In DarkOwl’s Darknet Marketplace Snapshot blog series, our researchers provide short-form insight into a variety of darknet marketplaces: looking for trends, exploring new marketplaces, examining admin and vendor activities, and offering a host of insights into this transient and often criminal corner of the internet. This edition features Exchange Market.
Don’t forget to subscribe to our blog at the bottom of this page to be notified as new blogs are published.
For this marketplace snapshot, our analysts selected a darknet marketplace hosted on Tor called Exchange Market. Exchange marketplace content is predominantly Chinese Mandarin and features illicit goods traditionally offered on a typical criminal marketplace – including weapons. The market does not appear to emphasize drugs for purchase in variety and volume as is common with other decentralized markets on the darknet.
Since early 2019, DarkOwl has observed activity from Exchange Market with a comprehensive offering of physical and virtual goods and services for sale; including advertisements that are supportive and worthwhile to darknet and underground criminal communities. The market’s onion service is advertised as though it is based in China, uses mostly Chinese Mandarin language, and references popular technology and applications exclusive to China culture. The market is not widely advertised across the darknet in typical marketplace discussion boards and link lists.
Like most decentralized markets, account registration and user authentication are required before accessing Exchange market’s listings. The market also requires the user solve an English-character-based CAPTCHA before access is granted.
Once authenticated, the banner includes the English phrase:
The top banner includes three sections translated to English as:
Exchange market is divided into different sections with each advertising a different category of items for sale. Sections at the very top offer paid advertising materials as is common with other darknet marketplaces and forums. For example, some paid advertisements listed include recruitment and data brokerage offerings:
Below the Paid Advertising section, there are different categories listed with dozens of individual advertisements each. The advertisements listed are updated frequently.
|Data Resource |
|Service Business |
|Virtual item |
|1 15W pieces of the latest national college student data in July 2021 suitable for online loans ||1 11 detective business inquiry 11 high quality and lowest price on the whole network 11 recruiting agents 11||1 In 2022, the whole network will launch Android remote control stealing u|
|2 470,000 pieces of data on the wehkamp shopping station in the Netherlands||2 In 2022, the latest PAYPAL binding foreign credit card fraud core technology||2 Spanish driver’s license positive and negative hand-held driver’s license 21 sets|
|3 The latest Indian online loan data in August: 340,000 loans_Automatic delivery||3 Each website platform mobile app and various industries data capture provides one-by-one private customization for telemarketing SMS||3 Italian Passport Handheld Passport 17 Sets|
|4 Brazil shopping data 450,000 items_Automatic delivery_August 2022||4 Website penetration-obtaining database-webshell permissions||4 17 sets of Polish ID cards with front and back photos|
|5 390,000 pieces of Brazilian currency data in August 2022||5 1. Penetration data, 1. Regular update, 1. Long-term provision, 1.||5 British passport holding 187 sets of passports|
|6 500,000 shopping data in Spain_Automatic delivery||6 thug private detective||6 1434 sets of US driver’s license front and back hand-held driver’s license|
|7 57W National Physician and Physician Registration Examination Database Package is of great value for money||7 Dead and Remnant Order Customized Order||7 37 sets of Japanese driver’s license plus hand-held driver’s license japan driver’s license|
|8 Taiwan personal data 730,000 names, phone numbers, email addresses, birth dates||8 Anti-drinking tea network security Anonymous anti-tracking evades the investigation of the Internet police to deal with national security tea-drinking security money laundering technology||8 TRCERC’s latest release of the coin withdrawal interface source code is fully open source, there are two sets|
|9 870,000 names and email addresses of real estate agents in the United States||9 All kinds of inquiries of detectives||9 In 2021, the latest bitcoin money laundering technology is very safe in the black production circle|
|10 US Wolf Eye Clinic patient data 630,000 phone and mailbox SSN||10 24-hour stable query business||10 11 teach you how to date a girl in junior high, high school and college 11 by no means a cold reading pua tutorial|
|11 elitemate US online dating site data 1.04 million||11 Check cars, check people, check all||11 AliExpress eBay Amazon Alibaba Taobao and other e-commerce seller data|
|12 7.73 million Robinhood stock and cryptocurrency investing sites||12 Query ID card activity track||12 Latest National Official Contact Information Official Position|
|13 570,000 users of btce cryptocurrency platform||13 Detective_Check_Online second message||13 CC attack tutorial and software|
|14 24,970 US users of bitmain bitcoin mining machine||14 High-quality file inspection on the whole network||14 Naked chat fraud to obtain address book source code Naked chat software codeless video voice changing software photographed and shipped automatically|
|15 xcoins peer-to-peer bitcoin market users 25373||15 one-one-one-one-one-one-one-one-one-one-one-one-one-one-one||15 Hacker QQ number stealing tutorial with software|
|16 bitcoinnetworks bitcoin contract website 5237||16 Monero Money Laundering 2021 The Safest Way to Launder Money Original||16 The full technical information of the hacker is here|
This section of the market has listings focused the brokerage of personally identifiable information (PII) and digital identity theft crime including: selling PII exfiltrated from shopping data, college students’ data, phone numbers, social security numbers (SSNs), addresses, and users of bitcoin services. The personal data offered appears to be primarily sourced from individuals located in the Netherlands, India, Brazil, Spain, the United States, and Taiwan.
The Unites States is targeted the most frequently in this category with personal data available stolen from US real estate agents, a US optometrist’s patient data, and data from a US online dating service. A newer advertisement, shared this week, titled, “3.26 million in 22 years in the United States_Detailed personal information of US citizens” claims that the data is US personal identity data from 2021 and that 2022 and includes names, addresses, phone numbers, and work associations, and industries.
Another listing, titled “Taiwan personal data 730,000 names, phone numbers, email addresses, birth dates,” is notable given tensions between the China and Taiwan and likely a result of recent cyberattacks against the country. Each database offered appears to be legitimate and links to real data.
Neither advertisement includes a price for the databases.
Listings under the service business category include social engineering, penetration testing, fraud technologies, private detectives, internet tracking avoidance and privacy, and methods for money laundering.
One listing appears to offer one-on-one guidance for the “private customization for telemarketing SMS” – which is likely a customized SMS hijacking service.
The “virtual items” features malware, trojans, and viruses for conducting cybercrime. Our analysts noted several RATs (Remote Access Trojans), PII for social engineering and fraud, hacking tutorials and associated software, video and voice changing software, and Bitcoin laundering technology.
Interestingly, most of the PII offered here originated from citizens in Spain, Italy, the United Kingdom, Japan, the United States, and Poland – suggesting that either Chinese-based threat actors are directly targeting these countries or non-China based data brokers are reselling exfiltrated databases on this market. Other databases for sale included e-commerce websites such as Amazon, AliExpress, eBay, Alibaba, and Taobao.
Instead of offering a wide selection of drugs for sale as a ‘physical good’ for sale, this section of the market features counterfeited documents and items (e.g. cigarettes), weapons, and a limited supply of LSD tabs and prescription drugs. Clonazepam and LSD tabs are allegedly shipped from Europe, a handgun offered for $10,200 USD, and fake tax certificates and bank cards were advertised from various international government and financial institutions.
Of note, the handgun’s advertisement description, “Glock19 customer customized list” does not correlate to the model of the handgun pictured. The picture is a G17 Glock instead and includes the inscription “Austria” on the weapon. Despite the discrepancy in what is advertisement and the picture, there are other automatic and semi-automatic weapons included in the Glock19 advertisement.
[TRANSLATED ADVERTISEMENT – Source Google Translate]
The Technical Skills section cover numerous skills required for fraud and hacking technologies. Some technical skills advertisements include antivirus software by-pass techniques, methods to register Google voice account with US phone numbers, online credit card loans, DDoS attacks, and scraping information from WeChat chat records real-time. There are also some unexpected socially specific skills on offer like: “Tricks to Control Women” and “The Manson Method to Get Women Addicted to You.”
This section of the market includes what one would expect with subscriptions and pornographic content available for purchase and download. There are also mentions of CSAM content.
This section includes uncategorized listings for a variety of products, much of which is similar to the ones already described above. Our analysts noted offers for ransomware, international passports, hacking toolkits and tutorials, and unrelated listings, such as “The most complete network of CCP princelings.”
The Basic Knowledge section of the marketplace is a mixture of offerings and discussions on topics such as earning passive income, fraud and hacking tutorials, and practical dating skills.
This section of the market appears to also include an option to add comments to posts, although additional marketplace approvals and/or Bitcoin payment may be required.
With longevity and network persistence offering illegal goods and services since 2019, DarkOwl assesses that Exchange Market is a comprehensive darknet marketplace that sells goods and services to support the full spectrum of potential cybercrime. In addition to databases and exploits to conduct financial and identity fraud, scamming, hacking, ransomware campaigns, and more, the market appears to also support a solid recruitment and hacker-for-hire segment of the Chinese-malware community.
Unlike other decentralized markets, Exchange Market demonstrates higher concern for anonymity by providing random numbers to users rather than personalized aliases. While the language barrier might limit access for large swaths of darknet users – who are predominantly English and Russian speakers – Exchange Market’s popularity is consistent despite limited out of market advertising and is still flourishing on its own.