In response, darknet market vendors are increasingly shifting their financial activity toward decentralized platforms. According to Chainalysis’ 2025 Crypto Crime Report, darknet market (DNM) vendors are adapting their money laundering tactics. Chainalysis data shows that about 0.14% of all transactions in crypto, some $50 billion, involve illicit activity, with a rise in stablecoins as an illicit payment mechanism. Jardine emphasized that illicit cryptocurrency transactions represent only a minor share of total crypto activity.
Transactions made in cryptocoin are also not as private as cybercriminals might think. Cybercriminals become complacent, said Alex Cosoi, chief security strategist at Bitdefender. Administrators ran an exit scam late last year, shuttering the site and dividing money among themselves after having temporarily gone silent in November. Dutch police said around 67,000 criminal transactions took place each month on Bohemia/Cannabia, with turnover peaking in September 2023 at 12 million euros. Finnish and Polish police in 2019 jointly shut down a predecessor marketplace called Sipulimarket. Although mainly aimed at the Finnish market, Sipulitie also did business in English.
Emerging Darknet Marketplaces Of 2025 Anatomy Tactics & Trends
ICIJ worked with experts to independently confirm the path of these funds. “My family and I were left financially shattered and emotionally broken,” he wrote in a March email to a Minneapolis-based FBI victim specialist that he shared with ICIJ. The man, who asked to remain anonymous to protect his family’s privacy, said he contacted more than a half-dozen law enforcement agencies, begging for help. Della Santa described investigating numerous frivolous-seeming cases involving tiny sums of money, which made it difficult to devote sufficient resources to reviewing more-serious ones.
Darknet marketplaces in 2025 illustrate a resilient and evolving underground economy. Focusing intelligence collection on specialised marketplaces yields better ROI for threat detection and proactive defence. They used “free data dumps” and emotional marketing to build trust before vanishing—an enduring lesson in the risks of social engineering. BidenCash and other exit-scam markets such as Torzon and Kingdom Market collapsed between 2022 and 2024. At the time, it had over 600,000 users, 17,000 listings, and approximately €250 million in transactions. Privacy-focused operators are shifting to Monero due to its default anonymity, compared to Bitcoin’s transparent ledger Darknet markets see BTC inflow drop to $2B.
Illegal Drugs
To buy and sell cryptocurrency, you need to use a digital wallet. She sent payments, first through remittance services like Western Union and World Remit, then to cryptocurrency wallet addresses he supplied. In early August, ICIJ sent OKX detailed questions about Weber’s case, including the OKX cryptocurrency wallet addresses where we found her scammers had deposited most of their funds. In the majority of cases, ICIJ found that funds from the alleged scammers’ wallet addresses were channeled to accounts at major cryptocurrency exchanges, including Binance, OKX, HTX and Bybit. Operation Destabilise was a rare triumph for law enforcement in the fight against cryptocurrency-related crime.
Telegram Emerges As New Dark Web For Cyber Criminals
DiLello and his wife aren’t sure if they will have to pay taxes on the retirement funds DiLello withdrew. An ICIJ analysis shows his funds were moved into an OKX deposit wallet a day after he made his “investment.” Before long, he had cashed out his IRA and pulled additional money from a separate savings account and invested it in OnChain. (This platform is not the same as the crypto service Onchain, owned by Crypto.com.)
UNC2891 Money Mule Network Reveals Full Scope Of ATM Fraud Operation
In 2012, it was closed and several operators and users were arrested as a result of Operation Adam Bomb, a two-year investigation led by the U.S. In the 2000s, early cybercrime and carding forums such as ShadowCrew experimented with drug wholesaling on a limited scale. One of the better-known web-based drug forums, The Hive, launched in 1997, serving as an information sharing forum for practical drug synthesis and legal discussion. Though e-commerce on the dark web started around 2006, illicit goods were among the first items to be transacted using the internet, when in the early 1970s students at Stanford University and Massachusetts Institute of Technology used the ARPANET to coordinate the purchase of cannabis.
Similarly to surface web markets, most darknet markets allow users to write textual feedback (reviews) about products and vendors (Brinck et al., 2023). The steady increase can be explained by the reliable operation of darknet markets, affected by community-building trust factors reducing the risks during the process of the darknet drug trade. Amid the global opioid crisis, the volume of drug trade via darknet markets has risen to an all-time high. The operators of several darknet markets with total sales of over a billion dollars have retired over the past year – marking a shift from the typical law enforcement takedowns and “exit scams”. In 2025, darknet markets continue to provide a secure and efficient platform for the trade of pharmaceuticals and digital products.
The past few months has seen a surge of darknet market closures, but few of them have been the result of takedowns or exit scams. Enable compliance services on your network by joining the world's only unified crypto financial system As the darknet continues to grow, its markets are expected to adopt even more sophisticated tools for secure trading, further enhancing the user experience and solidifying their role in modern commerce.
In 2025, the landscape of darknet markets has evolved significantly, offering users enhanced security, reliability, and a streamlined experience for drug trade. This paper provides an in-depth analysis of darknet markets, their functionality, and the implications of illicit transactions on global security. For years, Garantex was a major enabler of financial crime, facilitating money laundering for ransomware groups, darknet markets (DNMs), and other sanctioned entities. Personally identifying information, financial information like credit card and bank account information, and medical data from medical data breaches is bought and sold, mostly in darknet markets but also in other black markets. They function primarily as black markets, selling or brokering transactions involving drugs, cyber-arms, weapons, counterfeit currency, stolen credit card details, forged documents, unlicensed pharmaceuticals, steroids, and other illicit goods as well as the sale of legal products.
How The Dutch National Police Helped Genesis Market Victims
This increases both the size of stored databases and the potential damage in case of their disclosure, alteration, or deletion. For example, Slim CD, the American payment service provider behind Slim CD Payment Gateway, suffered a cyberattack resulting in a data breach affecting nearly 1.7 million payment cards in June 2024. Let's examine the potential consequences of cyberattacks, explore hypotheses of non-tolerable events for different financial institutions, and provide examples based on real incidents. Each financial organization independently determines which events are categorized as non-tolerable based on maximum acceptable levels of damage. Non-tolerable events triggered by a cyberattack on commercial financial institutions can result in serious reputational and financial consequences, including decreased business profitability and competitiveness. For example, in the first half of 2024, VPN access to a major bank in Ecuador and shell access to a bank in the UK were offered on dark web forums for the same price of $10,000.
Cybercriminals actively sold access with privileged local administrator rights (36%) and Active Directory domain administrator rights (26%). More than half (55%) of the listings are for access via RDP, VPN, and command shells, as these allow commands to be executed directly in the operating system environment of the compromised host, typically located within the organization's internal infrastructure. We classify such posts as ransom announcements, which, according to our data, appear in one out of every five posts on dark web forums. They announce that a certain company has been hacked and warn that the data will be made public if the ransom isn't paid. QuoteWizard later sent notifications to their clients regarding the breach of their personal data. The hacker provided a few sample records from the database and demanded a ransom of $2 million.
- Evidence suggests that warning darknet market users about a potential scam can reduce vendor and customer activity in the given market (Howell et al., 2022).
- In addition to that activity, markets like these host vendors that advertise their own cashout or swapping services, resulting in tens of millions of dollars in laundered funds.
- This paper examines the structure, operations, and impacts of darknet markets, exploring their role in global cybercrime.
- This study contains information on current global cybersecurity threats based on Positive Technologies own expertise, investigations, and reputable sources.
- The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) specifically cited the market's role in the fentanyl trade as a reason for the bust.
- These topics identified in the customer reviews suggest that the community of the selected darknet market implemented a safer form of drug supply, reducing risks at the payment and delivery stages and the potential harms of drug use.
How Xanthorox Helps Cybercriminals Generate AI-Powered Malware
While the true volume of illicit activity linked to Garantex is likely much higher — as illicit addresses continue to be identified — the available data provides a clear picture of its role in enabling cybercrime. Garantex was among the most prolific money laundering platforms in the crypto ecosystem, facilitating cybercrime on a global scale. The takedown marks a significant victory as international efforts escalate to disrupt illicit crypto activity. Department of Justice (DOJ), in coordination with authorities in Germany and Finland, announced the disruption of Garantex — a Russia-based cryptocurrency exchange deeply embedded in the global cybercrime economy. In Grand Theft Auto Online, players who purchase warehouses and garages for illicit cargo and stolen cars can buy/steal and sell them through trade on the "SecuroServ" syndicate website. The results of these markets are higher quality and lower prices of psychoactive substances as well as a lower risk of violent incidents.
Research Reports Download Report
Although each marketplace may have its own specialty, most focus on a few well-known categories. Today, they are still active and have evolved considerably in terms of security and sophistication. Transactions there are made with cryptocurrencies to keep everything as secret as possible.Want to explore more about how to enter safely? To access them, you need to use special browsers like Tor, which allow you to browse anonymously.
- You’ll get stolen credit cards, remote desktop account info, personal details, and various logs.
- Drug traffickers active on Nemesis sold fentanyl around the world, both on its own and surreptitiously laced into other drugs.
- Reviewers also shared information about the originality of the drugs, i.e. whether the product delivered matched the product advertised.
- Additionally, financial organizations accumulate significant capital, making them prime targets for attackers seeking to obtain direct financial gains—for example, by transferring funds from the accounts of the organization itself or its clients.
The U.S. Department of Justice indicted him on major narcotics and money laundering charges. At its peak it handled an estimated 80% of all dark web transactions. Shortly after, police in Germany and the U.S. charged the men with narcotics and money laundering.
Continued Evolution And Law Enforcement Efforts
Using data from Arkham Intelligence and Tronscan, blockchain data sources, ICIJ examined the flow of tether funds sent from three of these addresses to more than 35,000 deposit addresses used by Binance or OKX to collect funds from their clients. In reality, thieves are already laundering the target’s funds, often using major crypto exchanges to do so. Posing as love interests or tech support, the scammers steer their targets to sleek websites masquerading as legitimate cryptocurrency platforms, promising lucrative investment opportunities.
As far as financial recourse for victims, some banks and insurance companies have provided payouts and will include those funds as damages in lawsuits against Genesis Market cybercriminals. Though Genesis Market domains and servers were seized and antivirus programs have been updated, cybercriminals have already rebuilt illicit services like these. As it retrieved data from malware-infected computers, Genesis sold victims’ online footprints — which it called “bots” — on its market. To them and others, Genesis sold forms of stolen PII like credentials for email and social media accounts, as well bank accounts and crypto service accounts, and in its lifetime received tens of millions of dollars in crypto, mostly Bitcoin.
This set the legal precedent that even Tor hidden markets are prosecutable. Hundreds of kilograms of drugs and millions in Bitcoin were recovered. Dark web marketplaces have come and gone in a long running cat and mouse game. Vendors now vet markets for trustworthiness, often requiring invites or deposits. Even Hydra’s 2022 fall led to smaller Russian language markets trying to fill the gap, some suspected ones being Abacus or Drughub. They may hop to smaller markets, switch to privacy coins, or use encrypted messaging.
