Report highlights how shady business is done on dark Web

[Figure: Total number of messages on shadow sites mentioning escrow agents, by quarter, from 2020 to 2022. Source: Kaspersky]

The latest Kaspersky research has revealed that cybercriminals posted more than one million messages mentioning escrow services on the dark Web from 2020 to 2022.


Escrow agents are third-party intermediaries brought into dark Web deals to control the fulfillment of agreements and reduce the risk of cheating. They partner with cybercriminals who want to sell or buy data or services, or to conclude a partnership — usually earning from three to 15 percent of the transaction.

However, a deal can still fail for various reasons, including escrow scams. How such business is done on the darknet is described in a new report by the Kaspersky Digital Footprint Intelligence team.

According to Kaspersky, cybercriminals active on the darknet care about their own security and do not want to become victims of their “colleagues”. When closing any transaction, such as buying databases, accounts, initial corporate access, etc., they use the intermediary services of escrow agents.

An escrow agent can be a human or an automated system developed to speed up and simplify relatively typical deals. For expensive or atypical cases, cybercriminals still engage a human intermediary.

“Cybercriminal activities on the dark web are rampant, and various illegal transactions occur frequently. Escrow services have emerged alongside, but fraudulent activities related to them also occur frequently, disrupting the ‘order’ of the dark Web. This makes cybercriminals who create cybersecurity problems also have to worry about security issues,” Chris Connell, APAC managing director for Kaspersky, said.

The Kaspersky Digital Footprint Intelligence team monitors the dark Web to help companies track cybercriminal discussions and other types of activity in order to prevent incidents and mitigate risks related to data leaks.

The experts found that the number of messages mentioning the use of an escrow agent (or other terms for the same services, such as “guarantor”, “middleman”, “intermediary”, etc.) amounted to more than one million from January 2020 to December 2022.

These messages accounted for 14 percent of the total number of deal-related messages on various dark Web resources. In fact, the share of deals with escrow services can be higher since cybercriminals often discuss detailed terms in person without specifying all the particulars in announcements and offers.

“The number of messages mentioning escrow services surged in the second half of 2021, and coincided with the dynamics of cybercriminal activity in shadow Telegram channels in general. Members of the dark Web community were increasingly transitioning there due to the compromise of several popular dark web forums in early 2021,” Vera Kholopova, security services analyst at Kaspersky, said.

“In most of 2022, we saw a decline in activity on shadow resources in general. This may be a consequence of the escalated geopolitical situation, which motivated cybercriminals to cease their illegal activities and relocate using the accumulated money. Nevertheless, at the end of 2022, we have again seen growing escrow-related activity.”

Despite the rules of communication between cybercriminals on the forums and “dark Web etiquette”, no escrow service protects against cheating. Apart from the cases when the buyer or seller changes their mind, one of the deal-breakers could be foul play.

The seller, the buyer, and the escrow agent can each violate the deal arrangements, especially when it comes to large sums. With the help of Kaspersky Digital Footprint Intelligence, experts found a post accusing an official escrow agent of two shadow forums (including a popular one) of not paying a total of $170,000 in four deals.