The best darknet hit-for-hire idea I've seen is the one that uses a prediction market. You publicly bet $500k that Joe is not going to die in 1 week. Whoever takes the other side of that bet has an interest in making Joe die.
(Assume the prediction market is completely decentralized and untraceable. Assume there is an accurate way to determine the outcomes of the events in a manner compatible with being untraceable and decentralized.)
Assuming the prediction market isn't untraceable, would this be legal?
If Joe dies and someone gets $500,000 richer I'm sure the police would be very interested to investigate the transaction, but would the bet itself actually violate any laws?
It becomes really interesting once the other side of that bet can be crowdfunded.
Someone with half a million to squander already has the means to disperse of others. Whereas an enemy of the people may have 10,000 detractors, who while otherwise wouldn’t have the means, can pool together a seven figure bounty for $100 each.
It seems like an anonymous hitman system just doesn't work.
For the hitman, it's much safer to just take the down payment / etc and not do anything. That's just way more cost effective / lower risk to do that over and over again.
For the person hiring them... no reason to think the hitman won't do the logical thing and not do the hit / walk with the up front cash.... and probably limited no incentive to pay after the deed is done if in fact everyone is anonymous.
Historically speaking hitmen seem to be tied to organizations who the hitman and the employer more or less can trust / provide some level of protection / regular work / other work or at least the promise of it. And generally the professional hitmen eventually tend to be disposed of by the next hitman after their usefulness to their employer fades...
A system where nobody trusts anyone would seem to only attract scammers and some random idiots.
Dark web marketplaces are not exactly "a system where nobody trusts anyone". They are pseudonymous, as opposed to completely anonymous, and sellers absolutely build reputation and some degree of trust. Otherwise nothing would work - the problems you point out would prevent any business at all. It's theoretically possible for a hitman to build reputation in such an environment. However, it would have to be comparatively slow and high-stakes, which I suspect is the main problem and tips the scale towards scamming.
Perhaps some multi-step smart contract that creates a prisoner's dilemma where both parties pre-commit some money. On completion of the contract if both sides submit a completion code, you get some of it back (to incentivize you to complete the transaction) and the larger part goes to the hitman (to incentivize him to finish his job). If either side reneges the money gets burned or redistributed to random wallets.
One of the biggest takeaways from this for me is that PayPal has awful security when it comes to compromised accounts. The only reason compromised accounts would trade for prices that high is because hackers have a high success rate of stealing funds from them, and a low chance of getting caught.
Credit cards and bank credentials being worth comparatively much less means that hackers don't have easy ways to secure the funds - either there's a high risk that the transaction is reverted, or there's a high risk that the hacker gets caught and goes to jail. You can tell it's not just an effort issue because the value of the accounts barely scales as the amounts in the accounts increase.
> wouldn't there be a huge supply if their security, overall, was lax?
I don't think normal demand curve applies to stolen bank accounts. The value of a stolen account would be the average amount of money you can expect to get out of it, regardless of how many stolen accounts are available. An increase in supply wouldn't make that any different.
For the raw account details alone it probably has more to do with being able to use it as a pathway to transfer ill gotten gains into/out of US/EUR than it does w/ the contents of the account. For the transfers from stolen accounts it looks like it's just discounted based on probability that the transfer won't be reversed in time maybe?
Do they? I mean, logging in is one thing, but transferring? I believe the hacked account owner can just get their funds back, and PayPal is very trigger happy at freezing accounts (especially new or idle) that get a large (a few hundred or more) sum at once.
So if you were to gain access to a stranger's account, you'd have to transfer the money to an existing, old and actively used account. Which is likely to be your own or your friend's.
Seems like a huge risk, so the hackers just sell the account to some idiot willing to try it.
It scares me that posts like this always write of Tor like it's not compromised.
I browsed Tor regularly between 2011 and 2013. Late 2012 and early 2013 brought the most precipitous drop in deviant material. Before then, you couldn't throw a stone without coming upon CP (I avoided it like the plague but knew it was there), you could buy literally any drug on the Silk Road safely, and you could easily find bomb-making and asymmetric warfare information. Nowadays? Not so much.
I agree but for different reasons. There is no financial incentive to run a TOR node-- it's expensive and opens you to real legal risks. Therefore most nodes are run by universities and unknown actors-- in any case they are almost all funded by the state. If I was a nation state it would make my job much EASIER if I corralled all of the bad actors into a network that has a handful of defined exit points more or less under my control. The entire notion is absurd. I2P is actually more secure because it routes traffic dynamically rather than trusting a centralized "authority"
> Before then, you couldn't throw a stone without coming upon CP (I avoided it like the plague but knew it was there), you could buy literally any drug on the Silk Road safely, and you could easily find bomb-making and asymmetric warfare information. Nowadays? Not so much.
I'm sure CP existed and exists on the dark web, but I think it's an exaggeration to say "you couldn't throw a stone without coming upon CP". A few years back I spent quite a bit of time on tor (research purposes), and thankfully never once just stumbled upon CP - I'm sure it's there, but you're going to have to go looking for it.
While Silk Road isn't around any more, other drug marketplaces pop up as soon as one disappears - it's still very, very easy to buy any drug you want. Next day delivery of heroism? Easy. You've 3 big threats with buying drugs on the darkweb though:
1) The site pulling an exit scam, disappearing with all the escrowed funds
2) Your seller pulling an exit scam, taking money for as long as possible without sending any drugs, then leaving the market
3) The site being compromised by the feds - it's actually quite difficult to run a watertight site on the darkweb, so this does happen
I spent one single night exploring the dark web in 2011, stumbled on that on the first night.
Scrubbed my drives, poured bleach in my eyes and swore off TOR forever. I'd agree that at the time, it was rampant.
However, it was during the same time that the FBI had set up their Operation Torpedo so it's quite possible those were heavily advertised on purpose as a trap.
Either way, it's sickening and another proof that we can't have nice things. Give a dark-web to mankind and the first thing they do is upload disgusting illegal porn to it (I am not talking about kinks but actual criminal activity).
Perhaps there is more money to be made via the Dark Web these days, so those people selling things have a vested interest in not making it scary to use it.
If I was a Dark Web Drug Kingpin, I would want to lessen the stigma of using the Dark Web, and that means trying to DDoS unsavory sites, convince other sites not to link to it, and the like.
Because governments are wiretapping the entire internet they can track down any server they can connect to live regardless of the protocol or number of indirections (this could be prevented with Freenet-style distributed hosting), but the actual downfall of the dark web seems to be web technology and outsourcing hosting. Last I checked Tor browser didn't disable javascript even on .onion sites (restricting HTML to a subset and requiring CSP would go a long way), and when sites share hosting they tend to go down all at once.
Do you mean that the entire system is compromised or just that individual sites are? Because it sounds like you are painting with a very broad brush here.
I consider it likely that the entire system is compromised. I saw with early Tor that if a network is both truly anonymous and advertises itself as truly anonymous, deviant material is accessible everywhere. Tor didn't stop advertising itself as anonymous yet deviant material is a lot rarer, which tells me that it may not be as anonymous nowadays as they say.
There's a lot of evidence to the contrary. I don't mean to be rude, but your assertion sounds quite hollow and baseless. I'm certainly interested in any evidence you would have that shows tor is compromised.
> Avoid public or unsecured WiFi. If you must log into an account on a network you don’t 100% trust, use a VPN to encrypt all communications. Even bank websites can be forged to be almost undetectable if an attacker has administrative access to the network you’re using.
I think we should stop fear mongering over shady wifi. In a world with HSTS and CT, these types of attacks are incredibly difficult to pull off.
Aren’t you assuming that users are only navigating to HTTPS sites and entering information? That’s unfortunately not the case. That also ignores the fact that having information about general activity can in itself be a privacy concern, whether or not that information is readable.
I am assuming that users go to their bank website by typing it into google and then clicking on their bank as a result.
Google is HSTS. The bank may or may not be (what a sad state of affairs, but I digress) but the link from google will at least be https.
What websites do you have in mind that are not https and that average users enter personal information that could lead to identity theft on?
> having information about general activity can in itself be a privacy concern, whether or not that information is readable.
It definitely can be in some threat models. In the context of average user being the target of drive-by identity theft, I struggle to see a realistic threat model for traffic-analysis of encrypted network traffic.
Certificate transparency - Chrome requires all certificates to have a public certificate transparency log, which makes it very difficult for attackers to generate bad certificates undetected.
You would be very hard pressed to find a cloned card + PIN anywhere. That's the holy grail and information like that would never find its way outside of a team. Think about how easy it is to go to an ATM and use it.. Why would you sell that information for $25?
The rest of it seems fairly accurate based on jstash/unicc/etc.
Sure, you can get this data, but you also have to test what credit cards work and what don't. You can't just go to an ATM and start working through 50 credit cards you stole until one worked without something noticing. I'm assuming a lot of the cost is sunk to just testing if the credit cards even work and how well their fraud detector/max purchase limit is set up, which is very costly, so labor cost might be very high compared to the raw $25-per-number.
Some time ago I accidentally stumbled upon how some organized crime ring determined which credit cards worked. Someone in my party asked the Uber driver one night what other gigs they do for money. He said he uses this one card to get 40% cash back. Of course I asked more questions being the only one in security at this party:
He starts talking saying he goes around to different, small, local businesses - but never visiting the same place twice - and uses this card to pay for his friends' food, splitting the bill, but keeping the cash back rewards. Sometimes the card is rejected and he has to keep trying until it works finally. The actual credit card has to frequently connect to his phone by pushing a button on the card to sync with his phone to make purchases. Of course what his phone is doing is downloading a backlog of CCN's which then is sent to the credit card to change the magnetic strip dynamically - completely unknown to him he's testing if credit card numbers are working and getting paid for it. Genius scam, but that's what this one specific crime ring has to pay in order to check the availability of stolen credit card numbers.
An episode of Reply All[0] hints at another potential way of automated stolen credit card testing workflow.
In short, Domino’s across the US regularly receive strange orders for $2 Coke (and nothing else), which then no one ever picks up. The theory is, if a card doesn’t work, an automated script detects that as online order form switches to cash—and if it works, given the popularity of Domino’s this transaction might just slip by the cardholder’s attention.
Because there's almost no risk associated with it. You don't have to get a team together to hit up ATMs and extract money from those cards, which requires trust and increases complexity, you just mount a few skimmers, collect the data, remove the skimmers, and then sell it online and let someone else take the risk.
Cameras don’t do much unless the suspect has already been arrested and it’s just a matter of building up evidence.
Cameras can’t tell you the name and address of the pixel blob that is committing the crime. Cameras as a security device are overrated. My building had countless footage of people entering the bike room or parking and stealing bicycles. Resident makes a complaint to the police, proudly says “we have cctv footage!”, police shrugs and looks at cctv footage, and nothing happens because what do you do with the video of a thief stealing your bike..?
If the data is collected from a skimmer + pin pad camera then you are already in the current area of the cardholder. There are a lot of ATMs without cameras or ways to avoid your face appearing fully in a camera.
Unusual patterns and stolen cards are one of the primary reasons that they will rarely ever leave a team. It takes a great deal of work to gather stripe data + PIN. It's much easier to look for a website without PCI compliance. In-person carding is going by the wayside, but is much easier to accomplish if you have good data. You can buy dumps, but no one is turning over a PIN.
Why? Isn't that how card skimming used to work? The skimmer pulls card data, while the mechanism designed to capture PIN (video or physical keylogger). Being able to get CC details is quite a different business compared to actually using them to get goods/services.
It is. The majority of the enforcement work is around industry safeguards and customer re-imbursal from insurance pools. And very little of the work is around prosecutions because the liability is shifted and moved around very similar to a corporation, but even more distributed.
The hacker doesn't hack, but sells the information to be weaponized.
The person that weaponizes only does that to get a giant leak of data, that they sell in pieces.
The person that buys a few cards, gets 1 that works, and now we are talking about a few thousand dollars. Almost too small to care for a big investigation.
And so on and so forth.
There is rarely anyone to levy the whole force of the RICO act + CFAA + Wire Fraud + Conspiracy + Using a fake ID + etc etc
I think some readers are misunderstanding this, a cloned card in this context is actually skimmed from an ATM, which allows you to copy the physical card because you have copied the magnetic strip and also have the PIN associated with the card, though this is not the same as having the card number, expiration & CVV2 code from online phishing.
(Some chips aren't actually signing anything, they're just another way of reading the same info that's on the strip. It depends on the company issuing the card. This isn't covered in the video, but it's true.)
As the video shows, there are other vectors of extraction than ATMs.
Because selling a card online where you never have to meet anyone is much safer than taking a stolen card and start using it where you may end up on camera or police called at point of purchase. Much safer to keep your distance and just sell numbers.
If you get on torsearch or similar tor search engines, you see ads for similar stuff. You also see links in forums and such for places selling what you want. These are the types of prices the ads themselves claim. Is the author taking all those numbers at face value? Or is this some more in-depth research where it was possible to purchase one or more services? If it's the former, I don't find these numbers to mean much.
The links can be dead by the time you get to them. You don't know if it's just another honeypot. You don't know if you'll get what you pay for.
I bought an expensive T-shirt a long time ago from a rather legit looking apparel company (nice website, LTD company/bank account).
Learned the right words on Reddit, hit up Instagram and started looking for and messaging people. Got a few replies, went with the one who had the most legit looking photos.
After a few questions on WhatsApp (yeah, really, lol) got directed to the website and bought the right item... via direct debit because their payment processor was "down".
Big risk on my part, I guess, my plan if popo called was to just say "hey I only ordered a t-shirt!"... I did not think it through very well.
Got it pretty fast (Royal Mail tracked and signed) and found a gift pack of "Revels" inside. How nice of them!
It seems rather risky for them, wouldn't it take just one guy to talk? Or maybe the seller was new to the business.
Tbf, setting up a company, bank account and shipping, all while staying anonymous is extremely easy (but not legal) in the UK compared to the rest of EU.
Joking apart, my question wasn't to learn about drug prices for "practical use". I just think it's an interesting subject: how the web changes underground/illegal markets, what impact it has, etc.
There are lots of counterintuitive things in that field (look at how Portugal handles it), which makes it even more interesting to me. "war on drugs vs war on drug users".
https://www.wired.co.uk/article/kill-list-dark-web-hitmen
https://en.wikipedia.org/wiki/Assassination_market
Hacked websites, bribed operators etc.
In Finland, last year, a young man offered his hitman services on the dark web and eventually murdered another. The trial started in the beginning of June 2020.
Of course, he was not a professional hitman and the outcome was very scam'ish.
https://yle.fi/uutiset/3-11386629
Hard to imagine it working out any other way.
Considering there are ~325 million active PayPal accounts, wouldn't there be a huge supply if their security, overall, was lax?
And furthermore, isn't the security of a criminal getting money out of the system only equivalent to getting the money through banks?
I'll try to re-word the GP, thanks for highlighting your confusion.
It was on every single Hidden Wiki at the time.. it _was_ everywhere, and commonly linked to from sites like 4chan.
> other drug marketplaces pop up
Sure, but nothing like the Silk Road. In a winner-take-all market like the online marketplace market, you would expect a top dog to emerge.
When did you do your research? The difference I noticed began late 2012.
Damn, screw my "hero's journey," this sounds way more straightforward. :P
It's nothing now like it was then.
[0] https://gimletmedia.com/shows/reply-all/z3hgd2
Why not? ATMs work at 3AM.
> but you also have to test what credit cards work and what don't
Not really, if it’s data you skimmed yourself odds are they’ll work more than half the time.
Doesn't seem easy at all. ATMs have cameras and are monitored for abnormal transactions (stolen cards, unusual withdrawal patterns, etc).
Because now you have $25, and you don't have your face on video using a stolen debit card?
In most places finding an ATM that still uses the magnetic stripe is certainly not easy.