The article surveys how major dark Web drug markets have become a multi-hundred-million-dollar ecosystem, with a shift toward mobile apps and instant messaging for buying, selling, and coordinating deliveries. It highlights ongoing wars for market share (Hydra-era markets vs. newer platforms) and the increasing use of Telegram IMs, bespoke mobile apps, and decentralized platforms like Kraken, as well as notable hacks and disinformation campaigns aimed at shaping the illegal drug trade online.
#Hydra #KillNet #RuTor #OMGOMG #WayAway #Kraken #BlackSprut #Solaris #Nemesis #AnonMarket
Keypoints
- Dark Web drug markets are collectively valued at about $315 million annually.
- Post-Hydra, markets shifted to alternative channels (Telegram, custom Android apps) and new ecosystems emerged around 2022–2023.
- Android-based mobile apps (often using the M-Club CMS) enable orders, courier instructions, and sharing of geo-coordinates for pickups.
- Major marketplaces analyzed include RuTor, OMG!OMG!, BlackSprut, WayAway (and its Kraken/Solaris tensions), Nemesis, Legalizer, Mega, and Anon Market.
- Criminal actors engage in cartel-like moves, domain hijacking, DDoS campaigns, and disinformation to influence market dynamics and deter rivals.
- Geopolitical tensions (Russia/Ukraine) and enforcement actions continue to shape, but not stop, the dark Web drug economy, and law enforcement needs new monitoring approaches.
MITRE Techniques
- [T1499] Denial of Service – KillNet is known for past DDoS attacks against NATO, U.S. law enforcement, and multiple EU government agencies during the peak of the war in Ukraine. Quote: “KillNet has attracted a lot of attention because of past DDOS attacks against NATO, U.S. law enforcement, and multiple EU government agencies during the peak of war in Ukraine.”
- [T1583.001] Acquire Infrastructure – Domains – Solaris hijacked RuTor’s onion domains. Quote: “the Solaris DNM then hijacked RuTor’s onion domains.”
- [T1566.001] Phishing – Compromised or phished accounts used to sow panic and manipulate market participants. Quote: “they published phished and previously registered accounts to instill panic.”
- [T1071] Application Layer Protocol – IM/Telegram used as communication and coordination channels for illicit trade. Quote: “Multiple groups registered on Telegram facilitating sales of illegal drugs were identified.”
Indicators of Compromise
- [Domain] Dark Web drug marketplace domains – deadpool-shop.top, https://deadpool-shop.top/index.php?r=public%2Fproducts&branch=26&q0a1c30b6da466bc143263dd4c2d61946=…