By Urszula McCormack and Jack Nelson King & Wood Mallesons’ Hong Kong office.
Recently, two major online marketplaces dealing in drugs, stolen goods and weapons were shut down through the combined efforts of international law enforcement agencies.
What happened?
On 20 July, the trap was revealed. The FBI and the Dutch police announced that they had respectively seized AlphaBay and Hansa.
That same day, the FBI unsealed an indictment naming Alexandre Cazes as AlphaBay’s alleged founder. Cazes, a Canadian, had been arrested in early July by the Royal Thai Police. Cazes was subsequently found dead in his cell in Bangkok – an apparent suicide.
In a news conference announcing the seizures, the U.S. Attorney-General said:
“Make no mistake, the forces of law and justice face a new challenge from the criminals and transnational criminal organizations who think they can commit their crimes with impunity using the dark net. The dark net is no place to hide.” (our emphasis)
What is the dark net?
What are dark net marketplaces, and how do they work?
Many dark net marketplaces also include dispute resolution services, and allow users to review products and sellers. The real difference between dark net marketplaces and sites like eBay or Amazon is that the products found on dark net marketplaces are almost exclusively illegal. The other key difference, of course, is that they operate on the dark net.
The AlphaBay indictment continues:
“AlphaBay’s homepage allowed users to browse categories of illegal goods, with categories including: fraud, drugs and chemicals, counterfeit items, weapons … stolen credit card numbers … and malware.” (our emphasis)
One of the most infamous dark net marketplace was known as the “Silk Road”, which was seized by the FBI in 2013. At the time of seizure, Silk Road had approximately 14,000 items listed for sale. By contrast, AlphaBay had over 350,000 listings – and a far larger number of buyers and sellers.
1. Finding and accessing a dark net marketplace
You cannot simply enter a web address to access a dark net marketplace. Nor can you find dark net marketplaces using a conventional search engine. Rather, they are only accessible through “overlay networks”. In contrast to the networks we use on a daily basis (referred to as the “clear net”), these overlay networks are designed to obscure the locations and identities of users, and other data that travels across such networks (hence the term “dark net”).
AlphaBay and Hansa were only available to users of one such overlay network: the “Tor” network.
The Tor network consists of over 7,000 nodes that relay encrypted internet traffic between and amongst themselves. A Tor-enabled client computer will pick a random path through the Tor network to the destination server.
Dark net marketplaces thrive on anonymity – but how can money be transferred between unknown buyers and vendor anonymously? After all, bank account numbers are ultimately traceable back to the person or entity that opened the account.
Enter cryptocurrency. Because cryptocurrencies are transferred peer-to-peer, users can avoid using regulated financial institutions. By relying on pseudonymous cryptocurrencies such as Bitcoin for payments and commissions, buyers, sellers and operators can enjoy a degree of anonymity – especially if they use decentralised coin mixers to make tracing even more difficult (if not impossible in practice). Dark net marketplaces overwhelmingly require buyers and sellers to transact using cryptocurrencies, and receive their commissions in cryptocurrencies. This enables digital commerce to take place outside of the traditional financial system.
In the example chart below, dark net marketplace buyers and sellers use Bitcoin (“BTC”) and an escrow arrangement operated by the dark net marketplace (“DNM”) operator to transact.
Digital items and services are often delivered and coordinated using a dark net marketplace (or other Tor-based) messaging service, or one-time email accounts, greatly lowering the chances of detection.
What (and whose) law applies?
Similarly, in Australia Part 10.6 of the Criminal Code (Commonwealth) addresses the dishonest use of carriage services, as well as the use of telecommunications networks with intention to commit an offence.
Those involved in dark net marketplaces could also face charges related to criminal enterprises, money laundering, drug trafficking, weapons dealing and child pornography, as well as aiding and abetting such activity. Cazes, for example, was charged with 16 different offences, relating to racketeering, drug trafficking, identity theft, counterfeiting, credit card fraud and money laundering.
Avoiding the dark economy and mitigating risk – how?
The diagram above shows how financial institutions and internet service providers face a broad risk of becoming involved in dark net marketplace transactions. They can potentially become involved at multiple points in these transactions.
Financial institutions will often be used as the conduit by which fiat currency is transferred to cryptocurrency exchanges by both buyers and sellers. The initial purchases by sellers of the items sold on a dark net marketplace (for example, purchases of prescriptions medication from a pharmacy) may also be conducted in fiat currencies.
Internet service providers (“ISPs”) handle all of the data traffic on dark net marketplaces, and may also offer hosting and domain name services that facilitate these marketplaces.
Cryptocurrency exchanges also face a particular risk, typically being one step closer than financial institutions to transactions. In some jurisdictions, cryptocurrency exchanges also operate in a legal “grey” zone, and may be targeted by authorities not only in respect of dark net marketplace transactions, but for money laundering and taxation issues.
For example, just this week, a United States jury indicted a digital currency exchange operator and alleged criminal “mastermind”, alleging that he had use it to launder more than USD4 billion for persons allegedly involved in various forms of criminal activity, including hacking and drug trafficking.
It is easy to conflate the “bad apples” with all cryptocurrency exchanges. However, many exchanges are legitimate businesses with strong controls. This is important for financial institutions in particular to recognise, so as to avoid inappropriate de-risking.
Courier, postal and logistics companies should be aware that they may be carrying illegal items in everything from small letters to large packages. For example, a fraudulent driver’s license being sent via the postal system is virtually impossible to detect.
All businesses with potential exposure need to carefully assess their risks, and consider how to handle information requests and investigations from law enforcement (both at home and abroad).
2. Think about risk-based controls
To start with, all businesses should consider barring access to the Tor network from their computers, unless there is a genuine business need for such access. There are numerous other known dark networks – the same applies.
While keeping within relevant data privacy and protection laws, ISPs should monitor the amount of Tor/other dark network traffic that they handle. Exponential or rapid growth in Tor traffic may indicate the existence of a dark net marketplace. Steps should be taken to avoid the ISP becoming embroiled in the inevitable takedown.
On the other hand, financial institutions can rely on the current anti-money laundering / counter-terrorist financing (“AML/CTF”) controls that they have in place. They should, however, consider whether their risk assessment models adequately address risks relating to dark net marketplaces.
As cryptocurrency exchanges are particularly at risk of becoming involved in dark net marketplace transactions, they should adopt AML/CTF controls and be vigilant in identifying transactions that are associated with known dark net marketplaces, and preventing the misuse of their services wherever possible.
For postal and logistics companies, as well as underlying goods and services providers, the controls are trickier and must be tailored to the risks.
Generally, if your business operates or facilitates internet activities, you should:
- assess your risk exposure to internet crime;
- understand your obligations – including from an internet crime and AML/CTF standpoint, but also in relation to surveillance and data privacy laws; and
- develop effective controls that are commensurate with those risks.
Last word
Information in this article is based on public information. We strongly recommend obtaining appropriate professional advice before implementing any controls. Note that the authors only practice Hong Kong, Australian and English law.