1

Plug and Prey?Measuring the Commoditization of Cybercrime via Online Anonymous Markets

Rolf van Wegberg1, Samaneh Tajalizadehkhoob1, Kyle Soska2, Ugur Akyazi1, Carlos Gañán1, Bram Klievink1, Nicolas Christin2, and Michel van Eeten1

1 Delft University of Technology, 2 Carnegie Mellon University

2

3

§ Which parts of cybercrime value chains are successfully commoditized and which are not?

§ What kind of revenue do these criminal business-to-business services generate and how fast are they growing?

Commoditization of cybercrime

4

5

§ Characteristics of commodities are highly congruent with characteristics of online anonymous marketplaces.

§ The one-shot, anonymous purchases require suppliers to offer highly commoditized offerings.

§ If cybercrime offerings can be commoditized, online anonymous markets should be a highly attractive place to sell.

Online anonymous markets

6

1. Develop a conceptual model of the value chain components in dominant cybercriminal business models.

2. Collect and parse longitudinal data on eight online anonymous marketplaces, between 2011 and 2017.

3. Classify cybercrime-related listings to these components to track trends in listings and transaction volumes.

4. Identify the best-selling clusters of listings and compare these offerings to the capabilities, resources and services needed.

Measuring commoditization

7

Cybercriminal business models

8

§ Leveraged the parsed and analyzed dataset of Soska and Christin (2015) on seven prominent online markets.

§ We then extended this data with 16 complete and parsed scrapes of AlphaBay between 2014 and 2017.

§ This resulted in a longitudinal dataset covering eight prominent markets between 2011 to 2017.

Data collection

9

§ Leveraged the parsed and analyzed dataset of Soska and Christin (2015) on seven prominent online markets.

§ We then extended this data with 16 complete and parsed scrapes of AlphaBay between 2014 and 2017.

Data set

Market #Listings #Vendors #Feedbacks

Agora 27,974 1,961 234,372

AlphaBay 101,999 6,262 2,223,992

Black Market Reloaded 9,075 980 62,876

Evolution 35,015 2,352 464,146

Hydra 2,343 133 43,701

Pandora 7,674 459 89,065

Silk Road 1 24,363 2,336 605,744

Silk Road 2 22,174 1,201 662,497

Total 230,617 15,684 4,386,393

10

11

§ Categories:- Benzos- Cannabis- Digital Goods- Dissassociatives- Drug Paraphernalia- Electronics- MDMA- Miscellaneous

Pre-filtering

- Opioids- Other- Prescription drugs- Psychedelics- Sildenafil- Stimulants- Tobacco- Weapons

§ Prediction from Soska & Christin (2015).

12

§ For labeling ground truth, we randomly selected 1,500 items from all Digital Goods or Miscellaneous listings (n=44,060).

§ We excluded JavaScripts, web-injects, and customer service. For these products we found no listings in our random sample.

§ We did find business-to-consumer (B2C) cybercrime listings, so we added additional categories to map these.

§ We implemented a Linear Support Vector Machine (SVM) classifier to predict ten B2B and seven B2C product classes.

Classification approach

13

Classifier performance

rat

app

botn

etca

shou

t

emai

l

expl

oit

host

ing

mal

war

e

othe

rot

her -

acc

ount

ot

her -

cus

tom

othe

r - fa

keot

her -

gui

deot

her -

pira

ted

othe

r - v

ouch

erph

one

web

site

websitephone

other - voucherother - pirated

other - guideother - fake

other - customother - account

othermalwarehostingexploitemail

cashoutbotnet

apprat

0 0 0 0.14 0.07 0.07 0 0 0.07 0 0 0.07 0 0 0 0 0.570 0 0 0 0 0 0 0 0 0 0 0 0 0.1 0 0.9 00 0 0 0.05 0 0 0 0 0.1 0.24 0 0 0 0 0.57 0.05 00 0 0 0.04 0.04 0 0 0 0.12 0.04 0 0 0.28 0.48 0 0 00 0.02 0 0.08 0.02 0 0 0 0.1 0.04 0 0 0.68 0.06 0 0 00 0 0 0.03 0 0 0 0 0.03 0 0.03 0.86 0.06 0 0 0 00 0 0 0.02 0 0 0 0 0.08 0 0.83 0.03 0.05 0 0 0 00 0 0 0.02 0 0 0 0 0 0.8 0 0.02 0.07 0.07 0.02 0 00 0.01 0 0.04 0.01 0 0 0 0.73 0 0.06 0.01 0.08 0 0.01 0 0.03

0.07 0 0 0.07 0 0 0 0.71 0 0 0 0 0.14 0 0 0 00 0 0 0 0 0 0.75 0 0 0 0 0.25 0 0 0 0 00 0 0 0.12 0 0.62 0 0 0 0 0 0 0.12 0.12 0 0 00 0 0 0.03 0.87 0 0 0 0 0.07 0 0 0.03 0 0 0 00 0 0 0.77 0.02 0 0 0.01 0.01 0.07 0 0.03 0.09 0 0 0 0.010 0 0.92 0 0 0 0 0 0 0 0 0 0 0 0 0 0.080 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

0.92 0 0 0 0 0 0 0 0 0 0 0 0.08 0 0 0 0

0.0

0.2

0.4

0.6

0.8

1.0

14

Classifying listings to cybercrime components

15

Active vendors on markets over time

0

1,000

2,000

3,000

4,000

5,000

2012 2013 2014 2015 2016 2017

Date

Nr.

of

act

ive

ve

nd

ors

Agora

AlphaBay

Black Market Reloaded

Evolution

Hydra

Pandora

Silk Road 1

Silk Road 2

16

Listings, feedbacks and revenue over time

0

2500

5000

7500

10000

2012 2013 2014 2015 2016 2017

Date

Tota

l mo

nth

ly c

ou

nt

# listings

# feedback

0

200

400

600

2012 2013 2014 2015 2016 2017

Date

Tota

l mo

nth

ly r

eve

nu

e (

1,0

00

s U

SD

)

17

Total revenue per category per month

0

200

400

2012 2013 2014 2015 2016 2017

Date

Ave

rag

e m

on

thly

reve

nu

e(1

,00

0s

US

D)

RAT

App

Botnet

Cash−out

E−mail

Exploits

Hosting

Malware

Phone

Website

18

Number of active vendors per month

0

2,000

4,000

6,000

2012 2013 2014 2015 2016 2017

Date

Nr.

of

act

ive

ve

nd

ors

RAT

App

Botnet

Cash−out

E−mail

Exploits

Hosting

Malware

Phone

Website

19

Cumulative percentage of listings across vendors

0.00

0.25

0.50

0.75

1.00

0 500 1000 1500 2000

Number of vendors

Cum

ula

tive d

istr

ibutio

n funct

ion

Listings

Revenue

20

Product portfolios of markets

0

25

50

75

100

Agora

AlphaBayBMR

Evolutio

nHydra

Pandora

Silk Road 1

Silk Road 2

% o

f to

tal n

r. o

f lis

tings

(logged)

RAT

App

Botnet

Cash−out

E−mail

Exploits

Hosting

Malware

Phone

Website

21

§ Identify the three best-selling clusters within each category

§ Only partial fulfillment of cybercriminal demand- Credit cards dominant in the cash-out category- Office exploit dominant in the exploit category- Ransomware dominant in the malware category

§ Outsourcing not trivial, given- Niche supply- Broad demand

Best-selling clusters

22

§ There is evidence of commoditization, but outsourcing options are restricted and transaction volume is often modest.

§ Similar to narcotic sales, a significant amount of revenue is in retail cybercrime, rather than business-to-business.

§ We conservatively estimate the overall revenue for cybercrime commodities on online anonymous markets to be at least US $15M between 2011-2017.

§ While there is growth, commoditization is a spottier phenomenon than previously assumed.

Takeaways

23

Plug and Prey?Measuring the Commoditization of Cybercrime via Online Anonymous Markets

Get in touchr.s.vanwegberg@tudelft.nl@RolfvanWegberg

Open dataAll data is publicly available in anonymizedand non-anonymized form through IMPACT (https://www.impactcybertrust.org/)

See also web interface at https://arima.cylab.cmu.edu/markets/