
Botnet Business Models, Takedown Attempts, and the Darkweb Market: A Survey

Published: 09 February 2023

Abstract

Botnets account for a substantial portion of cybercrime. Botmasters utilize darkweb marketplaces to promote and provide their services, which can vary from renting or buying a botnet (or parts of it) to hiring services (e.g., distributed denial of service attacks). At the same time, botnet takedown attempts have proven to be challenging, demanding a combination of technical and legal methods, and often requiring the collaboration of a plethora of entities with varying jurisdictions. In this article, we map the elements associated with the business aspect of botnets and utilize them to develop adaptations of two widely used business models. Furthermore, we analyze the 28 most notable botnet takedown operations carried out from 2008 to 2021, in regard to the methods employed, and illustrate the correlation between these methods and the segments of our adapted business models. Our analysis suggests that the botnet takedown methods have been mainly focused on the technical side, but not on the botnet economic components. We aim to shed light on new takedown vectors and incentivize takedown actors to expand their efforts to methods oriented more toward the business side of botnets, which could contribute toward eliminating some of the challenges that surround takedown operations.

  132. [132] TheDarkWebLinks. 2020. Torrez Market | Torrez Market Links | Torrez Dark Web Links. Retrieved December 22, 2022 from https://www.thedarkweblinks.com/torrez-market/.Google ScholarGoogle Scholar
  133. [133] Thompson Iain. 2017. International team takes down virus-spewing Andromeda botnet. The Register. Retrieved December 22, 2022 from https://www.theregister.com/2017/12/05/international_team_takes_down_virusspewing_andromeda_botnet/.Google ScholarGoogle Scholar
  134. [134] Thomson Iain. 2016. Online criminals iced as cops bury malware-spewing Avalanche. The Register. Retrieved December 22, 2022 from https://www.theregister.com/2016/12/01/cops_shutter_avalanche_dark_net/.Google ScholarGoogle Scholar
  135. [135] Brett Stone-Gross, Tillmann Werner, and Bex Hartley. 2018. Farewell to Kelihos and ZOMBIE SPIDER. https://www.crowdstrike.com/blog/farewell-to-kelihos-and-zombie-spider/.Google ScholarGoogle Scholar
  136. [136] Tor. 2019. Tor: Onion Service Protocol. Retrieved December 22, 2022 from https://2019.www.torproject.org/docs/onion-services.Google ScholarGoogle Scholar
  137. [137] Traynor Ian. 2007. Russia accused of unleashing cyberwar to disable Estonia. https://www.theguardian.com/world/2007/may/17/topstories3.russia.Google ScholarGoogle Scholar
  138. [138] Trendmicro. 2021. Ransomware. Retrieved December 22, 2022 from https://www.trendmicro.com/vinfo/us/security/definition/ransomware.Google ScholarGoogle Scholar
  139. [139] Wang Ping, Aslam Baber, and Zou Cliff C.. 2010. Peer-to-peer botnets. In Handbook of Information and Communication Security. Springer, 335350.Google ScholarGoogle ScholarCross RefCross Ref
  140. [140] Wang Ping, Wu Lei, Aslam Baber, and Zou Cliff C.. 2009. A systematic study on peer-to-peer botnets. In Proceedings of the 2009 18th International Conference on Computer Communications and Networks (ICCCN’09). IEEE, Los Alamitos, CA, 18. DOI:Google ScholarGoogle ScholarDigital LibraryDigital Library
  141. [141] Wright Rob. 2018. Botnet takedown snares 3ve, Methbot ad fraud campaigns. TechTarget. Retrieved December 22, 2022 from https://searchsecurity.techtarget.com/news/252453401/Botnet-takedown-snares-3ve-Methbot-ad-fraud-campaigns.Google ScholarGoogle Scholar
  142. [142] Wright Rob. 2019. FBI: How we stopped the Mirai botnet attacks. TechTarget. Retrieved December 22, 2022 from https://searchsecurity.techtarget.com/news/252459016/FBI-How-we-stopped-the-Mirai-botnet-attacks.Google ScholarGoogle Scholar
  143. [143] Zeitlin Sam. 2015. Botnet takedowns and the fourth amendment. New York University Law Review 90 (2015), 746.Google ScholarGoogle Scholar
  144. [144] Zhao Ziming, Sankaran Mukund, Ahn Gail-Joon, Holt Thomas J., Jing Yiming, and Hu Hongxin. 2016. Mules, seals, and attacking tools: Analyzing 12 online marketplaces. IEEE Security & Privacy 14, 3 (2016), 3243.Google ScholarGoogle ScholarDigital LibraryDigital Library

    • Published in

      ACM Computing Surveys  Volume 55, Issue 11
      November 2023
      849 pages
      ISSN:0360-0300
      EISSN:1557-7341
      DOI:10.1145/3572825

      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      • Published: 9 February 2023
      • Online AM: 15 December 2022
      • Accepted: 21 September 2022
      • Revised: 23 June 2022
      • Received: 25 June 2021

      Qualifiers

      • survey
      • Refereed
