Cyber Crime and the Underground Economy

16 11 2012

by Anurag Bhatt

On a bulletin board inaccessible without a Tor browser bundle, a user identified only as “admin” asks, “so I want to ddos attack my buddies ip address for just like 20 minutes, enough to keep his internet down for just a little bit. [C]ould he find out, or could I face penalties?” A user calling himself “rolf” replies, “You can’t DDoS someone on your own. bbye.”[1]

This is an example of one of the more innocuous exchanges that take place on these boards far removed from the familiar confined of the Internet that people access every day. Few people are aware that under the reasonably well-protected and censored Internet that they are used to, lies a thriving bazaar of illegal trade, where botnets and stolen Paypal accounts are bartered in the same casual manner that one would adopt when purchasing a bestseller on

This dark corner of the Internet, called the “deep web” or the “underground,” is not indexed by conventional search engines and cannot be accessed without using Tor, the anonymous browsing software that operates on the principle of onion routing[2]. Items exchanged within the cyber underground are a mishmash of cyber-attack tools, stolen identities, stolen credit card information and in many cases, drugs and child pornography. Noah Shachtman, contributing editor at Wired refers to this underground market as, “South Bronx circa 1999.’’[3] Mr. Shachtman refers to the underground as a “real, serious crime problem” which he estimates leads to tens of billions of dollars in profits for the perpetrators involved. He also blames both state actors and people looking to make a profit for the proliferation of cybercrime, while stating that the reward to risk ratio for cyber criminals is very high, due to the low cost of committing such attacks and the low probability of getting caught.

The Cyber Underground

The Merriam-Webster online dictionary carries this as one of the definitions of “underground” – an unofficial, unsanctioned, or illegal but informal movement or group; especially: a usually avant-garde group or movement that functions outside the establishment. [5] In this context, the cyber underground refers to illicit, informal and often illegal exchanges of information, goods and money which take place through the Internet.

In general, Internet traffic is not difficult to trace due to the inherent nature of the protocols that govern information exchange. The Internet, by design, is not made for anonymity. This has led to a slew of anonymization techniques, of which the most resilient and effective is called Tor.

Tor is an acronym for “The Onion Router.” It operates on the principle of “onion routing,” wherein each packet is sent via a different path and is encrypted by the contents from its last hop. The distributed nature of the paths that the packets take make it nearly impossible to trace them back to individual users[2].

The effectiveness and simplicity of Tor has given rise to a parallel Internet far removed from the conventional Internet that people are accustomed to browsing. Pages within this parallel Internet have the domain extension “.onion” instead of the more familiar “.com”, “.net”, “.edu” and other domains that are commonly found on the conventional Internet. Onion links are also designed to be difficult to remember, with the names often being random combinations of letters and numbers.

Within the underground, many services and goods are traded illegally. These include, but are not restricted to, buying and selling botnet space, stolen bank accounts, Paypal accounts and credit card information, zero-day exploits (extremely valuable exploits, usually in new software, which have not yet been patched), hacking tools, drugs and hitman services.

The Economy of the Underground

For any illegal transaction, the most desirable property of the currency exchanged is that it should be decentralized (not issued by a central authority) and untraceable. Fortunately for cyber criminals and unfortunately for law enforcement agencies, the introduction of the cryptographic currency Bitcoin (BTC) in January 2009 provides these very features. The completely decentralized and P2P nature of Bitcoin makes it difficult to trace Bitcoin transactions, making it the currency of choice throughout the cyber underground. As of 28th October 2012, one BTC is valued at $10.4, which represents a slight drop in value from its average value of $11.63[6].

An example of a thriving underground market is the Silk Road, where illegal drugs are routinely bought and sold through a reputation based system not unlike the one found on eBay[7]. The reputation based system helps to protect buyers from potential scammers. Silk Road only allows transactions to be completed via Bitcoin to protect user anonymity. Another website called The Farmer’s Market was shut down after its administrators were traced via transaction records and months of infiltration by police forces from the United States, Colombia and the Netherlands. This website offered Paypal and Western Union as alternative modes of payment, which are easier to trace and detect[8].

Other services that can be accessed within the underground include the infamous Rent-a-Hacker[9]. On this page, a self-confessed “technical expert” encourages potential customers to send a random number of Bitcoins to his account before he would deign to reply. Services which he claims to offer include DDoS attacks on various websites, social engineering organizations, “ruining” personal lives and economic espionage.

However, Bitcoins themselves are not fully anonymous, and can be traced by sophisticated network analysis attacks. According to Jeff Garzik, a part of Bitcoin’s developer team, “Attempting major illicit transactions with bitcoin, given existing statistical analysis techniques deployed in the field by law enforcement, is pretty damned dumb.”[8]


The extent of the cybercrime problem is thrown into stark relief by 2012 statistics. So far in 2012, U.S. companies have suffered an average damage of $8.9 million from cybercrime and malware[10]. Norton estimates that cybercrime has cost U.S companies a cumulative $110 billion so far this year[11].

The relative anonymity provided by a combination of Tor and Bitcoins makes underground cybercrime extremely difficult to crack down on. One of the few methods which seems to be effective in combatting this menace is systematic infiltration of the trust networks within the online markets.

Based on the ease of hopping onto the Tor network and purchasing Bitcoins, however, it is likely that cybercrime through these illicit, underground channels will continue to proliferate.


[1] DDoS question. Web. Oct. 27 2012. <http://4eiruntyxxbgfv7o.onion/snapbbs/1b133305/showthread.php?&threadid=c9085adba44e9a6a316770ed284e28bf>

[2] Goldschlag, Reed, Syverson. ”Onion Routing for Anonymous and Private Internet Connections.” DTIC. Web. Jan. 1999. Oct. 27 2012 <>

[3]”Shachtman: Cyber Threats Akin to South Bronx, Not Pearl Harbor.’’ International Peace Institute. Web. May 2012. Oct. 27 2012. <>

[4]Bruce Schneier. “Identifying Tor Users Through Insecure Applications.” Schneier on Security. Web. Mar. 2011. Oct. 27 2012. <>

[5]”Underground.” Merriam-Webster. Web. Oct. 27 2012. <>

[6]”Bitcoin Charts.” Bitcoin Charts. Web. Oct. 2012. Oct. 28 2012. <>

[7]Adrian Chen. “The Underground Website Where You Can Buy Any Drug Imaginable.” Gawker. Web, Jun. 2011. Oct. 28 2012. <;

[8]Dan Goodin. “Feds shutter online narcotics store that used TOR to hide its tracks.” Arstechnica. Web. Apr. 2012. Oct. 28 2012. <>

[9]”Rent-a-Hacker.” Web. Oct. 28 2012. http://ugh6gtz44ifx23e7.onion/

[10]Robert Lemos. “Cybercrime Costs Jumped 6 Percent in 2012.” eWeek, Web. Oct. 2012. Oct. 28 2012. <>

[11]” 2012 Norton Study: Consumer Cybercrime Estimated at $110 Billion Annually.“ Symantec. Web. Sep. 2012. Oct. 28 2012. <>




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: