Over the past week, Vigilante has observed Deep and Dark Web (DDW) communities experiencing an increase in scams targeting DDW users, overwhelmed DDW moderators, and degraded performance on popular DDW forums and marketplaces. This behavior shows that even the DDW is subject to the same economic principles and pressures as those of us on the Clearnet (the regular Internet).

For example, the moderators of the popular Dark Web marketplace Empire are swamped because many of its users have fallen prey to phishing attacks and have been reaching out to them for help and remediation. We highlight one such case below, pulled from a post on Dread showing a message from an Empire moderator on 22 March:

“We apologize for the delay getting to this ticket, our support staff is working hard to catch up after a surge of tickets this past month. Many people are getting phished. For an overview of how phishing works, read the FAQ at dark.fail/pgp and learn to verify Bitcoin addresses and onion links before accessing them or sending funds. Once your account is phished, a hacker has your username, password, and PIN forever. All site functionality works normally through a fake URL, including support tickets, because these fake Empire phishing sites are very advanced. Here is an FAQ of the most common issues we are seeing this month. If your issue is not answered by the FAQ below, please re-open this ticket and be sure to mention any cryptocurrency addresses and TXIDs if applicable.

Q: I deposited and have not seen my balance increase.
A: We are very sorry to hear this. It is very likely that you were phished. Log into an official URL using Tor Browser. The only source of official URLs is https://dark.fail/. Once you have logged in, compare the Bitcoin deposit address on the official URL with the address you sent your funds to. If it matches it is likely that you double-deposited. If it does not match, you sent your money to a hacker running a fake Empire site and there is nothing we can do.

Q: I withdrew but never saw funds arrive.
A: This is another common phishing tactic. Look at your withdraw history, it is very likely that the phisher withdrew your funds to their Bitcoin address rather than to the address you intended. There is unfortunately nothing we can do to reverse a Bitcoin transaction.

Q: I see withdraws that I did not authorize.
A: Someone has your username, password, and PIN. There is nothing we can do to reverse a Bitcoin transaction. If you used a fake Empire phishing link even one time, ever, then the phisher was able to withdraw your funds.

Q: I was scammed.
A: Please open a dispute.

Q: Nobody has responded to my ticket or dispute.
A: We are working hard to respond to all tickets. Do not create multiple tickets, it slows us down. Reply to your existing ticket rather than creating a second. Disputes are also being worked on as fast as we can, we will get to your dispute soon.

We apologize again for the delays and are working long hours to get the ticket queue down to zero. Re-open this ticket if the FAQ above did not answer your questions. If you are asking about a cryptocurrency related issue, always tell us the Bitcoin/Litecoin/Monero address in question so that we can assist you. Thank you for choosing Empire.”

Additionally, some threat actors are compounding the pain caused by the shortage of access to legal and illegal substances, triggered by the economic slowdown, by scamming people who may have turned to DDW forums and marketplaces as an alternative to legal and legitimate Clearnet sources. Some actors are offering “bulk sales” of drugs in case deliveries become more infrequent or packages are inspected more often; others even claim that consuming their product will help protect against the COVID-19 virus.


(Source: Whitehouse Market)

Vigilante also highlights that not even high-profile ransomware groups are immune from being scammed. On 24 March, an individual behind the REvil/Sodinokibi ransomware group publications was scammed out of USD $170,000 by the official middleman of a large hacking forum.

(Source: Under the Breach 🦠 (@underthebreach), March 24, 2020)