The best darknet hit-for-hire idea I've seen is the one that uses a prediction market. You publicly bet $500k that Joe is not going to die in 1 week. Whoever takes the other side of that bet has an interest in making Joe die.
(Assume the prediction market is completely decentralized and untraceable. Assume there is an accurate way to determine the outcomes of the events in a manner compatible with being untraceable and decentralized.)
Assuming the prediction market isn't untraceable, would this be legal?
If Joe dies and someone gets $500,000 richer I'm sure the police would be very interested to investigate the transaction, but would the bet itself actually violate any laws?
Laws aren't programs and judges and juries aren't required to interpret them like a robot. Odds are that a reasonable jury would find you had hired a hitman and just convict you and move on.
Please see people who are convicted on limited or circumstantial evidence because everyone is pretty sure they did it. Example Hans Reiser.
> Laws aren't programs and judges and juries aren't required to interpret them like a robot.
I understand that HN and Reddit like to repeat this fact, but it's really not a useful answer to the question I asked. I think you're saying "no, it's not illegal", but you've masked that opinion with trivia.
> limited or circumstantial evidence [...] Hans Reiser
Reiser pled guilty to murdering his wife and disclosed the location of her shallow grave. I'm not sure how limited or circumstantial that is.
Reiser pled not guilty and successfully eliminated all conclusive evidence of his guilt. After they convicted him anyway he disclosed the location of her shallow grave.
I don't think it's masking the issue with trivia at all. If you conspire to kill someone or indeed to commit any crime and your defense rests on a cute use of the law to remain technically on the side of the law while obviously trespassing beyond it you are only as safe as you can convince the jury you are.
If you are more interested in the actual law we could look at justice.gov
Section 1958 renders it illegal: 1) to travel or use facilities of interstate or foreign commerce; 2) with intent that a murder in violation of State or Federal law be committed;
Looking at my state's (WA) law:
RCW 9A.32.030
Murder in the first degree.
(1) A person is guilty of murder in the first degree when:
(a) With a premeditated intent to cause the death of another person, he or she causes the death of such person or of a third person;
If you in effect arranged for someone to die by betting a large sum of money on a prediction market no judge or jury will pick nits and disregard your intent while placing such a bet.
Maybe in their mind, if they think they're very clever. But the judicial system is pretty clever in itself, I'm sure it would see right through the ruse.
It's important to remember that "beyond a reasonable doubt" means exactly that: no "reasonable" person would doubt it. (The definition of reasonable is left to the jury.)
Some people seem to think "beyond a reasonable doubt" means the same as "beyond any shadow of a doubt" - but they are very different standards!
You don't actually have to. You just have to convince 12 people that you did it. If this were so trivial to get away with, people would, you know, actually be doing it.
It would have to use some type of "untraceable" cryptocurrency like Monero because of that way to expose the hitman. Using traceable money (e.g. dollars in bank accounts or Bitcoin), the police can just plainly see the destination of the funds from the prediction market's wallet (which, if decentralized, must be known or, if centralized, could be discovered through espionage).
The question is moot since if it wasn't, and you made such a market, it soon would be. Realistically, the FBI would find a way to get you for something even in the meantime.
I don't know why, but it never quite hit me what the point of that thought experiment was until now. I heard about it in the context of prediction markets where people wanted to know the outcome of negative events and how it could encourage someone to take matters into their own hands. I hadn't thought of it as a way of actually back-door hiring an assassin without having to know who that assassin was.
It becomes really interesting once the other side of that bet can be crowdfunded.
Someone with half a million to squander already has the means to dispose of others. Whereas an enemy of the people may have 10,000 detractors, who while otherwise wouldn’t have the means, can pool together a seven figure bounty for $100 each.
It seems like an anonymous hitman system just doesn't work.
For the hitman, it's much safer to just take the down payment / etc and not do anything. That's just way more cost effective / lower risk to do that over and over again.
For the person hiring them... no reason to think the hitman won't do the logical thing and not do the hit / walk with the up front cash.... and probably limited to no incentive to pay after the deed is done if in fact everyone is anonymous.
Historically speaking hitmen seem to be tied to organizations who the hitman and the employer more or less can trust / provide some level of protection / regular work / other work or at least the promise of it. And generally the professional hitmen eventually tend to be disposed of by the next hitman after their usefulness to their employer fades...
A system where nobody trusts anyone would seem to only attract scammers and some random idiots.
Dark web marketplaces are not exactly "a system where nobody trusts anyone". They are pseudonymous, as opposed to completely anonymous, and sellers absolutely build reputation and some degree of trust. Otherwise nothing would work - the problems you point out would prevent any business at all. It's theoretically possible for a hitman to build reputation in such an environment. However, it would have to be comparatively slow and high-stakes, which I suspect is the main problem and tips the scale towards scamming.
Except the dark net reputation system is completely broken.
It's trivially easy to create new accounts and maintain parallel alternate accounts on dark net marketplaces, even going so far as giving yourself fake reviews to pump up reputations.
This is such a common scam on dark net markets that it has a name, known as exit scamming. A vendor will build themselves up a good reputation (usually fake) and then scam everyone who transacts with them, cashing out on the reputation. Wash, rinse, repeat with new accounts.
You also run a risk when leaving a bad review. Even if you never buy from that vendor again, you could buy from one of their alternate accounts, and they'll send you fentanyl in your product as retaliation.
I think the flip side to the nobody trusts anyone is once you out yourself as a hitman with a good reputation ... I think you can assume any customers will be cops pretty dang fast.
Aye. With hitmen there are bodies, a capital crime, and no statute of limitations. Drug laws are often much more lenient, not as far reaching, and some random guy's Silk Road order is a drop in the bucket compared to the serious importing and production of said drugs.
Plus you order your goods to the wrong address or use a fake name, and when the heat comes around you say "it wasn't me" and flush your drugs -- they're not going to chase you for months the way they might a murder case.
Obviously exceptions for the guys ordering kilos of coke every quarter, but as long as you put a little bit of effort into CYA no one is going to kick down your door for $80 worth of Molly.
Perhaps some multi-step smart contract that creates a prisoner's dilemma where both parties pre-commit some money. On completion of the contract if both sides submit a completion code, you get some of it back (to incentivize you to complete the transaction) and the larger part goes to the hitman (to incentivize him to finish his job). If either side reneges the money gets burned or redistributed to random wallets.
One of the biggest takeaways from this for me is that PayPal has awful security when it comes to compromised accounts. The only reason compromised accounts would trade for prices that high is because hackers have a high success rate of stealing funds from them, and a low chance of getting caught.
Credit cards and bank credentials being worth comparatively much less means that hackers don't have easy ways to secure the funds - either there's a high risk that the transaction is reverted, or there's a high risk that the hacker gets caught and goes to jail. You can tell it's not just an effort issue because the value of the accounts barely scales as the amounts in the accounts increase.
>wouldn't there be a huge supply if their security, overall, was lax?
I don't think the normal demand curve applies to stolen bank accounts. The value of a stolen account would be the average amount of money you can expect to get out of it, regardless of how many stolen accounts are available. An increase in supply wouldn't make that any different.
For the raw account details alone it probably has more to do with being able to use it as a pathway to transfer ill-gotten gains into/out of US/EUR than it does w/ the contents of the account. For the transfers from stolen accounts it looks like it's just discounted based on probability that the transfer won't be reversed in time maybe?
Do they? I mean, logging in is one thing, but transferring? I believe the hacked account owner can just get their funds back, and PayPal is very trigger happy at freezing accounts (especially new or idle) that get a large (a few hundred or more) sum at once.
So if you were to gain access to a stranger's account, you'd have to transfer the money to an existing, old and actively used account. Which is likely to be your own or your friend's.
Seems like a huge risk, so the hackers just sell the account to some idiot willing to try it.
It scares me that posts like this always write of Tor like it's not compromised.
I browsed Tor regularly between 2011 and 2013. Late 2012 and early 2013 brought the most precipitous drop in deviant material. Before then, you couldn't throw a stone without coming upon CP (I avoided it like the plague but knew it was there), you could buy literally any drug on the Silk Road safely, and you could easily find bomb-making and asymmetric warfare information. Nowadays? Not so much.
I agree but for different reasons. There is no financial incentive to run a TOR node-- it's expensive and opens you to real legal risks. Therefore most nodes are run by universities and unknown actors-- in any case they are almost all funded by the state. If I was a nation state it would make my job much EASIER if I corralled all of the bad actors into a network that has a handful of defined exit points more or less under my control. The entire notion is absurd. I2P is actually more secure because it routes traffic dynamically rather than trusting a centralized "authority"
> Before then, you couldn't throw a stone without coming upon CP (I avoided it like the plague but knew it was there), you could buy literally any drug on the Silk Road safely, and you could easily find bomb-making and asymmetric warfare information. Nowadays? Not so much.
I'm sure CP existed and exists on the dark web, but I think it's an exaggeration to say "you couldn't throw a stone without coming upon CP". A few years back I spent quite a bit of time on tor (research purposes), and thankfully never once just stumbled upon CP - I'm sure it's there, but you're going to have to go looking for it.
While Silk Road isn't around any more, other drug marketplaces pop up as soon as one disappears - it's still very, very easy to buy any drug you want. Next day delivery of heroin? Easy. You've 3 big threats with buying drugs on the darkweb though:
1) The site pulling an exit scam, disappearing with all the escrowed funds
2) Your seller pulling an exit scam, taking money for as long as possible without sending any drugs, then leaving the market
3) The site being compromised by the feds - it's actually quite difficult to run a watertight site on the darkweb, so this does happen
Can corroborate, 2012 is when I stopped using Tor for anonymity because a lot of busts happened all in a row. Every bust had some sort of Silk Road style clearnet mistake associated with it, but parallel construction felt like the real answer. A bunch of sites that had been fine for years don't suddenly all make tiny fatal mistakes at the same time.
I'm sure any operators that didn't get busted realized the heat had showed up and chose to shut down. When you are facing 20 years in jail you don't need hard evidence that Tor is broken to decide to walk away.
I spent one single night exploring the dark web in 2011, stumbled on that on the first night.
Scrubbed my drives, poured bleach in my eyes and swore off TOR forever. I'd agree that at the time, it was rampant.
However, it was during the same time that the FBI had set up their Operation Torpedo so it's quite possible those were heavily advertised on purpose as a trap.
Either way, it's sickening and another proof that we can't have nice things. Give a dark-web to mankind and the first thing they do is upload disgusting illegal porn to it (I am not talking about kinks but actual criminal activity).
Perhaps there is more money to be made via the Dark Web these days, so those people selling things have a vested interest in not making it scary to use it.
If I was a Dark Web Drug Kingpin, I would want to lessen the stigma of using the Dark Web, and that means trying to DDoS unsavory sites, convince other sites not to link to it, and the like.
Because governments are wiretapping the entire internet they can track down any server they can connect to live regardless of the protocol or number of indirections (this could be prevented with Freenet-style distributed hosting), but the actual downfall of the dark web seems to be web technology and outsourcing hosting. Last I checked Tor browser didn't disable javascript even on .onion sites (restricting HTML to a subset and requiring CSP would go a long way), and when sites share hosting they tend to go down all at once.
Do you mean that the entire system is compromised or just that individual sites are? Because it sounds like you are painting with a very broad brush here.
I consider it likely that the entire system is compromised. I saw with early Tor that if a network is both truly anonymous and advertises itself as truly anonymous, deviant material is accessible everywhere. Tor didn't stop advertising itself as anonymous yet deviant material is a lot rarer, which tells me that it may not be as anonymous nowadays as they say.
This isn't proof of anything except that the makeup of content there has changed over time. You can find write ups of how people like Dread Pirate Roberts or other large Marketplace players were caught and it doesn't seem like it was due to compromises in Tor, naturally if there are backdoors that 3 letter agencies are using they wouldn't advertise it but that doesn't seem to be the case.
It might be compromised, but there is an alternative explanation: people who don't agree with deviant content do their best to shut it down (e.g. over time there are more people attacking hosting with some deviant content for fun).
There's a lot of evidence to the contrary. I don't mean to be rude, but your assertion sounds quite hollow and baseless. I'm certainly interested in any evidence you would have that shows tor is compromised.
> Avoid public or unsecured WiFi. If you must log into an account on a network you don’t 100% trust, use a VPN to encrypt all communications. Even bank websites can be forged to be almost undetectable if an attacker has administrative access to the network you’re using.
I think we should stop fear mongering over shady wifi. In a world with HSTS and CT, these types of attacks are incredibly difficult to pull off.
Aren’t you assuming that users are only navigating to HTTPS sites and entering information? That’s unfortunately not the case. That also ignores the fact that having information about general activity can in itself be a privacy concern, whether or not that information is readable.
I am assuming that users go to their bank website by typing it into google and then clicking on their bank as a result.
Google is HSTS. The bank may or may not be (what a sad state of affairs, but I digress) but the link from Google will at least be https.
What websites do you have in mind that are not https and that average users enter personal information that could lead to identity theft on?
> having information about general activity can in itself be a privacy concern, whether or not that information is readable.
It definitely can be in some threat models. In the context of the average user being the target of drive-by identity theft, I struggle to see a realistic threat model for traffic-analysis of encrypted network traffic.
Certificate transparency - Chrome requires all certificates to have a public certificate transparency log which makes it very difficult for attackers to generate bad certificates undetected.
You would be very hard pressed to find a cloned card + PIN anywhere. That's the holy grail and information like that would never find its way outside of a team. Think about how easy it is to go to an ATM and use it.. Why would you sell that information for $25?
The rest of it seems fairly accurate based on jstash/unicc/etc.
Sure, you can get this data, but you also have to test what credit cards work and what don't. You can't just go to an ATM and start working through 50 credit cards you stole until one worked without something noticing. I'm assuming a lot of the cost is sunk to just testing if the credit cards even work and how well their fraud detector/max purchase limit is set up, which is very costly, so labor cost might be very high compared to the raw $25-per-number.
Some time ago I accidentally stumbled upon how some organized crime ring determined which credit cards worked. Someone in my party asked the Uber driver one night what other gigs they do for money. He said he uses this one card to get 40% cash back. Of course I asked more questions being the only one in security at this party:
He starts talking saying he goes around to different, small, local businesses - but never visiting the same place twice - and uses this card to pay for his friends' food, splitting the bill, but keeping the cash back rewards. Sometimes the card is rejected and he has to keep trying until it works finally. The actual credit card has to frequently connect to his phone by pushing a button on the card to sync with his phone to make purchases. Of course what his phone is doing is downloading a backlog of CCN's which then is sent to the credit card to change the magnetic strip dynamically - completely unknown to him he's testing if credit card numbers are working and getting paid for it. Genius scam, but that's what this one specific crime ring has to pay in order to check the availability of stolen credit card numbers.
An episode of Reply All[0] hints at another potential way of automated stolen credit card testing workflow.
In short, Domino’s across the US regularly receive strange orders for $2 Coke (and nothing else), which then no one ever picks up. The theory is, if a card doesn’t work, an automated script detects that as online order form switches to cash—and if it works, given the popularity of Domino’s this transaction might just slip by the cardholder’s attention.
My mother had her credit card info stolen online somewhere - the first two fraudulent hits were exactly $5k with payment memo saying it was going to some county's bail system (yeah, sure it was Visa, whatever you say). The third fraudulent payment was to the Hillary Clinton campaign for $15 which was flagged by the fraud detection.
My parents' experience suggests donating to charity probably isn't as effective any more.
If I was in fraud detection there would be fraud flag contagion: If 25% of them started out as blocked and you tested them all, afterwards 100% would be blocked.
I'm no expert in these things, but I'd imagine there would be a soft flag for possible fraud, that triggers something like text messages to customers confirming their purchases.
If within X minutes you see Y cards and Z of them are known to be stolen, you set the soft fraud flag on all of them. Values of X, Y and Z would be set based on historical data.
You could still test your stolen cards, of course - but 5 at a time, not 50 at a time.
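An added example, not part of any comment in the thread: the X/Y/Z soft-flag rule proposed above, written as a sliding-window check in Python. Grouping by merchant, the card tokens, the thresholds and the sample authorisations are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Auth:
    ts: datetime      # time of the authorisation attempt
    merchant: str     # constructed merchant / terminal id
    card: str         # constructed card token, never a real PAN


class ContagionRule:
    """Soft-flag every card seen at a merchant when, within `window`,
    at least `min_cards` distinct cards appear (Y) and at least
    `min_stolen` of them are already known stolen (Z)."""

    def __init__(self, window_minutes, min_cards, min_stolen, known_stolen):
        self.window = timedelta(minutes=window_minutes)   # X
        self.min_cards = min_cards                        # Y
        self.min_stolen = min_stolen                      # Z
        self.known_stolen = set(known_stolen)             # already hard-blocked
        self.soft_flagged = set()
        self._recent = defaultdict(deque)                 # merchant -> recent Auths

    def observe(self, auth):
        """Feed one authorisation (in time order); return newly flagged cards."""
        q = self._recent[auth.merchant]
        q.append(auth)
        cutoff = auth.ts - self.window
        while q and q[0].ts < cutoff:      # drop attempts older than X minutes
            q.popleft()
        cards = {a.card for a in q}
        stolen = cards & self.known_stolen
        if len(cards) < self.min_cards or len(stolen) < self.min_stolen:
            return set()
        # Known-stolen cards are blocked already; the soft flag (e.g. an SMS
        # confirmation to the cardholder) goes on the rest of the cluster.
        new = cards - self.known_stolen - self.soft_flagged
        self.soft_flagged |= new
        return new


def replay(events, rule):
    """Run events through the rule in timestamp order; return the alerts."""
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        new = rule.observe(ev)
        if new:
            alerts.append((ev.ts, ev.merchant, sorted(new)))
    return alerts


def demo():
    t0 = datetime(2024, 1, 1, 12, 0)

    def at(minute, merchant, card):
        return Auth(t0 + timedelta(minutes=minute), merchant, card)

    # Constructed sample data.
    events = [
        # Cluster: six cards in eight minutes, two already known stolen.
        at(0, "pizza-041", "c-100"), at(1, "pizza-041", "c-101"),
        at(2, "pizza-041", "c-102"), at(4, "pizza-041", "c-103"),
        at(5, "pizza-041", "c-104"), at(7, "pizza-041", "c-105"),
        # Below both thresholds: three cards, one known stolen.
        at(0, "cafe-7", "c-200"), at(3, "cafe-7", "c-201"),
        at(6, "cafe-7", "c-202"),
        # Busy legitimate merchant: many cards, none known stolen.
        *[at(m, "grocer-9", f"c-30{m}") for m in range(6)],
        # Attempts spread past the window are not linked to each other.
        at(0, "kiosk-3", "c-400"), at(1, "kiosk-3", "c-401"),
        at(20, "kiosk-3", "c-402"), at(21, "kiosk-3", "c-403"),
        at(22, "kiosk-3", "c-404"), at(23, "kiosk-3", "c-405"),
    ]
    known = {"c-100", "c-103", "c-200", "c-400", "c-402"}
    rule = ContagionRule(window_minutes=10, min_cards=5, min_stolen=2,
                         known_stolen=known)
    return rule, replay(events, rule)


if __name__ == "__main__":
    rule, alerts = demo()
    for ts, merchant, cards in alerts:
        print(ts.isoformat(), merchant, "soft-flag:", ", ".join(cards))
```

In practice the three thresholds would be fitted per merchant category from historical data, as the comment says, since a window that suits a pizza chain will be too loose or too tight elsewhere.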
I couldn't tell 100% if he was "in" on the scam or not - has he really never thought of why they tell him to go to distant restaurants, never returning, and why the card is always declined multiple times, and why the cash back is THAT HIGH? He did give me a referral as if he was trying to sell this idea but I didn't get very far in their signup (first question: my full name. pulled the plug there) and he introduced this topic as if he was "working" on this "technology" that I had to ask a dozen questions to pry open before he even got us introduced to his "credit card" (either he was really working on it and wanted to keep it secret from us actual techies, or knew something was sketchy and didn't want people to know he was doing shady stuff, or he genuinely thinks he is beta testing some legit technology and getting rewarded for it but didn't want to immediately go into detail)
But if he isn't in on the scam and does pay off his card, funny enough, that must mean all of his money is going directly to the crime ring. Two birds with one stone!
The bill to pay off the card goes to the original cardholder. Then the mob bills him for his purchase (this is where the mob makes money), and then the mob gives him 40% cash back.
Because there's almost no risk associated with it. You don't have to get a team together to hit up ATMs and extract money from those cards, which requires trust and increases complexity, you just mount a few skimmers, collect the data, remove the skimmers, and then sell it online and let someone else take the risk.
It's not "much work" but it is a lot of extra risk, because after you empty someone's credit card they'll quickly find out and alert the bank, which will alert the authorities, while skimming can go undetected much easier.
Same goes for the skimmer, bank will see all the cards used in location x being emptied.
It’s really not a lot of extra risk, it’s not like the authorities could respond at the ATM in a timely manner. All the thief needs to do is cover their face.
That is after you've downloaded the data. Skimmers these days can be read out remotely. You don't need to do anything obvious. You don't need to come back to the atm once you've got what you came for.
There is so much fraud the police can't keep up. Customers are told to contact 'Action Fraud', which is staffed by people on minimum wage and undercover filming shows them basically laughing at victims as they type up another pointless report that goes into the bin.
If you're the police and you have the option of spending resources on burglary or muggings (which cost an absolute fortune in police time, generally low value, but in the public's eye very important) or payment fraud, the police will put time into "in person" crime every time.
Given how many news stories about arrested people (both local and foreigners) in a nearby city (which is small, third-world, and has very primitive security overall); I think the police does a rather pretty good job.
Cameras don’t do much unless the suspect has already been arrested and it’s just a matter of building up evidence.
Cameras can’t tell you the name and address of the pixel blob that is committing the crime. Cameras as a security device are overrated. My building had countless footage of people entering the bike room or parking and stealing bicycles. Resident makes a complaint to the police, proudly says “we have cctv footage!”, police shrugs and looks at cctv footage, and nothing happens because what do you do with the video of a thief stealing your bike..?
I’d say it goes for any kind of cctv footage. It’s always too low quality to identify an individual, and doesn’t show anything else than the crime happened. It’s useless to identify a suspect unless you already have the suspect in custody and can match time/location/clothes. When has anyone ever been arrested from being identified from cctv footage?
We're not that far from a world where people can be tracked back to their home/car using cctv. Places like London and China have that level of coverage already, they can follow you from one cctv to another, it's just a question of effort.
>Cameras can’t tell you the name and address of the pixel blob that is committing the crime.
Given sufficient resolution, software, and access to data they can with some degree of accuracy.
>My building had countless footage of people entering the bike room or parking and stealing bicycles
With bicycle theft you have an individual with an incentive to recover the bike approximately equal to the retail value of the bike, and few resources at their disposal. Law enforcement is not going to pay much more than lip service to a stolen bike, because they don't have any tangible incentive to recover it, while it's probably a lot of work to even try. Depending on the building, it's possible the landlord is sufficiently incentivized to increase security to mitigate tenant complaints, but that won't extend to the search for a bike that has already been stolen.
By contrast, with bank fraud you have, for example, a $300 bn company like JPM with a strong incentive to protect their network's security and consumer trust, cameras everywhere, and good working relationships with law enforcement at many levels of government. It is much more likely to be taken seriously and acted upon, and is therefore riskier than bike theft.
In my opinion, police won't budge much unless a higher authority is pressing on them. It's not that they can't find the bike thief, they definitely can (and in a timely fashion). They simply do not care.
Banks seem to have lots of influence and move things around. Bank thefts (where I live) net for thieves around 10-20k USD. They get lots of police action. Other thefts with even higher amounts go unnoticed.
If the data is collected from a skimmer + pin pad camera then you are already in the current area of the cardholder. There are a lot of ATMs without cameras or ways to avoid your face appearing fully in a camera.
Unusual patterns and stolen cards are one of the primary reasons that they will rarely ever leave a team. It takes a great deal of work to gather stripe data + PIN. It's much easier to look for a website without PCI compliance. In-person carding is going by the wayside, but is much easier to accomplish if you have good data. You can buy dumps, but no one is turning over a PIN.
Why? Isn't that how card skimming used to work? The skimmer pulls card data, while the mechanism designed to capture PIN (video or physical keylogger). Being able to get CC details is quite a different business compared to actually using them to get goods/services.
It is. The majority of the enforcement work is around industry safeguards and customer re-imbursal from insurance pools. And very little of the work is around prosecutions because the liability is shifted and moved around very similar to a corporation, but even more distributed.
The hacker doesn't hack, but sells the information to be weaponized.
The person that weaponizes only does that to get a giant leak of data, that they sell in pieces.
The person that buys a few cards, gets 1 that works, and now we are talking about a few thousand dollars. Almost too small to care for a big investigation.
And so on and so forth.
There is rarely anyone to levy the whole force of the RICO act + CFAA + Wire Fraud + Conspiracy + Using a fake ID + etc etc
I think some readers are misunderstanding this, a cloned card in this context is actually skimmed from an ATM, which allows you to copy the physical card because you have copied the magnetic strip and also have the PIN associated with the card, though this is not the same as having the card number, expiration & CVV2 code from online phishing.
(Some chips aren't actually signing anything, they're just another way of reading the same info that's on the strip. It depends on the company issuing the card. This isn't covered in the video, but it's true.)
As the video shows, there are other vectors of extraction than ATMs.
Because selling a card online where you never have to meet anyone is much safer than taking a stolen card and start using it where you may end up on camera or police called at point of purchase. Much safer to keep your distance and just sell numbers.
If you get on torsearch or similar tor search engines, you see ads for similar stuff. You also see links in forums and such for places selling what you want. These are the types of prices the ads themselves claim. Is the author taking all those numbers at face value? Or is this some more in-depth research where it was possible to purchase one or more services? If it's the former, I don't find these numbers to mean much.
The links can be dead by the time you get to them. You don't know if it's just another honeypot. You don't know if you'll get what you pay for.
I bought an expensive T-shirt a long time ago from a rather legit looking apparel company (nice website, LTD company/bank account).
Learned the right words on Reddit, hit up Instagram and started looking for and messaging people. Got a few replies, went with the one who had the most legit looking photos.
After a few questions on WhatsApp (yeah, really, lol) got directed to the website and bought the right item... via direct debit because their payment processor was "down".
Big risk on my part, I guess, my plan if popo called was to just say "hey I only ordered a t-shirt!"... I did not think it through very well.
Got it pretty fast (Royal Mail tracked and signed) and found a gift pack of "Revels" inside. How nice of them!
It seems rather risky for them, wouldn't it take just one guy to talk? Or maybe the seller was new to the business.
Tbf, setting up a company, bank account and shipping, all while staying anonymous is extremely easy (but not legal) in the UK compared to the rest of EU.
Joking apart, my question wasn't to learn about drug prices for "practical use". I just think it's an interesting subject: how the web changes underground/illegal markets, what impact it has, etc.
There are lots of counterintuitive things in that field (look at how Portugal handles it), which makes it even more interesting to me. "war on drugs vs war on drug users".
What makes malware "low quality", "high quality", "premium", 70% reliability, etc.? Sounds like it's all low quality to me, because outside on the regular market zerodays can be 100k-1M or more. If I remember correctly, Alphabay used to be where darknet zerodays were listed before it was taken down.
Zero days also aren't malware necessarily. Zero days are usually bought and sold by those that use them to create malware they don't sell (to keep the 0day secret).
Paid malware isn't all necessarily low quality, but most of it out there is. If you want something high quality I'd imagine you wouldn't see the listing for a particular malware that is high quality, but for someone who can write something high quality. Something custom developed will always be less detected than something being traded around.
Yes, not only is it very risky to attempt to withdraw money from them, often times you won't manage to get the full amount out before fraud systems go off. Same with credit cards.
This was my thought, admittedly knowing little about this world. E.g. a stolen item's street value is a fraction of its actual used goods value. It's only worth what you can get in cash within hours.
Follow up question, if they are so important why has no-one created a scheme of scamming the scammers. Just create lots of new arbitrary Gmail accounts and sell them on the dark web? How do they prevent that?
A hacked Gmail account and an empty new account both have commercial value, but with very different applications. For the quoted price (~$150), a hacked real email account would have to be full of personal information useful for identity theft type fraud, or able to be used to gain further control of other accounts that support password reset by email. An empty new account ("PVA", phone-verified account) is good only for spamming, registering fake accounts with services that require an email address, etc., with typical pricing in the tens of cents. PVAs are closer to commodities, while the pricing for a hacked real account would vary a lot with the victim (child vs. college student vs. investment banker vs. careless cryptocurrency enthusiast vs. ...).
Of course nothing stops an anonymous seller from defrauding an anonymous buyer in a one-off transaction. But sellers operate under some kind of semi-stable pseudonym, so they do care about their reputations. They might also be selling on a market where some third party would look at the goods provided and adjudicate a dispute.
I haven't explored the darknet in over 5 years, but some of these prices seem a bit high. Around 2014-2015 I saw PayPal accounts listed for $3 a piece ($5 if you bundled it with SOCKS proxy access). Which could mean a couple things: PayPal security has gotten tighter, restricting the supply of accounts; PayPal security has actually gotten worse, increasing the actual value of the accounts; or maybe these guys are doing "market" research and determined that their profit margins were higher charging $25 for the same product. It could also mean that the writers of this article didn't do enough digging to find a "better" deal. Interesting read but I'm not sure how much I trust their numbers.
> The “quality” [counterfeit money] tend to cost around 30% of the banknote value.
This was the most surprising to me. Seems like it’s extremely high priced. You get a 30% discount for using counterfeits and potentially getting the secret service on you? Maybe that is a reflection of its quality but... Yea, no thanks.
Edit: Ohhhh My bad read it wrong. 70% off... better but these would have to be amazing quality.
So $6 actual for a $20 bill. I see how that could be tempting to someone but I’m pretty sure it would have to be somewhere outside the US, you don’t mess with fake money here.
That's my guess. On twitter/ig, advertising deals would be done directly between accounts and advertisers, so the social media provider itself wouldn't really care; fraudulent engagement numbers are third-party. YouTube is different, where the host also provides the advertising service, and fake numbers hurt Google's bottom line. So they're probably both harsher on fakes and better at detecting them.
A large percentage of followers that don't engage in watching videos hurts you in the YouTube algorithm. Twitter and Instagram likely just want to show high user numbers.
Can anyone point me to some of the 'how to cash out' guides mentioned? Doing some research in this area and quite interested to learn about techniques used in practice and how they compare to those proposed in academic literature.
People are not using the cards to get service from AAA, they're likely using them as fake forms of non-photo identification. The same goes for the fake bank statements.
Let's say I decide to pay $800 for ddos attack. Provider pockets the $800 and doesn't carry out the attack. What's my recourse? Contact customer service? Nope. Contact the police? Hmm. You see the whole thing is a scam. There are plenty of articles online about it.
It's not a scam. Those scenes live by reputation alone. If you need something as a once in a lifetime service you are well advised to use a trusted third party within the scene. Those are either trade mods or well known veterans.
If you become familiar and known in the scene the risk of being scammed is very low and if it happens it's more like a "one last money grab and I am done thing" where the person offering the service will disappear. But since this works once per online persona this really doesn't happen that often.
how does one even begin to become known in a scene if you don't even know where (or if) it exists?
Not that I'm planning to purchase any of those services of course, I'm just curious because it sounds like there's no possible starting point, unless by pure chance one of your personal friends happens to be already involved in the area and lets you know.
Dark web markets have escrow systems as well as review systems which show how much each customer paid for the service. One can see if a vendor is well reviewed and it's unlikely the reviews are astroturfed if they are on large transactions because the fees on these markets are relatively high.
you start working through an established escrow service, and gain positive feedback on darknet platforms.
You can also do what above-ground companies do and promote yourself via ads, branding and so forth. At the very least that signals you've invested serious money into your image and are therefore unlikely to disappear overnight.
You pointed out the possible starting point yourself: one of your acquaintances is already involved with the scene. That seems quite sufficient for the scene to keep existing.
Online reputation is very easy to build. These people are scammers, they're hardly going to worry about giving themselves good reviews. It's done all over amazon, trip advisor etc yet somehow the darkweb has a foolproof online reputation system - don't make me laugh.
Dark Web reviews are linked to purchases. You can't just add a load of fake reviews without completing a transaction, which means you have to pay a fee to the darknet site. So it is possible but it can be expensive, the easy option is to run a legitimate service and then at some point you could just start taking people's money and not providing the service. Of course this has a limited shelf life, because new reviews are going to be a positive
Your concern is a reasonable one: Ross Ulbricht was literally the founder of Silk Road and so should have been able to make darknet transactions as well as anyone - and yet he (allegedly) engaged in six different murder-for-hire attempts spending $730,000 - and none were successful [1].
For more mundane services, though, most 'darknet markets' like Silk Road have a seller account reputation system, like ebay; and a payment escrow system. So you can choose a seller who has 100 previous transactions and a 99.5% positive reputation. And if they don't deliver, they don't get paid.
You can also ramp your purchases up gradually, buying the $10 1-hour DDOS and the $60 1-day DDOS, thus confirming the supplier can deliver before spending more than you can afford to lose.
And of course it's traditional for every bitcoin/darknet service to eventually fold with some insider making off with everyone's money. For that, I don't know what the common mitigations are, apart from not carrying an account balance larger than you can afford to lose.
Presumably, the most efficient markets are operating on a trust-based model. Reputation on the dark web is probably extremely valuable, and so vendors and buyers change their behavior based on each other’s ratings. Buying from a new vendor with no rep is extremely risky, so the buyer should expect a steep discount or otherwise for taking the risk.
Well, depending on how you find them, they still usually want to preserve their reputation. It'd be risky paying a completely anonymous person for a service, but if the darkwebsite indicates that there are 100 people who have said, "A+++++, would do cyberattacks with them again", then it might be safe to do crimes together.
If you're in a "law enforcement free-zone" and can bank a recurring service fee versus a one-time scam running these kind of services, why not engage in such behaviour?
A ddos attack is something that can be scaled. Someone could pay a small amount for something small and keep making payments to extend it or scale it up.
One thing I hate about the underground is the blatant racism to deny service, and then having to pretend that this is not a reflection of the general society but not being able to talk about it.
From forgers to illegal sex workers. Even the rationales are flimsy.
This seems like an interesting comment, but I don't really understand it, probably from lack of context. Are you saying darknet sellers discriminate based on race for reasons that don't make a lot of sense? Or am I misunderstanding?
some darknet sellers and illicit marketplaces discriminate against certain races, while I never see other certain races singled out at all.
there are easy rebuttals to help justify why different kinds of service providers discriminate in those specific trades if I elaborated at all, but the rationales behind them still don't make sense.
I only posted as it might be a shared experience for some people passing through here, and insightful to people that haven't experienced it. If you are in the habit of questioning the validity of a reality you personally haven't perceived, then this comment just isn't for you.
I'm probably missing something here, but I don't really understand how service providers in an anonymous marketplace can discriminate based on race - how would they know the race, gender or any other attribute of their buyer?
well in the two examples I mentioned, you would get some kinds of forgeries to use in person, whereas an illicit sex worker would also require being in person.
these are not merchant consumer relationships, these are service providers that have to follow instructions with clients and deliver the service requested.
This is one of the most bizarre comments I have ever seen. Mind boggling. Are you going to start a petition to get the Crips to let white people join or the Aryan Brotherhood to let in PoC? lol
Which is the most sheltered comment I've ever seen. We are talking about online marketplaces, not gangs and terror groups, I know the narrative is media driven but you should be able to tell the difference.
I don't believe any of this. $20 for a credit card that has up to $5000 on it? Which criminal would sell something worth $5000 for $20? Even PayPal accounts with over $3000 selling for $100? Makes absolutely no sense. The other line items about Malware with "slow spread" is absurd. This is BuzzFeed level cyber journalism.
It's not a card with $5000 on it though. It's a card that you can commit a crime potentially spending $5000 with, potentially going to jail for, and struggling to launder the proceeds into something you can spend yourself. If the odds of that working out are less than 0.5%, maybe it's overpriced.
But you have already committed a crime by skimming a credit card and stealing a PIN. Why not go all the way then? Is it somehow riskier to interact with an ATM than to install a skimmer on it?
Because of more prison time. The moment you start pulling money off of someone else's card either an automated system will trigger an alert or the owner of the card will get a push notification about a withdrawal and the authorities will get alerted.
Just skimming can remain undetected for quite a while, but the moment you start stealing money, your risk will go up dramatically.
I have no idea how these prices were calculated, but I can tell you that the prices for the credit cards are quite correct (at least approximately). $20 for a credit card with $5k limit is not worth $5k - you've got to actually get value from it, usually by trying to buy goods or bitcoin with it, which is very risky, time consuming, requires a lot of skill and effort, and you won't get the full $5k from it. The people selling them are presumably "hackers" looking to make money off of stolen PII/FI.
Couldn't you use card credentials to get a cash advance at an ATM? I am assuming a chip-less card's magstripe just has the credentials on it, so it should be easy to copy? I guess the bank's fraud systems would catch an unusual withdrawal.
- You could, but you'd be exposing yourself, so you'll want to send a mule in your place.
- That adds extra risk, so you might have to pay someone to scare that mule into doing their part.
- You'll want to get that laundered somehow, so you'll want to arrange some nice path that leaves no trail to you, maybe through Western Union?
And so the costs keep increasing and your margin goes down. The key of the game is to set up this kind of stuff at scale. Then it doesn't really matter if you're making only 60$ from each card, as long as it covers the cost.
A lot of cards are going to have low limits or blocks on cash advances. Withdrawals from overseas are particularly likely to fail. And the card owner might realise his credentials have been stolen by the time the card hits the market.
Depends on the bank but most in the US now have additional security mechanisms for non chip transactions. I ran into it when the chip on my card broke. The bank declines the initial ATM transaction, then sends me an SMS asking to confirm it's me and retry the transaction.
Try buying Bitcoin even with a card that is in your name.
I've never tried it, but I'm almost certain my bank would block the transaction -- either for authorization by SMS (if the Bitcoin-selling site supports this), or by denying it until I phone the bank myself.
I think this would be normal for most European cards. I was surprised not to see a separate price for EMV / no-EMV cards in the table.
CC info was always selling for similar amounts. People who can steal CC info by hacking into e-commerce websites don't necessarily have skills, connections or resources to extract the money from those accounts. Imagine you get a list of 10K credit cards. What would you do? Buy stuff on Amazon? Maybe try to set up some shady payment processing that'd take card details and transfer to your bank account? Where would you open a bank account that wouldn't be triggered after you've done 25th payment and so on. I could probably teach myself how to hack websites but I'm not sure I'd have skills to find a corrupt banker who can sort out an account for me with no questions asked.
You're right, but in the wrong direction. Major card shops will have varying prices based on BIN. Standard/classic/gold/platinum/premium/world level cards all go for different amounts based on issuing credit provider. You pay more for the billing phone number associated with it.
$9-$25 each and depending on provider you get discounts based on number of pieces purchased at once & possibly historical spend.
https://www.wired.co.uk/article/kill-list-dark-web-hitmen