WIXLIB

institutions. Due to the nature of illegitimacy, membersalso share another problem: OPSEC. Specifically, theinterests in OPSEC have evolved at two levels. At the“system level,” market platforms are vulnerable to therisks of hacking, theft, and infiltration by lawenforcement; at the “process level,” vendors candeceive buyers (e.g., not shipping a promised product)[15].3.2. PracticeA community of practice is where members learnabout “becoming a practitioner, not learning aboutpractice” [26, p.48, italics original]. Therefore, theprocess of knowledge sharing in communities ofpractice is oriented toward pragmatic, experientiallearning. The illicit market forum members have ashared goal of becoming a “successful” practitioner:buying or selling drugs without being busted. Theprimary aim of the forums, therefore, is to documentand exchange technical and practical knowledgeneeded to securely participate in high-stakes activities.Other motives such as punditry, leisure, orsocialization may be observed but they are auxiliarydrivers of social interactions in these forums.3.3. KnowledgeInteractionsEmbeddedinSocialLearning is the main function of communities ofpractices [9]. Unlike formal training or structuredteaching, knowledge is gained through informal socialinteractions in which not only “objective” knowledgebut also, and more importantly, “insider” know-how isembedded [26, p.48]. Learning in communities ofpractice thus translates to internalizing the culture ofcollectives such as viewpoints, vernaculars, andbehavioral rules [26].The dark web market forums are where marketusers with different levels of experience get together toshare with and learn from peers’ knowledge andexperiences. While some forums include wellformatted technical tutorials on how to use markets, thelargest portion of communicative activities observed inthese forums is in the form of real-time questions andanswers [20]. Novices seek tips and advice;experienced users share previous experiences, which inturn constitute a collective narrative of the dark webmarket history; the involved members share up-to-dateinformation about markets’ status and share vendorreviews. Such learning occurs in the midst of informaldiscursive interactions.3.4. Self-selectionA community of practice is not a formalorganization. Unlike project group assignments ororganizational divisions, members voluntarily chooseto be a part of the community [24]. Individualmembers’ positions in the community are thusdetermined not hierarchically but based on the level oftime and effort they spend in the community at theirown will.Such informality and meritocracy are definingcharacteristics of dark web market forums [20].Whereas actual marketplaces are run by more or lesscanonical rules (e.g., imposing mechanisms of socialcontrol and administrative authority to ban certainvendors and buyers), most discussion forums are run asan open, self-regulated network of voluntary members.The level of expertise, experience, or technicalsophistication are not criteria for membership, althoughthere is an implicit expectation that a user shouldachieve some level of expertise through both informallearning in forums as well as actual engagement inmarket activities to become a true member of thecommunity.3.5. Self-organized Knowledge CollaborationBased on informal social interactions and selfselective membership, communities of practice can beunderstood as a self-organized knowledge sharingsystem. An essential characteristic of a virtual selforganizing system is its fluidity [27]. A fluidorganizing system lacks traditional structuralmechanisms such that organizational positions, roles,and boundaries are loosely defined [27]. Instead,fluidity allows “highly flexible and permeableboundaries” of communities, making it difficult “tofigure out who is in the community and who is outsideat any point in time, let alone over time” [p.1226].Furthermore, the dynamics of knowledge collaborationdo not rely on predefined role structures or adhesive“people-to-people relations” [p.1235]. Rather, thecollaborative network changes its configurationconstantly based on the flow of ideas, externalconditions, and the nature of problems that thecommunity collectively encounters. Scholarship hasreferred to such organizational flexibility forknowledge collaboration as “emergent network” [28—30] or “generative response” [27].The dark web market forms are a space for fluidcollectives in that there is no strict protocol to enterand exit, insofar as a user has a basic ability to getaccess to it anonymously. Although administrators maymoderate community interactions to some extent, thecommunity does not impose a formal hierarchy.Anonymous social interactions make the communityeven more permeable because members’ real identitiesPage 2733

are concealed from one another and thus socialinteractions are assumed to be inherently temporaryand transitory [31].In sum, as a self-organized system, knowledgesharing dynamics in illicit market forums can be highlyadaptive to the nature of problems, level of uncertainty,and who has what types of knowledge at a givenmoment. Given that few studies have examined theemergence of knowledge sharing networks in the darkweb market forums, the current study attempts tocontribute to understanding the self-organizing aspectof these communities.4. Empirical Context and ResearchQuestionsThis study presents a case of the cryptomarketcalled AlphaBay. AlphaBay was shut down in July2017. Initially suspected as an exit scam (i.e., a fraudby the market administrators), it later turned out thatthe shutdown was caused by an international lawenforcement team comprised of the U.S., Canada, andThailand. On July 15, 2015, Alexandre Cazes, a cofounder of the market who was arrested on the sameday as the shutdown, was found dead in jail inThailand. AlphaBay was the largest cyber-undergroundmarket to emerge since the shutdown of the legendarymarket SilkRoad, with 600,000 to 800,000 in dailyrevenue.Several major forums served as communities ofpractices for AlphaBay users, including AlphaBayfrm(an AlphaBay market-specific forum hosted in Tor),The Hub (a multi-market forum hosted in Tor), andseveral subreddits on Reddit.com. This paper focuseson one of the subreddit communities, r/AlphaBay.This paper is particularly interested in theemergent network structure of the illicit market forum.As a self-organized knowledge sharing collective, thecommunity dynamics may reveal fluid knowledgeflows depending on the types of problems that userscollectively face. Specifically, in ordinary times, theproblems users encounter may be more routinized,centered around vendor credibility and proceduralissues related to access, transactions, and shipping.However, when a system-level defect in the marketplatform is abruptly experienced, the non-routinesituation may pose more severe collective risks with ahigher level of uncertainty. Facing a non-routine,highly uncertain event could change the interactiondynamics.We contend that such change should be manifestin two forms: (a) We anticipate changes incommunication network structures. According tocommunication network evolution perspective, a crisisevent plays a role in changing the structure ofcomputer-mediated communication networks. Forexample, a study of an inter-organizational emailnetwork showed that both communication volumes andnumber of communicators have increased whenmembers faced an organizational uncertainty. Also, thenetwork tends to form a giant component rather thanbeing fragmented into subgroups [32]. More recently,Twitter research in the context of natural disaster(Japanese earthquake and Tsunami) found that affectedusers (i.e., Japanese users) intensified their degree ofinteractions than non-affected users (i.e., nonJapanese). Such interactions, however, have increasedamong the existing users, with less activity of newlyjoining or quitting a community [33]. (b) Along withnetwork change, the nature of communicative contentshared among members may also change. For example,prior research has shown that, along with the averagelength of individual messages being shortened,conversations became less diverse and moreconcentrated toward problem-solving [32, 33]. Also,decentralized problem-solving efforts and concernsabout safety and wellness of community membersbecame prominent in the electronic messagesexchanged during the crisis period [34]. Whileexisting studies were based on legitimate communitiesor organizational networks, little is known whetherillicit, hidden cyber communities will exhibit similarpatterns in network changes and communicationcontents when they face a highly uncertain situation.As a preliminary study, this paper posits two researchquestions.RQ1: How does the structure of the knowledgesharing network change in an illicit market forumwhen the community collectively experiences a criticalmarket defect?RQ2: How do communicative activities change inan illicit market forum when the communitycollectively experiences a critical market defect?5. Methods5.1. Data CollectionThe subreddit data (r/AlphaBay) was provided bya cybersecurity firm that has partnered with theuniversity where the authors are affiliated (Companyname will be identified upon the paper acceptance).Whereas mainstream media reported that AlphaBaywas seized on a specific day (July 4, 2017), the marketusers’ experience was not a one-day event. Instead,users experienced errors and irregularities for multipledays around the time of the seizure. To identify thetimespan of the market defect more precisely, wePage 2734

adopted a previous study’s method that was used todetect the anomaly period in social media activities[35].Specifically, we first examined the longitudinalpattern of daily posting volumes over a year, from June2016 to July 2017. The daily average of total postingwas 48.48 posts a day (SD 62.34) and the dailyaverage number of newly created topic threads was6.03 (SD 5.73). Second, we used the number of newlycreated topic threads as a criterion to identify theanomaly in activity volumes. We used the topic threadsinstead of total post activities because it is possible thata certain old topic could continue to drawconversations over time regardless of the shutdownevent. Beginning a new discussion thread, however,may be more reflective of what is happening at a givenmoment. Next, we defined days were considered partof the anomaly period if a daily number of newlycreated topic threads exceeded two standard deviationsfrom the mean ( 17.50). Lastly, we reviewed the actualposts made during the identified anomaly days tounderstand what had happened and whether thehappening was indeed related to a non-routine problemwith a high level of uncertainty.From the procedure above, we identified twoabnormal periods, one in December 2016 and anotherin July 2017. The review of the posts suggested that themarket was offline temporarily on December 13 and14, 2016; and the market defect, which eventually waslinked to the permanent shutdown, was experienced forabout 10 days from July 5 to July 14, 2017 (Figure 1).This study focuses on the identified ten days of themarket defect in July 2017. The total number of topicthreads that were created during the market defectperiod was 346, and the total number of posts was1,587. For comparison, we also examined a similarnumber of topic threads and posts made prior to thebeginning of the market defect period, which spannedfrom May 19, 2017, to July 4, 2017. We defined thistime window as a “routine period,” which included thecreation of 383 topic threads and 1,663 posts. As aresult, a total of 3,250 posts were analyzed.sociometric matrix based on co-postings in the sametopic threads (Figure 2a and 2b).Figure 1. Daily creation of topic threadsbetween June 2016 and July 2017. Redmarkers are the days with a sudden increasein volume ( 17.5).Figure 2a. An example of transforming a twomode (user-by-thread, directional) matrix tothe corresponding one-mode (user-by-user,nondirectional) network. Diagonal values (bluecells) in the one-mode matrix indicate eachuser’s total posting frequency.5.2. Network AnalysisNetwork analysis requires two sets of variables:nodes and edges. In this study, nodes are anonymoususers involved in discursive activities in the examinedsubreddit forum. Edges are defined as non-directionalties that represent co-posting behaviors. The defaultformat of the network data was a two-mode (user-bythread) matrix that informs which users contributed towhich topic threads. The default format wastransformed into a one-mode (user-by-user)Figure 2b. Sociograms of two-mode networkvs. one-mode network based on thesociometric data exemplified in Figure 2a.Page 2735

The co-posting matrix is more useful in this studythan the original user-by-thread matrix because itallows for examining who were exposed to whoseideas/knowledge as well as who were the most activecontributors across different topics.That said, the transformation of a two-modenetwork into a one-mode network loses one importantproperty of the data: the absolute total number of poststhat a user contributed. For example, suppose users iand j contributed one post to the same thread A. Theco-posting-based edge weight between user i and jwould be 1 (Eij 1). If user i made three posts acrossthree different topic threads A, B, and C, and user jalso made three posts across the three same threads A,B, and C, the edge weight between i and j would be 3(Eij 3). However, if user i made three posts acrossthreads A, B, and C, while user j also made three postsyet only in thread A, the co-posting-based edge weightbetween i and j will be just 1 (Eij 1) even if user j’stotal number of posts was 3. Furthermore, suppose useri made three posts across threads A, B, and C, whereasuser j made three posts across D, E, and F. In this case,their co-posting-based edge weight will score zero(Eij 0) irrespective of how many contributions eachuser has made.Considering that the one-mode transformationengendered the loss of the total posting information,we created a node attribute that indicates the totalnumber of posts a user contributed across all topicthreads during each period (i.e., routine and marketdefect period). As presented in a later section, we usedboth co-posting-based degree centrality and the totalpost frequency as key performance indicators (KPI).5.3. Content AnalysisConsidering that an essential goal of communitiesof practice is knowledge sharing for problem-solving,we analyzed whether a post contains strategicassessment that helps improve the situation or solveproblems. Organizational uncertainty managementliterature suggests that group members reduceuncertainty in two ways. First, they collectively makesense of the status of the situation (e.g., how likely theconcerned outcome is to occur or how severe theoutcome would be) [33]. The group informationprocessing perspective [34] defines such type ofuncertainty management as “closure,” which refers toreaching a conclusion of how to define the state of thesituation. Second, community members manage theuncertainty by sharing specific resources andknowledge that help identify what actions should betaken to appropriately respond to the situation orproblems [33].Based on the literature, a post was defined ascontaining a strategic assessment if the message had aconclusive statement that definitively diagnosed thesituation or if the user suggested actionable item(s) toresolve or improve the situation or problems. About10% of the posts were analyzed for intercoderreliability, reaching 90.23% agreement and a Cohen’sKappa coefficient of .685, suggesting substantialagreement.6. Results6.1. Network Structure OverviewThe number of posts included for the market defectperiod ( 1,587) was less than the routine period( 1,663). Nonetheless, the co-posting network analysisrevealed that more users and more co-posting edgeswere included in the market defect period than theroutine period. Specifically, 709 users created 24,320co-posting ties during the market defect period,whereas 592 users created 6,296 ties during the routineperiod. The large number of co-posting ties alsoresulted in higher average degree centrality (weighted)during the market defect period ( 36.181) than theroutine period ( 11.196)Conventionally, a network tends to have a lowerdensity as its size grows because density is computedagainst the total number of all possible edges. This wasnot the case in this study, however. Even if there weremore users involved in discussions during the marketdefect period, the co-posting activities were soextensive that the network density ( .048) was alsonoticeably higher than the routine period ( .018).Along with density, other structural characteristicssimilarly suggested that the market defect periodshowed more concentrated and centralized knowledgesharing patterns than the routine period, including ashorter network diameter and shorter average pathlength, and a larger clustering coefficient and largercentralization coefficient. Table 1 compares thenetwork structural characteristics between the routineand market defect period. Also, Figure 3a and 3bvisualize the co-posting network structure configuredin each period.Table 1. Co-posting network analysis results.Network propertiesRoutineMarketDefect# of posts included16631587# of nodes592709Page 2736

# of edges62962432011.19636.18197Graph density.018.048Avg. clustering coefficient.797.826Avg. path length3.4922.771Centralization (degree).236.474Avg. degree (weighted)Network diameter6.1. Key Players IdentificationDegree centrality and total posting frequency wereused as KPIs to identify “key players” in each timeperiod. Specifically, we first selected the top 10% ofusers based on the degree centrality during the routineand market defect period, respectively. Then weselected another top 10% of users based on the postingfrequency during each time period. Some users hadboth high degree centrality and posting frequency andthus were selected repeatedly. As a result of using bothKPIs, we identified a total of 174 key players. Eighteen(10%) of these key players appeared in both routineand market defect periods, 64 (37%) were associatedonly with the routine period, and 92 (53%) uniquelyemerged during the market defect period. In otherwords, those who emerged as active participants duringthe market defect period were different users fromthose active during the routine period.Figure 3a. Co-posting network during themarket defect period. Some peripheral nodeswere removed from the visualization. Nodesare colored based on degree centrality, withred ( 150), blue (100-149), green (50-99), andyellow ( 50).6.2. KnowledgeAssessmentSharingforStrategicThe content analysis resulted in 356 posts thatcontained strategic assessment during the routineperiod (21.4% out of 1663 posts) and 369 posts duringthe market defect period (23.25% out of 1587 posts).Although key players constituted only a small fractionof users engaged in each period, they were incrediblyactive in sharing strategic knowledge in both periods,accounting for 55% (post N 198) of the total strategicknowledge sharing during the routine period and 57%(post N 210) during the market defect. The rest ofstrategic knowledge sharing was contributed by nonkey players (Table 2 and Figure 4).Table 2. Strategic assessment posts made bykey players (KP) and non-key players.RoutineFigure 3a. Co-posting network during theroutine period. Nodes are colored based ondegree centrality, with red ( 150), blue (100149), green (50-99), and yellow ( 50).Market DefectUser NPost NUser NPost NAll-time KP1844(12%)1849(13%)Periodspecific KP64154(43%)92161(44%)Non 0%)Page 2737

The distribution of strategic knowledge sharingacross the three user types—all-time key players,period-specific key players, and non-key players —were similar between the two time periods. In otherwords, the proportion of contributions from each groupwas consistent between the routine and market defectperiod.However, when the actual messages were reviewed,the nature of shared knowledge was distinctivebetween the two time periods. Specifically, during theroutine period, the strategic knowledge sharing wascentered around (a) how to use AlphaBay securely,e.g., “if you are using ab without a vpn then your ispalready knows what you’re doing. If you have a vpnthen net neutrality elimination shouldn’t be asignificant problem”1; (b) information related toshipping and transactions, e.g., “paper is a hard thingto find among thousands of other packs of paper.” 2;and (c) vendor information, e.g., “if you don’t mindinternational then gammagoblin with over 250 spentgets tracked so you have that safety.”Meanwhile, during the market defect period, theattempt for closure was made by co

Arizona State University khkwon@asu.edu Weiwen Yu Arizona State University weiwenyu@asu.edu Steve Kilar Arizona State University skilar@asu.edu Chun Shao . Private Network (VPN), and cryptocurrency enhanced the security of transactions, contributing to the expansion of the illicit digital economy. As of April