Welcome to the eighth OnionScan Report. The aim of these reports is to provide an accurate and up-to-date analysis of how anonymity networks are being used in the real world.
In this report we will provide an in depth analysis of the financial information & business of a darknet marketplace, demonstrating how information publicly available can be used to build up a detailed profile.
Summary
Hansa Marketplace is a dark web marketplace where vendors can sell illicit products such as hacked accounts & drugs. We conducted a large scale crawl & analysis of the products & reviews listed on the marketplace.
By using those products listings & reviews we were able to gain a large amount of information about financial transactions facilitate by Hansa Market, including, how much Hansa Market facilitates, which vendors earn the most through Hansa, which products are bought the most & where vendors are likely based.
We discuss the impact of such information leaking through market reputation systems & what the future might look like.
Methodology
Between December 10th to December 14th 2016 we conducted a large crawl of the dark web marketplace Hansa. To do this we modified a version of OnionScan to output CSV records for each configured user relationship.
The two relationships we configured were: vendors listings & customer reviews. We have provided these relationship configurations at the end of this report.
Vendor Listings extracted information about each product sold on Hansa marketplace, including the Title, the Price in USD, the top level Category the item was listed under, the country the vendor claimed the product shipped from (if applicable), and the Vendor who was selling the product.
Customer Reviews extracted each review of the item listed on the products page, this included the time of the review, whether the review was positive,neutral or negative, the delivery time, the redacted user name & any review text.
We configured OnionScan to perform a deep scan, discovering & scanning new pages to a depth of 100 link follows and conducted multiple scans over the course of a week.
The scans themselves took many hours to complete, and multiple scans were run to ensure complete coverage of the site.
Overall we collected 14,544 unique product listings & 43,841 user reviews. We believe this is the largest processed scrape of dark market listings & reviews publicly available*.
After scanning we analyzed the data in the following ways:
- Number of products sold by each vendor
- Amount of revenue generated by each vendor
- Most popular products
- Highest revenue products
- Which vendors shipped from which country
- Customer satisfaction with the product
Hansa Market Finances
Through our analysis we determined that Hansa likely facilitated over $3,000,000 USD worth of sales between September 2015 & December 2016.
Hansa Market was formed in late 2015, and according to a report published by RAND in January 2016 there were 4,829 listings & 219 vendors on the site.
Our scrapes, taken in mid December, show that those numbers have grown; showing Hansa as having 14,544 listings offered by 511 vendors.
Through our analysis we determined that Hansa likely facilitated over $3,000,000 USD worth of sales between September 2015 & December 2016.
These figures are based on the reviews logged for each scrapped item, and the price of the product as listed when scrapped. Hansa earns between 2% and 5% commission on each item depending on the status of the vendor, that means we can estimate Hansa itself likely made $100,000 USD - $150,000 USD between September 2015 & December 2016 (not including vendor fees & other miscellaneous income)
Popular Vendors & Products
Proceeds from Drugs (over $3,000,000 USD) dominate Hansa's income, with Counterfeit (~$120,000 USD) & Fraud (~$79,000 USD) related products trailing way behind.
Despite drugs overwhlemly contributing to the bottom line it is digital items like accounts on Porn sites & how-to books that dominate the top 20 most sold products. Only 5 products in the top 20 most sold products can be classified as drugs - these are Liquid Mushrooms, MDMA & Xanax.
Being a Vendor on a Dark Market appears to pay well, with the top vendor (dutchcandyshop) selling $171,747.71 USD
The product with the highest number of reviews (and presumably sales) is titled +++++ Netflix Account(Premium + Lifetime) -Best price on Hansa +++++
. This "Lifetime" Netflix Account sells for just 99 cents, and has 745 reviews. As with all reviews on Hansa the majority are positive with comments such as "All good, thanks a lot"
& "Quick delivery, fixed issue quick as well, trust worthy and fixes issue if it happens. Highly recommend!"
- lurking in between there are a few negative reviews "1 month later, account isn't working again (4th time)"
and "its not lifetime"
. Perhaps indicating that these are hacked Netflix accounts that for the most part, remain hacked.
Being a Vendor on a Dark Market appears to pay well, with the top vendor (dutchcandyshop) selling $171,747.71 USD worth of product, and all vendors in the top selling over $50,000 USD worth of product each since September 2015.
These numbers are based on the price of the product when scraped & the number of reviews - it is quite possible that user do not leave reviews, or that products are removed from the site when they are no longer available - meaning that data isn't available to collect - that being said, based on the large number of reviews we are analyzing, it seems correct to say that vendors are making serious money through Hansa marketplace.
Positive Reviews
We mentioned above that practically all of the reviews that we scrapped were found to be positive. In fact only 825 products had any neutral or negative reviews.
Overall, 96.4% of all reviews on Hansa Marketplace were positive.
This trend towards positivity likely stems from a few key factors:
- Sales have to be finalized by the buyer & the seller - failure to deliver an item results in the sale not being finalized, and in many cases canceled. As such no review would be left.
- Dark Marketplaces rely heavily on trust models and so there is a natural pressure on vendors to ensure what they are selling is legitimate (for some meaning of the word legitimate)
Shipping & Countries
Vendors have a bias towards only supplying within their countries borders - this is caused by the difference in the levels of package inspection within a country verses at international borders (and most countries having stricter punishments for shipping illicit products across borders).
The above means that products on darkmarkets are often listed alongside their shipping origin & destinations. Buyers will use this shipping information to filter products that they would be unable to receive.
Using this information we can work out where vendors operate from, and (based on information about the product itself), work out how much product from dark markets is moving through a given countries postal system.
After discounting digital items & those where the vendor claim they ship worldwide, the United States is the country with the most number of vendors who list it as an origin with 149. Germany (51) and the United Kingdom (50) follow. After that the number of products per vendors in country drops pretty quickly from The Netherlands (43) to Canada with (15) and China (6).
Discussion
We have been able to determine very specific information about the business of Hansa market just by using information publicly available on the marketplace itself.
This poses a big threat for Hansa and other darknet marketplaces. The anti-scrapping technology applied by marketplaces like Hansa is trivial & at most relies on easily defeatable CAPTCHAs. Dark markets are unable to utilize modern robot detection frameworks because all of them rely on large centralized companies & are unsuitable for anonymous marketplaces.
To put it another way, the amount of data being put out by Hansa (and others) is a risk to the anonymity of themselves & the vendors & customers that use the site.
Because of this, crawling dark markets can result in a trove in information that can be analyzed to uncover not just the finances of the marketplace, but that of vendors & products.
We are able to tie Vendors to countries & product categories, as well as work out how much income they have taken in & when that occurred. In criminal investigations, this kind of information is used to correlate bank account transactions or other financial interactions and to narrow down suspect lists.
To put it another way, the amount of data being put out by Hansa (and others) is a risk to the anonymity of themselves & the vendors & customers that use the site.
Towards Anonymous Reputation
This hints at the underling problem that is pervasive to these kinds of marketplaces; Customers need information to work out which vendors are trust worthy & what products to buy. In order to encourage sales, Vendors & Marketplaces are encouraged to make reviews available as well as the overall reputation of the Vendor. Without this information it is likely that Customers will go elsewhere to buy.
But this information has a cost, and that cost comes when each data point is correlated with the others & external information. As we have shown before, correlation can kill anonymity, and the reputation & review data being provided by modern marketplaces is no exception.
If markets want to avoid these kind of leaks in the future then there needs to be an entire overhaul in the foundations of these reputation systems. There is some theoretical schemes being proposed that use zero-knowledge proofs to demonstrate trustworthiness without revealing particular information - we imagine that such schemes will become more popular as time goes on.
We are able to tie Vendors to countries & product categories, as well as work out how much income they have taken in & when that occurred. In criminal investigations, this kind of information could be correlated to bank account transactions or other financial interactions to narrow down suspect lists.
Conclusion
The reputation systems that power dark markets are vulnerable to exploitation. The data that can be gathered by them is often enough to reverse engineer detailed finances of marketplaces, vendors & product lines. While we have only looked at Hansa in this report, cursory examinations of other markets seem to indicate that this problem is universal - and will likely be for a considerable time to come.
If you would like to support further research and development of tools like OnionScan you can become a patron at Patreon
Data
You can find the data used in this analysis at https://polecat.mascherari.press/onionscan/dark-web-data-dumps/tree/master
* This report originally stated that we believe the data behind this scrape to be the largest publicly available. It should have read that we believe this data is the largest processed dump of dark market listings & reviews publicly available.