Investigating the supply on 17 underground hacker markets

Have you ever wondered what kind of malicious offerings can be found on dark web “hacker markets,” who sells them and how widely they are available?


Three researchers from Arizona State University have, so they scraped 17 such markets for six months for information about the tools and services offered, to create a general picture of the supply and demand in this particular industry.

A combination of automated work (scraping and data clustering) and manual work (labeling), concentrating on each product's title/name for indications of its capabilities and features, revealed that many items are cross-posted and nearly identical.

All in all, they found a total of 16122 products sold by 1332 vendors.

They identified 34 distinct categories of offerings – from email hacking tools to data dumps, PoS malware to physical layer hacking services, exploit kits and invitations to hacking groups to access to RDP servers and RATs.

Here is the complete list, including a calculation of market and vendor entropy:


A low marketplace entropy for a given cluster means these types of products were mainly found in a particular marketplace. Likewise, a low vendor entropy means the cluster’s products were mainly sold by a particular vendor.
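To make the metric concrete, here is an added example (not the researchers' code) that computes per-cluster marketplace and vendor entropy over a handful of constructed listings. The article does not give the exact formula, so normalized Shannon entropy is an assumption, as are all market and vendor names.

```python
import math
from collections import Counter, defaultdict

# Constructed sample listings: (cluster, marketplace, vendor). Not data from the study.
LISTINGS = [
    ("Links", "market_A", "v1"), ("Links", "market_A", "v2"),
    ("Links", "market_A", "v3"), ("Links", "market_A", "v4"),
    ("Hacking Tools", "market_A", "v1"), ("Hacking Tools", "market_A", "v1"),
    ("Hacking Tools", "market_B", "v1"), ("Hacking Tools", "market_A", "v2"),
    ("Keylogger", "market_A", "v1"), ("Keylogger", "market_B", "v2"),
    ("Keylogger", "market_C", "v3"), ("Keylogger", "market_D", "v4"),
]

def normalized_entropy(labels, n_possible):
    """Shannon entropy of the label distribution, scaled to [0, 1].

    Assumed formula: H = sum(p * log(1/p)) / log(n_possible).
    0 means every product sits under one label; 1 means an even spread
    across all n_possible labels.
    """
    if n_possible < 2 or not labels:
        return 0.0
    total = len(labels)
    h = sum((c / total) * math.log(total / c) for c in Counter(labels).values())
    return h / math.log(n_possible)

def cluster_entropies(listings):
    """Return {cluster: {"market": H_market, "vendor": H_vendor}}."""
    markets = {m for _, m, _ in listings}
    vendors = {v for _, _, v in listings}
    by_cluster = defaultdict(list)
    for cluster, market, vendor in listings:
        by_cluster[cluster].append((market, vendor))
    return {
        cluster: {
            "market": round(normalized_entropy([m for m, _ in rows], len(markets)), 3),
            "vendor": round(normalized_entropy([v for _, v in rows], len(vendors)), 3),
        }
        for cluster, rows in by_cluster.items()
    }

if __name__ == "__main__":
    for name, scores in cluster_entropies(LISTINGS).items():
        print(f"{name:14s} market={scores['market']:.3f} vendor={scores['vendor']:.3f}")
```

In this constructed data the Links cluster sits entirely on one market (market entropy 0), while Keylogger is spread evenly across all markets and vendors (entropy 1).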

These numbers allowed the researchers to come to some interesting conclusions.

They posited that:

  • The low market entropy for the Links cluster likely means that many markets “discourage the re-selling of lists of links, as much of this information can be found on dark web Wiki’s for free.”
  • The low vendor entropy for the Hacking Tools cluster indicates that only a few vendors sell them. “Specifically, only 2 vendors author 416 (50%) of this type of products. At first glance, this may be surprising as this appears to be a very general group. However, upon inspection of the contents, we find that many authors of these products are actually organizations,” the researchers shared. “We also note one of the most prominent vendor in this cluster was itself a marketplace – which is also reflected in the low marketplace entropy.”
  • The high market and vendor entropy for the Facebook and Keylogger clusters indicate that there are many vendors selling these types of malware on most of the scraped markets. While the widespread prevalence of keyloggers is not surprising, they say, the similarity in those two clusters’ trends might indicate an “increase in demand for Facebook-directed social media hacking products and information.”

The group acknowledged the limitations of their current research and is planning further research with other methods that should make the picture clearer, including an investigation into the underlying social network of vendors.
