March 21, 2022by Cybersixgill

Trust on the Deep and Dark Web

Trust on the deep and dark web, like in many relationships, is complicated. Whether conducting a transaction in a forum or a marketplace, there is always a risk of getting scammed or potentially falling into the trap of an investigation. To safeguard the trust of cybercriminal buyers and sellers, many underground markets and forums implement a variety of built-in measures to allow the continued functioning of operations within their illicit economy.

The dark web is home to a vast ecosystem of malicious threat actors of various cybercriminal proclivities, among them, those looking to anonymously purchase illegal services and digital or physical goods. This community of threat actors includes script kiddies, seasoned hackers, scammers, hacktivists, weapons/narcotics buyers, criminal syndicates, and nation-state actors. Hidden within their ranks are also impersonators, such as government agencies, law enforcement, and security researchers, among others.

With a wide spectrum of motivations driving each user, and the anonymous nature of the dark web, how do illicit deals get made? Whether conducting a transaction in a forum or a marketplace, there is always a risk of getting scammed or potentially falling in the trap of an investigation. In this context, many underground markets and forums implement a variety of built-in measures to allow the continued functioning of operations within the illicit economy - some of which mirror similar mechanisms used by legitimate e-commerce sites.

Escrow Services

Escrow services involve an arrangement with a neutral third party guarantor who, after the terms of the deal have been agreed upon between buyer and seller, receives the payment from the buyer. After the buyer has confirmed that the goods/services received from the seller meet their expectations according to the deal’s agreed conditions, the guarantor then releases the payment sum to the vendor - until which the funds are held in “escrow.” This dark web drug vendor describes the process of escrow payment within a dark web marketplace, as depicted in the screenshot below:

Why would a middleman insert themselves into a transaction? In many underground marketplaces, escrow is often a built-in aspect of the site, as it is in the administrator’s best interest to enable credibility. In exchange for safeguarding the trust between buyer and seller in a given transaction, the middleman charges a broker’s fee, profiting  a percentage of the deal’s total sum.

Such services are not unique to dark web marketplaces - there are also third party escrow services operating in forums. Ultimately, escrow services are one way to conduct business in low trust environments, ensuring that the expected goods/services are transferred according to the agreed conditions. Some threat actors will only agree to conduct transactions through guarantors, who are oftentimes part of the workforce operating a forum.

As in legitimate e-commerce stores, in the cybercriminal underground, administrators understand that customer service is key to a successful service.

However, simply having an escrow service does not always indicate that the platform is immune to scams - in the screenshot below, an actor warns about a scam site with a fake escrow service.

Customer Feedback

Customer feedback enables users to rate a seller, whether to express gratitude for a positive transaction or to air grievances and potentially scare away other buyers. On platforms that support and display customer feedback for each vendor, if two similar products are advertised at the same price, the one with more positive reviews is likely to attract more buyers. Satisfied clients may also become loyal customers, which in turn would benefit both parties.

Vendors understand the importance of reviews, and some even implore their buyers to reach out to them should they encounter any issues with the good/service provided, before posting a negative review.

Mounting negative reviews against a vendor can spiral into public uproar and shaming about poor service, with some forums including a public arbitration service to resolve such disputes. Each user can provide evidence regarding their grievances to a neutral third party - oftentimes members of the forum’s administration team. The onus of proof in such cases is on the accuser, as generally requested by the arbitrator.

In this example, the alleged victim provides a screenshot of the payment made to the accused, as part of the evidence provided.

Such cases do not always end in the accuser’s favor. If they are unsuccessful in providing convincing evidence, the arbitrator may rule to ban them from the forum.


Developing trust on the underground is a challenging endeavor. Users operating in the anonymous criminal underground are cautious, simultaneously wary of both avoiding exposure to law enforcement/security researchers as well as maintaining vigilance in the face of  scammers or rivals looking to take out the competition. A reputation isn’t built overnight, rather, it needs to be cultivated over time. Building and maintaining a positive reputation is made even more difficult given the life-span of  some forums, as a built-up persona can die out with the closure of a forum - unless that actor is using a similar alias/contact information in other communities.

One strategy to gain prominence and recognition could be by showcasing oneself as an active member of the underground. Threat actors can showcase their commitment to the cybercriminal community by providing stolen data or access to hacking tools free of charge, or by sharing their expertise and technical know-how for novice members of the community.  Moreover, in addition to accruing a collection of positive reviews for their contributions to the cybercriminal ecosystem, threat actors can also bolster their reputation by obtaining recommendations from prominent actors vouching for their credibility and expertise – although this can take some time.

You may also like

A close-up, detailed, and vibrant image of a microscopic cell with numerous tentacle-like extensions, depicted in shades of pink and purple against a blurred blue background.

May 15, 2024

Black Basta's Devastating Attack on a US Hospital System: Lessons Learned and Protective Measures

Read more
Screen showing a malware alert

May 09, 2024

New 'Latrodectus' Malware Linked to Notorious 'IcedID' Developer: A Deep Dive into Targets, Potential Impact, and Remediation Steps

Read more
Chris Strand-Thumbnail

May 07, 2024

Enhancing Security Posture with Cyber Risk Intelligence Part 2

Read more