Executive Summary
In January 2026, U.S. authorities announced that Raheim Hamilton (“Sydney”/“ZeroAngel”), a co-founder of the notorious Empire Market, pleaded guilty to federal drug conspiracy charges. From 2018 to 2020, Empire Market operated as a large-scale dark web marketplace accessible via TOR, facilitating over $430 million in illegal transactions, primarily enabling drug sales but also distributing stolen credentials, hacking tools, and counterfeit currency. Hamilton and partner Thomas Pavey laundered illicit proceeds through cryptocurrency and designed the site to evade law enforcement, directly overseeing vendor disputes and operational security.
This prosecution underscores the ongoing threat and operational sophistication of dark web cybercrime marketplaces, even after earlier takedowns. As digital criminal platforms persistently adapt, law enforcement and organizations must address the evolving risks involving anonymized markets, cryptocurrency transactions, and the proliferation of illicit digital goods and services.
Why This Matters Now
With cybercrime-as-a-service ecosystems thriving and maturing on the dark web, the Empire Market case highlights the ease with which actors can monetize illegal goods and attack tools, evading detection via anonymity networks and cryptocurrencies. This evolution makes investigative and compliance efforts more urgent for regulators, security teams, and global law enforcement.
Attack Path Analysis
Attackers set up and operated a covert cybercrime marketplace on the dark web (TOR), bypassing conventional monitoring to enable illegal sales. Privileged access was obtained to hidden hosting and cryptocurrency wallets, supporting service scaling and operation. The infrastructure was laterally managed via encrypted east-west traffic to avoid detection, while command and control relied on anonymized, segmented channels. Exfiltration of financial assets and sensitive user data was facilitated through encrypted outbound routes and cryptocurrency transactions. Ultimately, the impact included large-scale illicit transactions, laundering, and the exposure of sensitive data for financial gain.
Kill Chain Progression
Initial Compromise
Description
Creation and operation of an underground dark web marketplace, leveraging TOR for anonymity and evading detection when establishing hosting and payment infrastructure.
MITRE ATT&CK® Techniques
ATT&CK mappings reflect common techniques used in operating cybercrime marketplaces and facilitating illegal digital transactions; further enrichment with full STIX/TAXII support is recommended for production.
- Acquire Infrastructure
- Stage Capabilities: Upload Malware
- Application Layer Protocol: Web Protocols
- Gather Victim Identity Information
- Man-in-the-Middle: Web Protocols
- Credentials from Password Stores: Credentials from Web Browsers
- Credential Dumping
- Valid Accounts
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- PCI DSS 4.0 – Incident Response Plan (Control ID: 12.10.1)
- NYDFS 23 NYCRR 500 – Cybersecurity Program (Control ID: 500.02)
- DORA – ICT Risk Management Framework (Control ID: Article 10)
- CISA ZTMM 2.0 – Identity Verification and Credential Protection (Control ID: 3.1.1)
- NIS2 Directive – Implementation of Technical and Organizational Security Measures (Control ID: Article 21(2))
Sector Implications
Industry-specific impact of the incident, including operational, regulatory, and cloud security risks.
Financial Services
Dark web marketplaces facilitate cryptocurrency laundering and stolen financial credentials trading, requiring enhanced transaction monitoring and anti-money laundering controls.
Computer/Network Security
Cybercrime-as-a-Service platforms selling hacking tools and stolen data necessitate advanced threat detection capabilities and zero-trust network segmentation implementations.
Law Enforcement
Multi-million dollar dark web investigations require sophisticated encrypted traffic analysis, digital forensics capabilities, and international cybercrime coordination frameworks.
Pharmaceuticals
Illegal drug distribution through encrypted marketplaces threatens regulatory compliance and requires enhanced supply chain security and counterfeit detection measures.
Sources
- Empire cybercrime market owner pleads guilty to drug conspiracy: https://www.bleepingcomputer.com/news/security/empire-cybercrime-market-owner-pleads-guilty-to-drug-conspiracy/
- Co-Creator of Dark Web Marketplace Pleads Guilty in Chicago to Drug Conspiracy Charge: https://www.justice.gov/usao-ndil/pr/co-creator-dark-web-marketplace-pleads-guilty-chicago-drug-conspiracy-charge
- Owners of 'Empire Market' Charged in Chicago With Operating $430 Million Dark Web Marketplace: https://www.justice.gov/usao-ndil/pr/owners-empire-market-charged-chicago-operating-430-million-dark-web-marketplace
Cloud Native Security Fabric (CNSF) Mitigations and Controls
This incident highlights the relevance of Zero Trust and CNSF controls in preventing the covert operation of a dark web marketplace. Robust segmentation, strict identity enforcement, and egress governance could have restricted attacker movement, concealed management, and the exfiltration of assets, enabling earlier detection and containment.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Unauthorized marketplace deployments would have faced controls and visibility, greatly increasing detection and the ability to disrupt illicit provisioning.
Control: Zero Trust Segmentation
Mitigation: Access to privileged resources would require continuous identity verification and segmentation, reducing the attacker's ability to escalate privileges unnoticed.
Control: East-West Traffic Security
Mitigation: Unapproved lateral movement would have been detected and restricted, limiting the attacker's ability to expand control within infrastructure.
Control: Multicloud Visibility & Control
Mitigation: Suspicious command and control channels would be visible and subject to policy enforcement, hindering covert administrative communications.
Control: Egress Security & Policy Enforcement
Mitigation: Unapproved outbound data transfers and cryptocurrency transactions could be detected, alerted, or blocked based on policy.
Comprehensive Zero Trust controls may have contained the incident earlier, reducing the likelihood or extent of financial and data-related impact.
Recommended Actions
Key Takeaways & Next Steps
- Enforce zero trust segmentation and least privilege access for all cloud and hybrid resources supporting sensitive operations.
- Apply robust east-west traffic security policies to detect and block unauthorized internal movement and service access.
- Activate continuous multicloud visibility and monitoring for anomalous administrative or automated activity.
- Implement strict egress security controls to prevent exfiltration of sensitive data and cryptocurrency assets.
- Deploy inline IPS and threat detection for real-time identification and blocking of known exploit traffic where inspection is possible.