Darknet Marketplace Snapshot: Exchange Market

September 29, 2022

In DarkOwl’s Darknet Marketplace Snapshot blog series, our researchers provide short-form insight into a variety of darknet marketplaces: looking for trends, exploring new marketplaces, examining admin and vendor activities, and offering a host of insights into this transient and often criminal corner of the internet. This edition features Exchange Market.  


For this marketplace snapshot, our analysts selected a darknet marketplace hosted on Tor called Exchange Market. Exchange Market’s content is predominantly Chinese Mandarin and features illicit goods traditionally offered on a typical criminal marketplace – including weapons. Unlike other decentralized markets on the darknet, the market does not appear to emphasize drugs in either variety or volume.

Since early 2019, DarkOwl has observed activity from Exchange Market, which has a comprehensive offering of physical and virtual goods and services for sale, including advertisements for items that are useful and valuable to darknet and underground criminal communities. The market’s onion service is advertised as though it is based in China, uses mostly Chinese Mandarin language, and references popular technology and applications exclusive to Chinese culture. The market is not widely advertised across the darknet in typical marketplace discussion boards and link lists.

Like most decentralized markets, account registration and user authentication are required before accessing Exchange Market’s listings. The market also requires the user to solve an English-character-based CAPTCHA before access is granted.

Exchange Market Login Screen, Source: Tor Browser

Once authenticated, the banner includes the English phrase:  

“Exchange, Trade Privately. Against Tracking and surveillance.”  

The top banner includes three sections translated to English as:

“Real-time manual penetration data for acquisition of first-hand online loans by overseas teams”; “Receive download site traffic”; and “Integrity buys and sells first-hand data on men and women.”
 Exchange Market, Post-Authentication, Source: Tor Browser 

A Closer Look at Exchange Market’s Goods & Services

Exchange Market is divided into different sections, each advertising a different category of items for sale. Sections at the very top offer paid advertising materials, as is common with other darknet marketplaces and forums. For example, some paid advertisements listed include recruitment and data brokerage offerings:

“High salary looking for 3 to 4 Java architects front end engineer jobs in Thailand”;
“A large number of financial investment data in the currency circle of Japan, South Korea, Europe and the United States stock and foreign exchange exchanges are collected”; and
“Looking for a hacker that can provide cvv sync fish.” 

Below the Paid Advertising section, there are different categories listed with dozens of individual advertisements each. The advertisements listed are updated frequently.

  • data resources
  • service businesses
  • virtual items
  • physical items
  • technical skills
  • video pornography
  • other categories
  • basic knowledge
  • private shop
Three Categories of Goods & Services Advertised: Data Resources, Services, and Virtual Items, Source: Tor Browser
[TRANSLATED FIGURE BELOW – Source: Google Translate]

Data Resource

  1. 15W pieces of the latest national college student data in July 2021 suitable for online loans
  2. 470,000 pieces of data on the wehkamp shopping station in the Netherlands
  3. The latest Indian online loan data in August: 340,000 loans_Automatic delivery
  4. Brazil shopping data 450,000 items_Automatic delivery_August 2022
  5. 390,000 pieces of Brazilian currency data in August 2022
  6. 500,000 shopping data in Spain_Automatic delivery
  7. 57W National Physician and Physician Registration Examination Database Package is of great value for money
  8. Taiwan personal data 730,000 names, phone numbers, email addresses, birth dates
  9. 870,000 names and email addresses of real estate agents in the United States
  10. US Wolf Eye Clinic patient data 630,000 phone and mailbox SSN
  11. elitemate US online dating site data 1.04 million
  12. 7.73 million Robinhood stock and cryptocurrency investing sites
  13. 570,000 users of btce cryptocurrency platform
  14. 24,970 US users of bitmain bitcoin mining machine
  15. xcoins peer-to-peer bitcoin market users 25373
  16. bitcoinnetworks bitcoin contract website 5237

Service Business

  1. 11 detective business inquiry 11 high quality and lowest price on the whole network 11 recruiting agents 11
  2. In 2022, the latest PAYPAL binding foreign credit card fraud core technology
  3. Each website platform mobile app and various industries data capture provides one-by-one private customization for telemarketing SMS
  4. Website penetration-obtaining database-webshell permissions
  5. 1. Penetration data, 1. Regular update, 1. Long-term provision, 1.
  6. thug private detective
  7. Dead and Remnant Order Customized Order
  8. Anti-drinking tea network security Anonymous anti-tracking evades the investigation of the Internet police to deal with national security tea-drinking security money laundering technology
  9. All kinds of inquiries of detectives
  10. 24-hour stable query business
  11. Check cars, check people, check all
  12. Query ID card activity track
  13. Detective_Check_Online second message
  14. High-quality file inspection on the whole network
  15. one-one-one-one-one-one-one-one-one-one-one-one-one-one-one
  16. Monero Money Laundering 2021 The Safest Way to Launder Money Original

Virtual item

  1. In 2022, the whole network will launch Android remote control stealing u
  2. Spanish driver’s license positive and negative hand-held driver’s license 21 sets
  3. Italian Passport Handheld Passport 17 Sets
  4. 17 sets of Polish ID cards with front and back photos
  5. British passport holding 187 sets of passports
  6. 1434 sets of US driver’s license front and back hand-held driver’s license
  7. 37 sets of Japanese driver’s license plus hand-held driver’s license japan driver’s license
  8. TRCERC’s latest release of the coin withdrawal interface source code is fully open source, there are two sets
  9. In 2021, the latest bitcoin money laundering technology is very safe in the black production circle
  10. 11 teach you how to date a girl in junior high, high school and college 11 by no means a cold reading pua tutorial
  11. AliExpress eBay Amazon Alibaba Taobao and other e-commerce seller data
  12. Latest National Official Contact Information Official Position
  13. CC attack tutorial and software
  14. Naked chat fraud to obtain address book source code Naked chat software codeless video voice changing software photographed and shipped automatically
  15. Hacker QQ number stealing tutorial with software
  16. The full technical information of the hacker is here

Translated Table of Exchange Market Listings for data resources, business services, and virtual items

Data Resources 

This section of the market has listings focused on the brokerage of personally identifiable information (PII) and digital identity theft crime, including the sale of PII exfiltrated from shopping data, college students’ data, phone numbers, social security numbers (SSNs), addresses, and users of bitcoin services. The personal data offered appears to be primarily sourced from individuals located in the Netherlands, India, Brazil, Spain, the United States, and Taiwan.

The United States is targeted the most frequently in this category, with personal data available stolen from US real estate agents, a US optometrist’s patient data, and data from a US online dating service. A newer advertisement, shared this week, titled “3.26 million in 22 years in the United States_Detailed personal information of US citizens,” claims that the data is US personal identity data from 2021 and 2022 and includes names, addresses, phone numbers, work associations, and industries.

Data Resources Section of Exchange Market, Source: Tor Browser

Another listing, titled “Taiwan personal data 730,000 names, phone numbers, email addresses, birth dates,” is notable given tensions between China and Taiwan and is likely a result of recent cyberattacks against the country. Each database offered appears to be legitimate and links to real data.

Neither advertisement includes a price for the databases.

“Service Business” Offerings 

Listings under the service business category include social engineering, penetration testing, fraud technologies, private detectives, internet tracking avoidance and privacy, and methods for money laundering.

One listing appears to offer one-on-one guidance for the “private customization for telemarketing SMS” – which is likely a customized SMS hijacking service.

Virtual Items 

The “virtual items” section features malware, trojans, and viruses for conducting cybercrime. Our analysts noted several RATs (Remote Access Trojans), PII for social engineering and fraud, hacking tutorials and associated software, video and voice changing software, and Bitcoin laundering technology.

Interestingly, most of the PII offered here originated from citizens in Spain, Italy, the United Kingdom, Japan, the United States, and Poland – suggesting that either Chinese-based threat actors are directly targeting these countries or non-China based data brokers are reselling exfiltrated databases on this market. Other databases for sale included e-commerce websites such as Amazon, AliExpress, eBay, Alibaba, and Taobao.  

Physical Items 

Rather than offering a wide selection of drugs as ‘physical goods,’ this section of the market features counterfeited documents and items (e.g. cigarettes), weapons, and a limited supply of LSD tabs and prescription drugs. Clonazepam and LSD tabs are allegedly shipped from Europe, a handgun is offered for $10,200 USD, and fake tax certificates and bank cards are advertised from various international government and financial institutions.

Of note, the handgun advertisement’s description, “Glock19 customer customized list,” does not correlate to the model of the handgun pictured. The picture instead shows a Glock G17 and includes the inscription “Austria” on the weapon. Despite the discrepancy between what is advertised and what is pictured, there are other automatic and semi-automatic weapons included in the Glock19 advertisement.

[TRANSLATED ADVERTISEMENT – Source Google Translate]

“New glock 19 gen4 price ($10,200)

Shipping time is about a month

No refunds will be accepted after payment, as the goods will not be returned once dispatched,
Because of their own problems, the mobile phone number is not answered, the goods are not received, and refunds are not accepted.
If you do not receive the goods or do not meet the requirements can be refunded. Please release the money after receiving the goods without any problems, for the sake of long-term cooperation in the future

Save time for those who really need it, don’t bother.

AR15
AR-24K
beretta PX4
MAC 11
Russian-made Markov is cheap

Customer-made list, if you need anything else, you can send a private message, don’t waste everyone’s time thank you [If you want to order, please make a sincere consultation for $10, send a private message on the site, or leave a telegram or encrypted email

Only connect with the big boss, you can also come if you think you have the strength. Don’t waste your time consulting if you are bored
I finally want to say that cheap people deserve to be deceived. . . Stop believing those in some groups. . All liars can’t see it.”
Handgun offered for sale on the darknet marketplace, Source: Tor Browser 

Technical Skills 

The Technical Skills section covers numerous skills required for fraud and hacking technologies. Some technical skills advertisements include antivirus software bypass techniques, methods to register Google Voice accounts with US phone numbers, online credit card loans, DDoS attacks, and scraping information from WeChat chat records in real time. There are also some unexpected socially specific skills on offer, like “Tricks to Control Women” and “The Manson Method to Get Women Addicted to You.”

Video Pornography

This section of the market includes what one would expect with subscriptions and pornographic content available for purchase and download. There are also mentions of CSAM content.

Other Categories 

This section includes uncategorized listings for a variety of products, much of which is similar to the ones already described above. Our analysts noted offers for ransomware, international passports, hacking toolkits and tutorials, and unrelated listings, such as “The most complete network of CCP princelings.”  

Basic Knowledge 

The Basic Knowledge section of the marketplace is a mixture of offerings and discussions on topics such as earning passive income, fraud and hacking tutorials, and practical dating skills.  

More Exchange Market Listings, Source: Tor Browser

This section of the market appears to also include an option to add comments to posts, although additional marketplace approvals and/or Bitcoin payment may be required.

Exchange Market: DarkOwl Analyst’s Observations

  • Exchange Marketplace restricts any personalization of buyer or vendor accounts. There are no custom usernames or avatars associated with either type of account.
  • Vendors are provided a “seller account number” that appears with their product listings, and there is no obvious vouching for a vendor’s legitimacy with reviews and credibility from other marketplaces or sources.
  • Similarly, buyers are issued a random string of numbers that serve as the account’s username, further obfuscating the identities of all parties involved in a marketplace transaction.
  • A limited number of vendors include links to potentially associated Telegram channels and/or include English text in their advertisements.
  • Products on the marketplace are tailored towards Chinese online services, e.g. ransomware to target Taobao, Xianyu, WeChat, and Weibo.  
  • To transact with a vendor on Exchange, the onion service requires the buyer to generate a separate transaction password.
  • The marketplace serves as ‘escrow’ with a ‘pay-to-play’ mentality, requiring Bitcoin deposit for an account to be fully activated.  

Conclusions 

Given Exchange Market’s longevity and network persistence in offering illegal goods and services since 2019, DarkOwl assesses that it is a comprehensive darknet marketplace that sells goods and services to support the full spectrum of potential cybercrime. In addition to databases and exploits to conduct financial and identity fraud, scamming, hacking, ransomware campaigns, and more, the market appears to also support a solid recruitment and hacker-for-hire segment of the Chinese-malware community.

Unlike other decentralized markets, Exchange Market demonstrates higher concern for anonymity by providing random numbers to users rather than personalized aliases. While the language barrier might limit access for large swaths of darknet users – who are predominantly English and Russian speakers – Exchange Market’s popularity is consistent despite limited out-of-market advertising, and the market is still flourishing on its own.

