Darknet Markets Using Custom Android Apps for Fulfillment
M-Club Used by at Least 7 Drug-Focused Russian-Language Markets, Researchers Report
E-commerce markets offering illicit substances, digital contraband, fraudster tools and other criminal wares continue to thrive.
Many buyers and sellers of such goods and services rely on darknet markets. But no market lives forever, and whenever a major player gets disrupted, users scatter. Some flock to rival services, others start up new options, and underground chatter intensifies over how to better camouflage activities using encrypted chat apps or services (see: Why Darknet Markets Persist).
To better safeguard administrators and users from law enforcement, multiple drug-focused darknet markets last year began testing new strategies: only displaying items for sale to pre-vetted members and providing them with Android apps built using the M-Club engine.
Over the past year, cybersecurity firm Resecurity reports it has seen multiple "underground drug shops" pursue these strategies. So far it has counted seven drug shops using that engine; they may all be working with the same developer.
M-Club was developed "specifically for drug traffickers and is currently marketed on major underground communities," Resecurity reports. "Some of these mobile apps have been recently observed by our experts on seized mobile devices by law enforcement - they belong to several suspects involved in drug trafficking and other illegal operations."
Discussion of M-Club started to appear in cybercrime forum chats by last April, according to underground chatter tracked by threat intelligence firm Kela. As of last week, an advertisement was running on Russian-language forum Legalize, devoted to so-called research chemicals, aka RC. It touts the M-Club's "24/7 user support" and ability to calculate salaries for couriers - aka drug mules - as well as its "multifunctional Telegram bot" designed to improve the customer experience.
The apps are built to support the Russian-language market. "The mobile apps provide the ability to transfer details about successful drug orders, and they can also send geographical coordinates of the 'package' left by the courier for further pick-up," which often gets sent not as text but rather an image, together with any pertinent notes, such as how far below ground the package might be buried, Resecurity reports.
Unlike their Western counterparts, Russian-language darknet markets often fulfill orders not by using international or domestic postal or courier services, but instead by leaving the goods in a predetermined dead drop location, reports blockchain intelligence firm TRM Labs.
Unlike many Western offerings, many Russian-language darknet markets accept only bitcoin and, rarely, monero. They also don't shy away from striving toward local domination, which Western darknet market operators avoid "due to the resulting pressure, attention and risk of law enforcement action that such dominance could bring," TRM Labs says.
Russian Scene Remains Fragmented
Use of the Android apps comes at a time when the wider Russian-language darknet market scene remains fragmented. The dominant player was formerly Hydra market, founded in 2015 as a merger of Russian-language narco forums WayAWay and LegalRC, according to threat intelligence firm Flashpoint. The Russia-based service accounted for 80% of all darknet market activity and generated $1 billion in revenue annually, TRM Labs says.
"Hydra not only facilitated drug sales, but also offered money laundering services to cybercriminals, including ransomware attackers," says blockchain intelligence firm Chainalysis.
A confidential source tells Resecurity: "Hydra created an ecosystem. Everything you needed could be found there." But after Hydra went dark last April due to an international law enforcement operation led by German police, the source said there's now "an oversupply of goods."
As Flashpoint reported last August: "Hydra's demise predictably resulted in seismic shifts in the Russian-language underground." Rival RuTor surged in popularity, backed by marketplace OMGOMG - aka OMG!OMG! - with a pro-Ukrainian slant, while a pro-Russia faction began coalescing last May around Kraken, backed by WayAWay. Proponents promise Kraken will serve as a drugs-only marketplace that will become Hydra's replacement, Flashpoint said.
TRM Labs reports that these four Russian-language offerings now account for 80% of all darknet market revenue: Blacksprut, Mega Darknet, OMGOMG and Solaris.
Kraken has yet to launch. But once unleashed, security experts say widespread backing and user demand for the service could help deliver on its darknet market monopoly ambitions.