The third quarter of 2021 saw the disappearance of Televend, which was a significant blow to darknet vendors who had begun using the service to sell their products via instant messaging platforms as opposed to conventional darknet markets. This quarter also provided a better understanding of how certain major darknet forums were enforcing their ransomware ban and the way in which this was shaping the cybercrime ecosystem.
Televend Shuts Down
Televend, a service popular among darknet vendors, has been shut down. Unlike conventional darknet markets, Televend utilised the instant-messaging platform Telegram. The Televend operators created bots for individual vendors, enabling the sales process to become entirely automated, with customers selecting products and making payments all via the vendor bot. In exchange, the Televend operators received a percentage of each sale made via their bots. The service proved hugely popular as it allowed vendors to rapidly scale their sales operations and provided customers with a convenient and reliable alternative to darknet markets.
However, in mid-September, many Televend vendors began to report that they had not been receiving payments from sales they had made. It subsequently emerged that the wallet addresses for all Televend bots had been changed, so payments were being re-routed elsewhere. It is still unclear whether this was an exit scam by the Televend operators or part of a wider law enforcement operation that has not yet been publicly disclosed.
The long-term effects of this compromise remain to be seen. Many darknet vendors are still active on Telegram and have stated their intention to continue selling via the platform, doing so directly rather than via the Televend bots. However, these bots automated the sales process, whereas selling directly to customers will be more time-consuming for lone vendors. This is unlikely to significantly impact smaller vendors, but it may constrain the number of sales made by large vendors. It is also worth noting that darknet markets are frequently compromised, yet they have remained a staple of criminal activity for many years. Given Televend’s popularity and the broader shift away from darknet markets towards alternative platforms, it is conceivable that a similar service will launch in the future.
The ransomware ban continues
One of the most significant developments on the darknet from the previous quarter was the decision by several major darknet forums to ban ransomware groups from advertising on their platforms. At the time, many of the forum administrators portrayed the ban as action taken to prevent ransomware groups from dominating discussions. However, the bans were enacted soon after the DarkSide Colonial Pipeline ransomware incident, so it is likely these forums also feared they would be targeted by law enforcement if they were seen to be aiding ransomware groups' efforts.
In the immediate aftermath of the ban, it was unclear to what extent it would be enforced. However, it is now clear that this ban has resulted in some major changes in how ransomware groups operate on darknet forums. First and foremost, they are banned from explicitly advertising their services. However, this has not stopped them from advertising their products via less direct means, such as offering to purchase access in bulk (covered in our previous Darknet Quarterly Review).
Moreover, ransomware groups are still actively recruiting new members for their operations on these forums. In one instance, a public representative of a well-known ransomware group was observed advertising open positions in their group and offering prospective candidates a fixed salary. Therefore, while this ban has served to curb some of the more public ransomware activity on these forums, many groups remain active and still play a major role.
Q4 and 2022
The darknet market landscape will likely experience major changes in the coming months due to the recent shutdown of White House Market. White House has been the largest English-language darknet market for over a year and its retirement will create an opening for other markets to grow. This shutdown was initially expected to be a gradual process, with the main admin of White House originally announcing a phased retirement, before suddenly shutting down entirely without notice. This sudden shutdown will inevitably accelerate White House Market users' shift to rival markets.
For darknet forums, the ban on ransomware groups is unlikely to be lifted in the immediate future. However, as the recent announcement concerning REvil shutting down illustrates, forums still play a role in providing ransomware groups with places to publicly communicate. It is likely that the mass purchasing of access and occasional recruitment drives will continue, both of which function as unofficial advertisements for the ransomware groups in question.