Hacker's paradise: Secrets of the "dark web"

Make no mistake, there really is a "dark web" out there. And while you probably don't want to go there, your personal information may already be on it.

Many Americans either knew little or nothing about the dark web prior to last weekend, when WannaCry, the biggest cyberattack in history, crippled computers in 150 countries. The leading theory about who is responsible for the breach is that a hacker group that calls itself "Shadow Brokers" stole a cybersecurity weapon called "Eternal Blue" from the U.S. National Security Agency, loaded it onto the dark web and turned it against us.

So what exactly is the dark web? It is a marketplace, perhaps more like a bazaar, for malware where vendors exchange and sell nefarious items, like drugs, in exchange for cryptocurrency like bitcoin. Much like street vendors, they pop up and shut down whenever they sense threats from law enforcement.

"Hacking is an industry," according to Allianz, the world's largest insurer. Since Allianz is insuring companies against damages resulting from WannaCry and other cyberattacks, it has a vested interest in understanding and stopping them.

"The most famous of these dark web sites was called 'Silk Road,'" said the insurer's U.S. head of cyber, Jenny Soubra. Although Silk Road, which was allegedly used to buy drugs and launder money, was shut down by the FBI in 2013, many more popped up in its place -- and are even more sophisticated.

Both law enforcement and national security officials are well aware of this illegal malware marketplace, but no one can shut it down unless it makes mistakes like Silk Road, or it puts itself within range of international authorities. And the reason is technology.

"They leverage cloud computing concepts to virtualize the exchanges -- they aren't in a single location or on a single server," Soubra said of the digital marketplaces. That's why the dark web remains "an extremely robust exchange." 

To understand it better, look at Silk Road. Its founder, who called himself "Dread Pirate Roberts" after the character in the film "The Princess Bride," helped people to buy, sell and trade drugs online by setting up accounts through him, using "Tor," a computer program that allows users to remain anonymous, and bitcoin, which is easily transferable from one account to another without either one knowing who the other is. "Roberts" even created an automated escrow payment system.

By keeping his exchange roving across the cloud, he was able to avoid detection until the FBI was able to hack him. Roberts, whose real name was Ross Ulbricht, was sentenced to life imprisonment without parole, an indication of how seriously federal authorities viewed these crimes. According to court records, he possessed – in total – as much as $100 million in bitcoin at the time he was caught.

The dark web is also effectively a field of combat. It pits "white hat" hackers, such as the British researcher who discovered the kill switch that turned off WannaCry and saved millions of computers, against "black hat" hackers, who in this case recoded the virus to remove the kill switch and make it even more virulent. More attacks like this are coming, predicted international insurance broker Willis Towers Watson in a client alert.  

And there's an army of hackers on both sides. I once encountered a Boston hacking group that focused on Microsoft because it was seen as the most inviting and challenging target. This group considered themselves "white hat" hackers because they would tell Microsoft about the breach they'd found and challenge the software giant to fix it.

Microsoft often did. But when it didn't, they would publish the vulnerability on the Internet to force the company to act. In the case of WannaCry, the software maker has been criticized for not acting fast enough or going far enough in publicizing the fix, perhaps because the U.S. government was exploiting this vulnerability to identify terrorists. Microsoft in turn criticized the U.S. government for "hoarding" vulnerabilities in the company's technology.

Hackers are not one size fits all. "Some are 'script kiddies' who know only very basic coding and try to infiltrate various networks," said Soubra. "They will never use Tor or other dark web concepts." 

Others are sophisticated and know how to utilize dark web addresses other than the usual "http" or "www". Most of us wouldn't know where to look for these, and, to be blunt, wouldn't want to, unless our computers had several levels of security. 

"I wouldn't do it from my computer, that's for sure," Soubra said. Other computer programmers and information technology specialists have said the exact same thing: Don't go there.

Hackers' motivations also vary. North Korea, which some suspect of being linked to WannaCry, has a geopolitical motive for its attacks. Others, like former U.S. contractor Edward Snowden, are considered "hacktivists" with a social motivation to stop governments from snooping on individuals.

But many are in it for the money, or "ransomware," which raises a question: How do they get paid? After seizing control of computers, the WannaCry hackers demanded $300 in bitcoin – a digital currency easily transferable from one anonymous account to another – or they would possibly destroy the information. According to published reports, they received very little money … this time. But since ransomware often goes unreported even by public companies, it's hard to put an exact figure on the toll of such electronic coercion. 

So is there an answer? New technology often winds up in the hands of hackers. Some suggest smarter technology, and smarter people who are taught how to use it. There may also be a "nuclear" option. Soubra said there are rumors about a mythical "kill switch" for the whole internet, but utilizing it to shut things down in the event of a hack gone wild is analogous to a doomsday scenario.

The darkest part of the dark web is that these hacks have already made most of us vulnerable. Our personal information – birth dates, Social Security numbers, and bank account and credit card information – may already be for sale in the malware marketplace. And there's no definitive way for us to find out.

Certainly, the U.S. government and the private sector are taking the threat seriously, which is why so few American companies were compromised by WannaCry, experts said. Standalone cyber insurance is now a $3.25 billion industry, according to the Insurance Information Institute, and expected to double in size in a few years.

But hackers continue to grow increasingly resourceful. They now see opportunities in the new technologies contained within our homes and autos, such as smart TVs, security door locks, devices we talk to and automated vehicles. The technology that benefits us could be turned against us. 

Said Timothy Zellman, counsel for Hartford Steam Boiler, an insurer of cyber risks that is owned by Munich Re, in a recent report, "Cybercriminals are always looking for new targets."

Ed Leefeldt

Ed Leefeldt is an award-winning investigative and business journalist who has worked for Reuters, Bloomberg and Dow Jones, and contributed to the Wall Street Journal and the New York Times. He is also the author of The Woman Who Rode the Wind, a novel about early flight.