Decentralization and evolution of darknet markets

If you are a bit tech savy you can get any illegal substance you want. Doesn't matter where you are. Sinagapore? London? NYC? Tokio? You can get cocaine, cannabis, psychedelics, pharmaceuticals or anything really. Someone will ship it to you. Just pay enough crypto. It might get stopped at customs, but likely won't. It will come through. Vendor will make sure the package looks boring. They have been doing it for years. Maybe it's the same country shipment. Then nothing can stop it. There are no customs or checks for in-country parcels, no scanners or X-rays.

Can you stop this from happening? Can you win the war on drugs? Current methods are clearly not working.

Many servers in many places

So, how do you build an unstoppable darknet market? You make it decentralized, you build it like Bitcoin. Or BitTorrent. Or OpenBazaar. So every copy has the list of all transactions, reviews and vendors. You can shut down one node, but there is hundred more all over the planet. Crossing hundreds of jurisdictions. There is no practical way to take them all down. Even if you have law enforcement agencies cooperating. They will hit a blocker sooner or later. It's hard to shut down servers in Russia if you're an European agency. Or in China if you're an American one.

Darknet is a Wild Wild West

Tor hidden services are unable to combat denial of service attacks. From their perspective all requests are coming from localhost. There is no way to ban by IP address! You can't deny access to anyone. That's a well known design flaw of Tor protocol.

Additionaly those services are sitting on top of millions of dollars in crypto. So thousands of black hat hackers are coming your way to claim their ransom. They keep flooding the server and there is nothing you can do. This is the reason hidden services are unbearably slow. They are constantly bombarded with gazillion of requests and have no real way to defend themselves. This is an arms race, server with higher bandwidth and computing power will win. The only defense is to have more powerful machine.

But... where are the users?

So, we have an unstoppable backend. Now the problem is different. How do you reach people? You need to have a simple way for people to connect to your service and transact. Tor based darknet markets always struggled with this. There is too much complexity for the average user to handle. Download Tor browser, figure out how to search, learn what all those weird looking onion URLs are. Throw PGP encryption on top of that and lot of people are going to flake.

So, what illicit markets of tomorrow will do? They will transition to mobile and work to become more accessible. How? By hosting user interfaces on the clear web, for example using IPFS. This way they can be reached by regular web browsers. An order of magnitude more people will use those compared to Tor alternatives. You just need to click a link. User interfaces running client side will then either fetch data:

  • Using Tor -> from their backend hidden service API's[[ref] You can run Tor in browser, someone is reimplementing whole protocol as a javascript library -> (node-Tor). This way most of the Tor complexity can be hidden from the user.[/ref]]

  • Over clear-web -> from blockchain/bitcoin inspired networks running on botnets. This way it's harder to ban them at internet service provider level. Other option is "bulletproof" hosting providers. But those can be more easily censored.

Where is my privacy?

But but, you are taking away Tor. What about security and anonymity? Won't those people compromise their identity? Yes they will and it won't matter. Security of the users won't matter, because they won't be prosecuted. It would be difficult for judicital and law enforcement systems to process that many people[[ref]Rodrigo Duterte is trying to do this in Philippines. Their prison system looks like a giant humanitarian crisis.[/ref]]. Space in prison is limited. There are more dangerous people to lock up.

Security is important, but mostly for vendors and system administrators. There are rules and behaviours, threat models, does and donts in those communities. It's commonly known as OPSEC or operational security. It evolved over the years taking into account all the mistakes of previous market administrators, black hat hackers and everyone else that slipped and got busted. Those people know their OPSEC. They are playing a cat and mouse game with law enforcement agencies. The stakes are their lifes. Getting busted means going away for a long time, usually years and decades.

Prison? No thank you

So, now you have an unstoppable backend and an easy way for the people to reach you. How do you run this thing? It's not enough to build it. You need to operate and maintain it. Come back everyday to deal with issues. And stress. You need to be very careful. Make one stupid mistake. Hit wrong site without a VPN. Misconfigure an email server[[ref]Alphabay was one of the largest markets of recent years. In the beginning it's operator configured his PHP email server to send welcome messages with his personal email address. It led to his demise. Conclusion? Don't use PHP.[/ref]]. Post a question to the web with a nickname related to your real identity. Someone might connect the dots. Next thing you now they are kicking in your doors. Plan your every click. Everything you say publicly. It might lead back to you. Watch what you say, watch what you do. Most markets don't stay around for this very reason. Their usual life time is around 1-2 years.

What will happen here is autonomization of the operations. To avoid personal responsibility darknet market creators will build them to operate as autonomously as possible. Admins won't be making frequent connections to maintain the server. This way traffic correlation will be harder. And it will be difficult for the prosecution to convict them. Next markets will operate like Bitcoin network, with a set of rules and incentives built into them. Risks in certain areas will be counteracted with higher fees at protocol level, caused for example by bad actors scamming users. Moderators will be random people brought by built-in incentives. Changes to the code will be pushed to one node that will then propagate it through the whole network.

Lifespan of something decentralized is much longer. Take a look at BitTorrent. It's hosting content deemed illegal by very powerful institutions. And they can't take it down. Some of the oldest torrents are still around after decades. That's the power of a protocol.

My mailman is my dealer

Big problem is fulfillment. Current methods use postal services and couriers. This on one hand is convenient, but on the other is quite problematic. To post a package is risky, there are cameras and people to deal with face to face. Often times this means vendor is compromising his anonymity.

Solution here is hide-in-the-plain-sight. Package is placed in a can and hidden in a public place e.g a trash bin. Or it can be combined with neodymium magnet and sticked under abandoned vehicle. Or anywhere no one will care to look. Staircase in an apartment building? This is already happening in Russia, coordinated via instant messengers (Signal, wickr, Telegram etc.) by Hydra market[[ref]Hydra market is one of the largest Russian language markets on the darknet. Read more here -> hydra [/ref]].

Other method is bury-underground. It is only useful for non-urbanized areas. Package is buried in a remote location (e.g. forrests, croplands). Then location data is sent to the buyer for the retrieval. This includes latitude, longitude and pictures showing the exact placement of the package.

Uber for drugs

Another one coming are drone deliveries. You open up a mobile app, set drop location, pay with crypto and go wait for the package to drop on your head. Literally Uber for drugs. It requires different drones that are not commercially available yet. But. Technology is here already. They can be put together using open source e.g raspberry pi + ardupilot. Add a GSM module. Now the drone has range limited only by battery and 4G/5G coverage. Another Telegrass will use drone deliveries and become true Uber for drugs.

A problem or a symptom?

Those things are inveitable. It's only a matter of time someone builds better darknet market and takes majority of share in the "industry". Incentives to do so are out there. There is too much money to be made for people running those black IT operations. Nation states policies are creating this kind of environment, so markets keep popping up again and again. One goes down, three new come back. A never ending game of Whac-A-Mole.

Today's solutions are to prosecute and penalize everyone involved. But funnily enough, some of the substances traded illegally have a lot of healing potential. Clinical trials for MDMA, psilocybin (magic mushrooms) and ketamine show great potential in healing treatment resistent depression, anxiety and various addictions. What's the solution here? Better laws? More education? Issue is complex.

Nonetheless, one thing we can be certain. As long as there are monetary incentives to run darknet markets they will keep emerging and evolving again and again. Hydra market has it's name for a reason.

Disclaimer: I'm a long time darknet researcher. This is my analysis and predictions for illicit substance trade on the Internet today. I do not encourage nor support any of those activities. This is an educational material only.