Information processing among black-hat hackers during crisis periods over the dark web

Black-hat hackers on the dark web mostly sit on the borderline between online libertarians and cybercriminals. Whatever one's position in the debate over their rightfulness, it is highly important to thoroughly understand the organizational workings of their online communities.

A recently published paper studied a black-hat hacker forum hosted as a Tor hidden service. Whereas most studies of the dark web have focused on the technical aspects of its infrastructure and its association with criminal activities, this study analyzed a black-hat dark web community from a communicative perspective, focusing on how users react during a “crisis” period.

The study aimed to analyze how black-hat hackers accumulate “community intelligence” in order to overcome anxieties and uncertainties during a period of crisis. The researchers analyzed user conversations taking place on a darknet forum specializing in sharing information on various darknet marketplaces. The study covered the shutdowns of two darknet marketplaces. A marketplace shutdown represents one of the most distressing crisis events for black-hat hackers, since they incur financial losses, and shutdowns can result in arrests by law enforcement agencies.


The studied site: The “W” forum:

“W” is a Tor-based forum, launched in 2011, that specializes in sharing information and news on various darknet marketplaces. At the time the study was published, it had around 41,000 registered users who had submitted more than 135,000 posts across 36 different discussion boards. The most active period since the launch of the forum was in October 2017.

The crisis event: shutdown of two cryptomarkets:

The study analyzed how members of “W” interacted with each other during a period of crisis, represented by two cryptomarket shutdowns. Users’ interactions were analyzed during the month of February 2014, when two cryptomarkets were shut down, one after the other. These two cryptomarkets were “Utopia” and “Silk Road 2,” both hosted as Tor hidden services, with illicit drugs representing most of the items sold.

Utopia is one of the shortest-lived cryptomarkets ever on Tor: it was launched on February 3rd, 2014, only to be seized by the Dutch police a week later, along with all on-site bitcoins, which totaled around $610,000 at the time. Silk Road 2 was launched on November 3rd, 2013 and continued operating despite the arrest of its original owner a month after its launch, until it was hacked and taken down on February 13th, 2014. The compromise of Silk Road 2 led to the loss of bitcoins worth $2.7 million at the time.

Users’ posting activities during the crisis period:

The study retrieved all posts on the forum between January 2014 and March 2016, using a special cyber intelligence system that combined a data extraction parser with machine learning classifiers. However, the study’s analysis focused on the period between February 11th, 2014 and March 12th, 2014, during which 1,693 posts were contributed. This period covered the crises caused by the shutdowns of Utopia and Silk Road 2. As one might expect, posting activity on the forum skyrocketed in February 2014, the month in which both cryptomarkets were shut down.

Of the 1,693 posts contributed during the crisis period, 143 posts discussed the Utopia shutdown, while 449 were explicitly about the Silk Road 2 shutdown. The Utopia seizure ignited discussions about the security of hidden services. Also, the takedown of Silk Road 2 drove users to discuss potential alternative cryptomarkets. Posts including personal narratives about cryptomarket shutdowns were mainly negative, which ignited anti-social replies that included questioning, blaming, name calling, and finger pointing.

Even though the forum was filled with pro-community posts, the number of anti-social interactions increased dramatically during the crisis. These anti-social interactions expressed suspicion and distrust and included retaliatory messages.

Implications of the results of the study:

This study considers black-hat communities on the dark web as a form of hidden collective, whose success mainly depends on user anonymity and efficient management of social visibility. Crisis events, such as darknet marketplace shutdowns, can compromise these communities not only through financial losses, but also through failure to protect user anonymity.

The study’s results identified potential distrust pervading the forum’s interactions during the crisis period. Anti-social behavior increased noticeably in posts discussing the crisis events. The increased level of distrust and offensive posts heightened the tension between the significant losses associated with these crises and the limited crisis remedial resources, which depend entirely on internal, anonymous means without reaching out for help beyond the borders of the community. Moreover, the fact that users are anonymous to one another might have aggravated the level of distrust even more.

The vulnerability of the forum worsened as bitter users reacted by violating the community’s rule of anonymity to serve their own interests. For example, during the Utopia crisis, one member stole the identity codebooks and databases of other members and offered them for sale in retaliation. Similarly, even though rational processing was evident during the Silk Road 2 crisis (e.g. deliberation, uncertainty, and information providing), such effort was chiefly associated with suspicion, paranoid behavior, and conspiracy theories. Discussions involving Silk Road 2 mainly focused on questioning the trustworthiness of the administrators of this cryptomarket. These interactions were mostly aggressive and spread skepticism towards the developer team of Silk Road 2, with threats of doxing (posting personally identifiable information), which represents a violation of the community’s anonymity rule.

Nevertheless, such vulnerability and distrust applied only to a fraction of the forum members. Furthermore, there was significant evidence that many members helped each other in a friendly manner. Black-hat hackers were motivated to boost forum security by sharing concealment strategies. During both crisis and non-crisis periods, OpSec messages spread in a central manner, along with other communication activities. Users moved on quickly to alternative cryptomarkets, more secure networks, or new routes to communicate with vendors.

Final thoughts:

Black-hat communities on the dark web can be resilient to potential crisis events, thanks to their unique OpSec strategies and fragmented network framework, as this study shows. However, crisis events ignite anti-social behavior, which can drive some users to break the community’s anonymity rules. Further research is needed to determine whether anti-social behavior can negatively affect the responses of black-hat hackers during periods of crisis.

by: Tamer Sameeh

