Alert: website impersonating Global Ledger detected
Learn more
Skip to content
Schedule A Demo

What Are the Top 5 Darknet Markets in 2026?

 Data-Backed Research for CEX Security 
Anastasia Arashkevich

Anastasia Arashkevich

Crypto & Blockchain Expert

March 17, 2026 19 min read

Despite global law enforcement crackdowns, top darknet markets remain a major hub for illicit crypto activity in 2026.

To understand the scale of the ecosystem entering 2026, it is useful to look at activity from the previous year. According to a Global Ledger investigation, over $1.85 billion in Bitcoin transactions moved across five major Russian-speaking dark web marketplaces in January – September 2025:

  • MEGA

  • Kraken

  • BlackSprut

  • OMG!OMG!

  • Nova

Global Ledger research also shows that at least 20 centralized exchanges (CEXs) with 130 international licenses were indirectly exposed to wallets linked to active dark web markets. 

What makes these darknet platforms particularly relevant is their indirect exposure to regulated crypto businesses, which may unintentionally become cash-out points for illicit funds. Let’s take a closer look at the list of darknet markets in 2026 and compare their transaction volumes and the risks they pose to crypto businesses. 

Key Takeaways
  • Dark web marketplaces remain active despite major operations by law enforcement agencies.
  • Russian-speaking platforms such as Blacksprut, MEGA, and OMG!OMG! dominate the darknet ecosystem that emerged after the shutdown of Hydra.
  • More than $1.85B in Bitcoin transactions moved through five major Russian-speaking darknet marketplaces in Jan-Sep 2025.
  • At least 20 licensed CEXs were indirectly exposed to darknet activity through crypto transactions.
  • Bitcoin remains the primary payment method on most marketplaces.
  • Darknet funds often move through layered transaction paths, including intermediary wallets and OTC services, making the risk harder to trace.

Top darknet markets in 2026: a head-to-head comparison

Marketplace Launch Year Primary Region BTC Volume (2025 inflow) Key Risks for CEXs
BlackSprut 2022 Russia / CIS ~2.324 BTC Vendor aggregation wallets concentrating illicit funds
MEGA 2016 Russia / CIS ~1.086 BTC BTC → privacy coin laundering routes
OMG!OMG! 2021 International / Russia ~789 BTC Account deletion mechanisms complicating investigations
Abacus Market 2021 North America / Europe ~ 265.75 BTC Legacy vendor wallets & exit-scam redistribution
Russian Market ~2019 Russia / CIS N/A Sale of stolen credentials enabling account takeovers on crypto platforms

BlackSprut — the largest Russian-speaking darknet marketplace

BlackSprut is one of the most active dark web marketplaces operating on the Tor network. 

The platform emerged after the shutdown of Hydra in 2022 and now primarily operates in Russia. It relies on a “dead drop” distribution model, where buyers receive the geographic coordinates of hidden packages after completing a crypto payment.

Our Entity Exposure report shows that in 2025 wallets associated with BlackSprut received approximately 2.324 BTC in incoming transactions, while about 2.327 BTC were sent out of the marketplace, indicating a high level of transactional activity within the platform. 

These volumes highlight the scale of activity on the platform and confirm BlackSprut’s position as one of the largest dark web markets in the Russian-speaking darknet ecosystem.
Excerpt from the Entity Exposure report generated by the Global Ledger KYB toolset.
Excerpt from the Entity Exposure report generated by the Global Ledger KYB toolset.
For crypto exchanges, the main risk lies in indirect exposure to wallets interacting with the market, which may act as aggregation points for illicit funds before they enter the broader crypto ecosystem.

MEGA — the oldest Russian-speaking darknet market

MEGA is one of the longest-running dark web marketplaces, operating since 2016.

The platform became significantly more popular after the shutdown of Hydra and now hosts over 2,600 merchants, primarily in Russia. MEGA also features an internal exchange that allows users to swap Bitcoin for Monero, along with additional tools designed to obscure transaction flows.

Our Entity Exposure report shows that in 2025 wallets associated with MEGA received approximately 1.086 BTC in incoming transactions and sent about 1.089 BTC in outgoing flows, indicating continued activity on the platform.

This sustained transaction volume suggests that MEGA remains one of the key hubs for darknet activity in the Russian-speaking ecosystem.
Excerpt from the Entity Exposure report generated by the Global Ledger KYB toolset.
Excerpt from the Entity Exposure report generated by the Global Ledger KYB toolset.

OMG! OMG! — the most active darknet market interacting with exchanges 

OMG!OMG! is a darknet marketplace launched in 2021 and, alongside BlackSprut, is considered one of the most active darknet platforms interacting with crypto exchanges.

The platform is based in Russia but serves a more international audience compared to many other Russian-speaking marketplaces. Currently, OMG! OMG! hosts over 1,000 listings. Payments on the platform are made in BTC to built-in wallets.

Our Entity Exposure analysis shows that in 2025 wallets associated with OMG!OMG! received approximately 788.95 BTC in incoming transactions and sent about 787.83 BTC in outgoing flows. The analysis also shows that around 29% of incoming funds originated from a crypto exchange, while about 24% of outgoing funds were sent to other dark web markets.

This indicates that OMG!OMG! continues to interact with both crypto exchanges and other dark web marketplaces.
Excerpt from the Entity Exposure report generated by the Global Ledger KYB toolset.
Excerpt from the Entity Exposure report generated by the Global Ledger KYB toolset.

Early 2026 data indicates that the same pattern continues. Wallets associated with OMG!OMG! received over 109 BTC in inflows between January and February 2026, with approximately 64% of the funds received coming from an exchange with a medium risk level. At the same time, a significant share of outflows continues to move toward other darknet marketplaces. 

Excerpt from the Entity Exposure report generated by the Global Ledger KYB toolset.
Excerpt from the Entity Exposure report generated by the Global Ledger KYB toolset.
One atypical security feature unique to this market is called the kamikaze password, which fraud actors are trying to protect themselves with. It can be used in emergency situations to destroy their accounts. Such mechanisms complicate investigations, as illicit actors can instantly delete their accounts if they suspect dark web monitoring or investigative activity.

Abacus Market — the largest Western darknet marketplace before its shutdown

Abacus Market was one of the largest English-language dark web marketplaces, primarily serving North America and Europe.

Launched in 2021, the platform quickly expanded after the decline of earlier markets such as AlphaBay Market and at its peak hosted more than 40,000 product listings, becoming the dominant Western dark web market. 

However, the marketplace’s activity declined sharply after July 2025, when Abacus suddenly went offline and its infrastructure became inaccessible. The shutdown followed a series of enforcement actions against Western dark web markets, including the seizure of Archetyp Market earlier that year. While the exact reason remains unclear, the disappearance of Abacus triggered speculation about either a law enforcement takedown or a potential exit scam.

Our Entity Exposure report shows that wallets associated with Abacus received approximately 265.75 BTC in incoming transactions before the marketplace went offline. 

While the data reflects notable activity during its operational period, the volume remained considerably lower than that of BlackSprut. This is partly explained by the marketplace’s abrupt shutdown. 
Darknet markets volume. BTC incoming flows. Source: Global Ledger.
Darknet markets volume. BTC incoming flows. Source: Global Ledger.
For crypto exchanges, the key risk lies in historical exposure to vendor wallets and intermediary addresses connected to the marketplace, which may continue circulating funds even after the platform’s closure.

Russian Market — the leading darknet ecosystem for stolen digital identities

Although the Russian Market is often mentioned alongside dark web marketplaces, it is not a traditional dark web market like BlackSprut, MEGA, or Solaris.

Instead, it operates as a specialized Russian-speaking cybercrime ecosystem focused on selling compromised digital identities and access data, including:

  • stolen credentials

  • logs collected by infostealer malware and other malicious software

  • stolen session cookies

  • compromised accounts and leaked API keys used to gain unauthorized network access

  • information originating from a data breach or large-scale data leaks 

  • stolen credit cards, or rather credit card data 

  • fake IDs and other identity documents.

According to a Global Ledger research, the scale of this ecosystem remains significant. Between January and September 2025, the five largest Russian-speaking darknet marketplaces (MEGA, Kraken, BlackSprut, OMG!OMG!, and Nova) processed more than $1.85 billion in Bitcoin transactions. What’s more, funds were traced to at least 20 CEXs with 130 international licenses, meaning how funds connected to darknet activity can reach even regulated platforms through intermediary wallets and OTC services. 

The scale of this ecosystem and the links between multiple dark web marketplaces increase the flow of illicit funds across the crypto ecosystem. This also raises the likelihood that such funds will eventually reach regulated CEXs.
BTC volume across top Russian darknet marketplaces, Jan–Sep 2025. Source: Global Ledger Research.
BTC volume across top Russian darknet marketplaces, Jan–Sep 2025. Source: Global Ledger Research.

According to the same report, across all analyzed darknet marketplaces, dozens of licensed CEXs have been found interacting indirectly with wallets linked to illicit platforms.

While the absolute transaction volumes between dark web markets and CEXs are modest compared to total darknet inflows/outflows, these exchanges are often used for topping up accounts via OTCs. Despite sanctions, Russia-linked illicit platforms continue to use the crypto ecosystem and major centralized exchanges to reroute sanctioned funds, as revealed in the 2022-2025 Global Ledger investigation.

Even regulated exchanges labeled as “safe” may still become conduits for illicit flows — not because of negligence, but because of structural blind spots in their infrastructure. To protect your exchange, it’s essential to detect early signals before they escalate into operational or regulatory consequences.

At Global Ledger, we help CEX compliance teams gain the clarity needed to uncover these patterns early. With blockchain visualization, smart AML risk scoring, real-time monitoring, and deep counterparty insights, you can identify sanctioned exposure, legacy risks, and indirect transaction routes — helping prevent your infrastructure from interacting with darknet-related flows. 

Schedule a Demo

Once-prominent darknet markets now inactive

Former dark web markets may no longer be active, but many of them played a significant role in shaping today’s ecosystem. Two notable examples include Solaris and CTS Market.

CTS Market — a darknet vendor network operating across multiple marketplaces

CTS Market operated primarily as a vendor network rather than a standalone dark web market.

The platform was active since the RAMP forum era and distributed its listings across multiple large marketplaces within the Russian-speaking darknet ecosystem. Transactions were conducted in BTC, and historical data shows that the CTS Market vendor infrastructure generated approximately 118.75 BTC in transaction volume in 2022.

However, recent monitoring indicated that CTS Market was suspended, with no significant independent marketplace activity observed.

Solaris — a former Hydra rival now inactive 

Solaris was once a major darknet marketplace that competed with Hydra in the Russian market ecosystem, operating since 2015.

After Hydra’s shutdown, Solaris attempted to attract vendors by hacking RuTor, one of the largest Russian dark web forums, and offering incentives for stores to migrate to the platform.

However, in 2023 Solaris was taken over by a rival marketplace known as Kraken darknet, after which the platform became inaccessible. Our entity exposure report shows almost no transaction activity associated with Solaris wallets, indicating that the marketplace is no longer operational.

How do darknet markets work? 

Darknet markets function as underground e-commerce platforms hosted on anonymizing networks such as Tor and accessed through the Tor browser.

Users create pseudonymous accounts and conduct transactions primarily in cryptocurrency. This allows buyers and vendors to trade illicit goods, stolen data, and illegal services without revealing their identities.

Many dark web markets replicate features of legitimate e-commerce platforms, including escrow payments, multi-signature transactions, vendor reputation systems, and encrypted messaging. These mechanisms help facilitate transactions while preserving anonymity.

In practice, darknet commerce generally operates through two main models:

Marketplace-based DNMs Guarantee or escrow services

Traditional dark web marketplaces that host listings, vendor profiles, and built-in escrow. Buyers send cryptocurrency to the platform, which holds the funds until the transaction is completed.

Deals are arranged directly between buyers and sellers (often on forums or messaging platforms), while a third party holds the cryptocurrency and releases it once the transaction is confirmed.

Cryptocurrency serves as the primary payment method on most darknet marketplaces, which closely connects them to the broader digital asset ecosystem.

As a result, funds often move through several layers before reaching regulated platforms, including:

  • multiple intermediary wallets

  • third-party services

  • OTC channels.

This multi-step transaction flow can make the original source of funds harder to trace. As a result, detecting early signals of risk becomes difficult without a proper KYT monitoring tool supported by blockchain analytics and cyber threat intelligence.

How do cyber criminals use darknet markets?

Darknet marketplaces facilitate the trade of illicit goods and also help move and obscure criminal proceeds within the crypto ecosystem. For regulated crypto services, these platforms often appear as intermediate nodes in laundering chains.

Cybercriminals or hackers typically use darknet markets in three ways:

1. Cashing out stolen or illicit crypto

In some cases, dark web marketplaces are used to convert stolen cryptocurrency into goods or services sold on the platform.

However, this is relatively rare. More often, dark web markets act as intermediate nodes in laundering chains, where funds move through multiple wallets and transactions before their origin becomes harder to trace. These ecosystems are also connected to data leaks, stolen identities, and services offering unauthorized network access. 

2. Layering transactions to hide the source of funds

Illicit actors often move funds through multiple wallets, vendors, and marketplace deposits in order to break the transaction trail. This technique is commonly referred to as multistage or fragmented laundering.

According to the Global Ledger Laundering Race report, multistage laundering was used in ~99% of hacks (255 incidents analyzed in 2025). 

For example, the BtcTurk hack involved funds moving through several services including unhosted wallets, CoinJoin, Wasabi Wallet, THORChain, Chainflip, and the Lightning Network. 

Review how funds moved in the Global Ledger tracing tool. 

Check Case Online

 

A similar pattern was observed in the Teen Spy Case, where the path of the funds strongly suggested laundering techniques such as splitting, mixing, and obfuscation.

3. Using OTC services linked to darknet ecosystems

Many darknet markets rely on OTC intermediaries that convert fiat to crypto through card transfers or peer-to-peer payments, creating additional entry points for illicit funds into the crypto economy.

These patterns show that dark web marketplaces are not isolated platforms, but rather part of a wider ecosystem where illicit funds move across multiple services before reaching a regulated platform. Because of this interconnected environment, risk does not always originate from obvious sources, and it can appear through indirect transaction paths that are not immediately visible.

So what risks emerge from dark web market activity for crypto businesses?

Darknet markets: hidden risks they pose for crypto exchanges

Darknet markets are usually a part of a broader ecosystem where illicit funds move across wallets, OTC desks, and multiple blockchain networks and services before reaching a centralized exchange.

Because of this layered structure, exposure to darknet-related funds is not always obvious and may appear through indirect transaction paths.

The core challenge lies in detecting and managing this exposure within everyday transaction flows. If these risks are not identified early, they can evolve into regulatory, financial, and operational issues for your business.

What are the main risks associated with darknet markets?

  • Regulatory risk
    Failure to detect darknet-linked transactions may lead to AML investigations, sanctions exposure, and regulatory penalties for crypto exchanges and VASPs.
  • Financial risk
    Funds linked to darknet
  • Operational risk
    Darknet funds often move through multiple wallets, mixers, and OTC services, making suspicious transaction patterns harder to detect.
  • Reputational risk
    Even indirect exposure to darknet activity can damage trust among regulators, partners, and users.
globalledger-image

How to protect your business from darknet exposure

Even as darknet marketplaces remain active despite law enforcement actions, you can protect your business by implementing some core strategies such as:

Real-time monitoring

Darknet-related funds rarely arrive through a single obvious transaction. Instead, they often move through several wallets and intermediaries before reaching an exchange. 

Dark web monitoring in real time helps detect these movements early, before illicit funds can mix with legitimate user activity.

Steps your compliance team can take right now:

  • Turn on proactive monitoring to ensure no threats go unnoticed. 

  • Use AI-powered alerts to prioritize high-impact risks. 

  • Build procedures to return “dirty” crypto to the source before it contaminates clean funds. 

  • Block sanctioned or terrorist-linked assets and submit a SAR/STR response quickly. 

With the Global Ledger KYT toolset, you can monitor addresses of interest in real time using a system that performs 500,000 AML checks each day to detect illicit activity. Instant alerts notify you about deposits from known entities and suspicious movement of funds, helping support further evidence-based decisions.

2. Time-based triggers and cluster analytics

Darknet exposure is often indirect and unfolds over time. To respond effectively, your compliance team needs to detect patterns across transaction timing, behavioral signals, and wallet clusters, rather than focusing only on isolated transactions. 

Steps your compliance team can take right now: 

  • Set up automatic triggers based on behavioral and time-based signals, rather than static rules tied to single transactions. 

  • Aim for a 15-minute internal SLA for reviewing suspicious flows — similar to incident response in cybersecurity. 

  • Use risk bursts — clusters of similar activities within short timeframes — to identify coordinated or staged laundering attempts. 

  • Try to apply cluster-level analytics to identify behavioral patterns, transaction paths, and timing anomalies. 

With the Global Ledger tracing platform, you can visualize transaction flows, explore all activity linked to specific addresses, and identify wallet owners in just two clicks. Real-time alerts can also be delivered through operational tools like Slack, Jira, or Telegram channels, ensuring high-risk events trigger immediate action and speeding up risk detection. 

Transaction tracing in the Global Ledger platform.
Transaction tracing in the Global Ledger platform.

 3. Enhanced due diligence (EDD) 

As attack activity becomes more fragmented and funds increasingly pass through multiple intermediaries — such as bridges, mixers, or services with limited or no KYC controls — deposits coming from unclear or high-risk sources to centralized exchanges require closer scrutiny. 

 3 ways EDD helps protect your platform: 

  • Apply stricter rules for deposits from instant, non-KYC sources. 

  • Trigger EDD reviews for flows linked to mixers, bridges, or sanctioned wallets. 

  • Use hold-and-review policies to freeze funds while the investigation unfolds. 

To identify non-KYC and other high-risk services quickly, your compliance team can rely on the Global Ledger entity database, covering 92K+ entities with detailed information on ownership, service type, jurisdictional restrictions, and risk indicators.

View Who You're Dealing With
Request a Demo Report for Any Entity
Request Demo Report

Conclusion

When Hydra was shut down, many expected the Russian Market to collapse with it. Instead, the opposite happened: users and vendors quickly migrated to new marketplaces such as BlackSprut, MEGA, and OMG!OMG!, and transaction flows continued to grow across the ecosystem.

The real takeaway is not just the volume of illicit transactions, but how easily these flows move between marketplaces, intermediaries, and eventually regulated platforms. Blockchain analytics provides an early signal of these movements, helping detect risks long before they become regulatory or operational incidents.

Global Ledger helps compliance teams detect darknet-related risks before they escalate. With real-time monitoring, AML risk scoring, and detailed counterparty analysis, you can identify hidden exposure routes and stop illicit flows before they reach your platform. See how it works in real time. 

Frequently asked questions (FAQs) 

1. What is a darknet market?

A darknet market (DNM) or black market is a decentralized, unindexed, unregulated part of the World Wide Web that is only accessible using certain browsers, such as the so-called “Onion Router,” or “Tor network”. 

The dark web has become a massive hub for criminal activity, often offering services linked to the drug trade. Today, it functions as a black market economy where buyers and sellers trade banned goods and services without fear of detection. These platforms also facilitate credit card fraud, fake IDs, and the sale of stolen data...

2. When was Hydra taken down?

Hydra, once the dominant Russian-speaking dark web market, was shut down in April 2022 during a joint international law enforcement operation. After its closure, users and vendors migrated to new platforms such as BlackSprut, MEGA, Solaris, Kraken, OMG!OMG!, Abacus Market, Huione Guarantee, and more. 

3. Does law enforcement monitor darknet markets?

Yes. Although darknet markets operate on anonymized networks, blockchain transactions remain traceable. Law enforcement agencies use сyber threat intelligence tools to analyze transaction flows, identify wallet clusters, and investigate illicit activity, which has led to major takedowns such as Hydra or Silk Road.

4. Are all darknet market transactions untraceable?

No. While tools such as mixers or bridges can make tracing more difficult, most transactions still leave a record on public blockchains due to users’ operational mistakes or interactions with traceable services. Investigators can analyze transaction patterns and operational vulnerabilities to uncover connections to illicit activity.

5. How many darknet markets are there?

The exact number constantly changes, as new marketplaces appear while others shut down or migrate. Many vendors also advertise on cybercrime forums before migrating to dark web marketplaces. At any given time, dozens of active dark web marketplaces may operate across different regions and ecosystems.

6. Is it illegal to visit a dark web site?

In most countries, simply visiting a dark web site is not illegal. However, participating in illegal activities or purchasing illicit goods through darknet markets can lead to criminal liability.

7. Are darknet markets still active?

Yes. Despite frequent law enforcement actions and the shutdown of major platforms such as Silk Road, dark web marketplaces continue to operate and evolve, often reappearing under new names. 

8. How does Global Ledger help identify darknet exposure?

Global Ledger provides blockchain intelligence tools that help compliance teams detect exposure to darknet marketplaces. By combining wallet screening, transaction monitoring, and counterparty analysis, Global Ledger enables businesses to identify high-risk flows and investigate potential connections to illicit activity.