Darknet vendors who rely on the marketplaces to sell drugs and other goods have begun adding alternative contact methods besides email to their vendor profiles. This is likely due to the cloud that hangs over every centralized marketplace: the risk of a market exit scam.
The alternative communication options normally include an encrypted chat app available on a cell phone, one such as Wickr.
While this might be more convenient than the rather cumbersome PGP encryption standard through email or pushing a PGP messages through the marketplace’s internal messaging system, there may be new risks in this form of contact: the necessity to “trust” more devices and software, and ultimately placing more trust in the vendor themselves.
What These Apps Actually Do
End-to-end chat programs essentially assign a phone number or an account with a “PGP style” public and private key.
These keys are used to seamlessly pass messages back and forth without having to manually encrypt each of the messages yourself.
This might be seen as minor convenience, and anyone making any purchases on a marketplace should take a step back to consider the implications of their actions.
The information they’re sending is basically passing through a honey pot server for law enforcement.
Every darknet marketplace should be considered a major honey pot for law enforcement. Last year, Dutch law enforcement officers obtained physical access to Hansa Market’s servers—they then ran the marketplace for a short window before officially shutting it down, attempting to collect valuable evidence on high-value suspects.
The reality is that these apps themselves are quite good. They are generally open-source and employ high standards of encryption. A risk may enter into it in the form of the device the application is on. Android phones are notoriously unsecure. And a malicious attacker might be able to gain control over the whole handset, including the messaging application.
The Age-Old Trade-Off
Security vs convenience. It’s the never-ending battle, each side with merits, each side with issues. And it’s impossible to have both perfectly.
That’s where risk assessment and threat modelling enter the picture. If you’re a vendor of a dark web marketplace, you are at a significantly higher risk than one of your customers.
You likely have much higher standards for security, because you would hold more goods in your possession.
Yet, by adding an alternative contact method, it can be a way of protecting yourself further.
So long as the app like Wickr is on a separate burner cell phone (which, if you’re a vendor, it probably is) then it can actually be seen as a safer method of contact. This is because it’s data being sent through a second “service,” away from the uncertified onion site that is the darknet market.
Now take it from the buyer’s perspective. As a purchaser, you’ll likely want to keep everything within the confines of the marketplace, to keep things simple.
You probably have less operational security than a vendor, since you’re at significantly lower risk (unless you’re purchasing significant items or quantities).
What’s the Big Deal? Does It Matter?
It’s difficult to say. These apps are now on vendor profiles because of the bigger problems that the dark web marketplaces, and the users, have as yet failed to address.
Multisig wallets should be the absolute norm for all marketplace purchases, but they simply aren’t. There shouldn’t be an alternative, because there isn’t a better alternative yet.
Why isn’t this the standard and required form of payment? Perhaps because the marketplaces want the option to “exit scam” if the heat gets too close and they need to close up shop.
Operating a darknet market can get you into a ton of trouble, with a ton of unsavory people. Think back to last year, when the Canadian co-founder of AlphaBay was found dead in a Thai prison. You’d be a piece of a supply chain that contains a decent bit of illicit goods and services: dangers are incredibly real.
With a multisig wallet created for the sole purpose of the transaction, a backup communication channel should be utilized. It’s all about fail-safes and backups. It’s about preparing for “the end,” for the dreaded yet insanely common “exit scam.”
Enter the third-party communication app. Having this will certainly allow you to contact the vendor, should something happen. But this communication is outside of the scope of the marketplace.
Forget a moderator getting involved if something goes wrong. You need to place a huge amount of trust in a vendor if you have an issue and need to get a refund or need the product resent.
But, arguably, you need to place this trust in the vendor regardless, in every purchase.
Is This Trend a Good Thing?
The additional means of communication between buyer and vendor is an overall positive step. It provides a fail-safe, albeit one that relies on significant trust between all parties.
Regardless, this is like a Band-Aid stuck on a gunshot. It simply isn’t enough to raise the standards of operation on the darknet markets.
It’s something we’ve seen over and over again, but it rings true—the markets desperately need full adoption of multisig support for every single transaction.
All users once had no idea how PGP worked. Then they had no idea how Whonix or Tails worked.
And now another hurdle, seemingly, for the significant userbase, is for the full use of multisig support. The additional channel for communication, overall, is positive, regardless of the device concerns.
The problem is that it is the rabbit being pulled out of a hat, while the “left” hand continues to watch what is in a darknet market escrow.
Latest posts by Con (see all)
- Latest News on Cryptocurrencies of the Dark Web - July 3, 2018
- Essay: A Brief History of Kim Dotcom, the Internet’s Architect of Revolution - June 26, 2018
- Op-Ed: Going Dark—Encryption and the Dark Web - June 22, 2018