
Published on April 25, 2026


Top Dark Web Marketplaces 2026: Active Markets, Forums, and Telegram Channels

Verified 2025-2026 ranking of active and recently disrupted dark web marketplaces and forums. Sources: Chainalysis, TRM Labs, DOJ, Europol, FBI, DarkOwl, Flashpoint.

Arafat Afzalzada

Founder


TL;DR

Darknet marketplace activity stayed resilient through 2025 despite ten distinct enforcement events landing inside the year. Chainalysis's 2026 Crypto Crime Report measured aggregate DNM flows of nearly US$2.6 billion in 2025. The Russian-speaking five-largest markets (Mega, Kraken, BlackSprut, OMG!OMG!, Nova) processed about US$1.85 billion in Bitcoin during January to September 2025 alone per Global Ledger research; Kraken DNM handled US$1.3 billion of that. Western-facing DNMs took direct hits: Europol seized Archetyp Market on June 16, 2025 (600,000+ users, EUR 250M+ volume); Abacus Market vanished in early July 2025 in a likely exit-scam estimated at US$300-400M. Forums fared no better. The XSS administrator was arrested in Kyiv on July 22, 2025 after running a 50,000-member 12-year Russian-language forum. BreachForums went down via a claimed MyBB zero-day (April 2025), Paris arrests of ShinyHunters and three others (June 25, 2025), and an FBI domain seizure (October 2025). Operation Talent shut down Cracked + Nulled (January 30, 2025); the FBI seized RAMP (January 28, 2026). Currency mix is bifurcating: per TRM Labs, nearly 48% of newly launched 2025 markets support Monero exclusively, while established Russian-speaking markets stay in Bitcoin for liquidity after Binance's February 2024 XMR delisting. This post collects 80+ numeric and primary-publisher claims into a single 2026 reference for CISOs, fraud teams, threat intelligence analysts, journalists, and policy researchers.

Darknet marketplace activity stayed resilient through 2025 even as enforcement agencies landed ten distinct events inside the year. Chainalysis's 2026 Crypto Crime Report measured aggregate DNM flows of nearly US$2.6 billion in 2025, up from roughly US$2 billion in 2024. TRM Labs's July 2025 Abacus blog and the Europol announcement of the Archetyp takedown put hard numbers on the year's biggest two Western losses: Archetyp had over 600,000 registered users and at least EUR 250 million in transaction volume; Abacus held an estimated US$300 to US$400 million in total volume across Bitcoin and Monero. The supply chain restructured rather than collapsed, and the post-2022 lesson held: every shutdown forces migration, but the underlying demand finds a new home within weeks.

Three forces drove the 2025-2026 picture:

  • Russian-speaking ecosystem dominance. Per Global Ledger research summarized by Whale Alert, the five largest Russian-speaking DNMs (Mega, Kraken, BlackSprut, OMG!OMG!, Nova) processed US$1.85 billion in Bitcoin during January to September 2025; Kraken DNM alone handled approximately US$1.3 billion.

  • Forum reshuffling. The XSS forum administrator was arrested in Kyiv on July 22, 2025 after running a 50,000-member, 12-year forum. DarkForums grew 600% between April and June 2025 as it absorbed BreachForums refugees.

  • Currency divergence. TRM Labs measured nearly 48% of newly launched 2025 markets adopting Monero exclusively, while established Russian-speaking markets stayed Bitcoin-heavy to maintain fiat-onramp liquidity after the February 2024 Binance Monero delisting.

The data is for CISOs setting threat-intelligence priorities, fraud teams shaping detection rules, and journalists translating Tor activity into headline-ready stat lines.

This post is the Stingrai research team's canonical 2026 reference for the dark web marketplace landscape. It assembles 80+ numeric and structural claims from named primary publishers, including Chainalysis, TRM Labs, the US Department of Justice, the US Treasury Office of Foreign Assets Control (OFAC), Europol, Eurojust, the FBI, the FBI Internet Crime Complaint Center (IC3), DarkOwl, Flashpoint, Recorded Future / Insikt Group, Bitsight, Searchlight Cyber, ReliaQuest, ZeroFox, Trustwave SpiderLabs, Rapid7, Sekoia.io, Krebs on Security, Elliptic, the Tor Project, Comparitech, the World Economic Forum, and Global Ledger. Lead data is full-year 2024 and 2025 telemetry where the publisher has reported it; the Chainalysis 2026 Crypto Crime Report (released February 2026, covering full-year 2025), the TRM Labs Abacus and Archetyp blogs (July 2025 and June 2025), and the DarkOwl 2025 dark-web year-in-review (December 2025) are the freshest available; primary publishers have not yet released full-year 2026 retrospectives as of April 2026, so any 2026 figures cited reference Q1 events with explicit dates. Every figure carries its source, year, and methodology window so any claim can be audited inline. For per-item dark-web pricing of cards, fullz, stealer logs, and access listings see Stingrai's complementary Dark Web Data Pricing 2026; for the deanonymization, financial tracing, and infiltration methods that produced these seizures see How Law Enforcement Tracks Dark Web Criminals; and for the credential-economy mechanics that feed stealer-log markets like Russian Market and 2easy see Compromised Credential Statistics 2026.

TL;DR: 12 labeled key data points

  • Aggregate darknet marketplace flow (Chainalysis 2026, FY 2025): nearly US$2.6 billion in on-chain DNM flows (Chainalysis 2026 Crypto Crime Report).

  • Russian-speaking five-largest DNMs (Mega + Kraken + BlackSprut + OMG!OMG! + Nova), Jan to Sep 2025: US$1.85 billion in Bitcoin via 20+ centralized exchanges holding 130+ international licenses (Global Ledger via Whale Alert).

  • Kraken DNM 2024 inflows + 2025 BTC handled: US$737 million in 2024 (+68% YoY); approximately US$1.3 billion in BTC during Jan to Sep 2025 (Chainalysis darknet markets 2025; Global Ledger via Whale Alert).

  • Archetyp Market scale at June 16, 2025 takedown: over 600,000 registered users, at least EUR 250 million in transaction volume, eight arrests, EUR 7.8 million in asset seizures (Europol announcement; Eurojust release).

  • Abacus Market exit-scam estimate, early July 2025: US$300 to US$400 million in total volume across Bitcoin and Monero, with up to ~75% of sales settling in XMR (TRM Labs).

  • XSS forum at July 22, 2025 admin arrest: more than 50,000 registered users, 12-year run since 2013, approximately EUR 7 million in profits earned by the administrator (Europol announcement; The Hacker News).

  • DarkForums activity surge, April to June 2025: +600% growth, accumulating 12,700+ members as it absorbed the BreachForums English-language audience (DarkOwl 2025 year in review; SiliconAngle on the post-BreachForums migration).

  • BidenCash carding marketplace lifetime, at June 2025 takedown: US$17 million in revenue, 117,000+ customers, over 15 million payment cards traded since 2022, 145 domains seized, plus a 3.3 million record free-promotional card dump in October 2022 to February 2023 (CoinDesk on DOJ + Secret Service; BleepingComputer).

  • Operation Talent (Cracked + Nulled) outcomes, January 30, 2025: Nulled had over 5 million users, 43 million+ posts, ~US$1 million annual revenue; 17 servers + 50+ devices + ~EUR 300,000 cash and crypto seized (DOJ press release).

  • Russian Market H1 2025 inventory: approximately 30,000 bots offered for sale per month, over 180,000 infostealer logs total in H1 2025; standard bot price around US$10 (Rapid7 Labs).

  • New 2025 markets adopting Monero exclusively: nearly 48% of newly launched DNMs (TRM Labs Monero in 2025 report).

  • Cybercrime-focused Telegram groups and channels: over 50,000, with usage by cybercriminals up more than 100% YoY; over 14 million groups and channels were blocked by Telegram in H1 2025 alone (Broadchannel summary referencing Trustwave + UNODC).

Methodology

Sources used: Chainalysis 2026 Crypto Crime Report (February 2026, FY 2025 data), Chainalysis 2025 darknet markets report, and the Chainalysis OFAC Hydra and Garantex blog; TRM Labs blogs on Abacus exit-scam (July 2025), Archetyp takedown (June 2025), Garantex and Grinex and the A7A5 token (March and August 2025), and Monero in 2025; US Department of Justice press releases on Cracked + Nulled (January 30, 2025), BidenCash (June 5, 2025), and the BreachForums founder resentencing (September 16, 2025); US Treasury OFAC press releases JY0701 (Hydra and Garantex sanctions, April 5, 2022), JY1388 (Genesis Market, April 5, 2023), and SB0225 (Grinex and A7A5, August 14, 2025); Europol announcements on Archetyp (June 16, 2025), the XSS forum (July 22, 2025), Operation Endgame (May 30, 2024 plus Season 2 May 2025); the Eurojust release on Archetyp; FBI press releases on Genesis Market (Operation Cookie Monster), BreachForums seizures, RAMP (January 28, 2026), and the FBI Internet Crime Complaint Center 2024 Internet Crime Report; DarkOwl's 2025 dark-web year-in-review and Q1 2026 product update; Flashpoint 2025 Global Threat Intelligence Report and the Flashpoint blog on 2easy; Recorded Future / Insikt Group's Dark Covenant 3.0 report (October 23, 2025); Bitsight State of the Underground 2025; Searchlight Cyber's 2025 ransomware report and Cerberus marketplace module; Rapid7 Labs on Russian Market (December 2025) and the Rapid7 IAB H2 2025 update; Krebs on Security on the XSS arrest, Cracked + Nulled, and Incognito Market sequence; Elliptic on Solaris; the Tor Project blog and Tor Metrics; Comparitech on the leaked RAMP database; the World Economic Forum coverage of Operation Cookie Monster; and Global Ledger research summarized by Whale Alert.

Date cutoff: April 25, 2026. Lead data is full-year 2024 or 2025 telemetry where a primary publisher has released it. The Chainalysis 2026 Crypto Crime Report and the DarkOwl 2025 year-in-review are the most-recent publisher feeds. No full-year 2026 retrospectives exist yet, so 2026 figures cited cover only specific named operations with explicit dates (RAMP, January 28, 2026). Statistics that could not be reached on at least one verification pass against a named primary source were dropped rather than estimated. Where aggregator publications report on a primary source, the post links to the aggregator only when the primary report is paywalled or when the aggregator is the public record of a price tag, member count, or transaction figure that the primary publisher has not republished in a structured way.

Figure 1: Darknet marketplace aggregate on-chain flow, 2021 to 2025 (USD billions). The 2022 Hydra seizure halved aggregate volume; 2025 closed at about US$2.6B despite ten distinct enforcement events. Source: Chainalysis Crypto Crime Reports 2022, 2023, 2024, 2025, 2026; the 2021 figure triangulates from Hydra holding approximately 75% of global DNM revenue at US$1.7 billion in 2021.

Headline marketplaces in 2026

The dark web marketplace catalog in 2026 splits into five layers: Russian-speaking drug DNMs, Western-facing drug DNMs, stealer-log and credential markets, carding shops, and cybercrime forums. Each layer obeys its own structural logic, so collapsing them into one ranked list (the typical aggregator approach) hides the 2025 story.

Russian-speaking drug DNMs

The post-Hydra Russian-speaking ecosystem is the dominant slice of the 2026 marketplace economy by on-chain volume. Global Ledger research traced US$1.85 billion in Bitcoin from the five largest markets into at least 20 centralized exchanges with 130+ international licenses during January to September 2025. Chainalysis's 2026 report names Kraken, OMG!OMG!, Mega, and Blacksprut as the four most active platforms in the Russian-speaking synthetic-substances trade.

| Marketplace | Status (April 2026) | Headline metric | Source |
|---|---|---|---|
| Kraken DNM | Active | US$737M on-chain in 2024 (+68% YoY); US$1.3B BTC Jan-Sep 2025 | Chainalysis 2025 darknet markets; Global Ledger / Whale Alert |
| BlackSprut | Active | US$344M BTC Jan-Sep 2025; -13.6% YoY in 2024 | (same sources) |
| Mega | Active but contracting | 2024 inflows down 50%+ YoY; ~1.086 BTC incoming + 1.089 BTC outgoing in 2025 wallet activity | (same sources) |
| OMG!OMG! | Active | Launched 2021; over 1,000 listings; serves international audience | Chainalysis 2026 |
| Nova | Active | Russian-speaking late entrant in the five-largest Jan-Sep 2025 set | Global Ledger / Whale Alert |

Kraken DNM billed itself as Hydra's successor, and the 2024-2025 numbers vindicate the claim. Per Chainalysis, Kraken DNM received US$737 million on-chain in 2024, a 68% YoY rise; by the September 2025 cut-off in Global Ledger's study it had handled approximately US$1.3 billion. The hostile-takeover history is part of the lore: Kraken hacked Solaris on Friday, January 13, 2023, taking over a US$150 million Russian-language market.

Western-facing drug DNMs

The Western slice of the marketplace economy has been disproportionately impacted by enforcement. Two of 2025's three biggest takedowns landed here.

| Marketplace | Status (April 2026) | Headline metric | Source |
|---|---|---|---|
| TorZon | Active (post-Abacus successor) | Dominant Western-facing DNM; supports BTC + XMR + LTC | Chainalysis 2026 Crypto Crime Report |
| Abacus Market | Closed (likely exit scam) | Approximately US$300M to US$400M total volume; about 75% of sales in XMR | TRM Labs |
| Archetyp Market | Seized (June 16, 2025) | Over 600,000 registered users; at least EUR 250 million transaction volume; 8 arrests; EUR 7.8M assets seized; 5 years operating | Europol |

Archetyp Market was the longest-running Western-facing DNM at takedown, operating for over five years from May 2020. The Eurojust-coordinated operation on June 11-13, 2025 deployed approximately 300 officers across six countries. Archetyp accepted Monero only; the 30-year-old administrator was arrested in Spain alongside seven other suspects.

Abacus Market disappeared in early July 2025 days after Archetyp. TRM Labs measured average daily Abacus deposits of US$230,000 across 1,400 transactions during June 1-27, 2025, then a sudden drop to US$13,000 across just 100 deposits during June 28 to July 10, 2025. TRM's US$300-400 million total-volume estimate accounts for approximately 75% of sales settling in Monero plus about US$100 million in Bitcoin volume measured directly on-chain. Chainalysis tracked Abacus 2024 BTC inflows at US$43.3 million, +183.2% YoY.

TorZon emerged as the named successor in Chainalysis's 2026 report, supporting Monero (0.5% fee), Bitcoin (2% with integrated CoinJoin mixing), and Litecoin. The mixed-currency stance keeps BTC liquidity for buyers while offering XMR for privacy.

Stealer-log and credential markets

Stealer logs are the raw material of the credential economy. Two markets dominate the retail tier in 2026.

Russian Market is the dominant darknet marketplace for stolen credentials. Per Rapid7 Labs, Russian Market emerged in early 2020 (some sources date its first appearance to February 2019). H1 2025 metrics tracked by Rapid7:

  • Approximately 30,000 bots offered for sale per month.

  • Over 180,000 infostealer logs offered in H1 2025.

  • Standard bot price around US$10, in a historical range of US$1 to US$100.

  • US-origin bot share: 26%. Argentina-origin bot share: 23%.

  • Top three vendors held nearly 70% of all bot listings since 2021. The H1 2025 leaders were "Nu####ez" 38%, "bl####ow" 24%, "Mo####yf" 19%.

  • Infostealer families: Raccoon, Vidar, Lumma, RedLine, StealC. Rhadamanthys and Acreed gained share in H1 2025.

2easy.shop is the long-running competitor. Per BleepingComputer's reporting, 2easy launched in 2018 (with significant volume from 2020) and lists stealer logs from RedLine, Raccoon, and Vidar at prices as low as US$5 per log. Per Flashpoint's blog, 2easy's operations ceased in mid-January 2025 and the marketplace was inactive a month later, before posting a return announcement on March 22, 2025. Russian Market and 2easy together dominate credential sales, and stealer logs and credentials now appear on Telegram channels within hours of theft.

For the credential-economy mechanics behind these markets, including the 2.9 billion unique compromised credentials Bitsight tracked in 2024, see Stingrai's Compromised Credential Statistics 2026; for per-log retail prices and PhaaS subscriptions see Dark Web Data Pricing 2026.

Carding shops

The carding tier has been heavily disrupted across 2024-2025. BidenCash was the most prominent recent takedown.

| Carding shop | Status (April 2026) | Headline metric | Source |
|---|---|---|---|
| BidenCash | Seized June 5, 2025 | US$17M revenue, 117K+ customers, 15M+ payment cards traded since 2022; 145 domains seized | CoinDesk on DOJ + Secret Service |
| Brian's Club | Active with repeated disruption | Domain churn through 2025; status unclear across mirrors | aggregator reports (no fresh primary publisher) |
| Russian Market | Active | Note: covers stealer logs primarily, also lists card data | Rapid7 Labs |

The BidenCash takedown was led by the US Secret Service's Frankfurt Resident Office and Cyber Investigative Section, with the FBI's Albuquerque Field Office, Dutch National High Tech Crime Unit, Shadowserver Foundation, and Searchlight Cyber. The US Treasury blacklisted 44 Bitcoin and 5 Monero addresses linked to the operator, which had received over US$850,000. Notable promotional history: BidenCash released 3.3 million stolen credit card records for free between October 2022 and February 2023 to advertise its inventory.

Cybercrime forums

The forum tier is where credentials, RaaS deals, IAB listings, and zero-day brokerage transact. 2025 was its hardest year on record.

| Forum | Status (April 2026) | Headline metric | Source |
|---|---|---|---|
| DarkForums | Active and growing | +600% activity surge April-June 2025; 12,700+ members; absorbed BreachForums | DarkOwl 2025 year-in-review |
| XSS | Disrupted (admin arrested July 22, 2025) | 50,000+ members; 12-year run since 2013; admin earned ~EUR 7M | Europol announcement |
| Exploit | Active | Russian-language; founded 2005 as Hack-All; oldest active forum | Flare on Exploit |
| RAMP | Seized January 28, 2026 | US$500 entry fee or XSS/Exploit account vouching; 333 access threads + 60 RaaS threads in leaked DB | Comparitech; Infosecurity Magazine on FBI seizure |
| BreachForums | Repeatedly seized; latest October 2025 | Founded March 2022 by Conor Brian Fitzpatrick (pompompurin); DOJ filings cite 888+ datasets and 14B+ records | Wikipedia on BreachForums; SecurityWeek on Fitzpatrick resentencing |

The BreachForums saga is the most-read forum story of the past three years. Conor Brian Fitzpatrick founded BreachForums in March 2022 at age 19 as "pompompurin". His March 2023 arrest transferred ownership to ShinyHunters, then Baphomet, then ShinyHunters again. The forum was seized in June 2023 and again in May 2024. In April 2025 administrators published a PGP-signed statement claiming a MyBB zero-day takedown. The June 25, 2025 Paris arrests took down four BreachForums actors. On September 16, 2025 Fitzpatrick was resentenced to three years. In October 2025 the FBI seized the latest clearnet domain after ShinyHunters revived the forum for a Salesforce-leak portal.

The XSS forum disruption was the most consequential single-arrest event of 2025. Europol's announcement put XSS at more than 50,000 users and a 12-year run since 2013. The 38-year-old administrator, alleged to have nearly 20 years in cybercrime, earned approximately EUR 7 million in advertising and facilitation fees. He allegedly also ran thesecure.biz, a private messaging platform built for cybercriminals.

RAMP, the Russian Anonymous Marketplace, operated from August 2021 until the FBI seizure on January 28, 2026. Per CloudSEK and the Comparitech leaked-database review, entry required either an existing XSS or Exploit account with 2+ months tenure plus 10+ posts and a positive reputation, or a US$500 registration fee. The leaked database held 333 threads offering compromised network access and 60 threads in the RaaS section with affiliate splits as high as 90%. Continuous-presence groups included DragonForce, Qilin, Medusa, GLOBAL Group, Eldorado, and LockBit. Rapid7's H2 2025 IAB update measured RAMP's average IAB base price at approximately US$6,400.

Figure 2: Active and recently disrupted dark web marketplaces and forums, grouped by primary product class. Status reflects April 2026. Russian-speaking DNMs in deep red; Western-facing DNMs in orange; stealer-log + credential markets in mid-blue; carding shops in navy; cybercrime forums in dark blue. Sources: Chainalysis Crypto Crime Reports 2025 + 2026; TRM Labs blogs on Abacus + Archetyp + Garantex; DOJ + Europol + Eurojust press releases; Rapid7 IAB H2 2025; DarkOwl 2025 year-in-review; Searchlight Cyber 2025 ransomware report.

The seizure and exit-scam timeline, 2017 to 2026

Nineteen named operations have hit the dark web marketplace and forum economy since 2017. The cadence accelerated through 2025; ten distinct enforcement events landed inside the year.

Figure 3: Vertical timeline of major dark web marketplace and forum seizures, exit scams, and disruptions, 2017 to 2026. Sources: DOJ + Europol + Eurojust + Treasury OFAC + FBI press releases for each named operation; Chainalysis darknet markets reports; Krebs on Security; TRM Labs Abacus blog; DarkOwl 2025 year-in-review.

2017: AlphaBay, Hansa, Operation Bayonet

AlphaBay was shut down on July 4, 2017 with over 200,000 customers and 40,000 vendors, ten times larger than Silk Road. Founder-administrator Alexandre Cazes (alias "Alpha02") was arrested by Thai authorities on July 5, 2017. Hansa was the companion takedown: Dutch police ran it as a sting through July 19/20, 2017, while the userbase grew from 1,000 to 8,000 vendors per day as AlphaBay refugees migrated in. Authorities collected evidence on 27,000 illegal transactions plus approximately 10,000 buyer addresses outside the Netherlands.

2021-2022: Slilpp and Hydra

Slilpp was seized on June 10, 2021. Active since 2012, it offered over 80 million records of stolen credentials from more than 1,400 victim providers, with at least US$200 million in US losses tied to credentials bought there.

Hydra Market was the largest darknet market in history at the April 5, 2022 OFAC sanction and German BKA server seizure: approximately US$5.2 billion in cryptocurrency since 2015, 17 million customers, 19,000+ vendor accounts. German Federal Criminal Police seized US$25 million worth of bitcoin. Per Chainalysis, Hydra alone received US$1.7 billion in 2021 and represented over 75% of global darknet market revenue.

2023: Genesis Market and hostile-takeover wars

Operation Cookie Monster shut down Genesis Market on April 4-5, 2023. Launched in 2018, Genesis offered access to data stolen from over 1.5 million compromised computers containing over 80 million account access credentials, with at least US$8.7 million in revenue and over 450,000 bots for sale at the time of takedown. The operation produced 119 arrests, 208 property searches in 13 nations, and 11 domain seizures across 17 countries.

On Friday, January 13, 2023, Kraken DNM hacked Solaris, taking over the infrastructure of an approximately US$150 million Russian-language market and redirecting all traffic. Earlier, in October 2022, Solaris had paid pro-Kremlin hacker collective Killnet ~US$50,000 for a DDoS attack against rival forum RuTor.

2024: Operation Endgame and Incognito Market

Operation Endgame, Europol's "largest ever operation against botnets," ran May 27-29, 2024, targeting IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot droppers. Outcomes: four arrests, 100+ servers across 10 countries, 2,000+ domains seized. One main suspect had earned at least EUR 69 million in cryptocurrency renting infrastructure. Season 2 launched May 23, 2025.

Incognito Market exit-scammed in March 2024, with admin "Pharoah" disappearing with an estimated US$10+ million in BTC and Monero, then attempting to coerce additional payments by threatening to leak 557,000 orders and 862,000 transaction IDs. Founder Rui-Siang Lin was sentenced to 30 years in 2025.

2025: Operation Talent through the XSS arrest

The 2025 calendar reads as a sustained enforcement push:

| Date | Event | Outcome |
|---|---|---|
| Jan 30, 2025 | Operation Talent (Cracked + Nulled) | 17 servers + 50+ devices + EUR 300K cash and crypto seized; Lucas Sohn charged (DOJ) |
| Mar 6-7, 2025 | Garantex domain seizure + DOJ indictments | Aleksandr Mira Serda + Aleksej Besciokov indicted; US$26M crypto frozen (Chainalysis) |
| Apr 28, 2025 | BreachForums (claimed MyBB 0-day) | Forum administrators announced closure (DarkOwl) |
| May 21, 2025 | Lumma stealer takedown | Microsoft + Europol + DOJ (Microsoft Security blog) |
| Jun 5, 2025 | BidenCash | 145 domains seized; Treasury blacklisted 44 BTC + 5 XMR addresses (CoinDesk) |
| Jun 16, 2025 | Archetyp Market | 600K+ users, EUR 250M+ volume; 8 arrests; EUR 7.8M assets seized (Eurojust) |
| Jun 25, 2025 | BreachForums Paris arrests | ShinyHunters, Hollow, Noct, Depressed arrested; IntelBroker indicted (SiliconAngle) |
| Early July 2025 | Abacus Market | Likely exit scam; US$300-400M total volume estimate (TRM Labs) |
| Jul 22, 2025 | XSS forum administrator | 50K+ members; 12-year forum; ~EUR 7M earned by admin (Europol) |
| Aug 14, 2025 | Grinex (Garantex successor) | OFAC sanctions on Grinex + A7A5 ruble-backed token (Treasury OFAC) |
| Sep 16, 2025 | Conor Fitzpatrick resentencing | 3 years federal prison (SecurityWeek) |
| Oct 2025 | BreachForums clearnet domain | FBI seizure of Salesforce-leak portal (TechNadu on FBI) |

Each event was followed by displaced demand finding a new home. After BreachForums took its April hit, DarkForums absorbed the English-language audience, surging 600% in members between April and June. After Archetyp closed, vendors migrated to Abacus and TorZon; after Abacus exited, vendors migrated to TorZon. The pattern is consistent: shutdowns concentrate activity but rarely reduce supply. For the deanonymization, financial tracing, and infiltration methods that produced these seizures, see How Law Enforcement Tracks Dark Web Criminals.

2026: RAMP

The first major 2026 marketplace event landed on January 28, 2026 when the FBI seized RAMP in a multinational operation. RAMP had remained one of the most-vetted forums in the ecosystem, with the US$500 entry barrier and the XSS or Exploit corroboration requirement filtering out most researchers. The seizure confirmed that operational vetting plus paid-entry barriers do not stop multinational law enforcement collaboration when targets become high-priority enough to warrant the resources.

Currency mix in 2025-2026

The 2025 currency mix is bifurcating.

Figure 4: Currency mix on new darknet markets launched in 2025. Nearly 48% adopted Monero exclusively; 52% supported Bitcoin or mixed. Sources: TRM Labs Monero in 2025; Chainalysis 2026 Crypto Crime Report; Global Ledger via Whale Alert; CryptoSlate on Archetyp Monero-only.

XMR adoption in new markets. Per TRM Labs, nearly 48% of newly launched darknet markets in 2025 support Monero exclusively. Monero offers built-in privacy through ring signatures, stealth addresses, and confidential transactions; unlike Bitcoin, Monero hides sender, receiver, and amounts by default.

BTC retention in established markets. Chainalysis tracked established markets reverting to Bitcoin after liquidity pressure: Binance delisted XMR in February 2024; OKX delisted XMR plus DASH and ZEC at the end of 2023. The five-largest Russian-speaking DNMs moved US$1.85 billion in BTC during January to September 2025 into 20+ centralized exchanges with 130+ international licenses.

Monero-only on Western drug DNMs. Archetyp accepted Monero only and was described as the world's largest XMR-only DNM at takedown. Abacus settled approximately 75% of sales in Monero per TRM Labs. The split reflects market priorities: Russian-speaking markets choose accessibility through licensed exchanges; Western-facing markets choose anti-tracing because their threat model centers on multinational enforcement.

Russian vs Western language ecosystems

The aggregate marketplace economy splits roughly into Russian-speaking and Western-facing slices, plus a small remainder.

Figure 5: Darknet market BTC flows by language ecosystem, 2023, 2024, and Jan-Sep 2025 (USD billions). The Russian-speaking ecosystem grew while the Western-facing slice contracted further after Archetyp + Abacus shutdowns mid-2025. Sources: Chainalysis 2025 darknet markets report; Global Ledger research summarized by Whale Alert; TRM Labs on Abacus exit-scam; Eurojust on Archetyp.

Russian-speaking ecosystem characteristics. The five largest DNMs (Mega + Kraken + BlackSprut + OMG!OMG! + Nova) handle the bulk of on-chain BTC volume. Market governance is informal but strong: Kraken DNM carried out a hostile takeover of Solaris in January 2023; markets DDoS each other through proxy hacker collectives. The forum tier is gatekept (XSS, Exploit, RAMP all require vetting or paid entry). Money laundering runs through specialized exchanges (Garantex, Grinex) plus licensed exchanges that have been the focus of recent OFAC actions. Recorded Future / Insikt Group's "Dark Covenant 3.0" (October 23, 2025) tracks an evolving "controlled impunity" framework between Russia-based threat actors and the state, with multiple ransomware-impersonator groups (RebornVC, Babuk 2.0, Bjorka Spirit, GD LockerSec, FunkSec, Dispossessor, Rabbit Hole) emerging in 2024-2025.

Western-facing ecosystem characteristics. The marketplace tier is concentrated in fewer, larger entities; TorZon dominates post-mid-2025. The forum tier is more porous and more enforcement-vulnerable: BreachForums has been repeatedly seized; DarkForums fills the vacuum, but its administrators, "AnonOne" and "Knox", lack the operational sophistication of predecessors. The currency mix leans XMR: Archetyp was XMR-only; Abacus was 75% XMR; TorZon supports BTC + XMR + LTC.

The Telegram economy

A growing slice of cybercrime activity has migrated to Telegram. Trustwave research summarized by Broadchannel measures over 50,000 cybercrime-focused groups and channels on Telegram, with usage by cybercriminals growing more than 100% YoY. Telegram itself blocked over 14 million groups and channels in H1 2025 alone. The migration is partly enforcement-driven: dark web shutdowns push displaced demand toward platforms that combine end-to-end-encrypted DMs with public-channel broadcasting.

The most consequential Telegram-native segment is Chinese-language guarantee markets. Per Chainalysis 2026, Chinese-language Telegram fraud networks process larger transfers than their Russian counterparts, indicating wholesale-focused operations. Examples named by Chainalysis: Xinbi Guarantee and Haowang/Huione Guarantee, processing tens of billions of dollars in crypto fraud transactions with individual channels showing tens of thousands of members. Stealer logs and credentials surface on Telegram channels within hours of theft, faster than equivalent listings on Russian Market or 2easy.

Tor network usage in 2025

The Tor network underpins most non-Telegram dark web markets. Per the Tor Project metrics and the project's blog summaries, Tor served approximately 2 to 3 million daily direct users during 2025; some periods saw daily users grow from ~2 million at the start of 2025 to over 3 million by March 2025. As of July 2025, the Tor network ran approximately 8,000 active relays. Of those daily users, the majority browse regular websites via Tor rather than .onion sites. Hidden-service engagement is the smaller slice.

Searchlight Cyber's Cerberus tooling provides one of the larger live trackers of marketplace activity. As of the March 2025 product update, the module covered data on 140 marketplaces. Of those:

  • 76% sell drugs.

  • 49% sell stolen credit card data.

  • 11% sell weapons.

  • 51% ship to the United Kingdom.

  • 49% ship to the United States.

  • 45% ship to France.

Searchlight's 2025 ransomware report tracked 94 ransomware groups listing victims in 2024, a 38% YoY increase, with 49 newly observed groups inside the year.

Forward outlook

Primary publishers have been cautious about projecting 2026 marketplace volume. Chainalysis's 2026 report describes the marketplace economy as "increasingly interconnected through wholesale relationships," with markets functioning as suppliers to other DNMs rather than retail endpoints alone, implying aggregate flow will hold near 2025 levels even if individual marketplaces fall. The ENISA Threat Landscape 2025 (4,875 incidents analyzed July 2024 to June 2025) calls the underground ecosystem resilient: "displaced or disrupted RaaS brands will continue to be promptly replaced by emerging programmes." Confident expectations: Russian-speaking dominance by on-chain volume; new market launches tilting further toward Monero-only; Telegram absorbing fraud displaced from shutdowns; forum-level OPSEC tightening further in response to the XSS, BreachForums, and RAMP losses.

What this means for defenders

  • Track marketplace migration paths, not individual marketplaces. The 2025 takedowns demonstrate that any single marketplace will be displaced within weeks; threat-intelligence pipelines that chase a specific URL or .onion address miss the structural signal. Track displacement events (forum migration, vendor-base re-emergence, escrow-volume shifts) instead.

  • Watch the Russian-speaking BTC off-ramps. US$1.85 billion in BTC moved from five DNMs into 20+ exchanges holding 130+ licenses in nine months of 2025. The off-ramp surface is narrower than the marketplace surface; KYC enforcement at exchange level remains the most leveraged disruption point.

  • Treat Telegram as a primary monitoring surface. Stealer logs and credentials surface on Telegram within hours of theft. Compromised-credential exposure for a specific company is more likely to appear on Telegram than on Russian Market or 2easy.

  • Stress-test pentest cadence to match the IAB market. Rapid7's H2 2025 update reported the average IAB base price climbing from US$2,726 in 2024 to US$113,275 in H2 2025. The IAB-to-ransomware pipeline is feeding corporate-network footholds at scale; defensive cadence needs to clear access claims before they hit the brokerage tier. Stingrai's PTaaS service and external network pentest engagements are designed for this cadence; for methodology see Penetration Testing Methodologies.

  • Hardening order: identity, then network, then endpoint. Stealer logs are the single largest credential-economy input. See Compromised Credential Statistics 2026 for identity-hardening interventions and Phishing Statistics 2026 for the AiTM PhaaS economy that converts logs into post-MFA sessions.

Frequently Asked Questions

What is the largest dark web marketplace in 2026?

Among Western-facing drug DNMs, Chainalysis's 2026 Crypto Crime Report names TorZon as the dominant marketplace following Abacus's July 2025 exit-scam and Archetyp's June 2025 seizure. Among Russian-speaking DNMs, Kraken DNM handled approximately US$1.3 billion in Bitcoin during January to September 2025 alone per Global Ledger / Whale Alert, making it the largest single marketplace by on-chain volume. The five largest Russian-speaking DNMs in aggregate (Kraken, Mega, BlackSprut, OMG!OMG!, Nova) handled US$1.85 billion in BTC during the same period.

Is BreachForums still active in 2026?

BreachForums has been seized multiple times. The most recent FBI domain seizure was in October 2025 after a Salesforce-leak extortion portal revival. A successor forum, DarkForums, has absorbed most of the English-language audience and grew 600% between April and June 2025 to over 12,700 members. Founder Conor Brian Fitzpatrick was resentenced on September 16, 2025 to three years in federal prison. Several BreachForums actors operating under the aliases ShinyHunters, Hollow, Noct, and Depressed were arrested in Paris on June 25, 2025.

What share of darknet markets accept Monero in 2025?

Per TRM Labs's 2025 review, nearly 48% of newly launched darknet markets in 2025 support Monero exclusively. At the same time, Chainalysis observed many established markets returning to Bitcoin after Binance's February 2024 delisting of XMR reduced fiat-onramp liquidity for the privacy coin.

How big was Hydra Market before its 2022 seizure?

Hydra Market received approximately US$5.2 billion in cryptocurrency from 2015 until its April 5, 2022 seizure. It served 17 million customers and 19,000+ vendor accounts. Per Chainalysis, Hydra alone received US$1.7 billion in 2021, representing over 75% of global darknet market revenue that year. German Federal Criminal Police seized US$25 million worth of bitcoin during the takedown; the US Treasury OFAC simultaneously sanctioned the platform.

Which dark web forums are still active in 2026?

Active in April 2026: DarkForums (English-language, post-BreachForums successor; 12,700+ members), Exploit (Russian-language; founded 2005; oldest active major forum), and a number of smaller successors to Cracked + Nulled (seized January 30, 2025). XSS has been disrupted since the July 22, 2025 administrator arrest in Kyiv and trust on the platform has eroded. RAMP was seized by the FBI on January 28, 2026. BreachForums has been seized repeatedly (most recently October 2025).

How does Archetyp Market compare to Abacus and TorZon?

Archetyp Market was the longest-running Western-facing DNM at the time of its June 16, 2025 seizure, with over five years of operation, more than 600,000 registered users, and at least EUR 250 million in transaction volume. It accepted Monero only. Abacus Market was the largest Bitcoin-enabled Western DNM with an estimated US$300 million to US$400 million in total volume (about 75% in XMR) at the time of its July 2025 likely exit-scam. TorZon has emerged as the post-Abacus successor and is the dominant Western-facing DNM in early 2026; it supports Bitcoin (with integrated CoinJoin mixing), Monero, and Litecoin.

What is the difference between dark web marketplaces and forums?

Marketplaces transact specific products: drugs, cards, fullz, stealer logs, IAB listings, drainer kits. They charge transaction fees and operate escrow systems. Examples: Kraken DNM, BlackSprut, Abacus, Archetyp, Russian Market, 2easy, BidenCash. Forums are gathering points for credential brokers, IAB sellers, RaaS operators, exploit traders, and reputation-building among threat actors. They monetize through advertising, vouching fees, and access-tiered membership. Examples: BreachForums, DarkForums, XSS, Exploit, RAMP. Some platforms blend the two: BidenCash had a forum component; BreachForums had a leak-trading marketplace component. The structural difference is that marketplaces concentrate transactional risk while forums concentrate reputational risk.

Where do users go after a marketplace seizure?

Migration patterns are predictable. After Hansa was seized as a sting in 2017, its userbase was growing from 1,000 to 8,000 vendors per day, driven by AlphaBay refugees. After Hydra fell in 2022, the Russian-speaking ecosystem rebuilt around Mega, Kraken, BlackSprut, and OMG!OMG!. After BreachForums was seized in April 2025, DarkForums absorbed the English-language audience. After Archetyp closed in June 2025, vendors migrated to Abacus and TorZon. After Abacus exited in July 2025, vendors migrated to TorZon alone. Each shutdown concentrates activity rather than reducing supply. For the operational details of each named operation, see How Law Enforcement Tracks Dark Web Criminals.

References

  1. Chainalysis. Drugs and Darknet Markets: 2026 Crypto Crime Report. February 2026. https://www.chainalysis.com/blog/crypto-drug-sales-darknet-markets-2026/. Aggregate DNM flows in 2025; named active platforms.

  2. Chainalysis. Darknet Market and Fraud Shop BTC Revenues Decline Amid Years-Long International Law Enforcement Disruption. 2025. https://www.chainalysis.com/blog/darknet-markets-2025/. 2024 DNM BTC inflows; Kraken DNM revenue; Abacus 2024 figures.

  3. Chainalysis. OFAC Sanctions Hydra Following Shutdown of the Darknet Market. April 2022. https://www.chainalysis.com/blog/hydra-garantex-ofac-sanctions-russia/. Hydra 2021 receipts; share of global DNM revenue.

  4. TRM Labs. Abacus Market Conducts Likely Exit Scam Amid Increasingly Unstable Western Darknet Marketplace Landscape. July 2025. https://www.trmlabs.com/resources/blog/abacus-market-conducts-likely-exit-scam-amid-increasingly-unstable-western-darknet-marketplace-landscape. Abacus daily deposit figures; XMR share; volume estimate.

  5. TRM Labs. Europol Leads International Takedown of Longest Running Darknet Market Archetyp. June 2025. https://www.trmlabs.com/resources/blog/europol-leads-international-takedown-of-longest-running-darknet-market-archetyp. Archetyp scale and law enforcement details.

  6. TRM Labs. Monero in 2025: Persistent Use and Emerging Network-Layer Insights. 2025. https://www.trmlabs.com/resources/blog/monero-in-2025-persistent-use-and-emerging-network-layer-insights. 48% XMR-only adoption on 2025 new markets.

  7. US Department of Justice. Cracked and Nulled Marketplaces Disrupted in International Cyber Operation. January 30, 2025. https://www.justice.gov/opa/pr/cracked-and-nulled-marketplaces-disrupted-international-cyber-operation. Operation Talent details; Nulled metrics.

  8. US Treasury OFAC. Treasury Sanctions Russia-Based Hydra, World's Largest Darknet Market, and Ransomware-Enabling Virtual Currency Exchange Garantex. April 5, 2022. https://home.treasury.gov/news/press-releases/jy0701. Hydra customers, vendors, revenue.

  9. US Treasury OFAC. Treasury Sanctions Cryptocurrency Exchange and Network Enabling Sanctions Evasion and Cyber Criminals. August 14, 2025. https://home.treasury.gov/news/press-releases/sb0225. Grinex and A7A5 sanctions.

  10. Europol. Largest illegal trading platform for drugs taken down. June 16, 2025. https://www.europol.europa.eu/media-press/newsroom/news/largest-illegal-trading-platform-drugs-taken-down. Archetyp users, volume, arrests.

  11. Europol. Key figure behind major Russian-speaking cybercrime forum targeted in Ukraine. July 22, 2025. https://www.europol.europa.eu/media-press/newsroom/news/key-figure-behind-major-russian-speaking-cybercrime-forum-targeted-in-ukraine. XSS members; admin profits.

  12. Europol. Largest ever operation against botnets hits dropper malware ecosystem. May 30, 2024. https://www.europol.europa.eu/media-press/newsroom/news/largest-ever-operation-against-botnets-hits-dropper-malware-ecosystem. Operation Endgame metrics.

  13. FBI. 2024 Internet Crime Report. April 2025. https://www.fbi.gov/news/press-releases/fbi-releases-annual-internet-crime-report. US$16B in losses; cyber-enabled fraud share.

  14. DarkOwl. 2025 - A Year of Constant Upheaval on the Dark Web. December 2025. https://www.darkowl.com/blog-content/2025-a-year-of-constant-upheaval-on-the-dark-web-darkowl/. DarkForums growth; year overview.

  15. Flashpoint. 2025 Global Threat Intelligence Report. March 2025. https://flashpoint.io/resources/report/flashpoint-2025-global-threat-intelligence-gtir/. 3.2B credentials; 23M infected devices; infostealer share.

  16. Recorded Future / Insikt Group. Dark Covenant 3.0: Controlled Impunity and Russia's Cybercriminals. October 23, 2025. https://www.recordedfuture.com/research/dark-covenant-3-controlled-impunity-and-russias-cybercriminals.

  17. Bitsight. State of the Underground 2025. February 2025. https://www.bitsight.com/blog/state-of-the-underground-2025. 2.9B unique compromised credentials; +43% forum data-breach posts.

  18. Searchlight Cyber. Same Game, New Players: Ransomware in 2025. February 2025. https://www.businesswire.com/news/home/20250211424558/en/Searchlight-Cyber-Report-Shows-38-YoY-Increase-in-Active-Dark-Web-Ransomware-Groups.

  19. Searchlight Cyber. Cerberus Marketplace Search and Insights module. March 2025. https://www.businesswire.com/news/home/20250311473548/en/Searchlight-Cyber-Launches-New-Dark-Web-Marketplace-Module-for-Law-Enforcement-Government-and-Security-Professionals.

  20. Rapid7 Labs. Inside Russian Market: Uncovering the Botnet Empire. December 2025. https://www.rapid7.com/blog/post/tr-inside-russian-market-uncovering-the-botnet-empire/.

  21. Rapid7 Labs. Initial Access Broker H2 2025 Update. March 2026. https://www.rapid7.com/blog/post/tr-initial-access-broker-shift-high-value-targets-premium-pricing/.

  22. Krebs on Security. Incognito Darknet Market Mass-Extorts Buyers, Sellers. March 2024. https://krebsonsecurity.com/2024/03/incognito-darknet-market-mass-extorts-buyers-sellers/.

  23. Elliptic. Friday the 13th on the Dark Web: $150M Solaris Hacked by Kraken. January 2023. https://www.elliptic.co/blog/analysis/friday-the-13th-on-the-dark-web-150-million-russian-drug-market-solaris-hacked-by-rival-market-kraken.

  24. CloudSEK. The Rise and Fall of RAMP. 2025. https://www.cloudsek.com/blog/the-rise-and-fall-of-ramp-inside-the-forum-where-ransomware-was-always-welcome.

  25. Comparitech. Inside RAMP: What a Leaked Database Reveals. 2025. https://www.comparitech.com/news/inside-ramp-what-a-leaked-database-reveals-about-russias-ransomware-marketplace/.

  26. Global Ledger via Whale Alert. Russian darknet markets moved $1.9B in BTC Jan-Sep 2025 into 20+ exchanges. October 2025. https://whale-alert.io/stories/cd5a795eff16/Global-Ledger-Russian-darknet-markets-moved-19B-in-Bitcoin-JanSep-2025-into-20-licensed-exchanges-Kraken-handled-13B.

  27. Tor Project. Tor Metrics. 2025. https://metrics.torproject.org/.

  28. ENISA. ENISA Threat Landscape 2025. October 2025. https://www.enisa.europa.eu/publications/enisa-threat-landscape-2025.

Audit your dark web exposure with Stingrai

Stingrai's Toronto-headquartered offensive-security team has been red-teaming financial-services, healthcare, SaaS, and public-sector clients since 2021, with team members holding OSCE3, OSCP, OSWE, OSED, OSEP, CREST CRT, CISSP, CRTO, GCPN, CRTE, and eWPTX certifications. The team has 18 published CVEs (Ivan Spiridonov 10, Moaaz Taha 5, Victor Villar 3) and a 5.0/5.0 rating across 19 Clutch reviews. Our PTaaS service and external network pentesting close off the corporate-network footholds that feed the IAB market documented above; our compliance program covers SOC 2, ISO 27001, HIPAA, PCI DSS 4.0, NIST SP 800-53 / 800-171, DORA, and NIS2. Snipe, our AI-pentesting agent trained on 6,000+ HackerOne reports, augments the team across web-app and API engagements. To map your dark-web exposure or to see how your access surface compares to the IAB pricing tiers documented in Dark Web Data Pricing 2026, reach out for a discovery call.
