The Evolution of Cryptocurrency Crime in the Darknet

London, 12th October – The darknet is that hidden niche stretched through the deep web, accessible only through p2p communication encryption protocols such as The Onion Router or ‘Tor’. A common phrase said about the darknet in relation to the ‘surface’ internet is that when viewing the surface, one is really just looking at the tip of the iceberg.

Many accessing the darknet may have good reason to seek anonymity such as whistleblowers, activists and journalists. But within the darknet are also housed domains purpose-built for illicit activity, such as ‘marketplaces’.

Darknet marketplaces (DNMs) are simply online black markets which were made famous by the Silk Road, the first DNM to gain popularity. The Silk Road was shut down just over 7 years ago by the FBI, thereby starting a war between the law and DNM providers. 

Sold on these platforms are criminal services, espionage, illegal collectibles or animals, human trafficking, credit card numbers, drugs, guns, counterfeit money, stolen goods, password lists, cybercrime software, cracked credentials, and any other disreputable, lethal and illegal item one could imagine.

Due to the heightened risks involved in this trade, darknet markets tend to have relatively short life cycles.

No AML/KYC, Naturally

Being the darknet, there are naturally no AML or KYC policies implemented. It is, after all, the darknet. 

This leaves the space open to ‘exploration’. For instance, there are mirror sites where one wrong character sends a visitor to a replica site that is a scam, administrators of markets running off with funds (so-called exit scams), the natural danger that comes from transacting with cybercriminals and a plethora of further risks. It is not wise to make one wrong keystroke here.

‘Exit scams’ are the most detrimental risk to the life cycle of a DNM after that of law enforcement infiltration. This is where administrators of the darknet markets withdraw all funds from the exchange’s escrow accounts and ‘exit’. And with the average darknet transaction being $1,123, according to Coinfirm’s data, proceeds can add up quickly.

The biggest exit scam is recent. Empire, a previously large DNM which had captured a significant segment of online illicit trade, exit scammed on the 22nd of August 2020 with $30 million taken from patrons. Users and vendors typically keep money in ‘escrow’ similar to legal marketplaces to enable site administrators to settle disputes, which places them in a position of power over funds on the DNM. 

As the darknet has matured, divergences have also occurred. 

There are now ‘auto shops’ as well as ‘marketplaces’. The difference in the illicit material being bought and sold is that ‘auto shops’ are where users go to purchase or sell malware en masse, whilst ‘markets’ are where patrons go to transact with drug and gun sellers. Software and hardware.

Nefarious actors are able to purchase trojan horses and other scam-related technology from auto shops for as little as $50, which may seem small, but the estimated annual revenue generated by criminals deploying cybercrime in 2019 was $1.5 trillion.

Unfortunately for blockchain fanatics, Bitcoin is blamed for facilitating the sale of illicit material owing to its quasi-anonymity factor. Almost all transactions on the darknet are conducted through cryptocurrency. 

But it would be wrong to blame the majority. As ever, a handful of bad apples spoils the pie.

According to data compiled by Coinfirm, a total of just 1.2% of Bitcoin wallets are associated with darknet markets. This figure shows that the view that cryptocurrency’s main use is purchasing drugs and guns off the darknet is a fallacy.

But taken in conjunction with the percentage of crypto exchanges that have received funds from darknet markets, more than a third (35%), it is clear that although the DNM-associated wallets are in the very small minority – they are particularly active wallets.

Exchanges should be able to prevent those wallets connected to DNMs from accessing their platforms if using the right technology.

Coinfirm’s industry-leading AML Platform encompasses 270+ risk indicators including those that are able to associate transactions related to darknet illicit goods points-of-exchange. The firm has a department dedicated to monitoring darknet flows from more than 1,500 cryptocurrencies and protocols.

Privacy Protocols Evolve

Whilst Bitcoin is still the most used cryptocurrency in the darknet, Monero has been gaining more traction due to its in-built privacy protocol. This is clearly a cause of concern for regulators as the IRS recently offered a bounty for ‘cracking’ the Monero code.

The IRS were not the only ones to voice a concern. Europol’s 2020 Internet Organised Crime Threat Assessment (IOCTA) report named ‘CoinJoin’ wallets (those with innate mixing/tumbler abilities such as Wasabi and Samourai) as being top threats to law enforcement efforts as more DNMs integrate with them for their heightened anonymisation techniques.

Alongside CoinJoin wallets, Europol pinpointed privacy coins, certain decentralized marketplaces and cryptocurrency mixers as additional hurdles.

The Europol report noted that “Samourai, for example, offers remote wipe SMS commands when under distress. These wallets do not necessarily remove the link between the origin and destination of the funds but certainly make cryptocurrency tracing much more challenging.”

As well as the update on wallet encryption technology, the RegTech market has watched as the evolution of privacy coin technology has also taken off.

“The anonymity of Monero has evolved to a large extent in the recent few years,” noted the authors of a Carnegie Mellon University report entitled ‘Alt-Coin Traceability’. “Compared to the version three years ago, current Monero transactions can be conducted with superior anonymity with the introduction of new techniques like RingCT.”

RingCT was a change to the Monero protocol which enabled users to obfuscate the amount of Monero (XMR) in a given transaction. By utilizing privacy coins with privacy-centric wallets whilst running VPNs – criminals believe that there are sufficient layers of anonymity between themselves and the sale of stolen credit card details to evade law enforcement agencies.

Crackdowns on Criminals

But while vendors may feel as though they are safely hidden, their digital fingerprints can be traced.

The US DOJ and the Joint Criminal Opioid and Darknet Enforcement team recently joined Europol for ‘Operation DisrupTor’, apprehending 179 individuals across 7 countries and seizing $6.5m, 64 firearms, and 500 kilograms of drugs, including fentanyl, oxycodone, hydrocodone, methamphetamine, heroin, cocaine, ecstasy, MDMA, and medicine containing addictive substances.

“Following the Wall Street Market takedown in May 2019, US and international law enforcement agencies obtained intelligence to identify Darknet drug traffickers,” stated the U.S. Department of Justice last month. “Darknet vendor accounts were identified and attributed to real individuals selling illicit goods on Darknet market sites such as AlphaBay, Dream, WallStreet, Nightmare, Empire, White House, DeepSea, Dark Market and others.”

In other recent vendor-related cases around the world, two Costa Rican residents were charged for selling drugs worth $270 million on the darknet, and 7 are being charged in connection with Germany’s largest narcotics DNM ‘Chemical Revolution’.

Not only are drug pushers found and arrested, administrators of DNMs are also commonly ensnared by the long arm of the law. The moderator of AlphaBay has just received 11 years in prison, whilst a programmer who looked after the backend of the Silk Road may get up to 5 years.

Whilst there is speculation that further evolution of the darknet will involve the ‘sneakernet’ (where cryptocurrency is transported more by USB stick as payment) and ‘dead-drops’ (through encrypted messaging and where patrons and vendors do not list their addresses), what is certain is that Coinfirm will continue to trace cryptocurrency transacted in the space.


Coinfirm’s Reclaim Crypto service does not service retail users affected by DNM exit scams owing to the inherent illicit nature of these marketplaces.


About Coinfirm

Coinfirm is a global leader in AML and regulatory technology for blockchain and cryptocurrencies. It offers the industry’s largest blockchain coverage, supporting over 1,500 cryptocurrencies and protocols including Bitcoin, Ethereum, Hyperledger, and many more. Coinfirm’s solutions are used by market leaders globally, ranging from crypto exchanges such as Binance, and protocols like XRP, to major financial institutions like PKO BP. The company’s services also include Reclaim Crypto, as well as Trudatum, a standalone regtech platform that allows any file to be registered, signed, and verified with 100% accuracy. For more information, please visit: https://www.coinfirm.com/