An Operational Analysis of Underground Marketplaces
NOTE: this was written in 2013, the style and the content are dated.
This post will look at what issues exist for “darkweb drug markets”. The most famous such market is, of course, Silk Road, although there have been and will be others. The existing analysis of how these markets operate and what they need to do to provide effective operational security has not been comprehensive. This post aims to address that deficiency. [Ed: and falls far short of the task.]
In this post I shall attempt to examine the various organisational and operational requirements of running a secure underground marketplace. First I will decompose the underground marketplace into its constituent parts, then examine the operational requirements for each, and finally examine theoretical security plans for these operational units.
I (the grugq) have no affiliation with any drug markets online, darkweb, offline, wherever. I do not encourage the breaking of the law, nor do I encourage the use of illegal drugs.
This is for educational purposes only, presenting an academic analysis of how an online darkweb market for anything (e.g. drugs) should operate for maximum safety.
If you actually follow these directions you will still get caught and go to jail (or worse); these will only delay the inevitable. Do not do it. Really.
You keep using that phrase, I don’t think it means what you think it means
“Silk Road is an online underground marketplace.”
There is a lot of implicit information buried in this statement. When developing the security plan for an enterprise in hostile territory against a powerful adversary it is best to be explicit. Let’s break this down into manageable operational components.
Firstly, let's look at the primary concerns that combined to create the Silk Road marketplace, and which must of necessity exist to some degree in future ventures.
- Infrastructure: everything that has to exist for the market to operate, all the technology, the servers, the software, everything that would fall under the IT department in a regular corporation. This includes support when databases fall over at 3am and someone has to fix it. From a security and OPSEC point of view, this contains some of the most sensitive secrets (e.g. the location of the servers).
- Business: the handling of the vendors, suppliers, accounting, the HR department, the marketing department, the complaints from customers, everything that is the actual “drug market”. You need someone to deal with the vendors, keep them coming back, get them interested in the first place. You need someone to find customers and tell them where to go to find the vendors. You need an escrow service and a reputation system and analytics and all this extra stuff that people forget about when thinking about “online market”. It is a business, it needs someone to handle the business needs of any business: Marketing, Public Relations, Support, HR, Accounting, IT, and the Dread Pirate Management.
- Community: the people that are involved in the whole system, including the customers, the vendors, the administrators, the business managers/directors, the undercover law enforcement officials, the gawkers, the journalists, everyone. It is best if they have a place to manage vendor reputations, file complaints, locate educational materials and teach each other, issue and read PR statements,
There are essentially three core areas of responsibility, some of which are, at least, easy to delegate (community -> forum + selected admins, done). The others require careful compartmentation by the principal(s) to prevent a break in security from leading to exposure.
And here the document ends, offering no further insight into what I was thinking 6 years ago. But, here is what I think I was getting at:
A market is a business with a lot of interlocking components. Multiple people will need to be included in the business performing various roles, from managing the community, to dealing with customer service, to running the infrastructure. Each of those roles will need elevated privileges above users (including vendors); however, there is no reason that those roles should have any access or information beyond what is required to perform their job function.
One of the things that was apparent from the Silk Road business was that DPR was involved in far too many parts of the business. He did all the infrastructure work, he administered the forums, he handled customer and vendor complaints. He was heavily involved in the Silk Road “community” and he was exposed to all levels of operation. This made him vulnerable in at least two ways: one was his loss of touch with non-Silk Road reality, and two was his exposure to any penetrations of his work force (which is inevitable in drug businesses).
This was, I suspect, an argument for strong compartmentation of roles and responsibilities within the organisation. Ideally the person at the top would be so isolated from the company that except for collecting the filthy lucre they wouldn’t need to be involved with anything. This allows for safely cauterising the parts of the business that get taken over by law enforcement.
I have no idea why I thought I needed to explain this to anyone.