The Dark Web: a Paradise for Scammers

June 1, 2016 by Pierluigi Paganini

Introduction

Journalists and people unfamiliar with the subject believe that black markets hosted on the dark web are places where criminals can do business in total security without being tracked by the authorities. They always describe these places as crucial aggregators where it is possible to buy any illegal product or service. According to the media, a keyboard, a few bitcoins, and a couple of clicks allow anyone to buy a gun, exploit code or any chemical drug. Is it true?

The reality is quite different; the darknets are full of scammers who try to steal money from unaware users approaching the hidden part of the web for the first time. The web is full of users who have paid for products and services purchased on the Dark Web that they never received. In other cases, they have been scammed by professionals who provided counterfeit products.

In this post, I will report two emblematic cases that summarize what happens daily to bold users of many darknets and underground forums.

Are you searching for an AK47? Read this

The dark web is the realm of scammers; many sellers claim to have products that they will never send to buyers, even after the buyers have paid for them. Weapons are probably among the goods most affected by this kind of problem. In the vast majority of cases, once scammers get paid they don't ship the weapons, explaining to the buyers that law enforcement has intercepted the shipment. Of course, victims will never receive the goods and cannot sue the sellers.

Recently, producers from the German broadcaster ARD decided to investigate the possibility of buying weapons on the dark web. They conducted an interesting experiment to understand whether it is really so simple to buy this kind of goods; in particular, one journalist tried to buy an AK-47 rifle, aka Kalašnikov, and paid $800 worth of bitcoin.

The German journalists were working for a show titled "Fear of terror—how vulnerable is Germany" with the intent to understand how criminals could access weapons offered for sale in the black markets.

The show focused on terrorism. It tried to demonstrate that it is very simple to acquire weapons on the dark web while avoiding any monitoring by law enforcement.

"There is this experiment at the beginning of the broadcast. #Beckmann Ordered via middleman a Kalashnikov in the darknet. At the end comes out: $ 800 paid – and get nothing." reported the German site Focus.

"Because, as a customs expert, it is not so easy to procure weapons. Sounds weird, but is so. Only that this #Beckmann not nearly as informative as 'The program with the mouse.'"

At the beginning of the show, host Reinhold Beckmann instructed a third party to buy an AK-47 rifle. The journalist also asked the head of the German Bundeskriminalamt (Federal Criminal Police Office) whether it is possible to find weapons online, and he confirmed that black markets are the right places to buy them.

Beckmann's attempt to buy a weapon failed, but it is not clear whether the package was intercepted by law enforcement or the seller was a scammer.

Figure 1 - Black Market Reloaded

A Google search easily turns up articles confirming that such problems are very common when dealing with sellers in the black marketplaces. In November 2015, Joseph Cox from Motherboard wrote an interesting article explaining the difficulty of acquiring a weapon from the dark web.

"One impetus for that is the heavy presence of scammers, who create fake accounts to dupe gullible gun hunters out of their money." wrote Cox.

"I'm just kinda addicted to the scamming part. It's too easy," one scammer told Motherboard in an email chat. The scammer used to operate under the handle "Bartsmit" on AlphaBay, a popular market that sells stolen data, weapons, and drugs, among other goods. Today the scammer is still ripping people off, but under a different identity."

In response to the increased number of scams related to the sale of weapons, several black marketplaces have stopped stocking weapons altogether.

In July 2015, one of the most popular black markets, Agora, stopped selling guns, as announced in a statement published by the site administrators:

"Starting from July 15th, 2015 Agora will no longer list lethal weapons.

Following our mission we wish such objects would be available for purchase, but the current reality of it is that the format of a market like ours does not constitute a good way to do it. Shipping weapons is hard; they are expensive and stimulate both scamming by dishonest vendors and honeypot listings by agencies looking to find buyers who might wish to obtain such weapons illegally from us."

Law enforcement warns of a growing number of scammers operating in the weapon trade on the dark web; on the other side, many operators of black markets blame authorities for infiltrating this specific trade.

Besa Mafia, a very sophisticated scam

Many users believe that the greatest risk of acquiring goods in the Dark Web is the possibility of being tracked by law enforcement, totally ignoring that this hidden part of the web is full of scammers.

In many cases, fraudsters offer products and services that are not what they claim to be. One of the most sensational cases is the alleged hitman website Besa Mafia.

Besa is a term used by the Albanian mafia that means "trust."

The site offers "hitman" services and acts as an intermediary between customers and killers for hire.

Figure 2 - Besa Mafia Website

"If you want to kill someone, or to beat the shit out of him, we are the right guys," reads the hitman website. "We have professional hitmen available through the entire USA, Canada, and Europe, and you can hire a contract killer easily." The group claims to come from Albania.

The truth behind the popular hitman service became clear after the website was hacked and its data leaked online. Experts from the firm Risk Based Security analyzed the data posted online, which includes the lists of "hitmen," photos of targets that customers had uploaded when requesting the service, the overall orders, and the messages purportedly exchanged between users and site operators.

"A few weeks ago, one such dark website going by the name "Besa Mafia" became victim of a hacker using the handle "bRpsd," who breached the site's database and posted the information online where it was accessible to anyone. The information posted is a serious potential concern as the Besa Mafia site has a reputation as being an actual hitman-for-hire service with links to the Albanian mafia." explained the experts at Risk Based Security. "Data leaked in this breach contains user accounts, personal user messages, 'hit' orders posted to the site, and a folder named 'victims' that contains additional documents within it." "The original leak post also contained 250 accounts with usernames, email addresses, and passwords, however, this data was not included in the download. The two CSV files from the leak are named orders.csv and msg.csv that contain 38 'hit' orders and 2,682 personal messages to and from site administrators."

The experts have no doubt; the website was a scam, and its operators have designed it to maximize their profits considering that murder on demand ranges between $5,000 and $200,000.

The alleged killers have their price list: killing a person while simulating an accident costs an additional $4,000, beating an individual goes for $500, and burning his car costs $1,000.

The site allows wannabe killers to register their profile on the site, specifying their abilities (pistol or sniper rifle), military background and so on.

In reality, the sole goal of the Besa Mafia site operators is to get paid for services that they are not able to provide.

"These guys have made at least 50 bitcoins [nearly $23,000] on this," said Chris Monteiro, an independent researcher who investigated the case. 

In one message from the data dump resulting from the breach, the admin admits that the site is a scam and that it also shares information with law enforcement.

"This website is to scam criminals of their money. We report them for two reasons: to stop murder, this is moral and right; to avoid being charged with conspiracy to murder or association to murder, if we get caught," the admin writes.

The scammers behind Besa Mafia were also conducting a propaganda campaign on the web to advertise the services offered by the website and the fact that it was possible to hire a hitman through its platform. Cox explained that on April 17, someone added to the Wikipedia page for the term "Albanian mafia" that the organization operates a website on the Deep Web. Clearly, the entry was added to advertise the Besa Mafia hidden service, likely by one of its members.

To increase the reputation of the scam website, its administrators also shared fake information about successful missions completed by the hitmen hired through the website.

They used gory images of murders bearing endorsements for the hitmen behind the Besa Mafia site.

"I saw they also have hitmen who do murder for hire, and I was astonished to see that the price was very low: only $5,000," reads one of the messages posted online to increase the reputation of the website.

In February, Monteiro published a second post on the Besa Mafia website, in which he explained that an alleged administrator of the site contacted him requesting a positive review.

Below is the text of the message sent to Monteiro:

"Helo,

I am one of the admins of the Besa Mafia website on deep web.

I saw your blog at http://pirate.london/2016/02/assassination-scams-the-next-generation/

Would it be possible for us to pay for a true and honest, positive review?

Our site is a marketplace, and we have many registered gang members, we are not like the other hitmen sites where they only have one team.

Let me know if we can prove to you that we are legit

Yura

Ps. No PGP key unless you ask for."

Monteiro refused the offer and received numerous threatening messages every time he posted something on the group.

The hack of the Besa Mafia website revealed that the site is a scam. Cox reported that the videos showing burning cars were specifically crafted to increase the reputation of the website.

One of the leaked messages sent by the admins to a wannabe hitman includes detailed instructions on how to make the clip.

"For now, we can use your help to set cars on fire," wrote the admin. "Take a normal car, not too cheap or expensive, to the outskirts of a city, write the Besa Mafia URL on a piece of paper, light the car on fire, move back around 10 metres, and show the paper again."

https://www.youtube.com/watch?v=KILUsa4crzI&feature=youtu.be

Conclusion

Unfortunately, the dark web is the right place where Besa Mafia-like websites can proliferate without problems. It is quite easy to find bad actors that offer swatting and hitman services on many hidden services and in the majority of cases these sites are backed by scammers.

In the Tor network, it is also possible to find alleged human trafficking websites. It is nearly impossible to determine whether they are scams because there is no evidence of their activity, but it is likely that these services are fakes.

Let's close with a reminder that scammers always try to maximize their profits by selling products that are popular in the criminal underground, such as skimmer devices and skimmed card data, or electronic devices such as stolen smartphones and laptops. In conclusion, the Dark Web is full of scammers, and avoiding them is not so easy for novice users.

Figure 3 - Scam Skimmed Cards (Source Stoptorscam)

References

http://securityaffairs.co/wordpress/47569/deep-web/buying-weapons-dark-web.html

http://www.focus.de/kultur/kino_tv/tv-kolumne-beckmann-beckmann-will-kalaschnikow-im-darknet-kaufen-doch-das-experiment-geht-schief_id_5542330.html

https://motherboard.vice.com/read/scams-and-undercover-cops-are-denting-the-dark-web-gun-trade

https://web.archive.org/web/20160518092011/https:/sites.google.com/site/besamafiastories/home

https://www.deepdotweb.com/2015/07/07/agora-market-to-stop-listing-lethal-weapons/

https://stoptorscam.wordpress.com/

http://pirate.london/2016/02/assassination-scams-the-next-generation/

http://pirate.london/2016/03/reputable-assassination-service-outs-pirate-london-as-law-enforcement-operation/

http://motherboard.vice.com/read/the-dark-webs-biggest-market-is-going-to-stop-selling-guns

https://www.deepdotweb.com/2016/05/20/german-tv-show-gets-scammed-trying-buy-ak47-darknet/

https://motherboard.vice.com/read/this-fake-hitman-site-is-the-most-elaborate-twisted-dark-web-scam-yet

Pierluigi Paganini

Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, a member of the Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, and Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field; he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.