Criminal Insights
Dark Web Recruitment:
In the Web’s Lawless Underbelly, There are Still Rules
The dark web is home to countless forums advertising illegal jobs ranging from drug delivery to assassinations. But in the web’s lawless underbelly, there are rules. Rob Scammell speaks to Trustwave’s vice president of SpiderLabs Security Research Ziv Mador to find out more about the inner workings of the underground job fair.
What we see when we browse the web is just the tip of the iceberg. Hidden below the surface, accessible only by the Tor browser, exists a marketplace in which criminals can sell drugs, weapons and stolen data with relatively little surveillance.
But lawless does not mean rule-less. Research by cybersecurity company Trustwave shines a light into the Web’s darkest corners, and in doing so reveals surprising patterns of behaviour among its criminal populace.
"The dark web and the underground communities are a lot more structured than what people may think," says Mador.
One example is recruiting bank insiders. Mador says that these tend to be Russian or Eastern European banks.
The reasons for recruiting an insider vary. Sometimes it’s to gain access to information. Other times it’s to increase the withdrawal limits of stolen cards to allow criminals to withdraw as much as possible before they get blocked.
For this service, recruiters are willing to pay up to ten times their legitimate salary – and that’s just for an hour of their time per day for a month.
But with high reward comes high risk, explains Mador: "Not only may they lose their job, they may go to prison, they may lose their ability to work in the finance sector entirely for the rest of their lives."
Brazen approaches
The entire process is open, and Mador describes the brazenness as “shocking”.
“Clearly, from the description of the jobs, these are illegal,” says Mador. “They're not trying to hide that.”
Trustwave’s observations also reveal a “pretty good” correlation between the riskiness of the job and the reward.
Drug delivery drivers, for example, are offered five to eight times more than the highest paying driving jobs.
"This type of job involves very high risk,” says Mador. “If the police arrest that person he or she can spend many years in prison, so that's why they reward them so well."
For comparison, research shows that the most dangerous jobs in the legitimate world – agriculture, forestry and fishing – only pay marginally higher than the national average.
The dark web recruitment process
Most of the dark web recruitment process isn’t visible to Mador and his team because once a job is accepted, the parties move to a secure instant messaging service.
But what they can see shows market forces similar to those of the legitimate world’s recruitment process at play, such as supply and demand. Where those forces are not enough, the dark web creates its own rules.
One such example is in jobs where the recruited person is handling a valuable commodity, such as drugs. Prospective employees are expected to pay a deposit equal or proportional to the value of the merchandise before they are sent the commodity.
Upon successful completion of the job, they receive their deposit back in addition to their pay.
"This concept doesn't exist in the legit world,” says Mador. "That's clearly done because the employer has to protect themselves from the scenario where the person will run away with drugs or with that merchandise.
“In the real world of course the company can sue the employee if that ever happens and the court will rule against the employee who will have to compensate the company."
"But these guys obviously can't go to court so they have to develop their own rules."
Zero-day exploits: dark web gold
All of these rules were observed as a by-product from Trustwave’s primary research on malware being sold on black markets, which makes up a small but notable part of the dark web’s transactions.
Mobile malware can be purchased for as little as $150, commercial malware $2,500 and higher.
But the big bucks are in selling exploits that take advantage of a particular vulnerability in a system. Two years ago, the Trustwave team came across a person trying to sell a then unknown zero-day exploit that was present in all versions of Windows. The price? $95,000.
"The vulnerability allowed what's called local privilege escalation (LPE),” says Mador. “Let's say someone runs the malware in a user account – a non-administrator account – by using that vulnerability and exploit, they will be able to escalate their privilege to an administrator account.”
Essentially, the exploit allows the hacker to do more with the infected device than they would be able to without it. They can impact “millions” of people every month.
After two weeks, the seller lowered the price to $85,000 then sold it. Trustwave reported this vulnerability to Microsoft to ensure the proper protection could be taken against it.
But what was most interesting about the transaction were the steps the seller took to persuade buyers that the zero-day worked as advertised. In a community of criminals, how does the scammer ensure they don’t become the scammed?
Step forward escrow services, a legal practice in which a third party holds the commodity until the other party meets their end of the deal.
“In escrow, normally a respected criminal, sometimes the forum administrator, gets the zero-day from the seller and gets the money from the potential buyer,” says Mador.
“He then confirms that the zero-day works as advertised. And then, once confirmed, he sends the money to the seller and the zero-day information to the buyer. So it's a way to guarantee that people don't get scammed."
Too many cases to report to the police
When Trustwave finds malware or exploit kits, they update their secure web gateways to block them.
But there are far too many incidents to report case-by-case because there are "hundreds and hundreds of websites on the dark web selling drugs" and there are "many that sell guns, etc.".
For more serious cases, Trustwave provides technical advice to law enforcement, typically in a few global cases a year.
"If they need our help, we do help,” says Mador. “They approach us especially when it comes to investigating cyber threats."
PR nightmares: Ten of the worst corporate data breaches
LinkedIn, 2012
Hackers sold name and password info for more than 117 million accounts
Target, 2013
The personal and financial information of 110 million customers was exposed
JP Morgan, 2014
One of JP Morgan Chase’s servers was compromised, resulting in fraud schemes yielding up to $100m
Home Depot, 2014
Hackers stole email and credit card data from more than 50 million customers
Sony, 2014
Emails and sensitive documents were leaked, thought to be by North Korea in retaliation for Sony’s production of a film mocking the country’s leader Kim Jong Un
Hilton Hotels, 2015
Dozens of Hilton and Starwood hotels had their payment systems compromised and hackers managed to steal customer credit card data
TalkTalk, 2015
The personal data of 156,959 customers, including names, addresses, dates of birth and phone numbers, were stolen
Tesco, 2016
Hackers made off with around $3.2m from more than 9,000 Tesco Bank accounts
Swift, 2016
Weaknesses in the Swift payment system resulted in $81m being stolen from the Bangladesh Central Bank’s account at the New York Federal Reserve
Chipotle, 2017
Phishing was used to steal the credit card information of millions of Chipotle customers, thought to be part of a wider restaurant customer scam orchestrated by an Eastern European criminal gang