Criminals are often just like any other citizen, found criminologist and PhD candidate Rolf van Wegberg (TPM). They look for the most reliable service on online markets.
(Illustration: Pxhere)

There is a dedicated area on the internet for criminal activities. It is not the ‘clear web’ where you are reading this, but the ‘dark web’ where a Tor browser guarantees anonymity. Marketplaces there do not sell children’s bicycles or clothing, but drugs, weapons, stolen credit cards and assembly packages for DDoS attacks, phishing campaigns or ransomware. At least, this is what criminologist Rolf van Wegberg has seen over the last few years.

After completing his studies at Leiden University, Van Wegberg combined Computer Sciences at the Cyber Security group at TPM with criminology for his doctoral degree research. “The reasons for criminals to choose a particular service provider are the same as in the ordinary world,” Van Wegberg says. “Buyers check the ratings left by other customers. Customer service, a money return policy for dissatisfied customers, and offering brand names strengthen trust.” The result is that the top 10% most professional vendors on a market platform generate 90% of the turnover.

How does Van Wegberg know this? From studying six years’ worth of transactions on eight important underground platforms. Dark web marketplaces are regularly removed. The first marketplace was Silk Road, followed by AlphaBay, Hansa Market and plenty of others. It is estimated that, despite regular removals, there are still about 10 to 15 marketplaces in operation.

Their structure is still largely the same, explains Van Wegberg. Access is through a Tor browser and payment is done in bitcoins as soon as customers have received their ‘orders’. With the help of two American researchers, Van Wegberg was able to save the source code of some of the market pages. This is called ‘scraping’ and it revealed a database of thousands of vendors, tens of thousands of products and millions of feedback entries. Since then, after working with police services, he also has access to the files of other defunct illegal marketplaces.

Analysing these showed that not only do a small number of vendors generate the most turnover, but that these professional vendors are very versatile. Apart from malware packages, they also supply ‘bulletproof hosting’ for phishing websites or to share child pornography.

When planning a raid on online criminal activities, the logical thing would be to concentrate on the most professional vendors. Van Wegberg endorses this, saying that choosing them would make the best use of the tracing capacity. At the same time, detectives always depend on errors, often unprofessional ones, to reveal the identity of the suspects, and on the organisations being based in the Netherlands.