The State of the Deep Web 2016

The deep web in 2016 is more controlled by paranoia and trust than it has ever been before. At first glance, these two forces may seem to be in opposition. In fact, they are inextricably linked and the deep web could not operate without them.

First of all, let me give my definition of the deep web, because there is some disagreement about what its parameters are. In my opinion, any site that is accessible through normal browsers, including those that require passwords to enter, is really in the normal web. Those sites that can only be accessed by special, secure browsers, like Tor, I refer to as deep web sites. Within this deep web region, there are dark web sites. These are sites that are dedicated to illegal activities which victimize people. These include child pornography sites, human trafficking sites, hackers-for-hire sites, and any site that will accept money for harming individuals. I do not include in the dark web those victimless, though technically illegal, sites such as drug-selling or weapon-selling sites. Anyway, that’s the definition that I will be working within here.

Some things haven’t changed much since my past investigations. The Tor browser is still the most common way to access deep web or .onion sites, even though more deep web denizens question its safety than in the past. Tor has come under repeated attack by the US and other governments and has ramped up its efforts to remain credible (see my article, The Battle for Tor, for details).

The unprecedented level of paranoia in deep web markets has led those managing these sites to take security to an extreme level, something regular online companies could learn from. For example, one of the currently most popular deep web markets, Alphabay, brags about the following security features:

– Multisig transactions (2/3)

– 2FA

– Withdrawal PIN

– Vendor bond

– Forced vendor PGP

Don’t feel bad if you are confused by these terms. Even those trying to sell in the deep web aren’t really sure what they mean. As one forum participant noted, “I’ve bought from vendors with MultiSig and I never got no key. In fact I still have no clue what they are talking about. You now have 2 of the 3 keys so you should know the rest? Am I looking for a treasure with pieces of a map?”

Anyway, here are my explanations for the terms above.

Multisig Transactions – (multisignature transactions) First of all, you have to remember that all transactions in the deep web are done via Bitcoins. Recently, there have been some hacks which have compromised Bitcoin addresses or identifying information. This means that whoever has the Bitcoin address has control of the Bitcoins. Though it may be possible to compromise one Bitcoin address, it is far more difficult to compromise two or more addresses connected to the same Bitcoin transaction.

At Alphabay, a buyer first agrees to purchase a product by sending 4% of the total transaction amount to a market-controlled account. The buyer and seller can then see each other’s public address/information stored on the Alphabay site. If they are happy with this, the transaction continues. The buyer will get a private address generated by the market to which they, the buyer, will send the rest of the money for the purchase. The seller will then ship the product. If the buyer is happy with the product, the market will then send the money on to the seller. If the buyer is not happy, they ship the product back and the market refunds the money. The market keeps the address (and money) until all disputes are settled. Anyway, this may be somewhat simplified, but it is not unlike what Amazon does, only on a more secure level. Yes, it does leave the buyer and seller vulnerable to market fraud (and this has occurred from time to time as markets made off with buyer Bitcoins) but it does put another layer of protection on individual Bitcoin accounts.
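To make the "2/3" concrete, here is an added example (not from the original article and not Alphabay's code) that models a generic 2-of-3 escrow rule in Python and contrasts it with single-key custody. The party names, the `resolve` function and the scenarios are constructed for illustration, and a signature is modelled as a signer-to-destination entry rather than real Bitcoin cryptography.

```python
from collections import defaultdict

KEY_HOLDERS = ("buyer", "seller", "market")  # the "3" in 2/3
THRESHOLD = 2                                # the "2" in 2/3


def resolve(signed, key_holders=KEY_HOLDERS, threshold=THRESHOLD):
    """Return the payout destination that reached the signing threshold.

    `signed` maps each signer to the destination of the one transaction
    they signed (a stand-in for a real signature; assumption of this model).
    Returns None when no destination has enough recognised signers,
    meaning the escrowed coins do not move.
    """
    backers = defaultdict(set)
    for signer, destination in signed.items():
        if signer in key_holders:  # signatures from unknown keys are ignored
            backers[destination].add(signer)
    for destination, who in backers.items():
        if len(who) >= threshold:
            return destination
    return None


# Constructed scenarios: who signed a payment to whom.
SCENARIOS = {
    "order completed": {"buyer": "seller", "seller": "seller"},
    "dispute, market sides with buyer":
        {"buyer": "buyer", "seller": "seller", "market": "buyer"},
    "market tries to take the coins alone": {"market": "market"},
    "market gone during a dispute": {"buyer": "buyer", "seller": "seller"},
    "market plus an unknown key": {"market": "market", "outsider": "market"},
}

if __name__ == "__main__":
    for name, signed in SCENARIOS.items():
        print(f"{name}: coins go to {resolve(signed)}")
    # Single-key custody for comparison: the market holds the only key.
    custodial = resolve({"market": "market"}, key_holders=("market",), threshold=1)
    print(f"single-key custody, market acts alone: coins go to {custodial}")
```

The fourth scenario is the caveat of the scheme: if the third key holder disappears while buyer and seller disagree, neither of them can move the coins alone.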

2FA – Probably everyone knows this means two-factor authentication. It takes a little work to get registered on the Alphabay market because of it. At the time I visited, I got a message that they were currently under a DDoS attack and I had to enter a Captcha to get to the registration page. Registration requires a password, a PIN, and entering a Captcha to continue. You then get a ‘mnemonic’ of nine random words. This will enable you to get your password back if you forget it. You will only get this mnemonic once. Lose it and you lose your account (and all the money in it).

Vendor Bond – I’m not all that clear on this but I’m guessing it’s a certain amount of money a potential seller must pay to legitimize themselves. On Alphabay it’s $100.

Forced vendor PGP – Vendors must use encryption.

However, despite all of these security features, some Alphabay customers don’t think the site’s security goes far enough. You can think of this as paranoia or good practice, but they advise customers to,

“Use the links on this website to access the site every single time

Always use a vpn

Change your password every week or two at minimum even if you feel that there is no need

Only deal with vendors that have excellent reviews and respond to you if you have any questions/also make sure they are currently active

Keep screenshots or records of all dealings until your package arrives in case of a dispute

Don’t FE (Federal Express) unless you are comfortable with the possibility of losing your money. Personally all of my dealings were FE and I understand the risks and if I was ripped off it’s just as much my fault as the vendor’s

If offered spend the $ for tracked shipping

Try to only use vendors in your country to lessen the risk of seizure

Never click on links or downloads to avoid the risk of being phished

Never tell anybody what you are doing, what you are buying or when you expect it to arrive. Pretty much keep all your online business to yourself.”

I guess that about covers it.

The first thing I noticed on reaching the Alphabay market was the auto shop feature for credit cards and online accounts. You can search for the kind of credit cards or breached accounts you want to buy (see below). (For those who don’t know, BIN means bank identification number. Sellers will talk of BINlists, which are lists of supposedly valid credit cards.)

[Image: Alphabay]


Besides the auto search feature, Alphabay has all the traditional items for sale that deep web customers are used to seeing. There are, of course, the ever-popular drug sellers. You can buy credit cards, credit card information, lists of personal information, malware, hackers, guns, fake passports and driver licenses, counterfeit money, and bank account information. Alphabay has not so far suffered any security breaches, despite its complaint of being under a continuous DDoS attack.

The element of trust develops with a seller’s reputation. Buyers rate the sellers on their performance and the quality of their product. Without trust, sellers get no customers. Most fights are over unfair reviews. Keep in mind that the all-pervading paranoia here will make buyers see the slightest hint of a negative as a warning flag. Those who do not get perfect treatment or who run into problems are quick to complain about Alphabay. Many seem happy with the drug sales but complain about getting dead credit cards. As one disgruntled customer puts it,

“This site is Bad News! I’ve been around from the beginning. I’ve tried to defend it but realistically this place is a snake pit. Everyone here is either a leech or trying to snake. If you really believe you’re not being snaked then you’re probably one of the many newbie leeches on there.”

Unlike Amazon, Alphabay doesn’t have the financial ability to reimburse upset customers. Let the buyer beware is really what it comes down to.

However, there is one overriding fear that permeates all deep market sites and infects all customers. This is the fear that the market, or one of its vendors, will stage an ‘exit scam’. This is where the market (or a vendor) disappears overnight and takes all of their customers’ Bitcoins with them. It has happened many times before. Motherboard calls the exit scam the deep web’s “perfect crime”. The problem is that it can only be performed by trusted vendors and markets. You see, these trusted entities often continue to do business for a long time after they have disappeared. People send them money because they are trusted. It takes time for them to realize that they have been scammed. This is what happened last year when Evolution Marketplace disappeared with $12 million of customer Bitcoins. Everyone in deep web markets is anonymous. The worst and most unforgivable behavior is giving up someone’s true identity. So, unless someone else knows who the administrators of the market are, they will probably never have to pay for the theft. Besides, what do the victims do? Complain to the FBI? Unlikely.

So it is that, recently, when customers found they were having trouble logging into Alphabay, a mass panic ensued. “THIS IS THE ALARM PEOPLE. THEY ARE GOING TO RUN BELIEVE ME !!” one customer wrote. Well, as of this writing, they are still there, but the paranoia remains.

Some Final Thoughts

Think of the deep web markets as communities. They are like communities that formed in the western US before the pioneers moved in. These were the times of fur traders, explorers, and ne’er-do-wells who built their lives around remote trading posts. There was no organized law and justice was meted out on an individual basis. The same thinking exists in the deep web. When the administrators of the Evolution market made off with everyone’s Bitcoins, there was talk on the forums of hiring hitmen, which, supposedly, you could do on the deep web easily enough. Despite such, often vacant, threats, conmen and scammers continue prowling around deep web markets. They find the lack of law enforcement in the deep web highly attractive, and, for this reason, many buyers have been conned by a variety of scams. Without organized law enforcement, there is no fear of retribution. However, I believe that some sort of law enforcement will be the next big development as the deep web communities begin to become more ‘civilized’. How this will manifest itself is difficult to say since everyone is anonymous to everyone else. It may be that administrators would have to find some way to match true identities to users. It could even be that these markets are subsumed by bigger, more organized communities with tighter security and dedicated law enforcement of their own.

With the fear that privacy and freedom are diminishing in the ‘real’ world, the freedom that the deep web offers is attractive to many. As yet, there are no truly organized cyber communities in the deep web. A true community would have markets, media, policing, banking, cyber security, political infrastructure, and more all in one place. There would also be a need to meet ‘citizenship requirements’ (proving you are not a government agent). There would be certain laws to maintain order and prevent fraud. The seedlings of such communities exist in certain forums like IntelExchange, but there is just too much paranoia there to feel completely free. Interestingly, one site on the deep web is totally dedicated to the works of American revolutionary Thomas Paine. Perhaps he best sums up the attitude of those looking for freedom in the deep web when, in 1776, he wrote, “Freedom hath been hunted round the globe. Asia, and Africa, have long expelled her. Europe regards her like a stranger, and England hath given her warning to depart. O! receive the fugitive, and prepare in time an asylum for mankind.”

This could easily become the nucleating principle for those seeking, in a cyber way, the same freedoms that Paine was looking for in analog America.

 

 

About Steve Mierzejewski

Marketing consultant for InZero Systems, developer of the next generation in hardware-separated security, WorkPlay Technology. I've worked in Poland, Japan, Korea, China, and Afghanistan. I'm a writer, technical editor, and an educator. I also do some work as a test developer for Michigan State University.