Nearly seventy thousand healthcare patient records for sale on darknet hacker forum

TheDarkOverlord has resurfaced on Kickass Forum

TheDarkOverlord, one of the threat actors that DarkOwl analysts routinely monitor, apparently resurfaced last week. In a recent series of posts, an entity claiming to be TheDarkOverlord is advertising a database of personal health information as well as user information taken from an unnamed gaming site; both are being offered for sale to willing buyers.

TheDarkOverlord is a hacker - or potentially a collection of personas - who regularly targets the healthcare industry, leaking thousands to millions of patient records.

TheDarkOverlord claims to have hacked “several medical practices”

In the post (pictured below), TheDarkOverlord advertises that they have over 67,000 patient records for sale, stolen from medical and dental practices in California, Missouri, and New York.

The forum listing advertises that these databases include personal and health information including full names, physical addresses, phone numbers, DOBs, driver’s license numbers, SSNs, medical histories, and much more. A specific price point was not provided; rather, the prices are “negotiable.” Interested buyers were instructed to send TheDarkOverlord an encrypted message using the forum’s private messaging system.

TheDarkOverlord also states that they’d be willing to entertain higher offers for data that “no one else will have,” giving the potential transaction a level of exclusivity that will likely attract a certain type of buyer and grab even more public interest.

Screenshot of TheDarkOverlord posting about medical records on Kickass Forum

Screenshot of TheDarkOverlord posting about medical records on Kickass Forum (as displayed in DarkOwl Vision)

Also for sale: a stolen database from a gaming website

On the same day, TheDarkOverlord posted a listing on the same Kickass Forum’s marketplace for 131,000 records from an “unnamed gaming website.” As advertised, these records include users’ email addresses, passwords, DOBs, IP addresses, and much more.

So far, it would appear that TheDarkOverlord is taking serious inquiries only. For example, in the comment section for the post below, someone asked for the name of the gaming website in question, and TheDarkOverlord responded that they would like “proof of funds and intent to purchase” before disclosing any additional information.

Screenshot of TheDarkOverlord posting about gaming user info on Kickass Forum

Screenshot of TheDarkOverlord posting about gaming user info on Kickass Forum (as displayed in DarkOwl Vision)

Both postings on Kickass Forum remain live at time of publication. DarkOwl analysts will continue to track TheDarkOverlord and post updates here.

For more coverage on this particular threat actor, check our previous reporting.


New Princess Ransomware Surfaced Earlier than Reports Suggest

News broke out mid-August that Princess Evolution, a revamped form of the infamous Princess Locker ransomware that was first seen several years ago, is back with a fresh toolkit (see this article for example).

News coverage at the time suggested that the Princess Evolution ransomware had only recently surfaced. However, after further digging into the “newly uncovered” iteration of the ransomware, DarkOwl analysts discovered that Princess Evolution has actually been offered on darknet marketplaces dating as far back as this past April.  

What is the Princess Ransomware? 

Princess Evolution is a form of ransomware that encrypts most files on the infiltrated computer system and holds them hostage until the targeted user pays enough money to regain access to them. During the encryption process, the ransomware changes affected file extensions to a randomly generated string of characters.

Affected users are notified via a ransom note telling them that their files are locked, followed by instructions on where and how to pay the ransom. As of August 8, 2018, users were instructed to pay 0.12 bitcoin (equivalent to US$773 as of that date). The malicious software is currently being advertised on the 0day forum as RaaS (ransomware as a service), and its operators are soliciting associates to help spread the malware to unsuspecting victims.

Screen capture of a DarkOwl Vision result – scraped in April of this year – that depicts the ransomware Princess Evolution being sold on a darknet marketplace.

A similar posting on 0day forum; responses haven’t slowed down since the original post earlier this year.

Interested members are instructed to leave their Jabber ID as a thread comment or to send it in a private message to the 0day account “PR1NCESS.”  Our analysts calculate that there have been over one hundred comments from individuals interested in joining the campaign since the original post scraped by DarkOwl Vision in April.

(Above, Right) Profiles of PR1NCESS on Codex and Kickass forums.

What is 0day?

0day is a popular darknet carding and hacking forum first established in 2015. Users are required to register an account before accessing any content on the forum. Additionally, once registered, user accounts must go through an activation process to receive full access to the forum.

The forum’s main purpose is to act as a marketplace for buyers and sellers of illicit goods, such as stolen credit cards, hacked accounts for legitimate websites, malwares and exploits, as well as other services. Some prolific sellers also advertise their own websites in the message boards.

The below image shows just a sample of the items offered for sale on 0day, as captured in DarkOwl Vision.

Example of items being sold on the 0day forum.

So, what should you do if you find yourself infected with the Princess Evolution ransomware? We recommend that you refer to this article, which has a great step-by-step guide for regaining control of your computer and your files: https://www.pcrisk.com/removal-guides/10531-princess-ransomware. And, as always, organizations should continue to be proactive against ransomware threats by adhering to security best practices and actively educating all of their employees on their internal security plan.


Curious about something you've read on our blog? Want to learn more? Please reach out. We're more than happy to have a conversation.

Not So Anonymous

Critical Vulnerabilities in Darknet Tools Could Expose Its Users

In recent weeks, analysts at DarkOwl have witnessed a number of vulnerability issues in key utilities used for dark web (i.e. deep web and darknet anonymous network) intelligence collection and analysis. Last week, analysts found the official Chrome extension for MEGA.nz’s file sharing service was harvesting sensitive user data; while Tor Project’s latest browser release based on Firefox Quantum, was deployed with default settings that could potentially compromise users’ identities.

On which side is the Tor Project?

The Tor Project is a non-profit organization that prides itself on providing users free software and an open network for securely browsing the Internet. Tor Browser, developed collaboratively with Mozilla, allows users on any operating system (OS) to freely visit clearnet, deep web, and darknet anonymous websites, or sites that might be blocked in countries with Internet censorship. With little to no configuration changes and no detailed understanding of networking protocols required, Tor Browser prevents somebody watching a user’s Internet connection from learning what sites that user visits, and prevents the sites visited from discerning the user’s physical location through location-identifiable information such as IP and/or MAC addresses.

Digital Fingerprints

One historical security feature of Tor Browser has been user agent obfuscation. Every browser sends its user agent (UA) to every website it visits. The UA is a string of text that identifies the browser and the operating system to the web server, or host of the website visited. There are millions of different UA combinations given how they change with both software and hardware. The web server uses this information for a variety of purposes. In the Surface Web, website creators use the UA to help optimally display the website to different browsers for the “best possible browsing experience.” Knowing the UA also assists when a web server hosts both desktop and mobile versions of a site, e.g. serving up content adjusted for the screen size of the device.

Example User Agents

For more example user agents check out this site.

The default Tor Browser user agent has historically combined Mozilla and Windows OS UA elements into the following uniform string: Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0. The revision “rv:52.0” and “/52.0” strings correlate to the version of Tor Browser installed; 52.0 corresponded to Tor Browser 7.0a4. In the recent 5 September release of Tor Browser 8.0/8.5a1, the user’s actual OS is exposed in the UA.

Exposing this information presents risk to Tor users. Darknet web servers could maliciously use this information to identify anonymous users or link users based on speech and UA across multiple forums and chatrooms. While including the user’s OS in the UA does not reveal one’s physical location, in a world where anonymity is irreplaceable, this issue could prove disastrous. 

In order to update or change the UA in Tor Browser, the following steps are required:

  1. Enter about:config in the URL bar and accept the risks

  2. Search for: general.useragent.override, right click on the user agent, and select Reset.

If you want to replace the UA with another unique or custom text string, right click on the user agent and choose “Modify.” The pop-up that displays is editable. Enter whatever string you wish, then click OK.

Figure 1 Tor Browser about:config useragent override popup
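After resetting or editing general.useragent.override, a practitioner will want to confirm what the resulting string actually reveals. The following is an added example (not code from DarkOwl or the Tor Project) that parses a Firefox-style UA of the shape quoted above, reports whether the platform token still matches the uniform Tor Browser value or exposes a real OS, and flags a hand-edited override whose rv: and Firefox/ versions disagree; the sample UA strings other than the page’s own are constructed for the demo.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The uniform platform token Tor Browser 7.x presented for every user (quoted on this page).
TOR_UNIFORM_PLATFORM = "Windows NT 6.1"

# Firefox-style UA layout: Mozilla/5.0 (<platform>; rv:<n>) Gecko/<date> Firefox/<n>
UA_RE = re.compile(
    r"^Mozilla/5\.0 \((?P<platform>[^)]*?); rv:(?P<rv>[\d.]+)\) "
    r"Gecko/\d+ Firefox/(?P<firefox>[\d.]+)$"
)


@dataclass
class UAReport:
    platform: str
    rv: str
    firefox: str

    @property
    def os_exposed(self) -> bool:
        # Any platform token other than the shared one narrows the user down by OS.
        return self.platform != TOR_UNIFORM_PLATFORM

    @property
    def versions_consistent(self) -> bool:
        # rv: and Firefox/ carry the same version in a stock UA; a mismatch points
        # to a hand-edited override, which is itself a distinctive fingerprint.
        return self.rv == self.firefox


def parse_firefox_ua(ua: str) -> Optional[UAReport]:
    """Return a UAReport for a Firefox/Gecko UA, or None if the string is something else."""
    m = UA_RE.match(ua.strip())
    if not m:
        return None
    return UAReport(m.group("platform"), m.group("rv"), m.group("firefox"))


def os_family(platform: str) -> str:
    """Coarse OS family a web server could infer from the platform token."""
    p = platform.lower()
    if "windows" in p:
        return "Windows"
    if "mac os" in p or "macintosh" in p:
        return "macOS"
    if "android" in p:
        return "Android"
    if "linux" in p or "x11" in p:
        return "Linux/Unix"
    return "unknown"


# Constructed sample strings; only the first is the historical value quoted on this page.
SAMPLES = [
    "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0",
    "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Firefox/60.0",
    "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/60.0",  # mismatched override
]

if __name__ == "__main__":
    for ua in SAMPLES:
        r = parse_firefox_ua(ua)
        print(f"{os_family(r.platform):<11} exposed={r.os_exposed!s:<5} "
              f"consistent={r.versions_consistent!s:<5} {ua}")
```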

Tor users who want to delay their upgrade to 8.0/8.5a1, might want to reconsider as Zerodium released yesterday on Twitter details around a NoScript “bug” discovered in all Tor Browser 7.x versions that subjects the user to embedded code on the hidden service regardless of whether or not NoScript was “actively blocking all scripts.” (Source)

Figure 2 Zerodium Tweet posted on 10 September 2018 (Source)

Javascript = Yes? Or No?

Another issue DarkOwl analysts found with the latest Tor Browser release is the default configuration settings for Javascript. Tor users are mixed between browsing with or without Javascript enabled. As Tor becomes more inclusive of media and dynamic content, more and more Tor websites include embedded Javascript code. If Javascript is disabled, then the web sites may appear to be broken, missing content, prevent authentication, and frustrate the most patient of Tor users.  However, the community should also recognize that Javascript is a vulnerable vector that is leveraged by blackhat attackers. In 2014, law enforcement utilized injected Javascript code to infect everyone who visited any Tor server hosted by “Freedom Networking” with malware that exposed their real IP address. (Source)

In Paolo Mioni’s article entitled “Anatomy of a malicious script: how a website can take over your browser,” the author dissected what seemed like an innocuous embedded piece of JavaScript to outline how the elementary script was configured to redirect the user to a specific URL and could be simply adapted to arbitrarily inject other malicious scripts such as keyloggers and cryptominers. (Source)

Coinhive, tagged as one of the largest threats to web users in the spring of 2018, is an online service that provides cryptocurrency-mining code that can be installed on websites via embedded JavaScript. The JavaScript miner runs in the browsers of the website’s visitors and mines coins on the Monero blockchain. Unfortunately, the Coinhive code has been exploited by hackers as malware to hijack end users’ personal data and processor resources. This summer, independent security researcher Scott Helme identified more than 4,000 websites, including many belonging to the UK government, infected with Coinhive malware.

Figure 3 Darknet Forum where Coinhive Exploit use is Discussed (633c61aaa0289fa0572b15b163f11b04)

Not MEGA.nz too…

MEGA.nz is a controversial but free cloud storage service, similar to Dropbox, that is a popular resource for blackhat and whitehat hackers. Over the last few years, data from many of the major commercial data breaches has been reliably posted to the MEGA.nz storage site and links shared across darknet forums. Despite previous concerns regarding the security of using the website, it proved a fruitful resource for personally identifiable information (PII) and credential data collection. Last week, DarkOwl analysts discovered that a compromised version of the official Google Chrome extension for MEGA.nz, version 3.39.4, was published with malicious code to harvest user credentials and private keys for cryptocurrency accounts. ZDNet broke the news of the hacked extension, indicating that for the four hours after it was uploaded to Google’s Chrome Web Store, the extension sent users’ stolen data to a server located at megaopac[.]host, hosted in Ukraine. (Source)

Unsurprisingly, MEGA.nz has expressed significant dissatisfaction with Google over this security breach blaming Google’s recent policy to disallow publisher signatures on Chrome extensions. An updated version of the extension, v3.39.5 is now available on the Chrome Web Store.

While the Firefox version of the MEGA plugin was not compromised, Mozilla recently removed 23 Firefox add-ons that illegally tracked users’ browser data. In August, Mozilla released a list of compromised add-ons which included one called “Web Security,” a security-centric Firefox extension with over 220,000 users, that was caught sending users’ browsing histories to a server located in Germany.

DarkOwl Vision recently archived a May 2018 post from a Junior Member on a popular darknet forum offering custom Chrome malware. The self-promoted malware developer advertised a trojanized YouTube Video Downloader in their post, but emphasized their ability to develop custom malware, supporting the possibility that even more compromised Chrome extensions like MEGA.nz’s could be published in the future.

Figure 4 Darknet Forum Post about Custom Chrome Extension Malware (c726797ae6dcd1ac889aff630d2855eb)

Anonymity Impossible

The unfortunate and harsh reality in the world of the deep web and darknet anonymous networks is that anyone on these networks, whether they be privacy-conscious individuals, journalists, or whitehat or blackhat hackers, must remain vigilant and hyper-aware that the tools and resources that advertise anonymity and security may be secretly exposing critical information about their users. Virtual Private Networks (VPNs) and virtual machines, along with persistent endpoint protection, may be the new norm for individuals who navigate potentially dangerous networks and sites; whereas DarkOwl Vision provides secure access to over 650 million darknet and deep web pages to those who want to avoid the risk altogether.

IRC Protocol: Instant Messenger of the Darknet

Before the age of social media, messaging-specific applications, and even SMS text on your mobile phone, computer and networking enthusiasts communicated via an open internet protocol known as IRC, or Internet Relay Chat. This text-based “instant messaging” application first surfaced in 1988, written by a Finnish software developer using the alias “WiZ,” who in real life is Jarkko Oikarinen. IRC was codified in 1993 as RFC 1459, an open networking protocol that does not belong to any specific person or group. This means that IRC is not going away anytime soon and will continue to outlive social media instant messaging chat applications.

“If it is not logic, it’s magic.
If it is not magic, it is female logic.”
— Jarkko Oikarinen

Everything you need to know about IRC

IRC follows a standard server/client networking model consisting of a collection of servers hosting multiple channels where multiple users can connect via a standalone chat application or web interface client. There are a number of Windows, Mac, and Linux based IRC clients available to dive into the hidden social network of IRC; however, because most clients are supported by academic or recreational open source software developers, continued support and up-to-date IRC client applications can be challenging if not impossible to find. Another downside to IRC is that all IRC servers send and receive messages via plaintext, making IRC one of the most insecure protocols used on the internet. For this reason, many IRC servers recommend users use a Virtual Private Network (VPN) in addition to a Tor proxy to guarantee anonymity prior to connecting to certain channels or discussing sensitive subjects. Some servers also provide additional support with IP/host cloaking to protect users’ IP addresses from disclosure to the rest of the users connected.

The people behind an IRC server are as diverse as the topics available for discussion. Individuals and groups of individuals across the world host IRC servers, creating a decentralized network of endless chat possibilities. The “channels” available to connect to on an IRC server are akin to “rooms” within a building where people gather to discuss the channel’s subject of interest or topic. Some IRC servers will have hundreds of channels to choose from, such as Freenode, which publicly lists over 52,000 unique channels across their servers. The exact number of live IRC servers is unknown. Even so, irc.netsplit.de lists over 500 publicly advertised IRC servers, but there are many Tor-based IRC servers not advertised.

Specific channels on an IRC server are preceded by a hashtag “#” and vary across a broad set of discussion topics. As one would expect, many of the topics are specific to computing such as #linux, #python, or #networking, but others range from sports to special interests or even religious beliefs. IRC can be an excellent resource for troubleshooting software or asking technical questions, as many program developers, like those contributing to Linux distributions or mobile applications (e.g. #iPhonedev), are active on IRC and eager to answer questions and help beginners. On the other hand, some IRC conversations are extremely general and an overly complicated form of social interaction for those who choose to connect virtually with others instead of in person.

Once a user successfully connects to a given IRC server, the command /join #<channel name> allows the user to enter the room of their choice, unless the room is set to private requiring an invitation and a password or the room has been locked by a moderator who wants to ban abusive users from entering the channel. In some special instances, the user might strongly believe they deserve access to a locked or private channel and have been unfairly denied access. If that is the case, the user can type /knock <message>, where message is the user’s custom message sent only to the channel admins. Similar to real life, if one knocks insistently on the door, it might not get one access but instead annoy the admins and get the user banned from the server entirely.

Most IRC users avoid using their real names on the servers and instead connect using a “nickname” or alias for the chat. Frequent visitors to IRC channels register their “nick” with nickserv to prevent other users from using their name. Using the command /nickserv register password e-mail in the main server window (not the unique channel) associates the email to the user and prevents the user’s nickname from being used by any other guests on the server. Users concerned with anonymity or connecting from the darknet would register a nick with an anonymous email address such as secMail or TorBox and not a Clearnet (e.g. gMail or Yahoo) address that is associated with their personal identity or could be used in any way to identify them.

Popular uses of IRC Channels

Over recent years of darknet intelligence collection and interacting in the grey world of computer security, our analysts have found widespread use of IRC-based coordination, collaboration and communication across darknet and deepweb regulars on everything from hacking to carding. Anonops and other cyber offensive collectives offer Tor-hosted IRC servers and channels covering topics such as #hackers, #hardchats, #tor, #ddos, and numerous “#op”-prefixed channels for specific operations targeting everything from the NSA to Russia.

User submitted posts on Verified Carder, a popular Deep Web carding forum, explain how IRC can be used to verify stolen or hacked credit card numbers and the benefit of connecting with “cashiers” who can help make money from the stolen credit card.

Figure 1 Discussion on Finding "Cashiers" on IRC on a Popular Carding Forum

For this reason, DarkOwl has active autonomous data collection across hundreds of IRC servers/channels, and queries filtered to IRC-captured conversation are available using the search pod “Protocol->IRC.” DarkOwl Vision has successfully collected numerous conversations where stolen credit card information is offered for sale or for verification.

Figure 2 Vision Capture from DarkIRC Carding Verification on 11 May 2018

Once connected to an IRC server, conversations in the channels are known for their brightly colored text; however, the text color can sometimes be altered in the chat client user preferences, depending on the chat client application of choice. A few sample screenshots from various chat clients are listed below.

Figure 3 Quassel Application Sample IRC

Figure 4 HexChat Sample Chat

Figure 5 Weechat Sample Chat

Many IRC servers also offer web-based chat clients, which is useful for users with the desire and the bandwidth to run IRC within Tor Browser. In order to run web-based IRC over Tor, JavaScript must be enabled.

Figure 6 AnonOps WebChat Login

Figure 7 AnonOps Web Interface Sample Collection

When viewing IRC conversations in DarkOwl Vision, the exact text is extracted without the color or emphasized font faces. In the result from a recent IRC protocol search in DarkOwl Vision, the date and time stamp of each message is displayed along with the nickname of the user in capital letters, preceded and followed by “--”, and the message the user submitted to the channel. If the conversation included any hyperlinks (Clearnet or Darknet), the engine captures this information as well.

As with any result in DarkOwl Vision, the Metadata Details are included and any data containing personally identifiable information such as email addresses, social security numbers or credit cards is tagged appropriately.
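To make the collection pipeline described above concrete, here is an added example (not DarkOwl Vision’s code) that parses raw RFC 1459 lines from a plaintext IRC capture, keeps only channel messages, renders them in the time stamp / --NICK-- / text shape described on this page, classifies hyperlinks as clearnet or darknet by their .onion host, and tags messages that contain an email address, an SSN-shaped number, or a Luhn-valid card number. The capture, nicks, hosts and numbers are all constructed for the demo, and the exact Vision output layout is an assumption based on the description above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample capture (not real collection): the collector records the time it
# saw each line plus the raw plaintext line exactly as the IRC server relayed it.
SAMPLE_CAPTURE: List[Tuple[str, str]] = [
    ("2018-05-24 13:02:11", ":mallory!m@cloak.example PRIVMSG #cards :anyone verify 4111111111111111 exp 09/21"),
    ("2018-05-24 13:02:40", ":cashier!c@cloak.example PRIVMSG #cards :hit me on mail cash0ut@example.net"),
    ("2018-05-24 13:03:05", ":bob!b@cloak.example PRIVMSG #cards :guide at http://abcdefghijklmnop.onion/verify"),
    ("2018-05-24 13:03:30", ":bob!b@cloak.example JOIN #python"),
    ("2018-05-24 13:04:00", "PING :irc.example.net"),
    ("2018-05-24 13:04:10", ":alice!a@cloak.example PRIVMSG #cards :ssn 123-45-6789 and bogus 1234567890123456"),
]


@dataclass
class IrcMessage:
    nick: Optional[str]      # sender nick taken from the ":nick!user@host" prefix, if present
    command: str             # PRIVMSG, JOIN, PING, ...
    params: List[str]        # middle parameters (for PRIVMSG, the target channel)
    trailing: Optional[str]  # text after " :" (the chat line itself for PRIVMSG)


def parse_irc_line(raw: str) -> IrcMessage:
    """Split one RFC 1459 message: [:prefix] <command> <params> [:trailing]."""
    prefix, rest = None, raw.rstrip("\r\n")
    if rest.startswith(":"):
        prefix, _, rest = rest[1:].partition(" ")
    trailing = None
    if " :" in rest:
        rest, _, trailing = rest.partition(" :")
    command, *params = rest.split()
    nick = prefix.split("!", 1)[0] if prefix else None
    return IrcMessage(nick, command, params, trailing)


EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d{13,19}\b")
URL_RE = re.compile(r"https?://\S+")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; drops digit runs that cannot be a real card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def tag_pii(text: str) -> List[str]:
    """Return sorted PII tags found in a message."""
    tags = set()
    if EMAIL_RE.search(text):
        tags.add("email")
    if SSN_RE.search(text):
        tags.add("ssn")
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        tags.add("credit_card")
    return sorted(tags)


def classify_links(text: str) -> Dict[str, str]:
    """Map each hyperlink to 'darknet' (.onion host) or 'clearnet'."""
    out: Dict[str, str] = {}
    for m in URL_RE.finditer(text):
        host = m.group().split("//", 1)[1].split("/", 1)[0].lower()
        out[m.group()] = "darknet" if host.endswith(".onion") else "clearnet"
    return out


@dataclass
class Record:
    timestamp: str
    nick: str
    channel: str
    text: str
    tags: List[str] = field(default_factory=list)
    links: Dict[str, str] = field(default_factory=dict)

    def render(self) -> str:
        # Time stamp, nick in capitals wrapped in "--", then the message text.
        return f"{self.timestamp} --{self.nick.upper()}-- {self.text}"


def collect(capture: List[Tuple[str, str]]) -> List[Record]:
    """Keep channel messages only; protocol chatter such as JOIN and PING is dropped."""
    records: List[Record] = []
    for ts, raw in capture:
        msg = parse_irc_line(raw)
        if msg.command != "PRIVMSG" or not msg.nick or not msg.trailing:
            continue
        records.append(Record(ts, msg.nick, msg.params[0], msg.trailing,
                              tag_pii(msg.trailing), classify_links(msg.trailing)))
    return records


if __name__ == "__main__":
    for rec in collect(SAMPLE_CAPTURE):
        print(rec.render(), "| tags:", rec.tags, "| links:", rec.links)
```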

Figure 8 Vision IRC Collection from 24 May 2018


Will the Empire Strike Back? A Look at the Emergence of New Darknet Markets

Since the fall of AlphaBay and Hansa last July, purchasing goods and services on the darknet has come with great trepidation. A large international law enforcement operation seized servers in multiple countries, de-anonymized vendors and market owners, while simultaneously shattering the confidence of many loyal darknet marketplace consumers and sending a ripple of uncertainty across darknet forums and chatrooms throughout the second half of 2017.

Despite this, darknet vendors still needed to connect with their buyers, and Dream Market, a darknet marketplace since 2014 that one redditor calls the “murica of the DNMs,” quickly rose as the go-to market for drugs and digital services. However, a string of forum and reddit posts pointed to a number of inconsistent vendor PGP signatures and a concerted DDoS attack, triggering Dream Market to register almost 200 mirrors since last August. This caused many to doubt the sustainability of Dream Market and whether or not transacting on the darknet was safe and viable anymore.

Many seasoned vendors, such as OxyMonster, have been arrested or disappeared into the shadows, while others have used the times of uncertainty to set up standalone vendor shops apart from the consolidated marketplaces. Pushing Taboo is a well-known hidden service run by GammaGoblin Universe, supplying psychedelics and psychoactives such as LSD, MDMA, and tryptamines to the darknet since Silk Road v1.

Figure 1 Source Pushing Taboo on Tor

“If you came here, you must know what these places have in common. Centralized markets sooner or later become seized, hacked or their admins perform exit scams. In both situations neither vendors nor users can get their funds back .…. We’ve decided to allow our dear customers to bypass one of these points of failure and let you to make purchases directly with us via our own hidden service.”
— Extracted from the Page Titled "About Us", Authored by GammaGoblin Universe

There are hundreds of vendors like GammaGoblin offering personalized vendor shops outside of centralized marketplaces. With numerous Tor and i2p users coming online every day, naïve to the significance of the historical market takedowns, new darknet users and consumers still seek a centralized marketplace on the scale of Hansa or AlphaBay to stand up and provide the cooperation and counsel they crave.

Since last November, we have witnessed a surge in new centralized markets across the world. The invite-only / referral market Liberitas has a simple, clean design with a deep green background and a small selection of drugs and digital offerings for worldwide shipping. It is the first Monero-only marketplace, and it offers a reputation history for vendors across other markets to aid purchasers deciding on their personal vendor. Its market announcement on Reddit alludes to a “special server setup,” ironically mentioning not relying solely on technology to protect the security and anonymity of the market.

Figure 2 Source Liberitas Market

“Special server setup (We have gone to great lengths to ensure the anonymity of our server from the technical angle: Our server’s IP address is very far removed by many many degrees of separation, achieved through the use of specialized hardware configuration, virtualized networks, VPNs, customized TOR squid proxies and other secret techniques - as well as the nontechnical angle: we do not rely solely on technology).”
— Reddit Post

A couple of weeks ago, a new marketplace called Rapture appeared with the same look and feel to the former market TradeRoute. The market currently has a referral system and affiliate program to encourage new vendors to offer their goods at this market. At the time of writing the market had over 500 drug-related listings and just over 400 digital goods. The market accepts both Bitcoin and Monero and supports a personal messaging system for private conversations between users of the market, vendors, and administrators.

Figure 3 Source Rapture Market Place

Unfortunately, without purchasing goods on these markets one cannot be completely certain the market is not a scam. UnderMarket appeared in the spring of 2017 and on the surface looks and feels like a legit marketplace with a solid set of vendors (60) and listings (439). UnderMarket appears to cater to the carding community with over a dozen vendors and separate categories just for PayPal and commercial gift cards. Unlike other markets that feature their listings based on category, this market presents the listings by vendors and, like Rapture, offers an internal private communication platform to coordinate orders and ask questions of the vendors. The market also has a separate hidden service dedicated to communicating the market’s status with a vendor listing, providing customers a comprehensive location to read and assess reviews of the vendors that trade at Under Market.

Figure 4 Source Under Market Landing Page

Despite how legitimate UnderMarket appears, darknet forums and many reddit users have unleashed an uproar for months against the market claiming it is a complete scam with fake vendors and users. Many users have placed orders and received bogus tracking numbers and order confirmations from the admin that are never resolved.

Figure 5 Hidden Answers Darknet Forum on Under Market

Since December, various “new markets” have had similar streamlined registration and authenticated logins, all ending with the user submitting registration information and not being able to access the main market site. Despite multiple registrations, our analysts were unable to successfully connect with Berlusconi Market, Train Road, Nucleus, and OpMarket. Either the hidden service is no longer accessible, the captcha fails, or JavaScript would be required. Perhaps these markets are plagued with vulnerabilities and security issues like Bermuda Marketplace, which an OnionLand user, zbricktop, posted that he successfully hacked back in November 2017. The market supposedly ran on Windows 10 with overly simplified username-password combinations such as u: testvendor and pass: testvendortestvendor.

Figure 6 Post in the Market Discussion Category of Onion Land on Tor

Other markets, Wall Street and T•chka (rebranded as Point Marketplace), have had mixed reviews despite their longevity on the darknet. After the DDoS that struck many of the markets in the fall, many users have reported bitcoin withdrawal issues and a lack of support from the market admins. Some forum posts have suggested the withdrawal issues are due to the falling price of bitcoin at the new year, while others speculate about possible law enforcement compromise. Wall Street Market was removed from the DNM SuperList on Reddit for having a Clearnet mirror, a lack of understanding of the darknet, and attempted “shilling” over a dozen times with multiple accounts. On T•chka / Point, many vendors have also reported that they are struggling to get enough customers to justify the trouble of being on the marketplace in the first place, insinuating that darkweb market paranoia may be hindering the formation and confidence of new vendor-buyer relationships.

The legacy of the AlphaBay and Hansa marketplaces recently had the darknet community momentarily excited over the prospect that Hansa was returning, with the administrators seeking donations to cover the cost of rebuilding the servers and interface. The Hansa Rebuild hidden service, with its bitcoin address for donations, was only available for a few weeks and at the time of writing is offline. This site, like many others, is likely a scam preying on the hopes of the former Hansa community. The post read as though the former Hansa admins were speaking, but we know from reports last summer that the two market operators from North Rhine-Westphalia, Germany, were arrested before the site was converted into a law-enforcement-run honeypot, so whoever was posting under that banner was not who they claimed to be.

 Figure 7 Source http://oidtdhh4mtvsprh6[.]onion (Screen Taken 20 December 2017 offline as of 6 March 2018)


The memory of Canadian Alexandre Cazes, the 27-year-old administrator of AlphaBay who allegedly took his own life while detained in Thai police custody, lives on in the brand-new Empire Market, whose founders have created a nearly identical replica of the centralized marketplace with the same color scheme and layout as the original AlphaBay. The landing page of the hidden service has a footer with the server time on the right, a copyright tag in the center, and the line “In Memory of Alexandre Cazes” on the left-hand side.

Empire Market’s straightforward registration requires a username, password, PIN and, exactly as AlphaBay’s did, a personal phrase that is displayed on the main marketplace page so the user can confirm they are on the legitimate centralized marketplace and not a phishing clone. (The phrase only defeats static clones; a phishing proxy that relays the login to the real site in real time will display the genuine phrase, so the onion address itself still has to be verified.) Like its AlphaBay predecessor, the market offers two-factor authentication (2FA), trust levels, an advanced notification system, a support system, and an EXIF data remover for product images. The market accepts Bitcoin, Litecoin and Monero.

Several vendors are already trading on the marketplace, with over 1,500 active listings, despite the market only having come online in late January 2018. It is unclear whether the administrators of Empire Market were affiliated with AlphaBay; notably, the market’s forum administrator goes by the name “Sydney.”

 Figure 8 Source Empire Market


Figure 9 Archived AlphaBay Market Main Page with Featured Listings (offline)

This market also allegedly had security loopholes that reddit-posting hackers caught within weeks of its launch. The redditor penthat claimed to have accessed the market’s backend database and uploaded leaked configuration files. He posted a list of current users, stated that there was no Cross-Site Request Forgery (CSRF) protection on the forms related to fund withdrawals, and claimed to have read all private communications between users. Interestingly, many of the usernames he posted had also been on AlphaBay, including the moderators and the admin usernames alpha02 and DeSnake. The moderator, EmpireMarket, challenged the author of the post, claiming he had not actually breached the server but had merely harvested the usernames by incrementing a numeric identifier in cleartext URLs on the market, which is sequential-ID enumeration rather than a database compromise, though it still leaks the user list. They also stated that every withdrawal form carries a token for CSRF protection, contradicting the author’s claim. In a later comment the moderator added that they had patched the username enumeration via URLs. There was no further comment from the self-described hacker, penthat.
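The CSRF dispute above is worth seeing concretely. The following Go program is an added example, not Empire Market’s code and not anything penthat posted: it contrasts a withdrawal handler that trusts the session cookie alone (the flaw he alleged) with one that uses the per-session synchronizer token the moderator described. The in-memory session store, the cookie name, the form fields and the address value are all assumptions for the example, and the browser is simulated with the standard library’s httptest so it runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// sessionStore is an assumed in-memory session table (session id -> CSRF token).
// A real store needs locking; this demo runs single-threaded.
type sessionStore struct{ tokens map[string]string }

func newStore() *sessionStore { return &sessionStore{tokens: map[string]string{}} }

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// NewSession logs a user in: a random session id plus a random token bound to it.
// The token is rendered into the withdrawal form as a hidden field; a page on
// another origin cannot read it, so it cannot forge a valid submission.
func (s *sessionStore) NewSession() (sid, token string) {
	sid, token = randomHex(16), randomHex(32)
	s.tokens[sid] = token
	return sid, token
}

// sessionToken returns the CSRF token bound to the request's session cookie.
func (s *sessionStore) sessionToken(r *http.Request) (string, bool) {
	c, err := r.Cookie("sid")
	if err != nil {
		return "", false
	}
	t, ok := s.tokens[c.Value]
	return t, ok
}

// Unprotected is the pattern penthat alleged: any POST carrying a valid session
// cookie moves funds. Browsers attach that cookie automatically, so a hidden,
// auto-submitting form on an attacker's page is accepted like the real one.
func (s *sessionStore) Unprotected() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, ok := s.sessionToken(r); !ok {
			http.Error(w, "no session", http.StatusUnauthorized)
			return
		}
		fmt.Fprintln(w, "withdrawal queued")
	})
}

// Protected adds the synchronizer-token check: the posted token must equal the
// one bound to THIS session, compared in constant time.
func (s *sessionStore) Protected() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		expected, ok := s.sessionToken(r)
		if !ok {
			http.Error(w, "no session", http.StatusUnauthorized)
			return
		}
		got := r.PostFormValue("csrf_token")
		if subtle.ConstantTimeCompare([]byte(got), []byte(expected)) != 1 {
			http.Error(w, "invalid csrf token", http.StatusForbidden)
			return
		}
		fmt.Fprintln(w, "withdrawal queued")
	})
}

// SubmitWithdrawal plays the browser: the session cookie always rides along, the
// token only if the page that built the form knew it (empty = attacker's page).
func SubmitWithdrawal(h http.Handler, sid, token string) int {
	form := url.Values{"amount": {"0.5"}, "address": {"bc1qconstructedexample"}} // constructed values
	if token != "" {
		form.Set("csrf_token", token)
	}
	req := httptest.NewRequest(http.MethodPost, "/withdraw", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.AddCookie(&http.Cookie{Name: "sid", Value: sid})
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	st := newStore()
	sid, token := st.NewSession()
	fmt.Println("forged POST, unprotected:", SubmitWithdrawal(st.Unprotected(), sid, ""))
	fmt.Println("forged POST, protected:", SubmitWithdrawal(st.Protected(), sid, ""))
	fmt.Println("genuine form, protected:", SubmitWithdrawal(st.Protected(), sid, token))
}
```

The point of the contrast is that the forged request is indistinguishable from a real one at the cookie level; only a secret the attacker’s origin cannot read separates them. Tying the token to the session (rather than a single global token) is what makes the moderator’s “tokenized form” claim meaningful, and the constant-time comparison avoids leaking the token byte by byte through timing.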

Given the transient nature of darknet markets as of late, our analysts will continue to watch whether Empire Market strikes back and exit scams its users like many others before it.

With the ever-increasing uncertainty of darknet marketplaces, it is a mystery why darkweb users continue to flock to a centralized marketplace architecture. Darknet forums have suggested that OpenBazaar 2.0, if set up behind a Tor proxy, may be a viable decentralized alternative for darkweb vending. In the spring of 2014, Amir Taaki and a team of developers created the foundational design for OpenBazaar in a proof-of-concept project called “DarkMarket” at the Bitcoin Hackathon in Toronto, Canada. Taaki had no intention of pursuing development after the event, but developer Brian Hoffman took the project forward and helped establish the company OB1 to work specifically on development of the OpenBazaar protocol. In 2016, Hoffman and his team launched a networked version of the market built around 2-of-3 multi-signature moderated transactions in a range of cryptocurrencies: the buyer, the vendor and a moderator chosen at order time each hold one key to the escrow, and any two of them can release the funds, so an uncontested sale completes with the buyer’s and vendor’s signatures while a dispute is settled by the moderator signing alongside whichever party they side with. Each step of the transaction is cryptographically signed, which is what lets the marketplace offer escrow without a central operator holding the money, unlike e-commerce sites such as Amazon and eBay. In November 2017, further upgrades to the protocol yielded OpenBazaar 2.0 with over 10,000 peer-to-peer nodes. The 2.0 version is a completely new network from OB1 built on the InterPlanetary File System (IPFS), allowing users to browse vendor stores even when the owner (host) is offline. Because OpenBazaar is a Clearnet protocol, it is no surprise that the top listings are common household purchases such as food, clothing and books.
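The 2-of-3 policy described above, as an added example that is not OpenBazaar’s own code: OpenBazaar implements it as a Bitcoin multi-signature script with ECDSA keys and on-chain transactions, whereas this Go model uses Ed25519 signatures over a simple release record to show only the policy logic and the ways a naive implementation gets it wrong. The party names, the Release fields and the order values are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Party is one of the three key holders in a moderated trade: buyer, vendor or moderator.
type Party struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewParty generates a fresh signing key pair for a participant.
func NewParty(name string) Party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Party{Name: name, Pub: pub, priv: priv}
}

// Release is what gets authorised: which order's escrow pays whom, and how much.
// In the real system this is the unsigned spending transaction; fields are assumed.
type Release struct {
	OrderID string
	PayTo   string
	Amount  uint64
}

// Digest is the message every party signs. Binding order, payee and amount means a
// signature collected for one release cannot be replayed to authorise a different one.
func (r Release) Digest() []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%d", r.OrderID, r.PayTo, r.Amount)))
	return sum[:]
}

// Sig carries a signature together with the public key that produced it.
type Sig struct {
	Pub ed25519.PublicKey
	S   []byte
}

// Sign produces this party's signature over a release.
func (p Party) Sign(r Release) Sig {
	return Sig{Pub: p.Pub, S: ed25519.Sign(p.priv, r.Digest())}
}

// Escrow is the 2-of-3 policy fixed when the order is placed.
type Escrow struct {
	Keys      []ed25519.PublicKey
	Threshold int
}

// NewEscrow builds a 2-of-3 policy from the three parties' public keys.
func NewEscrow(buyer, vendor, moderator Party) Escrow {
	return Escrow{Keys: []ed25519.PublicKey{buyer.Pub, vendor.Pub, moderator.Pub}, Threshold: 2}
}

// Authorize is true only when at least Threshold signatures from DISTINCT escrow keys
// verify over the release digest. Counting one key twice, or accepting a key outside
// the policy, would quietly turn the 2-of-3 into a 1-of-3.
func (e Escrow) Authorize(r Release, sigs []Sig) bool {
	digest := r.Digest()
	counted := map[string]bool{}
	valid := 0
	for _, s := range sigs {
		id := hex.EncodeToString(s.Pub)
		if counted[id] || !e.member(s.Pub) {
			continue // duplicate key, or key not part of this order's escrow
		}
		if ed25519.Verify(s.Pub, digest, s.S) {
			counted[id] = true
			valid++
		}
	}
	return valid >= e.Threshold
}

func (e Escrow) member(pub ed25519.PublicKey) bool {
	for _, k := range e.Keys {
		if k.Equal(pub) {
			return true
		}
	}
	return false
}

func main() {
	buyer, vendor, mod := NewParty("buyer"), NewParty("vendor"), NewParty("moderator")
	esc := NewEscrow(buyer, vendor, mod)
	rel := Release{OrderID: "order-1", PayTo: "vendor", Amount: 250000}
	fmt.Println("buyer+vendor:", esc.Authorize(rel, []Sig{buyer.Sign(rel), vendor.Sign(rel)}))
	fmt.Println("vendor+moderator:", esc.Authorize(rel, []Sig{vendor.Sign(rel), mod.Sign(rel)}))
	fmt.Println("vendor twice:", esc.Authorize(rel, []Sig{vendor.Sign(rel), vendor.Sign(rel)}))
}
```

Three properties matter for a practitioner: the uncontested path needs no moderator at all, the moderator alone can never move funds, and the signatures are over the specific release, so a vendor cannot take the buyer’s signature on a payment and reuse it on a refund to themselves (or vice versa). On-chain multisig gets the first two from the script itself and the third from signing the transaction, which the Digest method stands in for here.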

Given its decentralized, IPFS-based architecture, darknet drug and digital goods providers are keen to use OB2 anonymously. OpenBazaar supports running on top of a Tor proxy for added privacy and security; as with any peer-to-peer system, a node whose traffic is not entirely routed through Tor exposes its real IP address to the peers it connects to, so partial torification is worse than it looks. Some Tor-based vendors have questioned OpenBazaar’s usability, complaining that they regularly miss orders. There is no technical fix to date, although the OpenBazaar maintainers attribute the complaints to “unsupported operating systems (OS) like Whonix.” OpenBazaar users who are interested in selling or purchasing illegal goods are strongly advised to consider additional measures beyond Tor, such as VPNs, and to establish thorough operational security, e.g. PGP-encrypted communications.


Our darknet experts have observed a number of darknet drug vendors discussing adding OpenBazaar to their market portfolios. We also regularly check OpenBazaar 2.0, coverage of which is a forthcoming feature of the DarkOwl Vision platform, for additional insights into how this new decentralized marketplace may influence and shape the darknet as we know it.