With the rise and fall of dark web black markets like Alphabay and the Silk Road, law enforcement officials have repeatedly warned that even anonymity tools like Tor and cryptocurrencies won’t hide criminals from the law’s long reach. But the most recent takedown of another massive cybercrime forum carries a different lesson: It’s still possible to create an online black market even outside of the dark web’s cover, grow it to a half-billion dollar operation, and get away with it for the better part of a decade.
On Wednesday, the Department of Justice unsealed an indictment against no fewer than 36 people, accused of acting variously as administrators, moderators, and sellers of illegal hacking and fraud services on a black market forum known as Infraud. A coordinated action by Homeland Security Investigations and cops in Australia, Britain, France, Italy, Kosovo and Serbia arrested 13 of those named, and took down the website itself, replacing it with a seizure notice.
The indictment accuses those dozens of defendants, located from Moldova to the Ivory Coast to Bangladesh, of trading in stolen credit card numbers, Social Security numbers, compromised accounts, and materials to create counterfeit cards. They were also allegedly involved in malware, money laundering, and so-called “bulletproof” hosting services designed to host other illegal online operations. In total, the forum’s members are accused of causing $530 million dollars in damage to companies and individuals.
“Infraud was truly the premier one-stop shop for cybercriminals worldwide,” the Justice Department’s Deputy Assistant Attorney General David Rybicki told reporters in a press conference.
But just as noteworthy as the staggering scale of that busted operation—one of the largest in history—is its relative impunity. The majority of the defendants, according to the Justice Department’s statements, seemingly remain at large. That includes Infraud’s creator, the Ukrainian Svyatoslav Bondarenko. And after seven years online, Infraud also achieved longevity that’s far greater than most online black markets. The Silk Road, for instance, despite running as a carefully anonymized Tor Hidden Service and only using the cryptocurrency Bitcoin, persisted on the dark web for two and a half years before it was seized and its administrator arrested. The more recent go-to bazaar for dark web contraband, AlphaBay, lasted just three years.
Infraud remained online well over twice as long as those fellow black markets, while at times hiding in plain sight. The forum was initially hosted as a traditional website, reachable at the URLs infraud.cc and infraud.ws, though it may have later moved to Tor or other better hidden addresses.
The administrators’ most effective tactic to evade law enforcement for so long may have been an old-fashioned one: They ran the site from a server in a country beyond US law enforcement’s reach, likely Russia, says former FBI cybercrime agent EJ Hilbert, who’s now a vice president of cybersecurity at security firm Gavin DeBecker and Associates. Hilbert speculates that the site used the same sort of “bulletproof” hosting that site’s vendors offered for sale, which keeps servers far from American and Western European cops, anonymizes their operators, and frequently moves them to stay a step ahead of investigators. “They were sitting in countries outside the jurisdiction of Western law enforcement,” says Hilbert. “That’s why something like this can remain live for an extended period of time.”
In fact, since March of 2011, less than a year after allegedly founding Infraud, Bondarenko declared that all buying and selling of contraband with Russian victims would be banned from the forum. That tactic, frequently used by Russia-based crime sites, effectively dissuades Russian law enforcement from pursuing most domestically hosted cybercrime. Berkeley computer security researcher Nick Weaver argues that form of “arbitrage”—running a crime scheme with profitable victims in one locale, while hosting in another that’s safer from prosecution—can provide more effective shielding for criminals than Tor. “You find a place where the local laws are happy and host there,” Weaver says. “A cybercrime forum that is ‘no damage to Russia’ is generally allowed in Russia, no need to use Tor.”
That geographic strategy is a well-worn one for cybercriminals, and it long predates both the dark web and Infraud. But given the scale and long life of Infraud’s criminal activity, the site shows just how effective it remains even now. And Hilbert argues that the recent decline in Russian-American relations—particularly around Russia’s own state-sponsored hacking operations—won’t help. “With our government’s animosity to the Russians, and their animosity to us, there’s no reason for them to assist on crimes that don’t impact their people,” says Hilbert.
Just how US, Australian, and European authorities did eventually shut down Infraud remains unclear, and the Justice Department declined to make any officials available to answer WIRED’s questions. As part of the indictment, the Justice Department described a complex organizational chart of Infraud’s alleged staff—from members to VIP members to moderators to super moderators to administrators—which Hilbert suggests could mean they spent years slowly flipping members to identify others in the organization, or gain more information about the site’s hosting.
Despite many of Infraud’s defendants remaining free, the Justice Department’s Rybicki emphasized that the takedown represents a win for the global fight against cybercrime. “The charges and arrests announced today are a victory for the rule of law,” he said. “Law enforcement across the globe acted swiftly to take Infraud’s cybercriminals off the Internet.”
The Infraud bust will no doubt put a serious dent in the cybercriminal underground. But if seven years counts as a “swift” operation, the next Russian black market administrators may be taking comfort in the prospect of a long career ahead of them.