Woburn, MA – March 16, 2023 — New research from the Kaspersky Digital Footprint Intelligence team reveals cybercriminals posted more than 1 million escrow service messages on the darknet from 2020-2022. Escrow agents assisting cybercriminals wanting to buy, sell data, services, or conclude a partnership fulfilled agreements reducing the risks of cheating to earn three to 15 percent per transaction.
Cybercriminals active on the darknet care about their own security, and do not want to become a victim of their “colleagues.” When closing any transaction, such as buying databases, accounts, initial corporate accesses, etc., they use the intermediary services of escrow agents. These services can be done via human interaction or an automatic system developed to speed up and simplify relatively typical deals.
Kaspersky’s Digital Footprint Intelligence team monitors the darknet to help companies track cybercriminal discussions and other types of activities to prevent incidents and mitigate risks related to data leaks. The experts found the number of messages mentioning the use of an escrow agent (or other terms such as “guarantor”, “middleman”, “intermediary”, etc., designated to the same services) has amounted to more than one million from January 2020 to December 2022. These messages accounted for 14 percent of the total number of deal-related messages on various dark web resources. The share of deals with escrow services can be higher since cybercriminals often discuss detailed terms in person without specifying all the particulars in announcements and offers.
“The number of messages mentioning escrow services surged in the second half of 2021, and coincided with the dynamics of cybercriminal activity in shadow Telegram channels in general,” said Vera Kholopova, security services analyst at Kaspersky. “Members of the dark web community were increasingly transitioning there due to the compromise of several popular dark web forums in early 2021. In most of 2022, we saw a decline in activity on shadow resources in general. This may be a consequence of the escalated geopolitical situation, which motivated cybercriminals to cease their illegal activities and relocate using the accumulated money. Nevertheless, at the end of 2022, we have again seen growing escrow-related activity.”
Despite the rules of communication between cybercriminals on the forums and “dark web etiquette,” no escrow service protects against cheating. Apart from the cases when the buyer or seller changes their mind, one of the deal-breakers could be foul play. Both seller and buyer, as well as the escrow agent, can violate the deal arrangements, especially when it comes to large sums. With the help of Kaspersky Digital Footprint Intelligence, experts found a post accusing an official escrow agent of two shadow forums of not paying a total of US$170,000 in four deals.
Since the dark web community becomes more complex and structured, developing self-regulation systems as it grows. For effective protection against cybercriminals it is worth understanding how it operates, how cybercriminals interact with each other, what kinds of deals there are, and how they are carried out.
To read the full report about escrow services on the darknet, please visit Securelist.com.
To stay protected from the corporate threats emerging from darknet activities, Kaspersky researchers recommend implementing the following measures:
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.
 The sample includes messages from international forums and marketplaces on the dark web, as well as from publicly available Telegram channels used by cybercriminals (a total of 226 forums and 489 channels).