NCA arrests 24 Brits over ties to global dark web criminal network

National Crime Agency (NCA) logo on a plaque attached to its headquarters
Shutterstock (Image credit: Shutterstock)

The UK's National Crime Agency (NCA) announced Wednesday that it had arrested 24 British citizens for their alleged involvement in an international dark web criminal network.

The NCA labelled the operation that led to the arrests as "one of the largest ever international operations targeting a criminal dark web marketplace".

The six-month-long UK portion of the international operation, known as Dark HunTOR, was coordinated by the NCA in collaboration with UK policing partners. As part of the wider investigation, law enforcement agencies in Australia, Bulgaria, France, Germany, Italy, the Netherlands, Switzerland, and the United States were involved, with international coordination efforts led by Europol and Eurojust.

The overall effort resulted in a total of 150 arrests, with more than £22.5 million seized in cash and virtual currency, 234kg of drugs, and 45 firearms.

UK law enforcement seized £220,000 in suspected criminal cash and Bitcoin, and a drugs haul of more than 50 kilos comprised of cocaine, MDMA, cannabis, methamphetamine, and ketamine.

Following an analysis of data by officers at the Dark Web Intelligence, Collection and Exploitation team (DICE), information on those individuals identified as presenting the highest threat in the UK was then distributed to regional dark web operations teams around the UK, who then made the arrests on suspicion of selling criminal goods online.

Dark HunTOR began earlier this year when German authorities arrested an individual thought to be the chief operator of a major dark web marketplace.

The arrest in Germany gave agencies access to the group's wider criminal infrastructure, which then enabled information on other marketplace vendors to be shared around international law enforcement agencies.


HP Wolf Security: Threat insights report

Equipping security teams with the knowledge to combat emerging threats


“The individuals we have targeted who are supplying drugs via the dark web are ultimately preying on the vulnerable and destroying communities," said Damian Barrow, senior NCA manager in the dark web intelligence collection and exploitation team.

“This operation shows that those who try to use the dark web to anonymously commit crimes can be identified and will be tracked down."

Dark web marketplaces are typically used to sell drugs, weapons, data, and other illicit digital goods. For years, they have been the targets of internationally coordinated efforts from law enforcement agencies attempting to shutter them. However, new marketplaces often launch in the wake of a major takedown, restarting the process for those fighting cyber crime.

European authorities were previously lauded for their work in bringing down prominent marketplaces such as Hansa and Alphabay in 2019.

"Law enforcement have become more technically savvy when it comes to the dark web and how it works, and are now able to monitor and track a person’s browsing behaviour, regardless of encryption," said Cliff Martin, cyber incident responder of GRC International Group to IT Pro.

"However, although the risk of being caught has significantly increased over the years, I don’t think that cyber criminals will be any more afraid - bad actors are very aware of the risks they are taking, and are continuously trying to find new ways to dodge around them."

Law enforcement agencies are cracking down on marketplaces and getting better at doing it with each operation. However, some experts believe geography may provide the ultimate hindrance in the long-run.

"While the tempo of law enforcement operations does appear to have increased, the seizures are somewhat limited by the geography in which the targets reside," said Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows to IT Pro.

"Many significant actors within the cybercriminal community—notably those involved in ransomware attacks—are based in either Russia or the Commonwealth of Independent States (CIS), i.e. countries formerly a member of the Soviet Union. There are limited options available for international law enforcement in making arrests within these countries."

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.