Full Report
The Iran-based administrator behind a darknet marketplace was sanctioned by the Treasury Department on Tuesday, one year after the platform was taken down in a law enforcement operation.
Analysis Summary
# Threat Actor: Behrouz Parsarad (Nemesis Administrator)
## Attribution & Identity
The primary threat actor is Iranian national **Behrouz Parsarad**, identified as the sole administrator of the darknet marketplace **Nemesis**. He is sanctioned by the U.S. Treasury Department.
## Activity Summary
Parsarad operated the Nemesis darknet marketplace from its founding in 2021 until its takedown in March 2024, in raids conducted by German police in cooperation with U.S. and Lithuanian agencies. The platform facilitated the sale of drugs (including fentanyl and synthetic opioids), compromised data, fake documents, and cybercrime services. It reportedly facilitated nearly $30 million worth of drug sales between 2021 and 2024 and had over 150,000 users. Parsarad earned profits from transaction fees and from laundering cryptocurrency for vendors. Since the takedown, Parsarad has reportedly been trying to establish a new darknet marketplace.
## Tactics, Techniques & Procedures
- Administration and operation of a large-scale darknet marketplace hosting illicit sales.
- Cryptocurrency management and laundering services for transaction proceeds.
- Charging transactional fees to generate revenue.
- (Implied) Facilitating the organization and sale of cybercrime services (ransomware, phishing, DDoS).
## Targeting
- Sectors: Not specified, but involved in transnational criminal enterprises focusing on narcotics, fraud, and cybercrime services.
- Geography: The platform served a global user base. Approximately 20% of the estimated 1,100 sellers were believed to be based in Germany. The administrator is based in Iran.
- Victims: Global drug buyers/traffickers, and organizations targeted by services sold on the platform (e.g., ransomware victims).
## Tools & Infrastructure
- **Malware families used:** Services offered implicitly included ransomware, phishing, and DDoS capabilities, though specific malware families utilized by Parsarad himself are not detailed.
- **Infrastructure (C2, domains, IPs):** Infrastructure used to run Nemesis was seized in coordinated law enforcement raids in March 2024. The Treasury Department identified 49 blockchain addresses linked to him and used for fund storage and laundering.
## Implications
Parsarad represents a continued threat as a major facilitator of illicit trade, particularly the distribution of severely harmful narcotics like fentanyl. His attempt to re-establish a marketplace suggests a high level of operational resilience typical of sophisticated darknet administrators, requiring ongoing monitoring by law enforcement and financial intelligence specialists. The action indicates increased cooperation between financial enforcement (OFAC) and traditional law enforcement (the FBI-led JCODE team) against dark web facilitators.
## Mitigations
- Continuous financial monitoring of associated cryptocurrency pathways and the identified 49 blockchain addresses.
- Vigilance regarding the emergence of successor darknet marketplaces associated with former Nemesis vendors.
- Law enforcement monitoring for new platform launches attributed to Behrouz Parsarad.