The Dark Web has existed in its current form for over 15 years. While it has evolved and changed, the concept of threat actors, each with their own expertise, congregating in communities to trade their products and services has remained unchanged. For many years it was the focus of professionals, law enforcement agents and security analysts, until its existence has become mass-knowledge to the point that it was featured in news articles, movies and TV shows. This newfound fame is now drawing a new generation of criminals and wannabe-criminals, who otherwise would not have joined these circles.
The cyberciminal community of the Dark Web has never been homogeneous. It hosts highly sophisticated criminal networks, who steal and defraud millions of dollars, as well nickel-and-dime fraudsters who are scraping by using unsophisticated methods. The circles for each of those groups, as well as the groups in between, are separate. There are closed secretive forums for the sophisticated threat actors, while other sources for beginners and intermediate criminals.
The majority of the members in the Dark Web are on the unsophisticated side, their circles are populated by non-technical people mainly from poor countries, as well as young people from low social economic status that are in the beginning of their criminal journey.
The unsophisticated nature of their communities promotes a focus on local activities, with many forums and chat rooms offered in specific languages. After all, it’s easier to abuse systems that are in your language and you are familiar of, than foreign systems in languages you may not master. As a result, the Dark Web always had some “local” communities, especially in particular regions, such as Germany and Brazil.
Now, as a new generation of criminals joins the Dark Web due to its reputation, mainly young people who are unsophisticated (everybody has to start somewhere), the Dark Web’s local communities are expanding. There are new communities popping up in languages which up until now have not been available on the Dark Web, as they were more “niche”.
Take Israel for example. Unsurprisingly, due to its population size there was never a major presence of Israeli threat actors on Dark Web sources. Just like any other country, it did produce cybercriminals over the years who participated in the underground economy, however there were never any resources in Hebrew. Israeli criminals operated mainly in English speaking forums and did not necessarily target Israelis victims. In recent years there were some resources that were technically facilitating crime, but they were focused on enabling drug trade over the internet, rather than a channel for cybercriminals. That is, until now.
Recently, a new Telegram group with the unimaginative name of “Darknet Israel” has popped up, where sellers of tools, data and even counterfeit cash promote their offerings, much like the IRC chat rooms of yore.
“Darknet Israel” appears to be plagued with the same issues that the IRC chat rooms of the early days of the Dark Web had. Without any processes in place to protect buyers, such as escrow, it seems to be populated by quite a few rippers – fraudsters who rip off other fraudsters. This can be easily observed from the type of products that are being offered for sale. For example, one fraudster offers “Dumps + PINs” for sale – credit cards with their PIN code, that can be used in ATMs. These items are often sold by rippers, as they are “as good as cash”, which begs the question why anyone would sell them for any reason instead of using it themselves.
Despite being populated by rippers, there were quite a few “legitimate” criminals in IRC chat rooms as well and that may also be the case for this group. This similarity also suggests that much like IRC chat rooms, it is mostly populated by beginner criminals.
The terms “Dark Web” and “Darknet” were never given to these communities by the criminals, but by the media. The names of forums and markets within these circles have always been creative and varied – DarkMarket, CardersMarket, RaidForums, CC Power, Carders Villa, Alpha Market, and more. The fact that the group is called “Darknet Israel” suggests that it was created by people who have first heard of its existence after the term “DarkNet” has been coined, meaning that it is part of this new generation of fraudsters – those who have started their criminal journey after reading about the Dark Web.
“DarkNet Israel” is one example out of several, showing that the Dark Web is being affected by the focus it receives by the media, drawing aspiring criminals and those who come from a social economic status that doesn’t provide them a lot of alternatives. This exposure has put criminals under more scrutiny than ever, with an ever growing number of “dark web monitoring” services – but also injects new blood into it and creating new niche communities.
The end result is that even regions that have so far enjoyed a low volume of attacks due to geographical barriers such as language will eventually be more targeted by threat actors from the same region.