Risky Business

Analysing the security behaviour of cybercriminals active on a darknet market

Cybercrime thrives, and online anonymous markets, or darknet markets, play an important role in the cybercriminal ecosystem. Vendors active on darknet markets invest in security mechanisms to compromise the availability or usefulness of evidence to Law Enforcement Agencies. Therefore, difficulties arise in linking identities or machines to cybercrimes facilitated by darknet markets. As a result, many cybercrime investigations are ineffective. This thesis consists of an exploratory case study based on the full administration of the Hansa Market. The Hansa Market (2015-2017) was infiltrated and eventually taken over and shut down by the Dutch Police. The data used in this thesis originates from the server that hosted the market and was made available by the Dutch National High Tech Crime Unit (NHTCU) and the Fiscal Information and Investigation Service (FIOD). This data is used to answer the research question: “Which factors influence the security behaviour of darknet market vendors active on Hansa Market?”. To answer this question, vendors that are similar regarding a) their experience, b) their activity on other markets, c) the number of physical items sold, e.g. drugs, and d) the number of digital items sold, e.g. stolen credit card information, are clustered into five 'vendor types' using Latent Profile Analysis. The thesis then examines whether these clusters of vendors differ in terms of the following observed security behaviours: a) authentication-related security practices (password strength, password uniqueness and two-factor authentication usage), b) encryption of communication, in the form of PGP adoption and the PGP key strengths used, c) the linkability of a vendor's pseudonym through PGP-key matching and d) a vendor's choice of Online Financial Service Providers within the bitcoin ecosystem, measured by querying a service that provides contextual information on bitcoin transactions and addresses.
The findings indicate that approximately causal relationships may be inferred between, on the one hand, vendor types, which represent a combination of business success in terms of physical and digital sales, experience and activity on other markets, and, on the other hand, security behaviour. Vendors offering digital items tend to behave less securely than vendors selling large amounts of drugs. This thesis explains the observed (differences in) suboptimal security behaviours by arguing that vendors on Hansa Market conduct subjective risk assessments. This implies that the probability of being targeted by Law Enforcement Agencies (LEA) and the value of the vendors' assets that are at stake (e.g. informational assets containing incriminating evidence or 'years of freedom') influence security behaviour. Lastly, recommendations to Law Enforcement Agencies include exploiting the subjectiveness in cybercriminals' risk assessments and considering a focus on vendors transacting digital items. Academics are recommended to extend this research by investigating cybercriminal security behaviours through improved measurement methodologies in larger and more recent datasets.