The dark web has turned into a bustling marketplace for cybercriminals selling malicious software. What used to be a hidden corner of the internet is now a full-blown business where malware gets traded just like any regular product. If you’re into security research or IT, understanding how this stuff works isn’t optional anymore—it’s essential.
How These Marketplaces Actually Work
These dark web markets work surprisingly like Amazon or eBay. You’ve got vendor ratings, customer reviews, and yes, even customer support. Until mid-2025, Abacus Market was the king of Western darknet platforms. By 2024, it handled 70% of all Bitcoin transactions on Western darknet sites, processing over $100 million in Bitcoin alone. When you add in Monero payments, experts think the platform moved somewhere between $300 and $ 400 million in total.
But here’s where it gets interesting. In early July 2025, Abacus Market just vanished. Users started complaining about payment delays in late June, and within two weeks, daily deposits crashed from $230,000 to just $13,000. The admin, who went by “Vito,” blamed it on DDoS attacks and too many new users flooding in from Archetyp Market (which got shut down by police). But let’s be real—most people think Vito just ran off with everyone’s money. This is what happens when criminals do business with criminals.
Other markets like TorZon are still running, offering everything from malware and ransomware to DDoS services. The scary part? You don’t need to be a tech genius to use these sites. Anyone can browse, read reviews, and buy ready-to-use malware in minutes.
Malware-as-a-Service
Here’s where things get really worrying. There’s this whole thing called Malware-as-a-Service, or MaaS for short. Think of it like Netflix, except instead of movies, you’re subscribing to cybercrime tools. No coding skills needed—just pay your monthly fee and launch attacks.
Take “loaders” for example. These are programs that sneak other malware onto victim computers. Basic ones are cheap, but specialized versions average around $3,566. Stealer malware subscriptions go for about $1,024. The pricing looks just like normal software—basic plans, premium features, the whole deal.
Stealers
Information stealers have become increasingly popular over the past couple of years. These programs run silently in the background, grabbing your passwords, bank info, crypto wallet data, and personal files without you knowing.
Lumma and RisePro are two newer stealers that got big in 2024. Both focus heavily on stealing cryptocurrency. In 2025, a platform called “Russian Market” became one of the go-to spots for buying stolen credentials.
Here’s what makes stealers so dangerous: one infected computer can hand over hundreds of login credentials. These get bundled up and sold as “logs” on underground forums. Posts selling Redline stealer logs tripled from 370 per month in 2022 to 1,200 in 2023. We’re talking social media accounts, banking logins, everything—all organized and ready to use.
Police Crackdowns in 2025
Law enforcement has been busy. In June 2025, police from six countries took down Archetyp Market, which had been running since May 2020. Then in May 2025, Operation RapTor arrested 270 people across ten countries—targeting both sellers and buyers on dark web markets.
But here’s the thing: when one marketplace gets shut down, others just expand to fill the gap. When Archetyp got seized, Abacus Market saw monthly sales jump to $6.3 million in June 2025. Of course, that was right before it disappeared, taking everyone’s money with it.
Cryptors
As antivirus software gets better, criminals have fought back with “cryptors.” These tools disguise malware code so security programs can’t spot it. Basic cryptor subscriptions start at $100 per month, but high-end private versions can cost up to $20,000.
Vendors keep updating their cryptors to stay ahead of antivirus signatures. Some even guarantee their malware will stay “fully undetectable” for a certain time. If it gets caught, they’ll re-disguise it for you as part of your subscription.
Crypto Drainers
As more people got into cryptocurrency, criminals developed a new type of malware specifically designed to steal crypto. In 2024, researchers noticed a huge spike in “drainers”—tools designed to automatically empty cryptocurrency wallets, including tokens and NFTs.
These drainers often operate through fake websites that mimic real crypto platforms. The barrier to entry is low, but the potential payoff is massive, making this one of the fastest-growing malware types.
How They Spread This Stuff
Dark web sellers have gotten creative about distributing malware. “Black traffic schemes” stayed popular through 2024—basically, criminals run deceptive ads on regular websites that lead people to malicious pages. This shows how dark web threats have spilled over into the normal internet.
Attackers have even abused GitHub, a trusted platform that developers use. They’ve hidden the Lumma Stealer malware in GitHub comments, exploiting people’s trust in legitimate development sites.
The Big Picture
The numbers from 2025 are honestly terrifying. Dark web-related activities now generate about $3.2 billion globally each year. That’s not small change—we’re talking $1.1 billion from drug sales alone, $700 million from cybercrime-as-a-service platforms, and $520 million from fraud and scam services.
By March 2025, over 3 million people were accessing dark web platforms daily, with illegal websites making up about 60% of all domains. The Tor network saw its daily users jump from 2 million at the start of 2025 to over 3 million by March—that’s massive growth in just a few months.
In 2023, there were 880,418 internet crime complaints in the U.S. alone, resulting in $12.5 billion in losses—a 22% jump from 2022. And it’s only getting worse. Global cybercrime costs are projected to hit $10.5 trillion annually by 2025, making it one of the largest wealth transfers in history.
The dark web economy has become incredibly sophisticated. BlackSprut Market now dominates with a 28% market share, followed by Mega Darknet Market at 22%. These aren’t amateur operations—92% of major marketplaces now offer escrow and dispute resolution services, and 77% require vendors to pay license fees averaging $3,000. They’re basically running like Amazon at this point.
AI has also changed the game in 2025. AI-driven cybercrime tools are now involved in 32% of all dark web transactions. Over 11,000 AI-generated scam kits were sold in Q1 2025 alone. Criminals are using AI to create realistic phishing emails, deepfake identities, and even voice cloning services for phone fraud.
What Does This All Mean
The dark web malware market isn’t going anywhere—it’s growing. With Malware-as-a-Service making cybercrime accessible to anyone with an internet connection and some cryptocurrency, the problem’s only getting worse.
The bottom line? Malware used to require serious technical skills. Now it’s just another business model. Anyone can subscribe and start attacking. That should worry all of us.
For security professionals, understanding these marketplaces isn’t just interesting—it’s necessary for effective defense. The dramatic collapse of Abacus Market in 2025 shows both how big these operations have become and how unstable they are. Staying ahead means understanding how the criminals think, how their economy works, and how their tactics keep changing.