How law enforcement takedowns are disrupting ransomware gangs.
The past year has been marked by significant progress against dark web criminality. Law enforcement agencies worldwide have successfully targeted and disrupted notorious ransomware groups like LockBit and dismantled dark web marketplaces such as Nemesis.
These operations are not just about seizing servers – they represent a sophisticated, multi-faceted approach designed to undermine and discredit cybercriminal enterprises.
There is a cliché in the security industry that cybercriminal gangs are like the mythical Hydra: cut off one head and three more appear to take its place. However, the volume of law enforcement action and use of new tactics seem to be cutting off heads faster than they can resurge - at least for now. What has changed to enable this progress?
Law Enforcement Changes its Approach
Reputation is everything on the dark web, and recent law enforcement efforts have zeroed in on how they can exploit this: focusing not just on arresting key members (which is impossible in some cases, where criminals are based in non-extradition territories) but also on publicly discrediting the actors behind these groups.
These PsyOps (psychological operations) are designed to create distrust and paranoia within hacker communities, making it difficult for these groups to operate cohesively.
The takedown of LockBit was a landmark law enforcement operation in showcasing this new strategy. Dubbed Operation Cronos, the mission included the “traditional” targeting of the group’s core infrastructure, but it didn’t stop there. Law enforcement agencies also used psychological tactics to damage LockBit’s reputation and create chaos among its members.
This included revealing internal chats and IP addresses, which significantly impacted their operations by discouraging collaboration with LockBit. Key milestones of Operation Cronos included:
20th February 2024: International agencies took control of LockBit’s servers and redesigned LockBit’s leak website, where the group had published its victims’ stolen data, using the site instead to publish LockBit’s inner workings.
24th February 2024: LockBit conceded in a statement that its infrastructure had been compromised due to an unpatched vulnerability but vowed to continue.
7th May 2024: Law enforcement published images of LockBit’s administration system and revealed the identity of Dimitry Khoroshev, aka LockBitSupp, along with usernames and login details of 194 LockBit “affiliate” members.
While LockBit has continued, many security firms have noted a decline in the group’s output following Operation Cronos, and it is hard to imagine how the group can continue at the same rate following the reputational damage inflicted by the law enforcement action. The significance of this should not be underestimated, as LockBit was previously the most prolific ransomware group in operation.
A Ripple Effect: BlackCat in Retreat
The fallout from LockBit’s takedown was not isolated to the group itself; it sent a message to the wider ransomware ecosystem that law enforcement had a new way of working. It is almost certainly not a coincidence that the BlackCat (aka AlphV) ransomware group, notorious in its own right, initiated an exit scam (a dark web term for stealing money - in this case from their own affiliates - and disappearing) just weeks after Operation Cronos came to light.
Beyond the world of ransomware, there has also been huge disruption in other areas of the dark web driven by law enforcement action:
Nemesis Marketplace: Nemesis was a thriving dark web market specialising in cybercrime and fraud-related products. In March 2024, German authorities, in collaboration with Lithuanian and U.S. agencies, seized Nemesis’s infrastructure and confiscated substantial cryptocurrency assets, demonstrating the power of international cooperation.
Incognito Market: Known for its innovative features and community governance, Incognito Market’s administrators also attempted an exit scam in March 2024. However, law enforcement quickly caught up with them, arresting key figures in May 2024 - proving that retirement is no escape from justice.
Cobalt Strike: In a significant blow to cybercriminals, law enforcement agencies have disrupted the distribution of cracked versions of Cobalt Strike, a legitimate penetration testing tool often misused by ransomware groups. The operation that took place in June 2024 highlights the increasing effectiveness of international collaboration and intelligence sharing.
Bold Approaches to Tackling Ransomware
In spite of recent successes, ransomware remains a persistent challenge. Completely eradicating it would require more radical action, such as limiting or completely banning the payment of ransoms.
This policy, which was recently under consideration in the UK - and may well come back now that the general election is in the rear-view mirror - would undoubtedly help to dismantle the financial incentives that underpin the ransomware business model. The logic is simple: without payments, ransomware loses its profitability, removing the incentive for ransomware groups to attack the UK.
Of course, it is not a policy without cost: in the short term, businesses impacted by ransomware may well go under if they cannot pay to retrieve their data or unlock their infrastructure. While this would be a major step for the government to take, recent successes against ransomware groups demonstrate that new approaches can yield positive results, undermining the ransomware "playbook."
The Road Ahead
The fight against ransomware and dark web criminality is entering a new phase. The successes of 2023/2024 demonstrate that innovative and aggressive law enforcement tactics can yield significant results, but the battle is ongoing and law enforcement must continue to evolve, adapting to the ever-changing tactics of cybercriminals.
The combined efforts of governments, cybersecurity firms, and the private sector are crucial. By continuing to push the envelope with new strategies and policies, we can make significant strides in mitigating these pervasive threats.
Written by
Dr. Gareth Owenson
CTO and co-founder of Searchlight Cyber