AlphaBay, Silk Road, Hansa: they made newspaper headlines for weeks. They were underground markets offering a range of illicit goods and services, and they were shut down in 2013 and 2017. All of them used Tor, currently the most widely used parallel Internet network of the kind known as a Darknet.
(Here, the bold cables represent the overlay network and the thinner ones the TCP/IP network. We can see that the computers are not connected in the same way within the two networks.)
Since the computers that are part of a Darknet are interconnected using custom protocols, they usually provide more privacy than the Internet. They often offer anonymous services such as mail and instant messaging, as well as data that is only accessible through the Darknet-specific protocol.
Their ultimate goal is to provide complete anonymization between the data provider (like a web server) and the client accessing that data (like a browser), using custom routing rules and a specific encryption system.
Although such networks are still heavily used for these purposes, criminals have made their way into them, attracted by the anonymity they provide. Sharing illegal content and selling illicit or illegal goods or services are greatly facilitated, since these sites cannot be accessed without knowing their exact address and search engines are unable to see them (Deep Web).
Servers hosting or offering such illegal content are hard to take down, and the people running them are even harder to arrest. For the record, the owner of the Silk Road market was tracked down thanks to the use of honeypots and hacking by the Drug Enforcement Administration (DEA).
Several Darknets are currently operating, the best known being Freenet, I2P and Tor. Since Tor is the most popular (both for free speech and for criminal activities), we will focus on it.
Network administrators can configure the service they manage to also be directly accessible within the Tor network through a “.onion” address, removing the need to pass through an exit node.
One such example is the DuckDuckGo search engine, which can be accessed at https://duckduckgo.com or at 3g2upl4pq6kufc4m.onion.
However, some services are only reachable through a “.onion” address and have no standard counterpart. These are called “hidden services” and usually feature illegal content, like underground markets.
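The DuckDuckGo address above is a 16-character onion address of the older "v2" form; the "v3" form is 56 characters long and embeds a checksum and a version byte. The following is an added example, not code from the original article, that classifies hostnames (for instance from proxy or DNS logs) by onion version and verifies the v3 checksum. The function names and the sample key are assumptions constructed for illustration.

```python
import base64
import hashlib

V3_VERSION = b"\x03"


def _v3_checksum(pubkey: bytes) -> bytes:
    # First 2 bytes of SHA3-256(".onion checksum" || pubkey || version).
    return hashlib.sha3_256(b".onion checksum" + pubkey + V3_VERSION).digest()[:2]


def encode_v3(pubkey: bytes) -> str:
    """Build a v3 address from a 32-byte Ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("v3 public key must be 32 bytes")
    raw = pubkey + _v3_checksum(pubkey) + V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def classify_onion(host: str) -> str:
    """Return 'v2', 'v3' or 'invalid' for a hostname."""
    host = host.strip().lower().rstrip(".")
    if not host.endswith(".onion"):
        return "invalid"
    label = host[: -len(".onion")].split(".")[-1]  # drop any subdomain labels
    if len(label) not in (16, 56):
        return "invalid"
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # characters outside the base32 alphabet a-z, 2-7
        return "invalid"
    if len(raw) == 10:
        return "v2"  # 80-bit truncated hash of the service key, no checksum
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != V3_VERSION or checksum != _v3_checksum(pubkey):
        return "invalid"  # typo, truncation or tampering
    return "v3"  # note: does not check that pubkey is a valid curve point


if __name__ == "__main__":
    sample_key = bytes(range(32))  # constructed key, not a real service
    for h in ("3g2upl4pq6kufc4m.onion", encode_v3(sample_key), "duckduckgo.com"):
        print(h, "->", classify_onion(h))
```

Because a v2 address carries no checksum, a mistyped v2 address still decodes cleanly, whereas a single wrong character in the checksum of a v3 address is rejected.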
Even though numerous illicit markets were closed in 2017, it is still possible to find some easily. The most commonly offered goods are drugs or medications that require a prescription (usually opiates), followed by credit card numbers and password lists, counterfeits and porn accounts.
Some markets feature more sensitive content like child pornography videos, weapons and even hitman services, but they are harder to find. Transactions between the seller and the buyer are anonymous, and payment is made using cryptocurrencies.
Attackers can also set up exit nodes to gather the email addresses and passwords used by Tor users when they connect to online accounts. Such attacks can easily be prevented using end-to-end encryption (HTTPS instead of HTTP).
More rarely, network traffic may be modified to include malware in downloaded software. However, this won’t work with signed executables.