Репост второй части анализа российского сегмента сети Даркнет американцами из DarkOwl:
We are the darknet experts. Our mission is to be the world’s leading darknet content and tools provider and to empower our clients to continually improve their cybersecurity defenses.
[EN] Russians on the Darknet - часть 1
[EN] Russians on the Darknet - часть 2 (Даркмаркеты и Форумы)
Со временем постараюсь сделать перевод статей
Russians on the Darknet Part II: Marketplaces & Forums
January 25, 2019
In our previous Russian darknet focused blog post, we discussed some of the tools and techniques the Russians were discussing and using in offensive cyber operations against US and international organizations. Russian criminals are also notorious for selling malicious software, e.g. digital goods, on darknet marketplaces that could be used in an attack against government and corporate networks and infrastructure, e-mail lists for phishing, along with a myriad of illegal drugs and counterfeit.
A Historical Look Back
Russia’s presence on the Tor network is most well-known for the historical darknet forum & marketplace, RAMP -- Russian Anonymous Marketplace -- which was reportedly seized last July after a surprising effort by the Russian Ministry of Internal Affairs-which historically has turned a blind eye to online crimes.
Coincidently, the RAMP marketplace, active since September 2012, shut down around the same time as international authorities conducted Operation Bayonet, shutting down key centralized Tor marketplaces Alphabay and Hansa, amid concerns about possible law-enforcement’s use of denial of service attacks to expose the real IP address of the marketplace.
What Happened to the RAMP Community?
Similar to the after effects of shutting down AlphaBay and Hansa, the RAMP marketplace closure caused little disturbance to the Russian segment of darknet cryptomarkets. RAMP vendors successfully shifted to other key marketplaces while a hidden service called Consortium attempted to create an “ex-RAMP Verified Vendor Community” specifically for reconnecting with known verified RAMP vendors. DarkOwl Vision has successfully archived over 9,000 results from Consortium’s hidden service domains. Consortium was formed in late 2017 shortly after the RAMP marketplace closure, and active through May 2018. The Consortium hidden service featured 15,000 users, including more than 100 verified RAMP dealers who confirmed their identity with a PGP key. This archive provides an excellent investigative referential database for prominent darknet vendors and their aliases.
When RAMP disappeared, legendary Russian marketplace, Hydra witnessed an increase in user registrations and vendor activity while and near clone of RAMP, called MEGA surfaced only earlier this year.
Hydra has been an active darknet marketplace catering to the Russian Tor community since the Silk Road days. It resurfaced with a new Tor URL in the summer of 2016, less two years after law enforcement claimed it had arrested and charged the 26 year old market admin and Hungarian resident in November 2014 as part of Operation Onymous. Hydra is a centralized marketplace featuring many individual vendor-shops similar to RAMP with offerings including drugs, digital goods, and even mobile phone SIM cards.
Hydra prefers serious Russian drug vendors, only allowing sellers who are willing to pay “rent” for their shops and requiring a monthly payment of over $100 USD for use of the service. This reduces the likelihood of vendors who are actually scammers or law enforcement utilizing the site for entrapment and exploitation.
MEGA has a wide range of illicit drug offerings in their market catalog including items ranging from marijuana to opiates with delivery across the Eastern Slavic language countries of Russia, Ukraine, and Belarus. Similar to other anonymous centralized markets, MEGA also supports vendors selling digital goods such as databases, carding and counterfeit related products, and ready to use hacking software. MEGA features a hidden service layout very similar to RAMP, with over 200 links to unique vendor shops from the landing page and many of the same drug vendors that once traded on RAMP also advertise on MEGA.
For example, one drug vendor on MEGA who uses the moniker, Aeroflot openly states in their MEGA vendor profile that they were also active on RAMP. Cross referencing the nickname against DarkOwl Vision revealed that Aeroflot also has their own personal vendor Tor hidden service where they offer popular drugs such as amphetamines, hashish, and psychedelic mushrooms directly without the marketplace interface. The Aeroflot vendor shop was first indexed by DarkOwl Vision in January 2018.
Surprisingly, there is little information on the surface web about Russia’s MEGA marketplace, as most open source darknet cryptomarket reporting features Hydra instead. Despite this, MEGA also has a Clearnet proxy of their site via the website URL http://www.mega2web.com.
Both MEGA and Hydra hidden services emphasize trusted vendor-buyer relationships before the market will facilitate the crypto-transaction and goods exchange. For example, on Hydra, before an order from the buyer is processed, the vendor and buyer must communicate and trust each other. The market even offers a “transaction chat” platform to communicate securely about the order. The classical process for browsing, selecting, and ordering a product on the platform are used to communicate to the vendor that you intend to buy from them, referred to on Hydra as a “reservation.” The vendor’s confirmation and order approval are required before payment for the item is disbursed and shipping commences. This approach theoretically reduces the likelihood of scamming and law enforcement operations.
Hydra’s formidable return after such a large-scale joint-international law enforcement effort seizure and vendors trading on the RAMP clone-MEGA reinforces theories that shutting down darknet markets only yield a mild, temporary deterrent effect on the affected darknet community and does not have near the impact the media conveys. This supports arguments from social scientists, Décary-Hétu and Giommoni in October 2016 after analytical review of the effectiveness of police crackdowns on cryptomarkets where they stated:
Police crackdowns, as is the case for traditional drug markets, are not effective measures to lower the volume of sales on online illicit drug markets. Cryptomarket participants have been shown to have a minimal reaction, or one that is temporary, to overtly large shows of force and to have the ability to adapt through displacement techniques.
In Darknet Forums that Include Marketplace Features
There are a number of Russian-specific forums and bulletin boards across the Darknet. DarknetMarkets.co advertises Russia’s Wayaway forum as one of the oldest darknet marketplace, available since 2009, while the Tor hidden service title translates to “First Drug Forum.” Unlike centralized markets, Wayaway presents contents in a bulletin board layout with a range of topics, mostly drug-trafficking in nature, such as Shipping in Russia, Trade with CIS (Commonwealth of Independent States) Countries, Jobs, and Laboratory, where questions regarding home-based personal drug manufacturing are answered. Coincidentally, Hydra is listed as a Wayaway Partner on the forum’s footer along with Hydra logos, market links, and various digital advertising scattered across the forum. Wayaway serves also a gateway to Russian darknet drug vendors with a large section of the forum dedicated to connecting site visitors with individual drug vendors (i.e. “Trusted Stores in Russia”) including customer feedback and a question and answer section on transacting and shipping related concerns.
Wayaway topics have thousands of views and hundreds of comments indicating the forum serves as a high-volume resource for the Russian Tor community. Many of the most active users on Wayaway also trade in other drug and illegal goods forums on Tor.
Another popular Russian forum and marketplace on Tor is RuTor. RuTor has been an active Tor hidden service since 2015 and has quickly established itself as a reliable information resource for Russian hacking, darknet education, and project collaboration. RuTor’s landing page has several distracting advertisements at the top of the site similar to the previously popular RAMP marketplace.
Utilizing a bulletin board format similar to Wayaway, RuTor has established sections for Vendor Shop Fronts, Security, and News. The cryptomarket portion of RuTor is tightly controlled by the site administrator who must be contacted before submitting a deposit in a user’s market wallet. Most centralized marketplaces have an automated system for all market crypto-wallet deposits and withdrawals. RuTor has extensive threads covering cybersecurity related news, corporate data breaches, and technical tips and techniques for network infiltration and tracking.
“Protecting the interests and rights of your paranoia” is another key Russian darknet forum, Runion, or the Russian Onion Union. Runion does not have the marketplace focus, but instead covers a wide range of darknet criminal specific topics such as Operational Security, Cryptocurrencies, Weapons, Finance and Law, Breaking and entering, Psychology, Hacking as well as Substances and Health. Example threads include in-depth technical conversations around potential Telegram hacking techniques, Dismantling and Shooting an RPG-22, and modifying smartphones for increased telecommunications security.
Administered by one who goes by Zed, Runion lists over 69,000 members, almost 20,000 topics, and over 300,000 messages posted on their forum since 2012. The nickname Zed is active across other hidden services, specifically moderating other well-known Tor carding forums.
Intelligent Hidden Services
The Russian darknet marketplaces and forums featured in this article have had a persistent Tor presence for several years and many include intelligent bot-detection code to prevent automation collection of their content. Captchas, formally known as Completely Automated Public Turing test to tell Computers and Humans Apart, are often present on many of the hidden services to detect if the website user is human or not. DarkOwl Vision’s authenticated crawl routine specifically targets services containing high value intelligence with such authentication protocols. In order to successfully view the content of a hidden service that includes such bot-detection methods with Professional Tools, search the domain along with the search pod, “GROUPS->AUTHENTICATED SITES” to reduce result noise.
Источник - https://www.darkowl.com/blog/2019/russians-on-the-darknet-marketplaces-amp-forums