What is the dark web?
For those who are new to this, concept, the dark web is the third part of the internet which is not indexed by ordinary search engines and requires a specific web browser (a ‘TOR’ browser) to access. The other two parts of the internet are the surface web (what we all think of when we hear the term ‘internet’), and the deep web, which comprises often proprietary databases and data holdings which sit behind a firewall and generally require a subscription or password to access. A database of media articles is one example.
There are a number of illicit markets on the dark web selling everything and anything which is illegal in an anonymised way. These illicit markets also include illicit payment mechanisms for financial transactions which bypass the global financial system. Whilst it makes sense that IP would be sold here, until now this is not something I had heard much about aside from the sale of counterfeit products – shoes, medicine, passports etc. My working hypothesis is that much of the stolen IP on the dark web which is not counterfeit product is likely derived from ‘business espionage’.
Does this article resonate with you? Please vote below or subscribe to get updates on my future articles
What is business espionage?
We all know that information is power, but these days it is also a global currency. According to Forbes Magazine, innovation and intangible assets today comprised around 80% of a business’ value in 2014 (Juetten). In recognition of their value, the International Accounting Standards Board (IASB) adopted IAS 38 Intangible Assets in 2001 to prescribe the accounting treatment for intangible assets.
For simplicity here, I refer to all types of valuable business information, intangible assets or intellectual assets as ‘IP’. Business espionage is a term that I have borrowed from Bruce Wimmer (2015) to refer to the theft of commercial information from businesses including ‘industrial espionage’ (companies spying on their competitors) as well as ‘economic espionage’ (theft of IP by nation states for national security purposes).
The types of IP that is stolen includes:
| Research data | Pricing data |
| Confidential information | Customer lists |
| Trade Secrets | Product development data |
| Engineering schematics | Sales figures |
| Proprietary software code | Strategies and Marketing plans |
| Chemical formulas | Cost analyses |
| ‘Know how’ | Personnel data |
If I think about it simplistically, my hypothesis is there are two main ways someone could obtain this IP for sale: licit and illicit. The licit route would arise where a party has access to the IP and is authorised to copy or use that IP for a permitted purpose (such as under license or terms of confidentiality), but then chooses to use that information for a non-permitted purpose. Examples here could include:
- Where IP is provided to an outsourced service provider or business partner, such as a Contract Research Organisation, Contract Manufacturing Organisation, or IT managed services provider. When a contractual arrangement ceases the IP may not be properly destroyed, and could be used for unauthorised purposes later (such as to win a new contract with a previous customer’s competitor).
In contrast, the illicit route refers to cases where IP is stolen and then onsold. There are a number of potential vectors here including:
- Theft and / or exfiltration by trusted insiders (such as employees, contractors or suppliers)
- Targeting of business travellers in hotels, bars, etc
- Cyber criminals and hackers breach secured networks
- Opportunistic individuals who find valuable information on an unsecured corporate network
- Plus other similar examples
So, to recap, we have the scenario where commercially valuable information (IP) has been stolen – sometimes employees steal IP from an employer as they see it as ‘theirs’ and feel they are the legitimate creater or owner of this information, despite typically having assigned their moral rights to their employer via their employment contract. In this scenario, my experience is that employees rarely sell this information to a third party – but they will often use this information for personal advantage in future roles or positions. However, this is not the focus of this post. In this post, we are referring to the theft and sale of commercially valuable information on a large scale.
Is there a criminal value chain behind the illicit market for stolen IP?
It makes sense that someone who has access to sensitive IP which is valuable in the market and who has ulterior motives would want to sell it, but how does this work? Do they sell it exclusively to the highest bidder at auction? Do they sell it multiple times to multiple parties? If you are the highest bidder at auction, how do you guarantee you are the only buyer? Also, how do you guarantee the authenticity or quality of the information?
“It does little good to steal intellectual property if you do not have the expertise to use it”
James Lewis, SVP and director of the Center for Strategic and International Studies’ (CSIS) Technology Policy Program in Gates (2020)
I have so many unanswered questions here, but the presenter I referred to earlier mentioned the prices some buyers pay for stolen IP on these illicit marketplaces is in the millions of US dollars, and that about 90% of the IP on these illicit markets is authentic. These illicit market dynamics mean this is clearly something worth examining further. As a security consultant, part of my job involves ‘thinking like a criminal’ to identify how such a scheme would work – I have developed my hypothesis below based on my experience and knowledge of how other illicit markets work:
In my hypothesis shown above, I have assumed there is a degree of criminal specialisation in the stolen IP market, as there is in other aspects of cyber crime and cyber fraud. Just with legitimate online marketplaces, if I were a buyer I wouldn’t trust sellers I don’t know or who other people I trust haven’t verified, and I’m not going to pay anything more than a trivial amount or take the risk to buy IP which hasn’t been verified either as authentic (i.e. stolen from the company alleged to have produced it) or not fictional (i.e. garbage content). For a good overview of how online review systems work, look at this Harvard Business Review article from Donaker et al (2019).
In my mind, there must be information brokers who play a ‘trusted intermediary’ role and offer an independent validation and verification services – for a fee. However, this would also require access to pool of experts who would be paid to perform this work (e.g. scientists, doctors or engineers who are specialists in their field and open to a side hustle). Presumably some are complicit and know what they are doing, but are some also told this is legitimate and have no cause to question further? And what about the companies that are happy to take the risk both that the info might be fake and that they might get caught? As it stands I have more questions than answers, but the one thing I know is this is something I will be looking into further.
Further reading
- Andreas, P., & Wallman, J. (September 01, 2009). Illicit markets and violence: what is the relationship?. Crime, Law and Social Change : an Interdisciplinary Journal, 52, 3, 225-229.
- Curwell, P. (2022). Understanding the risk of organised crime infiltration in your business
- Curwell, P. (2022). Applying the critical-path approach to insider risk management
- Donaker, G., Kim, H., & Luca, M. (2019). Designing Better Online Review Systems. Harvard Business Review, 97, 6, 122-122. https://hbr.org/2019/11/designing-better-online-review-systems
- Gates, M. (2020). An Unfair Advantage: Confronting Organized Intellectual Property Theft, Security Management, July 2020, https://www.asisonline.org/security-management-magazine/articles/2020/07/an-unfair-advantage-confronting-organized-intellectual-property-theft/
- Hackers League (2018). What is Surface Web, Deep Web and Dark Web?, Medium.com, https://medium.com/@hackersleague/what-is-surface-web-deep-web-and-dark-web-cdbaf71b30d5
- IFRS Foundation (2001). IAS 38 Intangible Assets, International Accounting Standards Board, Standard 2021 (updated), https://www.ifrs.org/issued-standards/list-of-standards/ias-38-intangible-assets/#about
- IP Australia (2022). Internal policies and employee theft in IP for Digital Business, Canberra, https://www.ipaustralia.gov.au/ip-for-digital-business/establish/internal-policies
- Juetten, M. (2014). Pay Attention To Innovation And Intangibles — They’re More Than 80% Of Your Business’ Value, Forbes Magazine, https://www.forbes.com/sites/maryjuetten/2014/10/02/pay-attention-to-innovation-and-intangibles-more-than-80-of-your-business-value/?sh=11b258da1a67
- Nasheri, H. (2005). Economic espionage and industrial spying. Cambridge, UK: Cambridge University Press.
- Wimmer, B (2015). Business Espionage: Risks, Threats and Countermeasures. Butterworth Heineman Elsevier Inc, Massachusetts.
DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.