Cyber Risk News
In a campaign that has lasted at least three years, financially motivated attackers have been targeting Rosneft, a state-owned Russian oil company, according to new threat intelligence published by Cylance.
In its Threat Intelligence Bulletin, researchers discovered that ordinary criminals – not state-sponsored actors – were behind the attacks on the predominantly Moscow-owned company. Anticipating that researchers would assume that the campaign was a nation-state attack on the critical infrastructure of a company that holds enormous political influence in Russia, these cyber-criminals were well camouflaged, making attribution all the more challenging.
Upon investigating the command-and-control (C&C) domains used by the malware authors, researchers learned that “the threat actor had created similar sites to mimic more than two dozen mostly state-owned oil, gas, chemical, agricultural, and other critical infrastructure organizations, in addition to major Russian financial exchanges,” according to the research.
The attackers used Microsoft Office macros to deliver malicious implants to their targets throughout their extensive phishing campaign. Through analyzing several samples of the malware, researchers discovered a backdoor, programmed in Delphi, that shared IP address and hostname information in its communication over HTTP with two C&C servers.
“The backdoor had the ability to upload and download files, manipulate files and folders, compress and decompress files using ZLIB, enumerate drive information and host information, elevate privileges, capture screenshots and webcam pictures, block and/or simulate user input, log keystrokes, and manipulate processes on the infected system,” the bulletin said.
“Business email compromises like the one seen in this attack are, according to the FBI, big business – costing victims $12 bn globally in 2018 alone,” said Kevin Livelli, director of threat intelligence at Cylance.
“Organizations outside the specific target set of this attack should be alert to the fact that the techniques and targeting we normally associate with state or state-sponsored espionage efforts are also being used by ordinary criminals (even lone actors) motivated by financial gain. Targeted attacks come in all flavors – including crime – and defenders should be vigilant to this fact and resist jumping to conclusions when they see activity that might otherwise scream 'APT.'”
Security researchers have discovered a major targeted attack campaign aimed at stealing info from scores of mainly English-speaking organizations around the world and using source code from the infamous Lazarus Group.
What McAfee has dubbed “Operation Sharpshooter” targets government, defence, nuclear, energy and financial organizations, mainly in the US but also the UK, Canada, Australia, New Zealand, Russia, India and elsewhere.
Some 87 organizations have so far been found to be infected with the Rising Sun implant, a modular backdoor which allows the attackers to perform reconnaissance by accessing sensitive information including documents, usernames, network configuration and system settings.
Although not previously seen, the implant draws on source code from the Lazarus Group’s 2015 backdoor Trojan Duuzer, used in the notorious attack on Sony Pictures Entertainment. However, McAfee is not attributing the campaign to North Korea — in fact, the “numerous technical links” to the group raise the possibility that this is a false flag, it claimed.
The initial attack vector is fairly standard: a weaponized macro-based document which, when opened, runs an in-memory implant to download and retrieve the second-stage Rising Sun malware.
Any data of interest is encrypted and sent back to the C&C server. It’s unclear whether the operation will stop at reconnaissance or if this is just the first stage in a multi-layered sophisticated campaign.
“Operation Sharpshooter is yet another example of a sophisticated, targeted attack being used to gain intelligence for malicious actors,” argued McAfee chief scientist and fellow, Raj Samani.
“However, despite its sophistication, this campaign depends on a certain degree of social engineering which, with vigilance and communication from businesses, can be easily mitigated. Businesses must find the right combination of people, process and technology to effectively protect themselves from the original attack, detect the threat as it appears and, if targeted, rapidly correct systems.”
The coming year will see a mix of old and new as phishing is supercharged with AI but reported vulnerabilities continue to cause organizations problems, according to Trend Micro.
The security giant claimed in its predictions report this week that phishing will continue to grow in popularity as exploit kits fade. The number of detections of the latter has fallen from over 14.4 million in 2015 to just 261,000 today, while blocked phishing URL volumes have jumped from 8.1 million to over 210 million over the same time period.
However, attackers will be looking to make phishing even harder to detect, via new tactics such as using AI to monitor executives’ online behavior, and AI-enabled chatbots to lure users into clicking on malicious links.
Another social engineering-based attack set to hit the mainstream in 2019 is SIM-swap fraud, according to the vendor.
However, despite some relatively new tools and techniques breaking onto the scene, it is the tried-and-tested options that remain a major threat over the coming year.
These include exploitation of known vulnerabilities: 99.99% of exploit-based attacks will involve vulnerabilities for which patches have been available for weeks or even months but have not been applied, predicted Trend Micro.
Many of these will be found in OT systems like SCADA human machine interfaces, as well as newer systems like Kubernetes and other cloud software.
Hackers will also respond to the increasing use of AI by the white hats to try and stay hidden by “living off the land,” according to principal security architect, Bharat Mistry.
“By repurposing standard computing objects for reasons other than their intended purposes — such as unconventional file extensions or online storage services — the threat actor’s arsenal will evolve significantly, and enable them to intelligently camouflage within the corporate network,” he explained.
“In 2019, as cyber-criminals look to infiltrate sites under the radar, it’s imperative that enterprises implement comprehensive security solutions that are able to spot disguised profiling attempts.”
There’ll be plenty for system administrators to do right up to the end of the year with Microsoft’s latest patch update round featuring fixes for nine critical vulnerabilities including one zero-day bug.
The 39 flaws reported by the computing giant on Tuesday paled in comparison to the 87 posted by Adobe and represent a relatively light load, but there are important caveats.
The main one is CVE-2018-8611, an elevation-of-privilege (EoP) bug that affects all supported operating systems from Windows 7 to Server 2019, enabling an attacker to run arbitrary code in kernel mode.
“To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system,” explained Microsoft.
“An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Another one to note is CVE-2018-8517, a publicly disclosed flaw which could allow a DoS attack in .NET web apps.
“The vulnerability can be exploited remotely without authentication by issuing a specially crafted request to the vulnerable application,” explained Ivanti’s Chris Goettl.
“The vulnerability is rated as important likely due to complexity to exploit, but it has been publicly disclosed, meaning enough information has been revealed to the public to give a threat actor a head start on creating an exploit to take advantage of the vulnerability.”
Allan Liska, senior solutions architect at Recorded Future, also pointed to a critical heap overflow vulnerability in Microsoft’s DNS Server (CVE-2018-8626), and several critical flaws in the Microsoft Edge Chakra Core scripting engine.
“This is the now the 15th straight month that Microsoft has disclosed a vulnerability in the Chakra scripting engine, the last Patch Tuesday without a Chakra disclosure was September of 2017,” he explained.
This month’s Chakra memory corruption vulnerabilities (CVE-2018-8583 and CVE-2018-8629) would allow an attacker to execute arbitrary code on the victim’s machine.
Experts also urged firms to apply Adobe’s patches, especially those for CVE-2018-15982 and CVE-2018-15983, two critical Adobe Flash zero-day vulnerabilities being actively exploited in the wild.
Amplification bots spread both information and misinformation across Twitter's social network through retweets, and according to new research from Duo Security, these bots not only affect how content spreads but also how the information is perceived.
Published today, Anatomy of Twitter Bots: Amplification Bots, Jordan Wright and Olabode Anise detail the characteristics that make up amplification bots based on a data set of 576 million tweets. The researchers also looked at how to build a crawler that can map out entire botnets of this kind.
The research is the culmination of a three-part series that began at Black Hat 2018 with "Don’t @ Me: Hunting Twitter Bots at Scale" and was followed by a more detailed explanation of how fake followers operate.
The focus in this final part of the series is on automated retweeting. Because retweeting is what boosts an account's popularity, amplification bots are concerning from an information security perspective. “Automated retweeting of a tweet [is considered] to be more damaging to social network conversation, since it actively spreads content as opposed to just artificially boosting the content’s popularity,” the authors wrote.
Determining which accounts are bots and which are authentic took a bit of work, though. In essence, researchers had to distinguish different patterns of likes and retweets from a wide sampling of accounts.
“We found that an average account’s timeline is composed 37.6 percent of retweets while the 90th percentile was composed of 75 percent of retweets. Because our dataset of tweets does include accounts that exhibit bot-like characteristics, it’s important to note that the the overall distribution of retweets in an account’s timeline may be affected by their behavior.”
Research suggested a key factor that distinguishes bots from actual user accounts is found in the timeline, with actual users tending to retweet in consecutive order while the activity of bots is more scattered. After determining normal behaviors, researchers set out to find bots as seen in the image below:
Credit: Duo Security
“The account’s most recent (re)tweet has 969 retweets and 164 likes, which is strange. Most tweets with that many retweets won’t have a retweet-to-like ratio of almost 6:1. To put some numbers to how rare this is, only 0.2 percent of tweets in our dataset had more than at least 900 retweets and a similar retweet-to-like-ratio,” researchers wrote.
Finding one bot then opened the door for the discover of many more amplification bots, which have the potential to sully the credibility of retweets, though determining legitimate information from misinformation is a challenge.
The US House of Representatives Committee on Oversight and Government Reform released its report on the Equifax breach. It found that the lack of modernized security controls combined with dozens of expired certificates created vulnerable systems and resulted in the data breach of 143 million records.
The cyberattack that started on May 13, 2017, lasted for 76 days, during which time malicious actors were able to access and exfiltrate unencrypted personally identifiable information hundreds of times, according to the report.
The breach resulted in CEO Richard Smith announcing his retirement on September 26, 2017, a little over a month after he had delivered a speech at the University of Georgia in which he explained that the company manages massive amounts of very unique data.
Smith stated: “We have data on approaching 100 million companies around the world. The data assets are so large, so unique it is...credit data, it is financial data – we have something like $20 trillion of wealth data on individuals, so how many annuities, mutual funds, equities you own. About $20 trillion on property data, so property that you might own – what the value was when you bought it, what it’s worth today. Utility data, marketing data, I could go on and on and on – but massive amounts of data.”
According to the committee’s findings, “Equifax should have addressed at least two points of failure to mitigate, or even prevent, this data breach. First, a lack of accountability and no clear lines of authority in Equifax’s IT management structure existed, leading to an execution gap between IT policy development and operation.”
“This also restricted the company’s implementation of other security initiatives in a comprehensive and timely manner. As an example, Equifax had allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains.”
In addition, building critical IT applications on custom-built legacy systems added to the complexity of Equifax’s systems, which was addressed too late to prevent the breach. The report noted that Equifax understood that operating legacy IT systems posed inherent security risks, as was evidenced by the company’s action to modernized its infrastructure – steps that should have been taken much sooner.
The committee concluded that “Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented.”
The attack targeted servers in Saudi Arabia, the United Arab Emirates and Kuwait, while the servers in Italy, France and Britain remain unaffected, according to Saipem’s head of digital and innovation, Mauro Piasere. The attack origination has not yet been determined.
“The servers involved have been shut down for the time being to assess the scale of the attack,” Piasere told Reuters.
Information Security tried to contact Saipem. As of the time of writing this, the company has not responded. The company did share an announcement on its website in which it stated:
“We are collecting all the elements useful for assessing the impact on our infrastructures and the actions to be taken to restore normal activities. We are also in the process of notifying the report of the incident to the competent authorities.”
A small Aberdeen, Scotland, office is the only European site affected by the attack, which has impacted 400 servers that remain down as the company investigates, according to Bloomberg Law.
“It's still too early to tell, but given Saipem's position as a trusted third-party supplier to Saudi Aramco, an educated guess would be that the adversary is the same one that attacked Saudi Aramco in the past – which points to the destructive Shamoon attacks of 2012 and 2016, now widely attributed to Iran," said Phil Neray, VP of industrial cybersecurity at CyberX.
Earlier this year, Saipem announced that it was looking to transition from oil and gas construction to offshore and wind energy, Energy Voice reported. To that end, it has invested $55m into technological innovation, though it is unclear what percentage of that investment is slated for cybersecurity.
New research has revealed a dearth of qualified cybersecurity staff in the NHS and low levels of spending on in-house training for employees.
RedScan received Freedom of Information (FOI) responses from 159 trusts between August and November.
It found that nearly a quarter of trusts have no qualified security professionals working in-house despite some of them employing as many as 16,000 staff.
Although some of this security work is outsourced by the health service, RedScan director of cybersecurity, Mark Nicholls, claimed that security specialists should still number more than the average of one per 2628 employees revealed by the research.
“There’s no magic number. Every organization has a responsibility to assess its cybersecurity risk and make a judgement call about the number of trained professionals it needs. Factors to consider include the size of the network, number of employees, systems in use, plus the type and quantity of data stored,” he told Infosecurity.
“When you consider how big a target the NHS is, how diverse and interconnected its networks are and how many people rely on healthcare services day-to-day, it’s pretty clear that trusts lack the specialist skills required. The fact that several trusts with more than 10,000 employees had no security professionals whatsoever is a great concern.”
What’s more, trusts spent an average of only £5356 on data security training over the past 12 months, with GDPR understandably the most common course type undertaken. However, this average figure hides a wide disparity in spending, with some trusts forking out just £238 and some as much as £78,000.
Trusts are also failing to meet minimum standards on information governance (IG) training, with NHS Digital requiring 95% of all staff to pass such training every 12 months, according to RedScan. Unfortunately, just 12% of trusts that sent back FOI answers had met this target, with the majority having trained 80-95% of staff.
However, a quarter had trained less than 80%, with some claiming less than half had been sent on IG courses.
The healthcare sector accounted for 43% of all data breach incidents reported to the ICO between January 2014 and December 2016, although this figure may be relatively high because of mandatory reporting requirements in the sector.
It added another 619 incidents in Q2 2018/19 alone, including 420 labelled as “disclosure of data” and 190 security-related.
The NHS will be banned from buying any more fax machines from next month as the government looks to upgrade the health service to more modern and secure communications platforms.
Health secretary Matt Hancock has also ordered a complete ban on their use by March 2020, as part of a plan to bring the NHS into the 21st century.
According to a Freedom of Information (FOI) request from the Royal College of Surgeons (RCS) in July, the NHS in England still uses over 8000 fax machines.
“We’ve got to get the basics right, like having computers that work and getting rid of the archaic fax machines still used across the NHS when everywhere else got rid of them years ago,” he said in a statement.
“I am instructing the NHS to stop buying fax machines and I’m setting a deadline for getting rid of them altogether. Email is much more secure and miles more effective than fax machines. The NHS can be the best in the world — and we can start with getting rid of fax machines.”
Richard Kerr, chair of the RCS Commission on the Future of Surgery, welcomed the news.
“Advances in artificial intelligence, genomics and imaging for healthcare promise exciting benefits for patients,” he argued. “As these digital technologies begin to play a bigger part in how we deliver healthcare it is crucial that we invest in better ways of communicating the vast amount of patient information that is going to be generated.”
Tony Pepper, CEO of Egress Software, highlighted the security risks associated with using fax machines.
“Fax machines provide a large surface area for human error and consequently data breaches when used to transfer sensitive data, as they can’t offer assurance over how the data is picked up and used at the receiving end, or a safety net to allow for user error when dialing,” he explained. “When used to transfer confidential information, there is a significant risk of a data breach.”
However, care will be needed to ensure sensitive data is encrypted when shared outside the health service via email, for example with patients, Pepper added.
Research from Check Point in August also pointed to a possible new attack vector exploiting vulnerabilities in a common implementation of the fax protocol, which could even allow hackers to infiltrate corporate networks via these machines.
Google is speeding up the closure of its unpopular social networking platform after discovering a new bug affecting over 52 million users.
The tech giant announced in October that it would be shutting Google+ in August 2019. However, that date has been brought forward to April next year, while its APIs will disappear “within the next 90 days,” according to G Suite product management VP, David Thacker.
The reason appears to be a newly discovered vulnerability in the API which the firm says impacts roughly 52.5 million users.
“With respect to this API, apps that requested permission to view profile information that a user had added to their Google+ profile — like their name, email address, occupation, age — were granted permission to view profile information about that user even when set to not-public,” Thacker explained.
“In addition, apps with access to a user's Google+ profile data also had access to the profile data that had been shared with the consenting user by another Google+ user but that was not shared publicly.”
On the plus side, however, no developers were able to access information such as financial data, ID numbers, passwords, or similar which could have been used for identity theft. Google also said it has no evidence any developers abused the access they did have to users’ non-public information.
Thacker said Google was in the process of notifying any enterprise customers affected by the bug, with a list of impacted users being sent to system administrators.
The original vulnerability disclosed in October shared non-public profile information including name, email address, occupation, gender and age with others. Around 500,000 users were thought to be affected.
The House Energy and Commerce Committee released the comprehensive Cybersecurity Strategy Report, in which it identified procedures to both address and prevent cybersecurity incidents.
In the report, the committee identified six key concepts and priorities, noting, “The identification of these principles shaped the subcommittee’s approach to cybersecurity and guided subsequent work. As each of these concepts emerged, the subcommittee began exploring and analyzing possible strategies for addressing them.”
In addition to recognizing that there will always be unknowns and that it’s impossible to protect what you don’t know you have, the committee also realized that software is no longer written but assembled. As a result, there must be a common cybersecurity language, which was the fourth concept. The remaining two concepts stated, “Digital assets age faster and less predictably than physical ones. Cybersecurity takes a 'whole-of-society' approach.”
In attempting to answer the question, "If traditional IT strategies have proven ineffective, what can organizations do to better strengthen their cybersecurity capabilities?," identifying these six concepts led the committee to outline six priorities, which are:
Priority 1: The widespread adoption of coordinated disclosure programs.
Priority 2: The implementation of software bills of materials across connected technologies.
Priority 3: The support and stability of the open-source software ecosystem.
Priority 4: The health of the Common Vulnerabilities and Exposures (CVE) program.
Priority 5: The implementation of supported lifetimes strategies for technologies.
Priority 6: The strengthening of the public–private partnership model.
“Cybersecurity has become a priority for all Americans – from government and military leaders and corporate executives to small-business owners and everyday families,” said Rep. Greg Walden of Oregon, according to KTVZ.com. “That’s why we must take steps to strengthen our ability to confront the threats facing the internet and connected technologies that we are increasingly dependent on.
"This latest report outlines a strategy that, based on the significant body of work the Energy and Commerce Committee has already completed, would elevate cybersecurity capabilities across all sectors. We’ve had real bipartisan success in pursuing several of these policies at the committee, and I look forward to working across the aisle in the upcoming session of Congress to continue this vital work.”
Two recently published surveys about the telecom industry revealed that privacy as it relates to security and the internet of things (IoT) has become a top concern for both businesses and consumers.
Allot Telco's security trends report for 2018’s third quarter found that 50% of consumers polled were concerned about loss of privacy or a cyber-attack. Additionally, 72% of the consumers surveyed stated that they were willing to pay a monthly fee, averaging at $5.26, for an IoT security service, and 16% of those who would buy security services would make that investment in their internet service providers (ISPs).
More than 1,200 consumers across 10 different countries participated in the survey, which found that "to improve the security posture of homes and connected devices, the following must occur: Security at the device level must improve and security must be delivered at the network level."
Similar sentiments were mirrored in the recent 2018 Annual Industry Survey, published by Telecoms.com, which showed that 75% of the 1,500 executives from global telecom industries who participated in the survey said that privacy was the key concern of consumers living in a highly connected smart home, followed by identity theft, fraud and vandalism through hacking into connected devices.
Further, 90% of all respondents thought consumers would be willing to pay for smart-home cybersecurity service. Nearly three-quarters (74%) thought consumers would be happy to pay up to $10 a month.
“Over half of the respondents identified four different types of security solutions – DNS blacklisting/firewalls, IP/domain blacklisting, antivirus solutions, and deep packet inspection. Service providers need security capabilities that are high performance and multilayered. They should adopt targeted measures to secure every potential vulnerability, including the data center, control plane, and applications,” the report said.
According to the report, in view of these concerns industry professionals are planning to actively deliver IoT security services. To that end, 56% of respondents saw IoT as an important driver to expand their service portfolio and 46% saw it as significant channel to deliver new revenues.
Banking Trojan DanaBot has reportedly resurfaced with some new tricks. According to malware analysts at ESET, the Trojan has evolved beyond banking and is now being used to send spam directly to a victim’s inbox.
“Its operators have recently been experimenting with cunning email-address-harvesting and spam-sending features, capable of misusing webmail accounts of existing victims for further malware distribution,” ESET wrote.
In large part, the attacks have been targeting victims whose emails contain the substring “pec,” found in Italy-specific “certified electronic mail” addresses, according to ESET. Roundcube, Horde and Open-Xchange, as well as mail.yahoo.com, mail.google.com, mail.one.com and outlook.live.com, are included among the list of targeted email servers.
"Previously the DanaBot focused on mainly harvesting banking credentials by a similar means to the new threat, essentially by compromising the Bank’s Web Portal,” said Will LaSala, director, security solutions and security evangelist at OneSpan. “It would steal usernames and passwords. The new functionality seems as if they are focusing on just harvesting email addresses, from all sorts of different companies. The change in direction of the DanaBot shows that attacks that what started in banking is moving beyond banking."
Other high-profile attacks have been efforts to steal private information that can then be sold on the black market. "This private information is valuable," said LaSala, "because it helps criminals open new accounts and appear legitimate. The more private information that is stolen, the more difficult it will be for organizations to protect themselves from fraudulent accounts. Changes like those to well known malware showcase the fact that all forms of internet communication need to be protected and companies should be vigilant in patching security holes as soon as they can."
Over two-thirds of UK firms have fallen victim to a cyber-attack over the past year, with many claiming they don’t get enough guidance from the government on how to combat threats, according to RedSeal.
The security vendor polled over 500 UK IT professionals from mainly SMBs to better understand their cyber-resilience levels.
Some 68% claimed to have suffered at least one attack over the past 12 months, with 67% of these saying it had resulted in financial loss, over a third (37%) in customer attrition, and over a fifth (43%) in damage to their corporate reputation.
Nearly a third (31%) said the government doesn’t provide enough support on cybersecurity, despite the best efforts of the National Cyber Security Centre, which was set up two years ago with that mission in mind.
It has provided detailed advice for organizations in specific critical infrastructure sectors on how to comply with the new NIS Directive, for example, as well as implementing two-factor authentication and other crucial best practices, Cyber Aware advice for small businesses, and Cyber Essentials resources to encourage firms to get accredited with the baseline security standard.
Still, the RedSeal findings seem to show security shortcomings among many organizations. A significant minority (19%) said they had no incident response plan in place while nearly two-thirds (65%) of IT pros polled said they thought senior managers should pay more attention to cybersecurity in 2019.
The former is a serious issue given that both the GDPR and NIS Directive demand organizations have an effective plan in place should they suffer a successful attack.
Part of the challenge here is corporate culture and organization: just 30% of UK firms have a board member responsible for security, according to government figures.
Security bosses could help to break down the silos between their function and the boardroom by talking not in terms of cyber risk but business risk.
The RedSeal report’s findings are somewhat at odds with the government’s own report into cyber threat levels facing firms. Released earlier this year, it revealed that just 43% of companies had suffered a breach or attack over the previous 12 months.
Europol is celebrating after a major crackdown on online buyers of counterfeit money which has seen hundreds detained.
The police group claimed its latest operation stemmed from an arrest of a print shop owner in Austria in June this year.
The man was found to have been making counterfeit 10, 20, and 50 euro banknotes and selling them via several dark web marketplaces.
However, he’d failed to keep key information hidden from the investigating officers, meaning they were able to identify the email addresses of the buyers, who had purchased an estimated 10,000 banknotes.
A subsequent operation took place beginning November 19, with the majority of arrests made between December 3-6, according to Europol.
Nearly 300 houses were searched in 13 countries, with 235 suspects detained.
Police are also said to have seized 1500 counterfeit notes, drugs, weapons including guns, nunchaku, knives and blades, computers, mobile phones, Bitcoin and hardware for mining digital currency. In Germany, police even found two marijuana-growing facilities, while in France law enforcers discovered another counterfeiting print facility and a third marijuana farm.
“This joint effort highlights that complete anonymity on the internet and the darknet doesn’t exist,” said Europol deputy director of operations, Wil van Gemert.
“When you engage in illegal activity online, be prepared to have police knocking on your door sooner or later. Europol will continue to assist member states in their efforts of protecting the euro against counterfeiting, both in the real world as in the virtual one.”
The news follows an announcement last month that Europol had managed to shut down more than 33,000 websites selling counterfeit and stolen products, including pharmaceuticals, TV shows and electronics.
Police were also able to arrest 12 suspects and freeze over €1m in several bank accounts.
Despite van Gemert’s assertion, however, it is usually traditional police work offline that enables them to disrupt dark web traders. The vast majority remain at large and the marketplaces themselves up and running.