The black market for black markets-Cybercrime goes PaaS

IntSights Research Group (IRG) has uncovered an interesting new development: a black market for black markets. Developers are selling a black market framework, which allows ‘merchants’ to sell just about anything.

Years ago, SAP developed a similar approach for legitimate enterprises, streamlining procurement and exchanges. Today, cyber criminals are evolving along that same trajectory. (Oddly, though, they failed to name their service.)


Black markets have been around for several decades. These online marketplaces resemble e-commerce sites in their original form- they allow multiple vendors to list their goods and services and sell these to consumers. Selling mostly illegal wares and dubious services (from voodoo rituals to assassination services, from submarines to drugs and malware) these markets have certain mechanisms to keep the trade flowing, including a rating mechanism (developed long before Amazon or e-Bay had built sellers ratings into their site) and an escrow mechanism to maintain “honor among thieves” and ensure the buyer gets the product or services as promised before releasing the funds to the seller. These marketplaces sell almost anything, but the technical infrastructure to build and maintain one is complicated, which limited their number and made them an easy target for law enforcement agencies “take-down” operations.

The famous "Silk Road" black market (before the FBI took it down)

Not anymore.

Black Market as a platform

While monitoring Jabber messages the team identified a group which goes by the name” TeamZero” that offers to sell the infrastructure for a black market site. The use of Jabber isn’t unique, (as we’ve noted in a previous blog post, messaging apps use is growing in popularity ) but might indicate that the group reckons it is challenging existing market place and therefore chose not to publish this directly online.
In the ad, the threat actor presents himself as a member of TeamZero, a criminal group that provides professional hacking services. They state, ““We are not Kids playing around a little bit, we are working in this Business for more than 20 years now! We're a team of individuals with very similar technical skills and work in a red team configuration.”

Additionally, they clarify, “Our credentials include: Social Media Hacking (Specific Accounts) * Email Hacking (Specific Accounts) * cPanel Hacking (Specific Accounts) * DDOS Attacks * FTP (Specific Accounts) * Individual Custom Work”,” noting that they’ve had repeated success.

Other than the ads that are circulating widely on Jabber messages, the threat actor and group have quite a low profile on cybercrime forums and black-markets, making this new trend a significant development on the Dark Web for several reasons.

Most importantly, it affirms the commoditization of cyber-crime. The fact that cyber criminals are developing tools for black markets en masse suggests that there is a growing market that will continue to be filled.

Also significant is that the accessibility of these PaaS tools decentralizes criminal activity. By creating multiple markets, it becomes more difficult for law enforcement and other snooping eyes to maintain visibility into criminal activity.

Buying and selling stolen goods is never easy and is often manual done manually, but PaaS makes cybercrime much more efficient. The current exchange of selling a one-off fashion in forums is a slow and unreliable process, but this new system promises automation coupled with scale, making cybercrime much more efficient.

How does it work?

Step 1: Pay in BitCoin to obtain the service. In this case, it costs $4500 per license.

Step 2: Obtain Professional Services.

Since no two markets will be alike, some degree of customization will be needed. In this case, the service allows for their customers to account for these differences with a PS team. Much like companies need Accenture or PWC to customize an instance of SAP for their unique business, cybercriminals are no different.


IntSight will continue to monitor the growth of black market PaaS, as they are likely to follow the same evolutionary process of traditional software. Though in the beginning stages, the cybercrime software world is going through the same process that B2B software vendors went in the last couple of years. Where once software products were standalone, now everything is as a service, even black markets.

This post was written by Ido Wulkan, intelligence team leader at IntSights

Stay up to Date!

Subscribe to the blog to stay up to date with all the latest industry news and updates from IntSights.