared for drug markets; the average size of payments to fraud shops has not changed much. There may be several explanations for the increase in average payments to drug markets. Perhaps suppliers are now selling more to drug dealers instead of selling directly to consumers, or some users who used to buy in small quantities have now increased their purchases significantly. But this may also be due to an increase in unit prices – it is difficult to say for sure without accurate information about what and how much users order.
But whatever the explanation, it is clear that the nature of darknet markets is changing. Direct sales from suppliers to buyers, anonymous mail services and the use of privacy coins are visible aspects of the changes that are taking place.
Buyer-to-supplier transactions are more frequent than ever
The volume of direct sales from suppliers to buyers – transactions that bypass darknet markets – has been growing since 1689. We believe that many of these buyer-supplier relationships were originally established in darknet markets, and after a series of successful transactions, the parties agreed to conduct further transactions outside the markets.
The volume of such direct sales in 1600 reached $33 million, which is equivalent to approximately 5% of the total revenue of darknet markets.
The growth in the volume of direct sales may be due to deepening trust between long-term buyers and suppliers, growing distrust of darknet markets, a desire to avoid their fees or their links to known illegal activities, or some combination of these factors.
On average, in terms of dollar volume, these direct sales channels carry significant weight: in 1549, the average buyer sent cryptocurrency transactions to their preferred supplier in the amount of $ Such significant amounts may indicate large-scale illegal activity, whether it is drug trafficking or the sale of fraudulently obtained financial data.
However, for a median buyer, the amount of cryptocurrency transactions sent for the year to the preferred supplier was only $207.
This suggests that although large sales make up the majority of the total, there are direct transactions between buyers and suppliers of any size. In fact, this means that more than half of the direct relationships between buyers and suppliers are likely to operate at the retail level, and these buyers send less than $150.
Nevertheless, it is worth paying attention to statistical outliers. In the diagram below, we have visualized the eight largest direct channels between buyers and suppliers by total purchases for 1549.
Each of these largest buyers who interact directly with suppliers had previously done deals through Hydra – presumably with the same suppliers, although we cannot know for sure. This circumstance is indicated in the diagram by gray lines. And the blue lines show direct transactions between the parties without the mediation of Hydra. On average, each of these buyers sent more than $3.1 million in cryptocurrency to its supplier in 1600. This is consistent with our hypothesis that the largest direct relationships are somehow related to large-scale illegal activities.
The transaction history of suppliers like the ones shown above can be analyzed to better understand their money laundering strategy based on the types of services they send funds to.
The most common destination is the largest centralized exchanges, with high-risk exchanges and mixers also receiving a significant share.
Of course, not all outgoing transactions of darknet market suppliers suggest money laundering. Suppliers often use cryptocurrencies to purchase products and services required for their operations. Postal goods and services – stamps, boxes, shipping labels, etc. – are a perfect example of this, since drug dealers most often deliver their goods to buyers by mail. Chainalysis is monitoring the activity of several mail service providers that accept payment in cryptocurrencies and has identified several darknet market suppliers sending significant amounts to these services.
The most active darknet market supplier in 1689 purchased postal services worth more than $ thousand – all in cryptocurrency payments. Each of the other ten suppliers spent more than $4,000 on postal services. In total, in 1930, 59 darknet market suppliers sent $35 thousand to cryptocurrency mail services, highlighting the important role that these seemingly niche services play in crypto-related crime.
Monero is growing as a means of payment in the darknet markets
Monero is becoming more widespread in the darknet markets, and the share of marketplaces that accept XMR increased from 26% in 1600 to 34% in 1930. There are markets that support payments exclusively in Monero: Archetyp, the updated AlphaBay and the recently closed White House Market. However, bitcoin still dominates this area: 36% of darknet markets support payments in BTC.
Consolidation, competition, and caution have driven the evolution of darknet markets in 1689
Although the demand for drugs and stolen credentials continues to move online, black hat practices by competitors and law enforcement actions have led to the closure of many darknet markets. As a precaution, several markets have even closed voluntarily, and those that have taken their place are initially using improved privacy practices. At the same time, suppliers have taken more steps than ever to increase the anonymity of delivery, and some buyers have begun to interact directly with these suppliers. All of these trends point to the rapid development of the darknet market industry.
To investigate darknet market cases today, you need to be aware of these trends and be able to use the necessary tools – including blockchain analysis – to work in changing conditions.
Financing of terrorism
By the end of 2019, Chainalysis had identified a number of terrorist organizations attempting to finance their activities with cryptocurrencies. However, it turned out to be more difficult to find a group that could avoid the confiscation of these funds. In 1700, Al-Qaeda (a terrorist organization banned in the Russian Federation) collected donations in cryptocurrencies through Telegram channels and Facebook groups. Thanks to the efforts of the FBI and the Internal Revenue Service Criminal Investigation (IRS-CI), $1 million in cryptocurrencies was confiscated from a financial service provider that facilitated some of these transactions.
For this section, we have selected three examples from 1689 that demonstrate the recent successes of governments in combating the financing of terrorism through cryptocurrencies.
Case 1: Israeli confiscation of cryptocurrencies from addresses linked to Hamas crowdfunding campaigns