AlphaBay Market: Lessons From Underground Intelligence Analysis – SANS CTI Summit 2018

(applause) – I'm a threat intelligence analyst at iDefense, part of the Threat Hunting, OSINT, and Reconnaissance team, and we specialize in targeted attacks and underground research. So this is my first time here at SANS and at CTI, so please be gentle, but generally we're gonna be talking about the role that underground intelligence plays as part of a threat intelligence program, and we're gonna look at it through the context of a deep-dive look at AlphaBay Market, which was, until recently, one of the largest criminal underground markets. So, for a background, I really came into threat intel by quite an unorthodox route, in that I don't have a technical background.

I'm a massive tech geek, which is unsurprising in this venue, but I came at this from a War Studies perspective. I originally studied under Thomas Rid doing intelligence studies at grad school, and I'm really passionate about actually looking at organizations and how they function. So thinking about their culture, their networks, what drives them, what their incentive structures are, and how does that help us determine their future behavior as adversaries? So, I'm gonna try and show how we can bring these aspects together with threat intel.

So just as a baseline, so everyone knows what we're talking about when we're talking about underground intel: underground intel is probably one of the oldest elements of threat intelligence, in the sense that as long as there have been underground criminal communities there have been people trying to break into them. So, some of you might have read Misha Glenny's book on the topic, DarkMarket, which is essentially talking about how the FBI infiltrated English and Russian language criminal communities in the 2000s. Yeah, this has been going on for quite a long time.

And generally, you're using underground intelligence because you're trying to provide visibility into underground criminal activity, and what are the actors actually planning there? What's their intent? What tool sets are they using? And, you know, what's their future development? And there are really three main aspects to underground intelligence, and they're obviously interrelated, and they feed into each other. So, first of all, you have human intelligence.

That's engaging with actors directly, trying to develop sources; it's trying to actually infiltrate the communities in the first place and developing a persona through engaging these people, someone that they'll recognize over time. You're also conducting open-source intelligence: you could be using WHOIS data, you could be pulling from social network data, or you could be looking into government records and trying to tie people's digital identity to their real-world identities. And then, finally, you have classic cyber intelligence: indicators of compromise, reverse-engineering malware. And all of these things, they feed together and they're trying to give you context to inform your defensive operations.

What are the pros and cons of underground intelligence? Here we're going to try and actually do some real talk, as opposed to just vendor speak, about what the value of underground intelligence is, because there is a lot.

First and foremost, you're using underground intelligence to try and get to know your community. Get to know the people who are targeting your organization. And this is primarily going to be done by the cyber-criminal underground of financially motivated actors, because in all honesty, there isn't a huge amount of underground activity surrounding cyber espionage. There is in certain communities, in certain countries and certain regions, but generally it's overwhelmingly financially motivated cyber crime. And what you're trying to do is, you're trying to identify the clusters of this activity and trying to find clusters of activity that are most relevant to your organization or your vertical. Now, ideally, what you want is to be able to identify activity at a relatively early stage.

It could be someone is trying to put together a plan to attack your organization, they are trying to obtain certain tools for it, and that's the ideal scenario, when you're coming in right at the beginning and you're starting to see a plot evolve. But generally, a lot of what you see is the suboptimal outcome, which is actually we're seeing it right at the end.

Where we're seeing a threat to the organization in the form of someone selling or spinning off the results of their activity. If you work in a financial, and you've ever been part of a fraud investigation team, if you've ever spent any time with the cyber-criminal underground, you're going to be seeing a hell of a lot of this stuff. People selling bank accounts, people selling credentials or whatever, but generally that's often the most highly visible aspect of underground intelligence.

In terms of the value, let's start off with the risk of underground intelligence. Compared to other parts of threat intelligence, underground intelligence is fairly high-risk, in the sense that this is a community that knows that it's been infiltrated a lot of the time. It's not a secret anymore that Brian Krebs is hanging out in these places and has many Russian pseudonyms.

There's a lot of journalists as well as Krebs, there's threat researchers, and there's law enforcement all over the place. The people who form these communities know that they're infiltrated; you are part of their threat profile. Do not expect them to act, unless they're incredibly stupid, which some of them are, but generally do not expect them to act as if they don't know they're being watched. They know they're being watched most of the time.

Actually, underground intelligence is really tricky because there is a huge amount of activity out there. There's thousands and thousands of these sources at different levels in terms of how easy they are to infiltrate and how easy they are to observe. That has a big lift, organizationally and technically, so you need to develop a collection system to grab all that data and ingest it, make sense of it. Often there are big language gaps. Obviously everyone knows about how big the Russian underground is, but actually, knowing Russian is just the start of it. There's a very sophisticated dialect within these communities that takes time to get to know. Of course, there are the OPSEC requirements, because you can't just go into this from your company's ASN.

You can't just go in on a corporate machine. You have to build tooling that will let you get into these communities, and if the box is compromised, it doesn't come back to your organization. This is generally why, when people go for underground intel, they go for vendors, because you're essentially offsetting the risk to a vendor, and there's nothing wrong with that. It's just the question of how you use that, and are you realistic about the utility of that?

A good way of thinking about cyber criminality is to think of it in terms of its operational cycle. This is similar, in a way, to thinking about the terrorist operational cycle, if any of you are from a counter-terrorism background. But generally, any normal criminal will have to go through these stages of thinking about what they actually want to do, how they're going to do it, what resources they need, and then actually going through and carrying out the operation, and then carrying out the exploitation at the end and actually getting the financial gain from that attack.

Generally what you see is the top two. If you're lucky, and you're observing underground activity, you can potentially see any part of this attack cycle. But realistically, you're most likely gonna see the very beginning, the target selection, and the very end, the exploitation. So that's something that the vendor space has a problem with: it likes to sell people the idea that it's going to give you total visibility into attacker activity, and you're going to be able to see everything they're doing and everything they're talking about. Realistically, the actors' operational security, and also what they need from the underground, will mean that you will not see that activity. You're most likely going to see the very beginning and the very end.

Then we talk about practical examples. How should an organization actually operationalize underground intelligence? This is going further than just simply ingesting underground data like a feed, because that's entirely the wrong way to use this. Underground intelligence is most valuable when you can interact with the operational cycle of cyber criminals and then potentially mitigate that threat.

Just say, for example, you're a global hotel and resort operator, maybe like this one. You're trying to identify clusters of TTPs within particular communities that you know potentially could harm your organization based on your threat profile. Then, ingested through your underground feed, or whatever your process is, you see a guy who claims to be an employee of your organization, and he's offering inside access to the customer payment system for your company. Not for your company, but for an unspecified company. Obviously, that would be very interesting to you if you were on a threat intel team, or if you're a part of an incident response team. The value here is when you can actually reach out to that actor and try and work out, identify the threat. What's the credibility of the threat? Does it relate to your organization? Does it relate to someone else's organization? And you can use the three prongs. You can use the cyber intelligence, trying to see if you can, based on the conversation with the actor, isolate which machine is being compromised. Or are you able to use OSINT? Are you able to see if the actor, you manage to get them to provide a screenshot demonstrating their access, because you're pretending like you're interested in buying it.

Then you can potentially geo-locate the office that's been compromised based on the photo data. This is all very practical and can be done. This is what the value of underground intelligence is actually about: identifying and mitigating a threat at the earliest stage you possibly can, rather than just observing something and noting it.

Now we can talk about the fun stuff. Why are we talking about AlphaBay? AlphaBay is a really interesting criminal market. It was originally founded in December 2014 by a guy called Alpha02, that was his handle.

We now know that his real name was Alexandre Cazes. He was a French-Canadian guy from the Quebec province. AlphaBay is very interesting because it wasn't just trying to be like any other marketplace. It was trying to do something different. It was trying to combine a Silk Road style marketplace with a much wider nexus of criminal activity. It was trying to plug a quite sophisticated, very large, mostly English-speaking criminal community into this marketplace.

And it was very successful in doing that. By around June of 2017, we saw about 190,000 registered members on the forum alone. We took a look at AlphaBay and decided that this would be a great target for a strategic research project, strategic underground intelligence collection, because what we really wanted to understand was how the market worked, and how did that relate to our customers? It was really good fun. AlphaBay is actually a really interesting place to hang out, who'd've thought? It was a really good community to spend time in. You learn a huge amount about how the criminals actually operated, how they thought, what they're interested in, and we managed to complete the project and publish it on our platform about a day before it was taken down by law enforcement. So, we got lucky.

Generally, AlphaBay was split into these two components. You had the primary marketplace. The image is a bit blurry, but on the left you can see this is search results for the malware section.

There was a specific malware subsection. Most Silk Road style marketplaces do have malware, but AlphaBay was interesting in that it had arguably the most sophisticated and largest offering of malware on any Tor-accessible marketplace. In addition to that, it had the forum section, which was far busier and more lively and more sophisticated than any other forum section of any other marketplace.

What happened to AlphaBay is basically, suddenly, it just dropped off the radar. It went dead. The website stopped resolving. Absolutely no one knew what had happened, and there was an effort by the community to try and reach out to staff and find out what on Earth had gone wrong: they've disappeared with all our money.

The AlphaBay staff members were, some of the junior staff members were saying, "Don't worry, it's fine. We're doing upgrades." And after some days had passed, everyone was just like, "It looks like they've just gone, they've exit scammed, they've run off with all the deposited cash, so we're just going to go to Hansa." Hansa was the second biggest market at the time, and was pretty sophisticated in its own right as well. What people didn't realize is that these people were being steered into a trap, because Hansa was being operated as a honeypot by the Dutch national police, who'd seized it about a month before. As thousands of users started migrating from AlphaBay to Hansa, often in quite a rush, they were giving the Dutch police a huge amount of metadata on the users.

They were just sucking people up. On July 20th of 2017, in a joint conference, the Dutch police and the FBI snapped the trap shut, announced both markets had been seized, and it sent absolute shock through the community that this had happened. The idea of one marketplace going down, that's the game, that's how this goes. But two marketplaces at the same time, in a coordinated operation, no one thought the police were that smart.

How do we actually get to that place? Well, it turns out that while Cazes and his crew had run a pretty tight shop, it was a pretty sophisticated marketplace in terms of operational security as well, it also made a pretty crucial mistake at a pretty early stage of setting up the marketplace.

Cazes had actually sent out a "Welcome to AlphaBay" registration email and, buried in the headers of that registration email, it had the email address "pimpalex_91@hotmail.com". So once the FBI saw that, I think it was about two years later they found that, there was collective head-slapping all around. And the whole business started to untangle. They managed to locate his server farm in Canada, in his hometown, which, again, pretty disappointing. And when they raided his house in Thailand, he was living in Thailand at that point, they actually found everything laid out in plain text on his computer. Absolutely everything. The crown jewels, all the wallets, all the keys, everything. And, just for future recommendations, if anyone here is thinking about running a marketplace in the future, I wouldn't recommend having a personal net worth document stretching out all your assets around the world on the same computer that you run your criminal marketplace from.

Pro-tip. But, do you know who did exactly the same thing? Dread Pirate Roberts. He did exactly the same thing. The Silk Road founder, exactly the same way. I can't even, I just don't understand.

What does AlphaBay actually tell us about underground intel, and what is underground intelligence used for? So what we've found is that AlphaBay gave us a huge amount of visibility into the actual operational planning of a big network of cyber criminal operators in the English language, who tended to range from the kind of low-skill, in English we would call them barrow boys, people who are just trying to find any kind of job they can to make a bit of cash, to people who are marginally sophisticated or are fairly specialized in certain areas of fiscal fraud.

But there's also a pretty strong relationship between AlphaBay and the Russian underground community as well. AlphaBay was actually acting as a bridge between these two communities. And that was a deliberate decision by the operators of the marketplace, who were actually pretty sophisticated cyber criminals in their own right. Again, this is something that distinguishes AlphaBay from other markets, in that AlphaBay is run by, was run by a coterie of really sophisticated cyber criminals. People who had years of experience, and they knew exactly what they were doing. Further evidence of their sophistication is their financial model, where we found significant evidence to suggest that AlphaBay was more than just a marketplace; it was actually a multi-tier financial scam involving cryptocurrency manipulation. We're going to be talking about that in a bit more detail.

This phrase I think really helps encapsulate what the scene of AlphaBay was like, in that it felt like Reddit, but it was for criminals. It was highly social, it was full of people just talking absolute nonsense most of the time, coming up with the most ridiculous ideas on how to make money. I remember seeing one guy asking for help, trying for someone to come and chop down his neighbor's tree because he didn't want to be caught doing it. Just totally bonkers stuff like that. But generally, you had a really wide selection of people with different skillsets all trying to find each other and then potentially make some money out of that partnership. You had people like the insiders, so there were quite a lot of people offering insider services to banks or to retailers: "I can hook you up, get past fraud protection systems." And you also had people who were offering, they could set you up a fraudulent company, a front company to launder stolen money through.

You had people who specialized in business email compromise. Really wide skillset. And obviously a lot of them were idiots, but still, a significant contingent were good.

Now, an example of the kind of tactical output that you got from these kinds of interactions, and just by getting to know the community there and interacting with them: we were actually contacted by a criminal gang based in the south of Europe. What they were, they were a physical criminal gang, like a regular good old-fashioned criminal gang. And what they were looking for on AlphaBay was someone who could hook them up with some malware. So they had physical access to several companies' internal networks; we think that they may have been contractors or may have had people in as contractors within the company. What they were trying to do is find someone who could provide malware for them that then they could install into those networks using their insider access, and then they can expel all the data out, sell it, and then the profit would be split with the specialist who could provide them with the malware.

Pretty interesting stuff. Based on this interaction, where we were able to speak with the actors and get to know them and pin down what they were trying to do, then we were able to pass that intelligence off to the companies who were actually being targeted. Now, because this is a public talk, we've had to change some details to protect the victims, but generally, this is the gist of what happened. That's the point: it's going beyond. If we had simply reported that we'd seen some people looking to buy malware, that wouldn't be very interesting, so all the steps beyond that, of actually reaching out and connecting the actors, working out what they want.

That gives you the killer piece. So the Russian connection of AlphaBay is a really interesting one, and not just for the first reason I outlined in terms of a bridge, but also, they were trying to use their connection to Russia as an OPSEC measure. So, I'll explain a bit how that worked. First of all, they would tell people that the sale of Russian personal data and financial data was banned on the market, that you couldn't sell it on the market.

Also, they regularly reached out to people on the Russian underground saying, "This is a great place to hawk to English speakers." We actually saw direct evidence of them reaching out on some top tier Russian underground forums saying, "Come to AlphaBay, it's a really good place to sell in both English and Russian." But something doesn't make sense here, because we know now that Cazes was based in Canada, or at least his infrastructure was, and he lived in Thailand, so why were they trying to ban the sale of Russian data? There's a common characteristic of a lot of Russian underground forums.

So what we think they were trying to do is pose as if they were based in Russia; they were trying to essentially mislead people that they were based in Russia. This is the tagline for the admin account run by Cazes. It says in Russian, I can't speak Russian, so I'm butchering it, but it means basically "Be careful, brothers." Ooh, spooky Russian mafia. Very interesting. I think, ultimately, they're playing a double game here, because they're trying to persuade everyone that "Yeah, we're spooky Russian mafia, don't bother coming after us, because we've located all our infrastructure in Russia." They actually explicitly said that on the forum several times, which we now know is likely to be untrue.

But we think that there also was quite a strong relationship between the admins and the staff, and the CIS region, the Russian Commonwealth of Independent States region. Some evidence suggests that several of the staff members were based there, or had been based there originally, and did speak Russian.

AlphaBay's financial model is particularly interesting and sophisticated in comparison to its adversaries, or competitors, rather, in that it incorporated the usual escrow system for a market, but in addition, it had an automated credit card shop. So if you've ever seen any usual credit card auto shops like Joker's Stash or whatever, it had one of those built into the market for the credit card sellers, bulk credit card sellers.

It also had a mixer built into it, so you could mix your cryptocurrency within the site without having to use an additional service. But that wasn't the end of it. The marketplace was part of a wider financial model, and they were very explicit about this. This is a direct quote from AlphaBay's support account on Reddit, because they maintained several accounts on Reddit, just to keep in touch with their buyers, explaining why "Don't worry, AlphaBay's not going to exit scam, because we have a much better idea." We think we've identified at least one route as to how they were doing this.

AlphaBay was pretty innovative in that it was one of the first currencies to support a multitude of alternative cryptocurrencies in addition to Bitcoin. They ended up adopting two coins successfully, and it looks like they weren't able to complete the third coin integration at the end because they were seized. They actually managed to integrate Monero and Ethereum, and then didn't manage to do Zcash. What we think that they were doing was, they were using the marketplace and the trade within the marketplace to actually try and influence the value of the coins themselves. We think the strategy went something like this. In the first step, you buy a lot of a cryptocurrency that wasn't currently supported by any major marketplaces. It, at the time, was relatively obscure on the criminal underground. And then, what you do after that is tell people AlphaBay is now supporting this coin, and you should totally look at trading it, because this is obviously going to affect the coin's value.

Then you see people start shooting into the market as people start to see a movement into the market. The currency is now supported among the underground. And congratulations, you just pumped up the currency that you previously bought. One example of where we think they did this is with the coin Monero. Monero is pretty massive now on the underground, it's a really popular underground coin, partly because it's relatively easy to mine with GPUs. It's really popular with miner malware, and it's also starting to be integrated into ransomware. It's a coin that's trying to be harder to track than Bitcoin. It's trying to improve on a lot of the benefits of Bitcoin for criminal underground uses. Before AlphaBay adopted it, it was relatively obscure. Around August 18th, the market cap was about 28 million. There's also not much trading activity, it's pretty quiet. On August 21st, a market called Oasis Market, which is a smaller drug-focused market, announces support. That's interesting, they're the first ones to come in.

There's a little bit of change in the price, but not really that much. Now, on August 22nd, AlphaBay announces support for the coin, and at the same time, they say, they said this specifically on the forum, "This is a really good time to invest in Monero." No winky face, but you can imagine the winky face. And as the coin is integrated into the marketplace and completed, there's a huge amount of trading. After that announcement, there was something like $61M of trade in 24 hours, that's one estimate from a guy. By the time they had completed the integration, the value's over triple. Over 300% increase in the value of the currency. I think Monero now is worth about $5B, so if you invested based on an AlphaBay coin pick, you did pretty well. If you spent any time on AlphaBay, you might recognize this guy's distinctive turn of phrase and unique voice. This is someone who is a quite prominent voice on the forum. He called this out at the time, this was at the time of Zcash integration.

As you can see, he says... So, at least I'm not the only one saying it. This is actually an asset forfeiture notice that was released when AlphaBay, when Cazes was indicted and AlphaBay was shut down. This is just Cazes's personal holdings; this is not associated with the wallet infrastructure for AlphaBay. Just from his personal wallets, he had 1,605 Bitcoin, 8,309 Ethereum, 3,691 Zcash, and an unknown number of Monero. They weren't able to work out how much Monero he actually had. Advertise the currency or not, make your mind up. There is some evidence that he was engaging in personal trading of the same currencies the marketplace was supporting. This is the rough valuation as of Sunday now, how much that was worth. He did alright, he did pretty well.

So, what does AlphaBay actually tell us about underground intelligence? If you spend time in these communities, get to know these communities, you can learn a huge amount about the intent of cyber criminals and the development of their techniques, tactics, and procedures.

It's a powerful capability, but it's a limited capability, because you will never see all of it. You will only ever see a partial picture. It is something that should be incorporated into any mature threat intelligence program. There's no shame about using a vendor. This is something tricky, and it's hard to scale. Fundamentally, my message here is to try and go out there and get to know your community. Get to know the cyber criminals that you identify as likely to target your vertical or likely to target your organization, and that will really help inform your threat profile. Potentially, help resolve an incident. Thanks very much, and if you have any questions, hit me up. (applause)
