Identifying key players in dark web marketplaces through Bitcoin transaction networks Scientific Reports

Layer a VPN (e.g., NordVPN) to mask your IP before entering darknet markets. A timeline of darknet marketplace evolution, from Silk Road to 2025’s top players. But according to Ingo Fiedler, co-founder of Blockchain Research Lab, this trend is primarily the result of increasing law enforcement focus on the darknet market industry.

Stolen data ecosystem

The horizontal bars represent each market lifetime, i.e., the time when the market becomes active until its closure, and is colored according to the market’s monthly trading volume in USD. In the vertical axis, markets are in the chronological order of their launch date, although for some markets the activity effectively starts after the launch date (e.g., AlphaBay). Buyers simultaneously active darknet markets links on multiple markets also play the role of connectors in the ecosystem. Therefore, we analyse the temporal network where nodes are the active markets and an edge between the nodes represents the number of multibuyers between them, what we henceforth call the multibuyer network. The structural change seen in the multiseller network is not observed in the multibuyer network, as show in Fig.

Cloned Credit Cards and Cardholder Data

In light of this, we have chosen the parameters conservatively, obtaining estimates for the number of sellers that are in general smaller than the ones produced by other methods. Second, our approach does not explicitly classify buyers, which are entities that were not classified as sellers. There is a gray zone in which some sellers and buyers may not be easily distinguishable in transaction networks. For instance, there may be sellers that make a small amount of transactions, or spend more than receive, which we would classify as buyers. Nevertheless, it is important to stress that the results are robust under considerable variation of the parameters, indicating that the coherent picture emerging from our analysis does not depend on the details of the method.

Ethical and Legal Boundaries in Monitoring Darknet Marketplaces

After a major external shock in 2017, the S2S network shrinks but, unlike the multiseller network, recovers, and grows again (though slower than the multibuyer network). This suggests that the multiseller activity is sensitive to external shocks but also that it yields higher profits. The structural change in the multiseller network and the resilience of the multibuyer network. Temporal network of multisellers (top) and multibuyers (bottom) between markets for each year.

Abacus Market

A thriving category of illicit goods and services sold on dark web markets is that of scans of personal documents. As with our previous reports, we gather data by scanning Dark Web marketplaces, forums, and websites. This information is then processed to generate an index of average prices for a broad range of specific products. In 2022 and Q dark web markets continued to bloom with a multitude of listings of various illegal goods and services. We do not engage with darknet markets; our mission is exclusively dedicated to providing information for research and educational purposes.

Cyber Threat Actors Ramp Up Attacks on Industrial Environments

While market dynamics may have shifted since, the cited data illustrates how cartels had previously exploited crypto ecosystems. The TRM Labs report also revealed that crypto use in vendor shop drug sales more than doubled in 2024, reaching over $600 million in volume. The findings by TRM Labs align with other investigations into the intersection of cryptocurrency and the drug trade. TRM Labs found that only four Russian-language marketplaces exited the ecosystem in 2024, out of approximately 20 operating during the year.

• This survey highlights active and recently shuttered markets with actionable metrics and intelligence for threat hunters, CISOs, and red team leaders.
• The browser uses onion routing technology to route the internet traffic through multiple relay nodes that provide layered encryption.
• Correspondingly, the multihoming activity is a mechanism that contributes to the ecosystem’s resilience.
• Our results also support recent recommendations of paying attention to individual sellers rather than entire DWMs40.
• These platforms have streamlined navigation, making it easier for users to access products, communicate with vendors, and complete transactions.
• From 2012 to 2016, the largest component of S2S network continuously grows in number of nodes and connections, as shown in Fig.
• Although it shows fluctuations, including those caused by external shocks, the ecosystem exhibits a positive growth trend in terms of trading volume.
• Therefore, it’s clear that as long as there’s demand and supply of illegal products, the darknet markets are going nowhere anytime soon, no matter the number of times law enforcement takes them down.

How Do Dark Web Marketplaces Typically Operate?

The evolution of the multibuyer network follows a similar pattern to the multiseller network until 2015, despite a stronger polarization around Hydra instead of AlphaBay during 2017. However, after the operation Bayonet, although the network shows a decrease in connectivity, it still remains highly connected and with a large number of active multibuyers. Moreover, the network had already fully recovered by 2019 showing a strong resilience against external shocks. Yet, like the Hydra of Greek legend, whose heads multiply when they are severed, a new generation of darknet markets popped up to challenge for control of a market worth at least $1.37 billion, according to unofficial estimates.

Predicted Cybersecurity Trends of 2024

To expand their reach, some marketplaces established parallel channels on Telegram. This further complicates monitoring efforts because now you need to search for the related Telegram channels and track activity there and on the marketplace itself. Clearnet “directory” pages and market overviews frequently characterize Ares as using a walletless / direct‑pay approach with escrow, plus support for BTC and XMR (sometimes listing additional coins). Treat these as self‑reported marketing details rather than independently verified features; such pages are useful for understanding how the site portrays itself but can lag reality.

Alphabay Market

• The dark net’s layered encryption and routing protocols offer stronger anonymity, making onion sites appealing to whistleblowers, political dissidents, privacy advocates — and, inevitably, cybercriminals.
• 2c which shows that since 2011 U2U transactions have consistently involved greater monthly volume than the volume sent to all DWMs.
• These summaries echo the familiar “escrow + vendor reputation” model—reviews and sales history as primary trust signals.
• With stricter Know Your Customer (KYC) and Anti-Money Laundering (AML) measures, illicit actors are facing greater challenges when attempting to cash out.
• Since the beginning of DWMs’ activity, there has been a shift in the law enforcement approach from focusing on market admins towards sellers and buyers9,13.
• These sites use “.onion” domains, which are made up of random letters and numbers up to 56 characters long.
• Criminals can use this data to impersonate people on the internet and even open online accounts in their names.

Using his credentials, cybercriminals committed a variety of online fraud activity over the course of six months. In 2019, the FBI started its investigation into Genesis Market and enlisted other government agencies and law enforcement organizations across the world, working towards the market’s closure on April 4, 2023. As part of the investigation, the Dutch National Police took the lead on cybercrime prevention, and Van Well shared his insight on the sophistication of the fraud shop’s operation. Another darknet market known for facilitating fentanyl sales to the United States was Canada-based AlphaBay. A once-sizable illicit enterprise that began in 2014, AlphaBay was closed by authorities in 2017 and then reopened in 2021.

Key Goods and Services Offered

In Grand Theft Auto Online, players who purchase warehouses and garages for illicit cargo and stolen cars can buy/steal and sell them through trade on the “SecuroServ” syndicate website. We reviewed dark web marketplaces by analyzing publicly available cybersecurity reports, threat-intelligence research, and historical records. This approach allows evaluation without direct interaction or participation. Darknet marketplaces in 2025 illustrate a resilient and evolving underground economy. Major active platforms include Abacus, Russian Market, BriansClub, and Exodus.

Ready to Explore Web Data at Scale?

This article reveals the top 10 dark web markets dominating in 2025, their unique characteristics, and the critical implications for enterprise cybersecurity. Tor2door Market is among the largest dark net shops you must visit in 2025 if you’ve decided to visit such sites. On average, the marketplace consists of more than 11,000 items and 1000 vendors. The website allows visitors to view all the goods and services on display before they buy something. However, the platform lacks an advanced search option and a wallet-free payment option.

• Perhaps, hiring a hacker can feel impossible, but it’s a genuine threat that you need to be aware of.
• Many people also prefer to buy goods and services online, which allows for more opportunities to steal people’s personal data and financial information.
• TorZon Market is a large, general‑purpose dark‑web marketplace that’s frequently cited in 2024–2025 roundups.
• Businesses should be aware of the potential for data leaks and invest in data loss prevention measures.
• Moreover, we observe a trend of increase in their median income relative to the value before operation Bayonet—an increase of almost six times by the end of the period of observation (see Supplementary Information S4).
• In a DDoS attack, the server is bombarded with artificial traffic, which makes it difficult for the server to process web requests, and it ultimately goes down.

Dark Web Market Revenues Sink 50% in 2022

The number of multisellers steeply decreases after operation Bayonet but they still sustain high incomes. With Abacus’s departure, remaining platforms such as DrugHub, TorZon Market, and MGM Grand face increased pressure to absorb displaced users while navigating the same risks that led to their predecessor’s downfall. This sharp decrease in user confidence preceded the marketplace’s complete disappearance from all internet-facing infrastructure, including its clearnet mirror. A curated collection of darknet resources for educational purposes, offering insights into darknet frameworks, tools, and security practices. Collaboration between law enforcement and cybersecurity experts, as well as innovations in defense strategies, will be crucial to counter the relentless tactics of cybercriminals. Following stricter bans on Telegram channels hosting cybercriminals, experts predict a resurgence of activity on dark web forums.

Cartels reportedly used USDT to fund operations, sometimes profiting from price gaps across different crypto markets. The ongoing move toward decentralized platforms suggests the crypto drug ecosystem will remain fluid, creating new enforcement challenges. Last month, blockchain analytics firm Chainalysis uncovered direct financial ties between Mexican drug cartels and Chinese suppliers of fentanyl precursors through crypto transactions. With a FlareScore of 64/100, the website presents a warning level of risk.

• Though Mega Darknet Market typically serves a Russian customer base, the drug revenue shown in the chart above likely came from customers based in Europe.
• Established in 2022, WizardShop is one of the biggest data stores on the dark web, focusing mainly on carding and financial data.
• The result is a time series of lists of sellers and buyers for each period and for each market and the U2U network.
• The users on this site could review and rate the products that promote reliable and fraudster vendors.
• The last several years’ examples include Silk Road, AlphaBay, Wall Street Market, and Hydra, most recently.

Interestingly, the S2S network shows an intermediate level of resilience, which suggests that the S2S network might play the role of a supply chain network on the dark web. Furthermore, after a shock, the activity of buyers is resumed almost immediately, while the activity of sellers recovers more slowly. These different regimes suggest that the ecosystem’s resilience is mainly supported by the high demand of buyers rather than the response of the sellers.

However, little is known about how DWM users trade and transact outside the DWMs. On the one hand, some recent works have shown that a significant number of DWM users trade drugs and other illicit goods using social media platforms, such as Facebook, Telegram, and Reddit16,17,18,19,20. Moreover, several qualitative, interview-based studies have shown that DWM users form direct trading relationships with other users, starting user-to-user (U2U) pairs that bypass the intermediary role of DWMs21,22.

Tor Metrics

• Transaction trends and cryptocurrency movement patterns are analyzed at a high level.
• They used “free data dumps” and emotional marketing to build trust before vanishing—an enduring lesson in the risks of social engineering.
• The market has built trust among users as it brings vendor reviews from different places and then verifies them with PGP signatures – that way, the buyers feel confident.
• Bohemia popped up post-Hydra takedown and brings a fresh vibe—drugs (weed, pills, some coke) and digital goodies like hacked logins, no exact listing count, but it’s growing fast.
• Because they are already active in more than one market, the migration cost for the multihomers is usually smaller compared to that for non-multihomer users, especially for sellers, that need to rebuilt their reputation23.
• Examples include the sale of high-quality products with low risk for contamination (including lacing and cutting), vendor-tested products, sharing of trip reports, and online discussion of harm reduction practices.
• On the one hand, some recent works have shown that a significant number of DWM users trade drugs and other illicit goods using social media platforms, such as Facebook, Telegram, and Reddit16,17,18,19,20.

In order to investigate the role of direct transactions between market participants, we now analyse the evolution of the S2S network, i.e., the network of the U2U transactions involving only sellers. The nodes of the S2S network are active sellers (i.e., sellers that are trading at the time) and two sellers are connected by an edge if at least one transaction was made between them during the considered snapshot period. Although the S2S network is composed only of U2U transactions, all categories of sellers (i.e, market-only, U2U-only, and market-U2U) are present in the S2S network.

In This News

Tools like Tor are used to bypass government-imposed firewalls and surveillance, ensuring open communication. The significance here is the preservation of civil liberties and the right to information. Businesses operating in such regions may need to adapt to the technical challenges and risks posed by using darknets for legitimate purposes.

At its launch, the platform accepted payments through Litecoin, but now it has incorporated support for other payment methods like Monero and Bitcoin. The platform also cares about its users and uses PGP encryption and two-factor authentication to secure their data and communication. Accessing any darknet marketplace is dangerous because it is known to be a hub for illegal trade. In addition, several fake websites impersonate the famous dark net marketplace to obtain your financial and personal information and use it for malicious purposes.

Dark web websites won’t show up on Google, but they are indexed by dark web search engines such as Torch. Authorities struggle to track transactions in decentralized systems due to scarce data trails. The speed and anonymity of digital exchanges hinder identification, complicating efforts to dismantle illicit networks. According to the TRM Labs 2025 Crypto Crime Report, Russian-language darknet marketplaces brought in more than $1.7 billion in 2024, continuing a year-over-year increase first noted in 2023. Its focus on financial fraud and high-value transactions has attracted a dedicated user base, contributing to its growing reputation and market value. Valued at approximately $15 million, Abacus Market is one of the most lucrative platforms in the dark web ecosystem.

The legality depends on your activities and your country’s specific laws regarding darknet use. To access darknets, users typically need to download and configure the Tor Browser; a modified version of Mozilla Firefox that routes all traffic through the Tor network. This browser enables access to websites with .onion domain extensions, which are specific to the Tor network.