Threat Intelligence

Intellectual Property Crimes in the Dark Web

Pierluigi Paganini
December 12, 2017 by
Pierluigi Paganini

An Intellectual Property (IP) crime is committed every time someone uses an intellectual property right without the owner's authorization. According to the Europol, counterfeiting and piracy are the main categories of IP crimes.

Organized Crime Groups (OCGs) are increasingly involved in the violation of IPR and darknets play a vital role in the criminal ecosystem.

Hands-on threat intel training

Hands-on threat intel training

Learn how to collect, analyze and act on cyber threat intelligence with expert instruction and hands-on exercises in Infosec Skills.

Intellectual property crimes pose a serious threat to the consumer health and safety. Let's think about the health dangers associated with counterfeit food or pharmaceutical products, substandard clothing, and dangerous toys. IP crime could also affect the environment; counterfeit chemical substances often contain prohibited, polluting and toxic substances.

IP crimes, of course, have a dramatic impact also on the revenues of the affected businesses.

The illicit goods and services are increasingly advertised and sold online, and the darknets offer a privileged environment to trade a wide range of illicit commodities (i.e., Drugs, firearms, malware, Child Sexual Exploitation Material (CSEM), counterfeit currency, and goods infringing IPR).

The most common products infringing Intellectual Property Rights available on the darknets are:

  • Clothes, textiles, and accessories (e.g., sunglasses, belts, bags, pens);
  • Electronics including mobile phones;
  • Jewelry;
  • Pirated software (e.g., Adobe Photoshop, Microsoft Office Suites, games, various antivirus software);
  • Pirated e-books;
  • Pharmaceutical products (especially lifestyle medicines, steroids, and hormones);
  • Subscriptions to TV channels, music platforms, online game accounts;
  • Watches

Officials from Europol believe the growing online trade, including in IPR infringing products, is closely related to the increasing use of parcel and postal services to import and distribute such goods.

High-frequency and low-volume traffic characterize intellectual property crimes.

Experts, trying to link the source of IPR infringing material to specific regions, reported that China is known for counterfeit clothes while India, US, UK, or Canada for counterfeit medicines or steroids.

Most of the IPR infringing products are shipped from Hong Kong, followed by Germany, Netherlands, Poland or Ukraine.

The average delivery time advertised by vendors on the principal black marketplaces was 4-9 work days.

"Criminal vendors sometimes even offered discounts for the next purchase or an extra free shipment should the parcel be lost or seized by the law enforcement authorities. No reimbursements were offered for deliveries to specific countries, suggesting higher risks of seizures," states the report.

Figure 1 - Dark Web (Europol)

In June and July 2017, two of the most significant Darknet markets, AlphaBay and Hansa, were shut down by an international operation, led by the FBI and the US DEA and the Dutch National Police, with the support of Europol other partners.

"Prior to its takedown, AlphaBay, the largest market, reached over 200 000 users and 40 000 vendors. There were over 250 000 listings for illegal drugs and toxic chemicals, and over 100 000 listings for stolen and fraudulent identification documents (IDs), counterfeit goods, malware and other computer hacking tools, firearms, and fraudulent services."

Experts estimated that since its creation in 2014, transactions concluded in the AlphaBay market netted USD 1 billion.

IPR infringing products sold on the Darknet are not grouped into specific categories. Usually, the operators place them under generic categories together with genuine goods. According to the report published by the Europol, counterfeit products alone are estimated to account for between 1.5% and 2.5% of listings on Darknet markets.

The most commonly listed counterfeit products available on the black marketplaces are counterfeit banknotes and fake IDs.

"The majority of counterfeit and pirated products continue to be sold on the surface web, on major, widely available and trusted platforms, or by online pharmacies. The sellers present them as, or mix with, genuine products, aiming to reach out to a large number of potential customers," continues the Europol.

Vendors involved in Intellectual property crimes are mainly lone offenders, trading in small amounts, and members of Organized Crime Groups.

Vendors tend to maximize their advertising profits on multiple Black marketplaces and on the surface web, typically their activity is vertical and focused on a single category of counterfeit goods (i.e., pharmaceutical products or counterfeit luxury goods).

Which are the overall profits stemming from the trade in IPR infringing material?

It is difficult to provide an answer due to the large number of vendors offering different odds on multiple channels. The price for counterfeit goods is typically 1/3 lower than for the original products; the cost reduction can reach about 1/6 of the price charged for the original product when dealing with pirated software or e-books.

A report published by the Europol cited the case of a lone identified vendor that sold large amounts of (possibly counterfeit) Xanax, earning roughly EUR 152 000.

"Some criminal vendors on Darknet markets were reported to have sold on average between 500-1,500 products since they joined the market, with top vendors reaching over 6,000 sales," continues the report. "Payment is prevailingly done by bitcoin, but other cryptocurrencies are also used."

What will happen in the near future?

Experts have no doubts; intellectual property crimes will continue to increase, and darknet black markets will continue to be attractive to both criminal vendors and buyers.

Another factor to consider is the contrast of law enforcement against this specific kind of crimes, that may force crooks to hide their activities in the Darknet.

"In addition, certain measures taken on the surface web against the IP crime, such as frequent monitoring of online marketplaces, may prompt criminals to move the trade into the Darknet.  Future trade on the Darknet may increasingly migrate from large marketplaces into new, often smaller ones," concludes the report.

"Illicit goods, including counterfeit goods, will continue to be distributed via parcel and postal services; however, the concealment and shipment methods may become more sophisticated to increase anonymity and avoid detections."

A rapid tour in a black marketplace

Let's start with the most popular black marketplaces, Dream Market that has been active since around Nov/Dec 2013. The marketplace is available on the Tor network at the following onion address:

http://tmskhzavkycdupbr.onion/

Like many other similar markets, it implements a rating mechanism based on feedback and offer the escrow service.

Searching for categories related to IP crimes, it is possible to notice that the category "Other" includes the subfolder titled "Counterfeits."

Under this category, we can find any kind of counterfeit product, including counterfeit currency, clothes, and luxury watches.

Figure 2 - Dream Market Counterfeit products

Exploring the product categories available on the Dream Market we can also find pharmaceutical products (i.e., Viagra, Cialis) for which there is no information about their origin and anabolic medicines.

Figure 3 - Pharmaceutical products (Dream Market marketplace)

Figure 4 -Anabolic Drugs (Dream Market)

Black markets are the right places where to find also Electronics such as a mobile device (i.e., iPhone) or pirated software (e.g., Adobe Photoshop)

Figure 5 - Mobile phones and Pirated software (Dream Market)

Digging the black marketplace, it is also possible to buy a subscription to TV channels and music such as Netflix or Spotify.

Figure 7 - Netflix and Spotify accounts

The Response of law enforcement - Op In Our Sites

Law enforcement worldwide are always involved in the fight against criminal organizations specialized in the sale of counterfeit products.

In November 2017, a joint operation conducted by Europol and other law enforcement agencies resulted in the seizure of more than 20,520 domains for selling counterfeit products.

The operation, dubbed "In Our Sites (Project TransAtlantic VIII)," allowed to seize domains that were offering for sale any counterfeit product, including luxury products, sportswear, electronics, pharmaceuticals and online piracy on e-commerce platforms and social networks.

This is the eighth edition of this global operation against online counterfeiting and IP crimes.

Figure 6 - Seized Domain

The "In Our Sites (Project TransAtlantic VIII)" operation was conducted by the Europol in association with the Interpol, the US National Intellectual Property Rights Coordination Centre (NIPRCC), FBI, Department of Justice (DOJ), and law enforcement authorities from 27 European Member States.

According to the International Trademark Association, around $460 billion worth of counterfeit goods were bought and sold in 2016.

"Targeting copyright-infringing websites that market dangerous counterfeit goods to consumers and engage in other forms of intellectual property theft will continue to be a priority for law enforcement," said acting IPR Center Director Nick.

"Strengthening our collaboration with police authorities around the world and leaders of industry will reinforce the crackdown on IP crimes, and demonstrate that there is no safe haven for criminals committing these illicit activities."

Europol has not disclosed the list of seized domains that now display the official seals from the law enforcement agencies that participated in the operation.

Below the message presented by the visitors:

"This domain name has been seized.

Operation in Our Sites-Project TransAtlantic VIII is a coordinated effort by the U.S., European, South American and Asian law enforcement agencies targeting websites and their operations that sell counterfeit goods.

"This excellent result shows how important and effective cooperation between law enforcement authorities and private-sector partners is, and how vital it is if we are to ultimately make the internet a safer place for consumers. Through its Intellectual Property Crime Coordinated Coalition (IPC³), Europol will continue to work closely with its partners to strengthen the fight against intellectual property crime online and offline,'' said Rob Wainwright, Executive Director of Europol.

According to data published by the Europol, the agency has seized a total of 7,776 websites in previous "In Our Sites" (IOS) editions.

"A total of 7776 websites have been seized in the previous editions. This year's operation IOS VIII has seen a remarkable increase of up to 20 520 seized domain names that were illegally selling counterfeit merchandise online to consumers,reads the press release issued by Europol. "This can be explained by the holistic approach which Europol followed with the aim of making the internet a safer place for consumers, by getting, even more, countries and private-sector partners to participate in this operation and provide referrals."

References

https://www.europol.europa.eu/publications-documents/intellectual-property-crime-darknet

http://securityaffairs.co/wordpress/40933/cyber-crime/dark-web-cybercrime.html

http://securityaffairs.co/wordpress/35888/cyber-crime/fake-nypd-badges-dark-web.html

Hands-on threat intel training

Hands-on threat intel training

Learn how to collect, analyze and act on cyber threat intelligence with expert instruction and hands-on exercises in Infosec Skills.

http://securityaffairs.co/wordpress/66074/cyber-crime/europol.html

Pierluigi Paganini
Pierluigi Paganini

Pierluigi is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, member of Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.