Imagine logging on to your favorite e-commerce site, finding your favorite author’s newest book for sale, making the purchase, and then… nothing. Your payment has been taken but no book ever arrives in a neat package on your doorstep. Then when you try to contact customer support, they have vanished too!

Tough luck, you think, but luckily there are other sites I can use. Yet when you try to access other e-commerce platforms, they all seem to be down.

Something is going on.

You do some digging online and check with other users who have experienced the same issues, and soon you know exactly who to blame for all the inconvenience:  your favorite site that failed to deliver the book!

Not only have they taken your money, but they are also responsible for taking down the other sites you tried. What gives?

Now imagine that your favorite online store is actually the dark web marketplace, Apollon, the book you wanted to buy is some illicit product or service, and the other e-commerce platforms you try are in fact Apollon’s competitor sites. The above scenario then becomes exactly what many users in the dark web community have experienced over the past couple of months.

 

Apollon’s New Tactic

Since late January 2020, Apollon has allegedly been conducting an “exit scam” while carrying out an extensive Distributed Denial-of-Service (DDoS) campaign targeting several prominent English-language forums and marketplaces. Exit scamming—running away with all of the users’ money deposited into a cybercriminal site—is quite common on the dark web market scene, but targeting a number of dark web forums and marketplaces in an extensive DDoS campaign at the same time is very unusual behavior for marketplace administrators.

This new tactic did not go unnoticed and created a stir in the community. What was really going on? The immediate response from many has been to complain loudly, then simply abandon Apollon (cybercriminals don’t like being the victims of deception apparently… ironic, some may say…).

So, is this soap opera-worthy double hoax going to be the season finale for Apollon? Probably not…

 

Apollon: The Background of the Dark Web Marketplace

According to a user on the cybercriminal forum Torum, Apollon began the exit scam process on the 26th of January 2020. Although the exact date of the exit scam’s beginning cannot be confirmed, it was around this time that various comments and threads emerged on several forums (including Torum, Reddit, and Reddit’s darker cousin Dread) stating that Apollon was indeed exit scamming.

One Dread user gave an early warning of the Apollon exit scam on the 28th of January, indicating that vendors had been locked out of their accounts and the ability to withdraw funds from the market had been disabled, although customers could still login and deposit funds without issue. Similar comments soon followed: Users shared their experience of losing money and access, the Torum administrators added a banner on their forum warning about the exit scam, and the owner of Kilos, the dark web search engine, announced that they would be delisting Apollon from Kilos’ index.

At the same time, the cybercriminal community experienced two waves of DDoS attacks. The first wave was advertised on Torum by user “42W242W2”, who indicated that the dark web services The Hub, Envoy, and Apollon would be offline throughout the day. However, it later transpired that although both The Hub and Envoy were indeed inaccessible, Empire marketplace had instead taken the place of Apollon, with the latter remaining unaffected.

The second wave of DDoS attacks occurred not long after. However, this time the impact was much wider, and the attacks affected even more forums and marketplaces simultaneously, including Torum, Empire, Dread, DarkBay, DarkMarket, Avaris Market, Envoy, The Hub, Avengers, and possibly other unreported platforms. (Incidentally, most of the affected sites were listed on the dark web repository service ‘Dark Fail’… coincidence?) Several of these platforms experienced downtime but some, like Torum and Dread, reacted quickly and provided mirror links or additional security measures so that users could access the forum as normal.

 

Dread prompting users dark web

Dread prompting users to complete a CAPTCHA task due to “on-going DDOS attacks”

 

Chatter soon emerged claiming that Apollon, which remained unaffected during both DDoS waves, was in fact behind the ongoing DDoS attacks. Allegations started flying in all directions, turning the incident into a tale of he-said-she-said, with twists and turns that could compete against the most ardent soap opera plot on TV.

 

3 Possible Motivations

There are three possible motivations, or a combination of them, that could have led the Apollon administrators to conduct an exit scam and DDoS attacks at the same time, if the rumors are true.

  1. The first originates from a Dread moderator who alleged early on during the first DDoS wave, that Apollon was paying for a coordinated DDoS attack against Dread, Avengers, The Hub, Envoy, and Empire in an effort to cover up an exit scam. The community has largely supported this allegation, with many expressing similar claims that the Apollon owners conducted the DDoS attacks in order to divert buyer traffic to their site, and subsequently exit scam unknowing users. As one Dread user expressed it, the Apollon owners created “the perfect opportunity to get as much money as possible and bail out”.
  2. The second was an accusation that the Apollon exit scam might expand beyond simply extracting its users’ money and bail out. A user on Dread claimed that not only was Apollon locking vendors out from their accounts, stealing their credentials, and changing their Personal Identification Number (PIN), but it was also testing the Apollon vendor logins on other marketplaces to see if they could make further withdrawals. There have been no mentions of specific marketplaces implicated in this claim, but such actions would indicate more elaborate exit scam tactics by the Apollon administrators than those normally observed in the dark web market scene.
  3. The final motivation was detailed by Torum user “apollonhasfallen”, who claimed that Apollon’s server had a vulnerability that could be exploited to identify the site’s IP address, and that the site was now trying to stop the information from spreading. The vulnerability had been detected by an unnamed user who allegedly approached the Apollon administration with the IP address and requested a bug bounty. Apollon refused to pay the bug bounty and patch the vulnerability, but ultimately “grew concerned” and initiated the exit scam to “dip out early”, conducting DDoS attacks to stop the dissemination of the sensitive information.

 

Does Apollon’s silence speak a thousand words?

There have been no official announcements from the Apollon administration team to counter or confirm any of the above claims. However, a user purporting to be an Apollon moderator commented on Dread that the Apollon administrators orchestrated the entire operation themselves, keeping the remaining Apollon staff/affiliated users in the dark. All members of the Apollon moderation team allegedly lost their privileges, just like all other Apollon users, but so far no other Apollon affiliated users have confirmed or denied this allegation.

 

apollon moderator dark web

Alleged Apollon moderator claiming their innocence

 

The purported Apollon moderator made further comments on Dread, stating that the DDoS attacks were in fact conducted by a user called “gustav” and not the Apollon market staff as suggested. This was quickly disregarded with a counter claim by another Dread user who alleged that Apollon was in fact paying “gustav” for daily attacks, and that “gustav” had allegedly admitted to this. Procuring DDoS-as-a-Service is not uncommon in the cybercriminal underground but no further information could be sourced to validate these claims and “gustav” remains a ghost in the dark for the time being.

 

apollon DDoS dark web

Claims of Apollon paying “gustav” for DDoS services

 

Apollon not deterred by their reputational damage?

With so many allegations against Apollon swirling within the community, you would almost expect Apollon to pack its bags and disappear, repeating the life cycle of so many other of its predecessors, such as Evolution and Berlusconi. However, the actual “exit” has not yet happened. At the time of writing, Apollon is still online, and as recently as 03 Mar 2020 a Dread user indicated that Apollon still was exit scamming and stealing users’ deposits. Furthermore, Dread still displays a warning stating that “due to ongoing DDOS attacks” users are prompted to solve a CAPTCHA task in order to access the site, though this does not confirm whether the alleged DDOS attacks from Apollon are still ongoing.

The Apollon exit scam story with a DDoS twist appears to leave us with a cliffhanger for now.

Will they bail out?

Will the administrators simply abandon and leave the marketplace to languish?

Or will Apollon live on and redeem itself as one of the most popular marketplaces in the dark web community?

Apollon will likely continue to exit scam and live on as long as unknowing users keep using the market and depositing funds. We have seen it before with Empire Market. Empire has been known for its controversies in the past, yet it still lives on and recently hit its 1 millionth member mark.

Marketplaces remain a popular resource for cybercriminals, and as long as there is demand, there will always be another platform ready to supply the community’s needs.

The behavior of the Apollon administrators is not likely to change this trend and, as very eloquently put by a Dread user, “No ones scared off by exit scams. We just move on. [sic]”

Dark Web Monitoring: The Good, The Bad, and The Ugly