Government of the Republic of Trinidad and Tobago

Cybercriminals Have Been Experimenting With a Blockchain Domain Name System (DNS)

Cybercriminals Have Been Experimenting With a Blockchain Domain Name System (DNS)

The takedowns of AlphaBay and Hansa in 2017 by law enforcement gave rise to much speculation about the future of dark web marketplaces. As I’ve discussed before, an environment of fear and mistrust are driving the cybercriminal community to incorporate alternative technologies to improve security and remain below the radar as they conduct illicit business online. One such technology is blockchain.

When most people hear the term “blockchain” they typically think of cryptocurrencies and other applications where transactions and interactions among a community of users must be executed with a high degree of trust, efficiency and transparency. However, if we consider the recent challenges that administrators of online criminal forums have encountered, it only makes sense that they would explore applications for blockchain. To that end, some have been experimenting with a blockchain domain name system (DNS) as a way of hiding their malicious activity and bullet-proofing their offerings.

A blockchain DNS is different from a traditional DNS. Typically, when we type a website into an Internet browser, a computer will query a DNS server for an IP address. Essentially, this is the Internet equivalent of a phone book. It includes the name of the entity and then, after the “dot”, the extension known as the Top Level Domain (TLD), which could be .com, .gov., .edu, .uk, .de, etc. The TLD is controlled by a central authority such as Internet Corporation for Assigned Names and Numbers (ICANN) with a global reach, or regional authorities like Nominet in the U.K. or DENIC in Germany. In contrast, Blockchain DNS is a decentralized DNS. Blockchain TLDs – including .bit, .bazar and .coin – are not owned by a single central authority. DNS lookup tables are shared over a peer-to-peer network and use a different technology from traditional DNS requests.

Decentralized DNS offers many benefits such as countering censorship by authorities (for example if a government orders all Internet Service Providers in a country to stop redirecting domains to a relevant IP address), or preventing DNS spoofing, where attackers can insert corrupt DNS data so that the name server returns an incorrect IP address and redirects traffic to an attacker computer. However, decentralized DNS can also be abused by attackers for malicious purposes. As blockchain domains do not have a central authority and registrations contain unique encrypted hashes rather than an individual’s name and address, it is harder for law enforcement to perform site takedowns. The following are just a few examples of bad actors using blockchain.

Back in January 2016, one of the first groups to employ blockchain DNS to create a .bazar domain in an attempt to better secure their operations was a group known as The Money Team. In July 2017, the Joker’s Stash, a popular Automated Vending Cart (AVC) site used to purchase stolen payment card details, began using blockchain DNS alongside its established Tor (.onion) domain. Users wanting to access the .bazar version of the site need to install a blockchain DNS browser extension or add-on. Other AVC sites and forums used to trade stolen account information have also been experimenting with peer-to-peer DNS technology.

Blockchain technology has also allowed users to realize alternative models for online marketplaces. The site known as Tralfamadore, for example, uses blockchain as its back-end to store the necessary databases and code to support front-end user interfaces. Transactions are made using cryptocurrency and recorded as smart contracts on the blockchain. The aim is to improve trust among users of the site as all transactions are permanently recorded and scam vendors can be more easily identified.

Another marketplace using blockchain technology is the site OpenBazaar. This project began in April 2016 and its userbase has increased steadily since then. In the first half of 2018, the number of new users on the site has risen by roughly 4,000, while the items for sale have gone up from 18,000 to over 27,000. Despite these gains, OpenBazaar has not been used for cybercriminal activity to any great extent, and the majority of items listed on the site would not be classed as illicit.

Despite these examples, it’s important to remember that as with most things in life, there are tradeoffs. The use of blockchain for cybercriminal activity is no exception. The primary issue preventing its wider adoption is that with blockchain-based platforms all interactions are publicly recorded. This goes against the strong desire by many users to engage in private messaging. Many cybercriminals are choosing to conduct their business away from dark web marketplaces and underground forums altogether. Instead, they are using their site to advertise their service and then directing users to dedicated channels on Jabber, Internet Relay Chat (IRC), Skype, Discord and Telegram to conduct their business. Buyers can contact sellers directly through peer-to-peer networks and private chat channels and execute transactions using cryptocurrencies or electronic payment services.

As cybersecurity professionals, we should continue to monitor for an uptick in the adoption of blockchain for the buying and selling of illicit goods. And while we’re at it, we should also continue to assess other emerging technologies that could be used for nefarious purposes. Because as long as there is a market for what cybercriminals have for sale – everything from compromised accounts and stolen payment cards to counterfeit goods – you can be sure they’ll find new and creative ways to profit.