Cyber criminals are branching out from the dark web and into consumer encrypted messaging apps to conduct their nefarious deeds, whilst personal use of encryption is also growing dramatically. With the takedown of dark web markets, including Hansa Market and AlphaBay, cyber criminals are turning to mobile messaging apps to evade authorities and continue their trade.
Cyber criminals are using hosted group chats on encrypted apps, known as ‘channels’, to broadcast messages to unlimited numbers of subscribers. While the chat messaging history can be viewed publicly, responses to public messages can be sent privately, giving cyber criminals more opportunities to disguise their activities. This enables threat actors to have private end-to-end encrypted conversations while their identities remain hidden, as opposed to dark web conversations that left all the communications exposed.
In these channels, researchers spotted illicit job offers that were colour coded: jobs that are dangerous and likely to entail legal risks were marked in one colour, while less threatening ones were marked in a different colour. Researchers also spotted stolen documents and hacking tools. Governments are already looking into new ways to combat the free rein of these encrypted apps, in an argument that may spill over into the encryption of messaging apps as well.
What the criminals do with the consumer encrypted apps
Dark web drug dealers are turning to popular apps to peddle their products, often using street graffiti to advertise their accounts to customers and automated bots to communicate with them. The shift follows a crackdown on illicit online markets, together with the introduction of encryption into apps that allows users to remain anonymous.
Cyber experts have broken down this developing pattern amongst the criminals. Talking secretly to The Independent, a dark web researcher who has infiltrated channels on the messaging app Telegram explained how automated bots are used to communicate with customers – both for convenience and to defer liability.
The researcher shared images of the channel names spray-painted on walls near transport hubs and other public places in order to advertise the channels to potential customers. Another major change in the way these drug dealers operate is in the use of “dead drops” to distribute the product.
Criminals are slowly turning away from traditional money crimes like robbery and burglary to focus on white-collar crimes, which yield better returns with remarkably less chance of being caught. However, due to harsher fraud sentencing guidelines and the threat of losing money and property to asset forfeiture, many of these criminals are turning to a new platform – cryptocurrency – to hide money, making it very difficult for local and state agencies to investigate.
Bitcoin, Ethereum, Litecoin and Ripple are some of the 1,600+ cryptocurrencies available for purchase. Some, like Monero and Zcash, are privacy coins that can be used to launder money and make it harder for law enforcement to track and seize. Monero even specifies on its website that its currency is “designed to be private, secure and untraceable”. The combination of these cryptocurrencies and consumer messaging applications is offering criminals an encrypted method of carrying out illegal business.
Apps that have been involved in criminal activity
Phantom Secure: 1 year on
Phantom Secure is a company that deals with the encryption of communication devices. The company boasted of being the world’s most trusted communication service due to the encryption capabilities they offer.
Following the revelations that the services offered by Phantom Secure were used by criminals to traffic drugs and perpetrate other illegal acts, it was important that the law enforcement agencies in the affected countries came together to disband the enterprise.
Investigations started about a year ago and culminated with the arrest of the company’s CEO, Vincent Ramos. The investigation also named four Phantom associates as alleged co-conspirators; the aliases of the four men were Chino, Caddy, Snowstar and Maestro. The five suspects are charged with knowingly participating in an enterprise that targets criminals.
Once the product is acquired by the criminal, they would use it to traffic illegal drugs and firearms, and to facilitate money laundering and cybercrime, all of which happen to be activities readily available over darknet markets.
Telegram launched in 2013, and is an encrypted instant-messaging application with 200 million active users monthly. Similar to WhatsApp, Telegram users can chat to individuals as well as groups. Any criminal with a shady offer or conversation to start can enjoy private and end-to-end encrypted chats instead of the exposed threads that are seen in online forums. In the past, several steps were required to ensure an anonymous connection to the Dark Web via the TOR platform. But today any Telegram user can easily join channels with a single tap on their phone, while keeping their identity hidden.
Examples of the chat channels discovered by Check Point researchers are ‘Dark Jobs’, ‘Dark Work’ and ‘Black Markets’. Messages on these include advertisements seeking to recruit employees of companies or banks, to obtain inside information and sensitive data. One eye-catching job posting found by the researchers was seeking employees of Western Union or MoneyGram who have access to certain systems. Allegedly, the employees would be paid $1000 per day for their efforts. Mobile network operators’ employees are also highly sought after. This inside information could be sold, or used to conduct a cyberattack from inside the company.
Criminals were amongst those who purchased the IronPhones, and used the IronChat app to communicate openly about their activities, believing that they were safe as they paid up US $1500 for a six-month subscription to the service. What they did not realise was that the app had been compromised by police.
Police in the Netherlands said they decrypted more than 258,000 messages sent using IronChat, an app billed as providing end-to-end encryption that was endorsed by National Security Agency leaker Edward Snowden.
Police haven’t described how they made the breakthrough of managing to crack the IronChat system, and snoop upon encrypted messages, but the suspicion will be that the encrypted chat app had a weakness – such as its reliance on a central server.
In a statement, police in the Netherlands explained that as a result of their surveillance, law enforcement agencies have seized automatic weapons, large quantities of hard drugs (MDMA and cocaine), 90,000 Euros in cash, and dismantled a drugs lab.
In addition, a number of suspects are also said to have already been arrested, with multiple searches taking place in various locations around the country.
The future of consumer encrypted messaging & use in darknet markets
As is true in the recent Phantom Secure takedown, international law enforcement bodies are always quick to work together to bring down major criminal operations. This was also the case during last year’s takedown of AlphaBay and Hansa markets.
The seizure of the two darknet markets happened weeks apart, starting with AlphaBay and followed by Hansa. All of it was a game plan to learn the behavior of darknet market users. But as expected, when AlphaBay went offline, darknet market users rushed to open accounts on Hansa without knowing what was happening behind the scenes.
But as explained in an analysis of darknet market trends and patterns, markets fall at the least expected time. Users are normally left stranded, and others are left counting losses, irrespective of the reason for the market going down.
However, the fall of one market will lead to the rise of another hidden marketplace, proving the statement “when one door closes another one opens” is indeed true.
The same case may be applicable with Phantom Secure. Despite the fact that it was a preference for many online criminals, users will inevitably switch to the next best messaging platform that offers anonymity. There is also the possibility that someone will develop an encryption-based messaging service that works in the same manner as Phantom products.
How our enterprise app prevents criminal activity
With a focus on secure enterprise communications, Salt Communications’ opinion on providing encryption services to private citizens is irrelevant. Salt Communications is not a consumer offering, and will only provide access to our solution to qualified, reputable enterprises and organisations.
Salt Communications has been built with the ethos of giving control to legal organisations, allowing them to trust the technology they use, with the promise that their information is private. By adopting a strict ‘Know Your Customer’ (KYC) policy Salt Communications have rejected approaches from many companies across the globe, when the company has been unable to satisfy the necessary KYC assessment. Salt Communications and its security partners ensure that only approved professionals with a real-life legal use case have access to their encrypted network. We are not a consumer app available to anyone and most importantly we do not provide lip-service KYC to legal fronts for illegal practices.
If you have any questions about this article or you are a part of an official organisation that would like to trial the system, please contact us on firstname.lastname@example.org and we’d be happy to assist you in any way.
About Salt Communications
Salt Communications, ranked in the top half in the Cybersecurity 500, provides a fully enterprise-managed software solution that enables absolute privacy in mobile communications. It is easy to deploy and uses multi-layered encryption techniques to meet the highest of security standards. The Salt Communications Desktop and Mobile apps are intuitive and easy to install and use. Salt Communications’ Communication Manager provides a console for tight management of users and can be configured for the management of regulatory compliance. Salt Communications is headquartered in Belfast, Ireland. For more information visit saltcommunications.com.