Nemesis Market: The Cybercrime-as-a-Service Bazaar

Ransomware and phishing kits alongside drugs — seized March 2024.

Nemesis Market is the case that breaks the "just drugs" picture of the dark web, because alongside narcotics it sold attacks. Ransomware, phishing kits, and stolen data sat in the same catalogue as fentanyl and cocaine, which made Nemesis less a drug bazaar than supply-chain infrastructure for crime that reaches ordinary businesses. Seized in March 2024 and traced back to a single Iranian administrator who was sanctioned and indicted a year later, its story runs longer than the takedown itself. If you are searching for a Nemesis link, the market is gone, and what replaced the search results is mostly bait.

What did Nemesis Market sell?

Hands typing on a laptop overlaid with lines of programming code, suggesting cybercrime services for sale — Ransomware, phishing kits, and malware traded beside the drugs — crime as a service.

Founded in March 2021, Nemesis grew into a hybrid marketplace that complicates the usual story of the dark web. On one side it ran a conventional drug catalogue, more than 400,000 orders between 2021 and 2024, including over 55,000 for stimulants like methamphetamine and cocaine and more than 17,000 for opioids, fentanyl and heroin among them. OFAC estimates it moved nearly $30 million in drugs over its lifetime.

On the other side, and this is what set Nemesis apart, it brokered cybercrime-as-a-service: ransomware, phishing kits, DDoS-for-hire, stolen financial data, forged identity documents, counterfeit currency, and malware. The platform was even built with money-laundering features baked in, and it settled primarily in Bitcoin and Monero. A market that sells both the drugs on a street and the ransomware that locks a hospital is not a niche bazaar; it is a node in a far wider criminal economy, which is precisely why it drew the enforcement attention it did.

How Nemesis Market was seized in 2024

Police and DOJ officers standing beside a laptop showing the Nemesis Market homepage, with a handcuffed figure in the foreground — The end of an 18-month investigation: servers seized 20 March 2024.

The takedown came on 20 March 2024, the culmination of a roughly 18-month investigation led by Germany's Federal Criminal Police Office (BKA) and the Frankfurt cybercrime prosecutor (ZIT), working with US and Lithuanian authorities. In coordinated raids the agencies seized the market's server infrastructure and confiscated around €94,000 (about $102,000) in cryptocurrency. The dollar figure was modest next to a giant like Hydra, but the disruption to a cybercrime supplier mattered well beyond the sum recovered.

The lineup of agencies tells you how these cases work now. A German-led core, BKA and ZIT, paired with international partners is the same coordinated structure that closed Kingdom Market months earlier and would later end Archetyp. An operator no longer faces one national police force; they face a standing coalition that shares servers, intelligence, and blockchain analysis across borders.

The seizure banner and the lag behind it

The bilingual BKA seizure banner reading 'THIS PLATFORM HAS BEEN SEIZED' and 'DIESE PLATTFORM WURDE BESCHLAGNAHMT', with logos of the BKA, ZIT, DOJ, FBI, IRS-CI and others — The BKA splash that replaced Nemesis — the one unambiguous signal a market has fallen.

When the raid landed, the bilingual BKA banner above replaced the Nemesis homepage: "This platform has been seized," in English and German, stamped with the seals of the BKA, ZIT, the US DOJ, FBI, and IRS-CI. That banner is the one thing in this whole archive that removes ambiguity, it is the visible confirmation that a market fell to police rather than to its own operators.

The catch is timing. A seizure banner is the end of a process, not the start, and it can appear days or even months after a market actually goes dark, which is why a silent outage tells a user almost nothing in real time. Archetyp went offline two days before its banner; Abacus vanished with no banner at all. Until a signed message or an official banner resolves it, an unreachable market is genuinely unknowable, which is the entire argument for verifying an address yourself rather than reading meaning into downtime.

The manhunt that outlived the market

Most case studies end at the seizure. Nemesis is unusual because the most revealing chapter came afterward. For a year the man behind it stayed a question mark, until in 2025 US authorities named him: Behrouz Parsarad, an Iranian national based in Tehran, the market's founder and sole administrator, who had held full control of its wallets and skimmed a fee from every transaction.

In March 2025 the Treasury's OFAC sanctioned Parsarad, the first action OFAC took as part of the FBI-led JCODE darknet-enforcement team, and published 49 cryptocurrency addresses tied to him, 44 Bitcoin and 5 Monero. A US indictment followed, charging him with conspiracy to traffic drugs and to launder money. And here is the detail that makes Nemesis worth studying: even after the seizure, Parsarad was reported to be discussing a replacement market with former Nemesis vendors. The sanctions were aimed as much at strangling that comeback as at punishing the past.

Two lessons fall out of this tail. First, a server seizure is not the finish line; the financial trail and the person behind it can be pursued for years, and being in Iran put Parsarad beyond easy extradition but not beyond sanctions that freeze his ability to cash out. Second, a dead market's operator may try to rebuild under a new name, which is exactly why the next section's warning matters.

Is there a Nemesis Market link?

No. Nemesis was seized on 20 March 2024, its servers taken and its homepage replaced by a police banner, and it has not returned. There is no genuine Nemesis address, and there will not be one. Any "Nemesis Market link," "Nemesis URL," or mirror you find today is a phishing clone built on the name to harvest logins and coins.

Nemesis carries a sharper-than-usual version of this warning. Because its own founder was reported to be courting former vendors for a successor market, a site claiming to be "Nemesis reborn" is not just generic bait, it is exactly the kind of relaunch the sanctions were designed to stop, and you have no way to know who now holds the keys. Treat every Nemesis address as hostile, enter nothing, and verify a live market yourself with a PGP-signed canary instead of trusting a familiar name.

Nemesis Market alternatives in 2026

Since Nemesis is gone, the practical question is where to trade with the least exposure now. The markets actually operating are tracked in tordark's verified darknet market directory, where general-purpose options like Nexus and TorZon cover broad catalogues. None should be trusted on reputation, the property that means nothing once a market is seized or rebuilt under new control.

Nemesis also sharpens the payment lesson. Its 49 sanctioned addresses, 44 of them Bitcoin, show how readable the chain is to investigators years after the fact, which is why the surviving privacy-minded markets settle in Monero; DrugHub and DarkMatter are reported to refuse Bitcoin outright. Whatever you weigh, confirm the current address against a signed canary, and keep nothing in escrow beyond an open trade.

Common questions about Nemesis Market

Is there a working Nemesis Market link?

No. Nemesis Market was seized by German, US, and Lithuanian authorities on 20 March 2024, and a BKA banner replaced its homepage. There is no genuine Nemesis address anymore, so any "Nemesis Market link," mirror, or onion URL today is a phishing clone trading on the name. Do not enter credentials or send funds to it; verify a live alternative instead.

What happened to Nemesis Market?

It was dismantled in a coordinated raid on 20 March 2024, the end of a roughly 18-month investigation led by Germany's BKA with US and Lithuanian partners. Servers were seized and around €94,000 in cryptocurrency confiscated. A year later, in 2025, the US named its sole administrator, sanctioned him, and indicted him.

What did Nemesis Market sell?

Both drugs and digital crime. Alongside narcotics, including stimulants, opioids, and fentanyl, Nemesis brokered cybercrime-as-a-service: ransomware, phishing kits, DDoS tools, stolen data, forged documents, counterfeit currency, and malware. That dual catalogue is what set it apart from drug-only markets and widened the harm it caused.

Who ran Nemesis Market?

US authorities identified the sole administrator as Behrouz Parsarad, an Iranian national based in Tehran who founded the market in March 2021 and controlled its wallets. In March 2025 the Treasury's OFAC sanctioned him, listing 49 crypto addresses, and the DOJ indicted him for drug-trafficking and money-laundering conspiracies. Based in Iran, he remains beyond easy reach of US extradition.

How big was Nemesis Market?

At its peak it had more than 150,000 registered users and over 1,100 vendors, roughly a fifth of them in Germany, and processed more than 400,000 orders between 2021 and 2024. OFAC estimates it facilitated nearly $30 million in drug sales over that span.

What can I use instead of Nemesis Market?

Only a market whose current address you can verify against a PGP-signed canary. The markets operating now are tracked in tordark's verified directory. Confirm the signature first, prefer Monero settlement, and treat any "Nemesis reborn" a former vendor points you toward as a likely trap, especially since its own founder was reported to be plotting a replacement.