It’s Back to BTC for Darknet Markets After Monero’s Binance Delisting: Chainalysis


Farwa is an experienced InfoSec writer and cybersecurity journalist skilled in writing articles related to cybersecurity, AI, DevOps, Big Data, Cloud security, VPNs, IAM, and Cloud Computing. Also a contributor to Tripwire.com, Infosecurity Magazine, Security Boulevard, DevOps.com, and CPO Magazine.

Changing the Tor browser settings can further boost your security levels on the dark web shops. For instance, you can choose the preferred security levels for enhanced protection. The security level is set to ‘Standard’ by default, but you can change it to ‘Safest’ and enjoy more security while accessing the dark web. Despite using a VPN, there’s always a risk of the VPN leaking your IP address through DNS or WebRTC leaks or misconfigurations when on a dark web forum or marketplace.

How to Prevent Phishing Attacks?

Treat these as self‑reported marketing details rather than independently verified features; such pages are useful for understanding how the site portrays itself but can lag reality. Overall, Abacus Market distinguishes itself through rigorous security measures, effective moderation policies, and a strong emphasis on protecting user privacy. Despite minor accessibility inconveniences, these strengths have solidified its position among the top dark-web marketplaces in 2025. A Canadian market established in 2021, WTN offers over 9,000 products, including narcotics, fake goods, and digital services. It operates in both French and English and has built a reputation for ease-of-use.

What are onion sites and dark web websites?

These markets have grown into a sophisticated ecosystem, offering a wide range of products and services that cater to diverse consumer needs. The integration of cryptocurrencies and privacy-focused tools has further enhanced the efficiency and security of transactions, making darknet platforms a preferred choice for many users. Examples include the sale of high-quality products with low risk for contamination (including lacing and cutting), vendor-tested products, sharing of trip reports, and online discussion of harm reduction practices.

  • Next, we extracted information about stolen data products from the markets on a weekly basis for eight months, from September 1, 2020, through April 30, 2021.
  • Though Genesis Market domains and servers were seized and antivirus programs have been updated, cybercriminals have already rebuilt illicit services like these.
  • Additionally, transactions are made with cryptocurrencies, mostly Bitcoin, which also provide anonymity to the transaction parties [6, 36].
  • Law enforcement agencies monitor many dangerous markets, and even anonymous browsing isn’t foolproof.
  • Further market diversification occurred in 2015, as did further developments around escrow and decentralization.

TorShop Mart

Darknet market vendors have suffered—as legitimate vendors have—through a strained postage and shipping network on account of COVID-19. However, according to Chainalysis, the driving force of this revenue is a combination of increased competition and efforts by law enforcement to crack down on the markets themselves. According to Chainalysis’ 2025 Crypto Crime Report, darknet market (DNM) vendors are adapting their money laundering tactics. While centralized exchanges (CEXs) remain the dominant cash-out method, a notable shift has been toward decentralized finance (DeFi) protocols. The horizontal bars represent each market’s lifetime, i.e., the time from when the market becomes active until its closure, and are colored according to the market’s monthly trading volume in USD.


Furthermore, law enforcement worldwide has stepped up its efforts, seized assets, and disrupted key money laundering networks. Additionally, we analyse the U2U network of transactions, i.e., the transactions between pairs of market first-neighbors where the source and destination nodes are market users without the market as an intermediate. In the U2U network, an edge connects nodes that are not necessarily users of the same market. Previous studies have shown that, although the number of users and transactions is larger in markets, the trading volume in the U2U network is larger than that of markets [13]. The largest component of the S2S network one year before and one year after the operation Bayonet. Nodes are sellers that are active within the time period, and an edge is placed between two sellers if at least one transaction occurs between them during the period.

  • Its 9,000+ users and 700+ vendors focus on drug trades with strong escrow security.
  • Its main inventory includes corporate credentials, system logs, RDP access points, and internal network data.
  • STYX Market focuses specifically on financial fraud, making it a go-to destination for cybercriminals engaged in this activity.
  • It runs on a rewritten version of the old Versus codebase, so the UI feels familiar but adds per-order “vendor bond staking” meant to reduce exit temptations.
  • The use of digital signatures can also help verify the authenticity of users and transactions.
  • In panels (b, c), we show the number of all sellers and buyers per quarter, respectively.
  • Welcome to this collection of darknet resources, curated exclusively for educational and informational purposes.


Because they are already active in more than one market, the migration cost for the multihomers is usually smaller compared to that for non-multihomer users, especially for sellers, who need to rebuild their reputation [23]. Our classification shows that the number of sellers is significantly smaller than the number of buyers, as shown in Figs. The number of actors in the ecosystem is affected by several factors, especially market closures. Notably, the number of buyers and sellers significantly drops after the operation Bayonet in the last quarter of 2017, which shut down AlphaBay and Hansa markets, causing a major shock in the ecosystem [34]. However, the number of buyers rapidly recovers, which does not happen to sellers. And over the last 9 months, using a mix of publicity stunts and crippling cyber attacks on each other, OMG, Kraken and around 10 other darknet markets have been engaged in a tit-for-tat turf war for Hydra’s throne.


Financial Loss

Over the years, these platforms have transformed into sophisticated ecosystems that cater to a wide range of products and services, with a particular emphasis on secure online trade. The integration of cryptocurrencies such as Bitcoin and Monero has played a pivotal role in ensuring anonymity and facilitating seamless transactions, making these markets more accessible and reliable for users worldwide. Dark web marketplaces have been a significant outlet for illicit trade, serving millions of users worldwide for over a decade. First, we propose an algorithm that categorizes users either as buyers or sellers, and show that a large fraction of the trading volume is concentrated in a small group of elite market participants.

DarkRaaS & CornDB: Evidence of a Coordinated Network?

We pulled six months of uptime data from open monitoring relays, read 2 400+ recent user comments on three invite-only forums, and tested each site with a clean Tor setup to check speed, PGP workflow and dispute flow. Longevity, code reuse and past exit-scam history are factored in, but we weigh present behaviour more heavily. Finally, we ran a small sample order on each to time escrow release and support response. All numbers are rounded; darknet telemetry is noisy and markets change weekly. Established in 2019, Russian Market is a well-known and highly regarded data store on the dark web, specializing in the sale of PII and various forms of stolen data. Despite its name, the marketplace operates primarily in English and serves a global audience.


For instance, stolen data can result in unauthorized payments, the draining of accounts, or even registered loans. Who doesn’t like privacy, especially when dealing with the buying and selling of illegal products and services? Therefore, given the nature of anonymity and privacy of the dark web, several stores keep on emerging in the dark despite a continuous crackdown on several others.

A Chainalysis report finds that there are fewer darknet markets—but they’re growing in revenue.

It has gained a reputation for being a reliable source of high-quality data for cybercriminals. Its focus on financial fraud and high-value transactions has attracted a dedicated user base, contributing to its growing reputation and market value. Based on our observations from analysis on dark web data using Lunar, we’ve identified the top 7 marketplaces on the dark web in 2025. We developed Lunar to monitor the deep and dark web, including dark web marketplace sites. Dark markets include features similar to those found in legitimate e-commerce platforms, such as product listings, user reviews, ratings, and customer support.

2a, where the overall ecosystem volume quickly recovers after market closures. This is an outcome of the ecosystem’s resilience, largely supported by the migration of users [15]. Correspondingly, the multihoming activity is a mechanism that contributes to the ecosystem’s resilience.


Darknets and dark markets present a multifaceted challenge to businesses and society as a whole. While these hidden networks can be used for legitimate purposes, they are equally significant as vectors for cybercrime and illicit activities. Dark markets often employ end-to-end encryption for communication between buyers and sellers, enhancing security and privacy.

The sad reality is the fact that law enforcement agencies can’t track and prosecute perpetrators or even take down such content given the anonymous nature of the dark web. As much as authorities work hard to shut down various sites, it shows what the dark web is capable of doing if left unchecked. The internet is a wide landscape that comprises the surface part – the internet that we all know and the hidden portion.

Tweak Tor browser settings

  • Notably, Abacus explicitly forbids highly dangerous goods, including weapons, explosives, and exploitative material, which has helped maintain a relatively favorable reputation among its user base.
  • Fentanyl and fentanyl-laced drugs also arrive in the United States through Latin America-based cartels.
  • Exploring the dark web can be eye-opening, but it’s also risky without the right protection.
  • What makes this market popular is the fact that it’s less expensive compared to the rest.
  • The number of malicious tools, or “drainers,” designed to steal cryptocurrency assets like tokens and NFTs saw a substantial rise.

While not an onion site, Tor Metrics can provide a fascinating peek “under the hood” of the dark web. It tracks Tor user activity by region, showing trends in access and adoption without collecting personal data. These insights help researchers and privacy advocates understand where Tor is most relied upon, often highlighting global patterns in censorship, surveillance, and the demand for online anonymity. DuckDuckGo is a privacy-focused search engine that works as Tor browser’s primary search engine. It doesn’t track searches or store personal data, making it a strong option for users seeking more anonymous private browsing. However, DuckDuckGo doesn’t index dark web content — it only accesses surface and deep web sites through Tor.

For instance, we cannot verify if an entity classified as seller is in fact a seller. Similarly, there is no unique choice for the classification parameters or ground truth for fitting them. In light of this, we have chosen the parameters conservatively, obtaining estimates for the number of sellers that are in general smaller than the ones produced by other methods. Second, our approach does not explicitly classify buyers, which are entities that were not classified as sellers. There is a gray zone in which some sellers and buyers may not be easily distinguishable in transaction networks.

One of the central[75] discussion forums was Reddit’s /r/DarkNetMarkets/,[76][77][78] which has been the subject of legal investigation, as well as the Tor-based discussion forum, The Hub. Marketplaces often collapse when servers, hosting providers, or related services are seized. Even partial disruptions can trigger panic, causing users and vendors to abandon the platform. Agencies like the Federal Bureau of Investigation and Europol monitor marketplaces over long periods rather than acting immediately. This allows them to map infrastructure, track financial flows, and identify administrators and vendors. Dark web marketplaces expose users to multiple layers of risk that extend beyond financial loss and affect legal standing, personal safety, and long-term consequences.

Regional websites

However, many sites on the dark web host illegal content or activities, and engaging with those can lead to serious legal consequences. In some countries, like Russia or China, dark web access itself may be blocked or penalized. Facebook’s onion mirror allows people to access it in countries that block the platform, allowing people to connect across digital borders. That said, the social network’s data collection and tracking practices may seem at odds with many of the principles motivating dark web users.

With over 20 years of experience in cybersecurity and marketing, Ben has held leadership roles at companies like Check Point, Cognyte, Cylus, and Ionix. An award-winning cybercrime threat intelligence firm, KELA’s mission is to provide 100% real, actionable intelligence on threats emerging from the cybercrime underground, to support the prevention of digital crimes. As of September 2025, public trackers mark it closed, underscoring the sector’s churn amid phishing/DDoS and sustained law‑enforcement pressure. Since 2020, 2easy has sold massive stealer logs with sensitive data like passwords, bank cards, and initial access credentials. It supports operations in multiple languages and operates on both clearnet and Tor.

  • If your personal data ends up for sale on the dark web, it can lead to serious consequences like identity theft, financial fraud, or unauthorized access to your online accounts.
  • We find that trading properties of buyers and sellers reflect the dominance of DWMs in the ecosystem.
  • The website allows a personalized searching experience, where you can search according to your geographical location, country-specific, and keyword or price-specific search results.
  • Besides this, it supports wallet-less transactions and accepts payments through Bitcoin, Litecoin, Monero, and Zcash.
  • A Distributed Denial of Service (DDoS) attack is designed to disrupt access to websites and other internet resources.
  • The Dutch National Police successfully located and seized the server infrastructure hosting Archetyp Market at a data center in the Netherlands, effectively terminating the platform’s operations.
  • Nevertheless, it is important to stress that the results are robust under considerable variation of the parameters, indicating that the coherent picture emerging from our analysis does not depend on the details of the method.

If any user is found not complying with the law, strict and immediate action will be taken against them. It uses PGP encryption to protect sensitive data and messages, and accepts payments via Monero and Bitcoin to keep you anonymous on this marketplace. Bohemia is a modern dark web marketplace with a great user interface that is easy to use and navigate. It asks you to pay the merchant fee if you want to sell something, preventing the buyers from getting scammed. The marketplace has a pleasant, user-friendly interface built from the ground up.

The Torrez market is one of the biggest dark net marketplaces, also called a community-driven marketplace. It contains a good selection of product listings that range over 35,000 items. It uses PGP encryption, two-factor authentication, and OTP authentication to ensure users’ security. Mega Market is a new yet popular shop on the dark web that reached a skyrocketing reputation after the closure of the Hydra market. It allows you to buy and sell a wide range of products and services with a good user experience.

One of the most common types of illicit goods is stolen login credentials, often collected from data breaches. These “credential dumps” allow criminals to access online accounts, steal identities, and commit fraud. Miklos has long-time experience in cybersecurity and data privacy having worked with international teams for more than 10 years in projects involving penetration testing, network security and cryptography.

The marketplace is much more organized, which makes it easy to use and navigate. Its intuitive interface and advanced search features make it easy to find local and global products. The marketplace extensively vets vendors listed within its deep web environment that offer a wide range of product portfolios, including security solutions, digital services, and specialized equipment.

Our research shows that, like most legal commodities, stolen data products flow through a supply chain consisting of producers, wholesalers, and consumers. But this supply chain involves the interconnection of multiple criminal organizations operating in illicit underground marketplaces. ASAP is a tech nerd’s playground—accepting BTC, LTC, ZCash, and Monero, it’s got options for days. Their DeadDrop system’s a standout—vendors stash your goods IRL, no mailing hassles—and wallet-less payments mean no one’s bolting with your cash, a relief after I got burned once by a shady escrow dodge. Listings aren’t public, but it’s steady—think drugs (weed, pills, some synthetics), a few digital extras like cracked accounts. They’ve got 2FA and encryption that’s tighter than a drum, which I’ve tested against crash-prone sites and found solid.
