As China has continued to pass cybersecurity laws that give greater control to the state, cybercrime has been inversely affected, because the companies that are usually targeted are being required to better secure personally identifiable information (PII). Nonetheless, PII data (of both Chinese nationals and international entities) is still being widely compromised and sold on dark web marketplaces, special-access forums, and Telegram channels. Furthermore, new laws banning cryptocurrency trading, the tightening of banking regulations, and a renewed crackdown on telecommunications (telecom) and online fraud continue to make it tougher for cybercriminals to operate in China. As a result, cybercriminals have moved their operations abroad and devised novel ways to weaponize PII data to perpetrate fraudulent activities.
Cybercrime update: Big trouble in dark markets
We analyzed new Chinese-language dark web marketplaces that have emerged in the past year as well as popular Chinese-language Telegram channels devoted to cybercrime. We surveyed Chinese- and Taiwanese-related PII and access offerings on English- and Russian-language special-access forums and analyzed how they could provide initial access to ransomware threat actors. We also examined some unique scams in the Chinese cybercrime landscape and how they could be traced back to aforementioned dark web marketplace offerings. Finally, we provided some analysis on how geopolitical tension between China and Taiwan might shape cross-strait cyber conflicts in the coming years.
Our previous reporting on the Chinese cybercrime landscape covered the Chinese-language dark web markets, clearnet hacking forums and blogs, and messaging platforms. We analyzed the features of these sources and the tactics, techniques, and procedures (TTPs) of Chinese-speaking threat actors within the context of their distinct cultural, political, and legal characteristics. In our reporting on Chinese cybercrime in neighboring countries, we uncovered the trend of well-resourced Chinese cybercrime syndicates moving their operations abroad, especially to Southeast Asian countries where the laws are more relaxed, which has enabled them to perpetuate fraud (such as online romance scams using the CryptoRom malware) on a global scale. As China marches toward a digital economy and enacts new laws and regulations to tighten data security and crack down on telecom fraud and cybercrimes, the environment becomes increasingly challenging for cybercriminals. However, new socioeconomic and technological developments present opportunities for cybercriminals who are constantly updating their TTPs to survive and thrive in the new landscape.
All Chinese-language dark web markets operate on cryptocurrency such as Bitcoin, Tether, and Ethereum. As detailed later in the dark web marketplace section, while we observed a number of such marketplaces going offline, new ones emerged to take their place. As a result of both government crackdowns in China and the issuance of the digital yuan, cryptocurrency trading will be pushed further into the underground and increasingly conducted on dark web marketplaces.
While we did not identify any postings on cybercriminal markets that directly mention this database, advertisements for car-owner information are often found on Chinese-language dark web marketplaces. For example, we found this posting of detailed information about General Motors car owners in China. We cannot ascertain if the data offered here came from the exposed database mentioned above, as it is a common practice for Chinese threat actors to parse large leaked databases into smaller sizes based on certain attributes in order to monetize them more easily.
Since our last report on the Chinese cybercrime landscape in 2021, there have been noticeable changes in the makeup of dark web marketplaces. Several of the marketplaces have gone offline, including Loulan City Market, Tea Horse Road Market, Ali Marketplace, and Dark Web Exchange. However, some of the accompanying Telegram channels for these marketplaces continue to operate. There could be a number of reasons for these dark web marketplaces going offline, which include but are not limited to law enforcement actions, exit scams, and internal disagreement between threat actors.
Hydra Market (Hydra), one of the world's largest and longest-running darknet markets, was seized by the Justice Department in April 2022 [*]. Since 2015, Hydra has received approximately $5.2 billion in cryptocurrency, accounting for 80% of all darknet market transactions in 2021.
In our dark web research report, Seize and Desist: The State of Cybercrime in the Post-AlphaBay and Hansa Age, we explored the impact of these dark web marketplace seizures. While a large chunk of cybercrime (especially Russian-speaking) was largely undisrupted, a breach of trust occurred in dark web criminal trade. This breach of trust caused criminals to consider new ways for generating trust in the underground.
While dark web markets, such as Tochka and Empire, certainly still exist, no market has yet risen to the prominence of Silk Road, AlphaBay, or Hansa. New criminal marketplaces continue to crop up, but they struggle to grow or decide to tread lightly with the growing fears of law enforcement disruptions and takedowns. To grow, these criminal marketplaces need a solid reputation, financing to scale, security to maintain current users, and trust to gain more traction.
There are some interesting candidates, however. Market.ms Marketplace, run by the former administrator of the prestigious Exploit[.]in hacking forum, who coincidentally now leads the emerging XSS forum (formerly Damagelab), is an up-and-comer in the dark web market. Focused purely on cybercrime, MarketMS is near peerless.
Gift card fraud is another common activity conducted by online fraudsters. Over the past six months, there have been thousands of gift cards traded across criminal forums, dark web markets, dark web pages, IRC, and Telegram.
The potential role of the dark web in facilitating trade in firearms, ammunition and explosives has gained increased public attention following recent terrorist attacks in Europe. However, the hidden and obscure parts of the web are used also by criminals and other types of individuals to procure or sell a wide range of weapons and associated products through cryptomarkets and vendor shops.
The overall aim of the study was to estimate the size and scope of the trade in firearms and related products on cryptomarkets, including the number of dark web markets listing firearms and related products and services for sale, and the range and type of firearms and related products advertised and sold on cryptomarkets.
Moreover, many cybercrime marketplaces operate alongside hacking forums. Sellers advertise their products on these forums along with a description of the product features, price details, payment methods, terms of services, and contact information of the seller. For the latter, sellers and buyers tend to use other encrypted communication media such as private messaging apps or direct messaging features included in the forum [14]. Dark Web marketplaces play a significant role in providing hacking-related items. From the existence of markets for hackers, one can infer that the focus of such business on the Dark Web is financial gains, which are sometimes monopolized by the professional minority that dominates the market [20].
German police have seized servers powering the infamous darknet marketplace Hydra and confiscated the equivalent of $25 million in bitcoin as part of a US-led crackdown on cybercrime and money laundering.
Cryptocurrency-based ransomware introduced: Outside of dark net markets, malware developers sought to acquire cryptocurrencies. Prior to 2013 the primary method to maliciously acquire coin was through mining. Less effective methods included scams, such as TOR-clone sites, fake markets, or Trojans designed to steal private keys to wallets. By late 2013 malware developers and botnet owners sold their malware at a premium by including mining software alongside the usual items such as credit cards and password scrapers. However, at a cost of around $250 per coin, Bitcoin miners did not immediately see higher profits than they could manage with focused scraper malware. Criminals needed more reliable ways of acquiring coins.
Cybersex trafficking is the transportation of victims and then the live streaming of coerced sexual acts or rape on webcam.[23][24][25][26] Victims are abducted, threatened, or deceived and transferred to "cybersex dens".[27][28][29] The dens can be in any location where the cybersex traffickers have a computer, tablet, or phone with an internet connection.[25] Perpetrators use social media networks, videoconferences, dating pages, online chat rooms, apps, dark web sites,[30] and other platforms.[31] They use online payment systems[30][32][33] and cryptocurrencies to hide their identities.[34] Millions of reports of its occurrence are sent to authorities annually.[35] New legislation and police procedures are needed to combat this type of cybercrime.[36]
Darknet markets are used to buy and sell recreational drugs online. Some drug traffickers use encrypted messaging tools to communicate with drug mules or potential customers. The dark web site Silk Road was the first major online marketplace for drugs, starting operation in 2011. It was permanently shut down in 2014 by the FBI and Europol. After Silk Road 2.0 went down, Silk Road 3 Reloaded emerged. However, it was just an older marketplace named Diabolus Market that used the name for more exposure from the brand's previous success.[53]
Darknet markets have had a rise in traffic in recent years for many reasons, one of the biggest contributors being the anonymity offered in purchases, and often a seller-review system.[54] There are many ways in which darknet markets can financially drain individuals. Vendors and customers alike go to great lengths to keep their identities a secret while online. Commonly used tools are virtual private networks, Tails, and the Tor Browser to help hide their online presence. Darknet markets entice customers by making them feel comfortable. People can easily gain access to a Tor browser with DuckDuckGo browser that allows a user to explore much deeper than other browsers such as Google Chrome. However, actually gaining access to an illicit market is not as simple as typing it into a search engine like one would with Google. Darknet markets have special links that change frequently, ending in .onion as opposed to the typical .com, .net, and .org domain extensions. To add to privacy, the most prevalent currency on these markets is Bitcoin. Bitcoin allows transactions to be anonymous, with the only information available to the public being the record that a transaction occurred between two parties.[55]