Will the Empire Strike Back? A Look at the Emergence of New Darknet Markets

Since the fall of AlphaBay and Hansa last July, purchasing goods and services on the darknet has come with great trepidation. A large international law enforcement operation seized servers in multiple countries, de-anonymized vendors and market owners, while simultaneously shattering the confidence of many loyal darknet marketplace consumers and sending a ripple of uncertainty across darknet forums and chatrooms throughout the second half of 2017.

Despite this, darknet vendors still needed to connect with their buyers, and Dream Market, a darknet marketplace operating since 2014 that one redditor calls the “murica of the DNMs”, quickly rose as the go-to market for drugs and digital services. However, a string of forum and reddit posts pointed to a number of inconsistent vendor PGP signatures and concerted DDoS attacks that triggered Dream Market to register almost 200 mirrors since last August. This caused many to doubt the sustainability of Dream Market and whether or not transacting on the darknet was safe and viable anymore.

Many seasoned vendors, such as OxyMonster, have been arrested or disappeared into the shadows, while others have used the times of uncertainty to set up standalone vendor shops apart from the consolidated marketplaces. Pushing Taboo is a well-known hidden service run by GammaGoblin Universe, supplying psychedelics and psychoactives such as LSD, MDMA, and tryptamines to the darknet since Silk Road v1.

Figure 1 Source Pushing Taboo on Tor

“If you came here, you must know what these places have in common. Centralized markets sooner or later become seized, hacked or their admins perform exit scams. In both situations neither vendors nor users can get their funds back… We’ve decided to allow our dear customers to bypass one of these points of failure and let you make purchases directly with us via our own hidden service.”
— Extracted from the Page Titled "About Us", Authored by GammaGoblin Universe

There are hundreds of vendors like GammaGoblin offering personalized vendor shops outside of centralized marketplaces. With numerous Tor and i2p users coming online every day, naïve to the significance of the historical market takedowns, new darknet users and consumers still seek a centralized marketplace on the scale of Hansa or AlphaBay to stand up and provide the cooperation and counsel they crave.

Since last November, we have witnessed a surge in new centralized markets across the world. The invite-only, referral-based market Liberitas has a simple, clean design with a deep green background and a small selection of drugs and digital offerings for worldwide shipping. It is the first Monero-only marketplace, and it offers a reputation history for vendors across other markets to aid purchasers in choosing a vendor. Their market announcement on reddit alludes to a “special server setup”, ironically adding that they do not rely solely on technology to protect the security and anonymity of the market.

Figure 2 Source Liberitas Market

Special server setup (We have gone to great lengths to ensure the anonymity of our server from the technical angle: Our server’s IP address is very far removed by many many degrees of separation, achieved through the use of specialized hardware configuration, virtualized networks, VPNs, customized TOR squid proxies and other secret techniques - as well as the nontechnical angle: we do not rely solely on technology).
— Reddit Post

A couple of weeks ago, a new marketplace called Rapture appeared with the same look and feel as the former market TradeRoute. The market currently has a referral system and affiliate program to encourage new vendors to offer their goods there. At the time of writing the market had over 500 drug-related listings and just over 400 digital goods. The market accepts both Bitcoin and Monero and supports a personal messaging system for private conversations between users of the market, vendors, and administrators.

Figure 3 Source Rapture Market Place

Unfortunately, without purchasing goods on these markets one cannot be completely certain a market is not a scam. UnderMarket appeared in the spring of 2017 and on the surface looks and feels like a legitimate marketplace with a solid set of vendors (60) and listings (439). UnderMarket appears to cater to the carding community, with over a dozen vendors and separate categories just for PayPal and commercial gift cards. Unlike other markets that present their listings by category, this market presents the listings by vendor and, like Rapture, offers an internal private communication platform to coordinate orders and ask questions of the vendors. The market also has a separate hidden service dedicated to communicating the market’s status along with a vendor listing, providing customers a single location to read and assess reviews of the vendors that trade at UnderMarket.

Figure 4 Source Under Market Landing Page

Despite how legitimate UnderMarket appears, darknet forums and many reddit users have for months denounced the market as a complete scam with fake vendors and users. Many users have placed orders and received bogus tracking numbers and order confirmations from the admin that are never resolved.

Figure 5 Hidden Answers Darknet Forum on Under Market

Since December, various “new markets” have offered similarly streamlined registration and authenticated logins, only for users to submit their registration information and still be unable to access the main market site. Despite multiple registrations, our analysts were unable to successfully connect with Berlusconi Market, Train Road, Nucleus, and OpMarket: either the hidden service is no longer accessible, the captcha fails, or JavaScript would be required. Perhaps these markets are plagued with vulnerabilities and security issues like Bermuda Marketplace, which an OnionLand user, zbricktop, claimed in a November 2017 post to have hacked. The market supposedly ran on Windows 10 with overly simplistic username-password combinations such as u: testvendor and pass: testvendortestvendor.

Figure 6 Post in the Market Discussion Category of Onion Land on Tor

Other markets, such as Wall Street and T•chka (rebranded as Point Marketplace), have had mixed reviews despite their longevity on the darknet. After the DDoS that struck many of the markets in the fall, many users reported bitcoin withdrawal issues and a lack of support from the market admins. Some forum posts have suggested the withdrawal issues are due to the falling price of bitcoin at the new year, while others speculate about possible law enforcement compromise. Wall Street Market was removed from the DNM SuperList on Reddit for having a clearnet mirror, a lack of understanding of the darknet, and attempted “shilling” over a dozen times with multiple accounts. On T•chka / Point, many vendors have also reported that they are struggling to get enough customers to justify the trouble of being on the marketplace in the first place, suggesting that darkweb market paranoia may be hindering the formation and confidence of new vendor-buyer relationships.

The legacy of the AlphaBay and Hansa marketplaces recently had the darknet community momentarily excited over the prospect that Hansa was returning, with the administrators seeking donations to assist with the cost of rebuilding the servers and interface. The Hansa Rebuild hidden service with the bitcoin address for donations was only available for a few weeks and at the time of writing is offline. This site, like many others, is likely a scam preying on the hopes of the former supporters of the Hansa community. The post read as though the former admins of Hansa were speaking, but we know from reports last summer that the two market masterminds from North Rhine-Westphalia, Germany, were arrested prior to the site being converted into a law-enforcement-run honeypot.

Figure 7 Source http://oidtdhh4mtvsprh6[.]onion (screenshot taken 20 December 2017; offline as of 6 March 2018)

The memory of Canadian Alexandre Cazes, the 27-year-old administrator of AlphaBay who allegedly took his own life while detained in Thai police custody, lives on with the founders of the brand-new Empire Market, who have created a nearly identical replica of the centralized marketplace with the same color scheme and layout as the original AlphaBay. The landing page of the hidden service features a footer with the server time on the right, a copyright tag in the center, and the line “In Memory of Alexandre Cazes” on the left-hand side.

Empire Market’s straightforward user registration includes submitting a username, password, PIN, and, exactly like AlphaBay’s registration, a personal phrase that is displayed on the main marketplace page so the user can confirm they are on the legitimate centralized marketplace and not a phishing clone. Like its AlphaBay predecessor, the market includes features such as two-factor authentication (2FA), trust levels, an advanced notification system, a support system, and an EXIF data remover for product images. The market accepts Bitcoin, Litecoin and Monero.

Several vendors are already trading on the marketplace, with over 1500 active listings, despite the fact that the market only came online in late January 2018. It’s unclear whether the administrators of Empire Market were affiliated with AlphaBay; the market’s forum administrator goes by the name “Sydney.”

Figure 8 Source Empire Market

Figure 9 Archived AlphaBay Market Main Page with Featured Listings (offline)

This market also allegedly had some security loopholes that reddit-posting hackers caught within weeks of the market’s launch. The redditor penthat claimed he had successfully accessed the market’s backend database and uploaded leaked configuration files. He revealed a list of its current users, stated there was no Cross-Site Request Forgery (CSRF) protection on the forms used for funds withdrawals, and even managed to access all private communications sent between users. Interestingly, many of the usernames he posted were also on AlphaBay, including the moderator and admin usernames alpha02 and DeSnake. The moderator, EmpireMarket, put the author of the post on the spot, claiming he had not actually breached the server but had merely extracted the usernames by incrementing a number within cleartext URLs in the market. They also stated that each withdrawal form is tokenized to provide CSRF protection, despite the author’s claims. The moderator added in a later comment that they had patched the possibility of extracting usernames from the URLs. There was no further comment from the so-called hacker, penthat.
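The dispute above turns on two ordinary web-application controls: whether the withdrawal form carries a CSRF token, and whether user records can be harvested by incrementing a number in a URL. The following is an added Python example written for this page; it is not code from Empire Market, penthat, or anyone else. It shows how a server would implement both controls: an HMAC-derived synchronizer token bound to the session and to the specific form, compared in constant time, and opaque random public identifiers in place of sequential database ids, with a small counting routine that shows why the sequential scheme leaks and the opaque one does not. Every name, the in-memory session store, and the sample users are constructed for the example.

```python
"""Added example (not the market's code): CSRF tokens bound to session and form,
plus opaque public identifiers that defeat counter-based user enumeration."""
import hashlib
import hmac
import secrets

# Constructed: in a real deployment the secret comes from server configuration.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str, form_name: str) -> str:
    """Derive a token bound to one session and one form.

    HMAC over (session, form) means the server stores nothing extra, and a token
    lifted from the 'message' form cannot be replayed against 'withdraw'."""
    message = f"{session_id}|{form_name}".encode()
    return hmac.new(SERVER_SECRET, message, hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, form_name: str, presented: str) -> bool:
    """Constant-time comparison so timing does not reveal how many bytes matched."""
    expected = issue_csrf_token(session_id, form_name)
    try:
        return hmac.compare_digest(expected, presented)
    except TypeError:  # non-ASCII garbage in the submitted field
        return False


def handle_withdrawal(sessions: dict, session_id: str, form: dict) -> tuple:
    """Sketch of the request handler for a withdrawal POST.

    `sessions` maps session id -> username; `form` carries the POSTed fields.
    Returns (status_code, reason) so the outcome can be checked programmatically."""
    if session_id not in sessions:
        return 401, "no valid session"
    if not verify_csrf_token(session_id, "withdraw", form.get("csrf_token", "")):
        return 403, "csrf token missing or invalid"
    amount = form.get("amount", 0)
    if not isinstance(amount, int) or amount <= 0:
        return 400, "bad amount"
    return 200, f"{sessions[session_id]} withdrawal queued"


class UserDirectory:
    """Users keyed by an opaque public id; the sequential db id never leaves the server."""

    def __init__(self):
        self._next_db_id = 1
        self._by_public_id = {}

    def add(self, username: str) -> str:
        public_id = secrets.token_urlsafe(16)  # 128 random bits, not guessable by counting
        self._by_public_id[public_id] = {"db_id": self._next_db_id, "username": username}
        self._next_db_id += 1
        return public_id

    def username_for(self, public_id: str):
        record = self._by_public_id.get(public_id)
        return record["username"] if record else None


def enumeration_hits(lookup, candidates) -> int:
    """Count how many guessed identifiers resolve to a username.

    Used here as a regression check: the same guessing loop is run against a
    sequential scheme and an opaque scheme to compare what each exposes."""
    return sum(1 for candidate in candidates if lookup(candidate) is not None)


def demo() -> dict:
    # Constructed sample data: one logged-in user and three accounts.
    sessions = {"sess-abc": "alice"}
    legit_form = {"csrf_token": issue_csrf_token("sess-abc", "withdraw"), "amount": 5}
    forged_form = {"amount": 5}  # a cross-site POST cannot read the victim's token
    results = {
        "legit": handle_withdrawal(sessions, "sess-abc", legit_form)[0],
        "forged": handle_withdrawal(sessions, "sess-abc", forged_form)[0],
    }

    directory = UserDirectory()
    for name in ("alice", "bob", "carol"):
        directory.add(name)
    # Legacy scheme: the URL carries the sequential db id directly.
    legacy = {1: "alice", 2: "bob", 3: "carol"}
    results["sequential_hits"] = enumeration_hits(legacy.get, range(1, 1001))
    # Opaque scheme: guessing a thousand counter values finds nothing.
    results["opaque_hits"] = enumeration_hits(
        directory.username_for, (str(i) for i in range(1, 1001)))
    return results


if __name__ == "__main__":
    print(demo())
```

The token is derived rather than stored, which keeps the check stateless; the trade-off is that every form name must be included in the HMAC input, otherwise one token would authorize every form in the session. The opaque id fixes only enumeration; a real handler would still check that the requester is authorized to view the record it resolves to.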

Given the transient nature of darknet markets as of late, our analysts will continue to watch whether or not Empire Market strikes back and exit scams its users like many others before it.

With the ever-increasing uncertainty of darknet marketplaces, it is a mystery why darkweb users continue to flock to a centralized marketplace architecture. Darknet forums have suggested OpenBazaar 2.0, if set up behind a Tor proxy, may be a viable decentralized solution to darkweb vending. In the spring of 2014, Amir Taaki and a team of developers created the foundational design for OpenBazaar in a proof-of-concept project called “DarkMarket” at the Bitcoin Hackathon in Toronto, Canada. While Taaki had no intention of pursuing development after the conference, developer Brian Hoffman encouraged Taaki to economize and help establish the company OB1 to work specifically on development of the OpenBazaar protocol. In 2016, Hoffman and Taaki, along with their team of developers, successfully launched a networked version of the market designed to facilitate 2-of-3 multi-signature moderated transactions with a wide range of cryptocurrencies. Each step of the transaction is cryptographically signed, making the marketplace a highly secured counterpart to e-commerce websites such as Amazon and eBay. In November of 2017, further upgrades to the protocol yielded OpenBazaar 2.0 with over 10,000 peer-to-peer nodes. The 2.0 version of the system is a completely new network from OB1 built upon the InterPlanetary File System (IPFS), allowing users to access vendor stores even when the owner (host) is offline. Because OpenBazaar is a clearnet protocol, it is no surprise the top listings are common household purchases such as food, clothing and books.

Given its decentralized, IPFS-based architecture, darknet drug and digital goods providers are keen to use OB2 anonymously. To that end, OpenBazaar supports running the market over the Tor proxy for added privacy and security. Some Tor-based vendors have questioned OpenBazaar’s usability, complaining that they regularly miss orders. There is no technical solution to date, although OpenBazaar admins attribute the vendors’ complaints to “unsupported operating systems (OS) like Whonix.” OpenBazaar users who are interested in selling or purchasing illegal goods are strongly advised to consider additional security protocols beyond Tor, such as VPNs, and to thoroughly establish good operational security, e.g. PGP-encrypted communications.


Our darknet experts have witnessed a number of darknet drug vendors discussing adding OpenBazaar to their market portfolios. We also regularly check OpenBazaar 2.0, a forthcoming feature of the DarkOwl Vision platform, for additional insights into how this new decentralized marketplace can influence and shape the atmosphere and consciousness of the darknet as we know it.

2017: A year in review from the perspective of darknet intelligence

It's hard to believe we're one month into 2018, but here we are. And what a busy month it's been! Just look at what's already happened so far:

The public was introduced to the computer bugs Spectre and Meltdown, the results of a major chip flaw that has the potential to impact nearly every computer chip on the planet. The highly publicized discovery of the bugs led to widespread panic and multiple class action lawsuits against tech giant Intel.

240,000 current and former employees of the Department of Homeland Security had their sensitive personal data exposed as the result of a data breach.

A mysterious, devastating cyber weapon named Trisis sat publicly accessible for nearly a month.

And, in sharp contrast to the highs seen towards the end of last year, bitcoin is now on course for its worst month in three years.

Looking back, it's hard to believe that Bitcoin breaching the $1,000 benchmark was landmark news just a year ago. But so it was! Here's a look back at 2017 and the key events that took place along the way.


A strong start for cryptocurrency and a hard hit for Tor hidden services

In January 2017, Bitcoin hit an all-time record high of $1,100 USD despite the fact that China’s central bank, the People’s Bank of China (PBOC), urged investors to “take a rational and cautious approach to investing in the digital currency.” During the same time, Microsoft added Bitcoin support to its hugely popular Excel spreadsheet program to allow users to track, calculate, and analyze Bitcoin data.

In February, hacker-group Anonymous targeted Tor service provider Freedom Hosting II, taking over 10,000 hidden services offline. Anonymous stated they hacked the web hosting provider for harboring and assisting in publishing illicit child content on over 5,000 of their services. Hackers dumped 74GB of files and 2.3GB of database content as well as the private keys of every site hit. This was the second time Anonymous targeted Freedom Hosting.

Vault7 included hundreds of documents from CIA's Cyber Information Operations Center.

March and April brought to light numerous major commercial data breaches, often achieved through a cocktail of SQL injection techniques. Thousands of records including leaked personally identifiable information appeared for sale across darknet markets, and DarkOwl successfully harvested much of the data into its DarkOwl Vision engine to cross-reference for customer queries. Major databases include Sony PlayStation, Yahoo, and LinkedIn, among others, totaling millions of account data records.

WikiLeaks took the spring’s spotlight for “leaks” when it began sharing classified documents from the CIA under the name Vault 7. The first part of the series, called “Year Zero”, documented the scope and direction of the CIA’s global covert hacking program and revealed how the CIA uses sophisticated zero-day exploits to spy on its enemies both at home and abroad. Hackers across the darknet gained tremendous knowledge from the source code and documentation that accompanied this breach.

 
The message Anonymous replaced hacked Freedom Hosting II hidden services with

 

In May, the WannaCry ransomware hit more than 300,000 computers across at least 150 countries, crippling the UK National Health Service (NHS) and impacting patient care in 16 hospitals. Two days after the WannaCry outbreak, French police seized a server running two Tor relays belonging to French activist Aeris, who said the server was confiscated in connection with the WannaCry attacks. The activist pointed out on his Twitter feed that tens of other Tor nodes in France all disappeared during the same period.

WannaCry Ransomware Instructions

The attack was stopped by a young cybersecurity researcher, Marcus Hutchins, who was arrested later in the year in Las Vegas after attending the international Black Hat and DEF CON conferences. US police charged the hacker, who used the moniker "MalwareTech," with allegedly creating the Kronos virus, which aimed to steal people's banking details online. He could face up to 40 years in prison if found guilty.

At the same time the world was trying to figure out what ransomware was and how to avoid becoming WannaCry’s next victim, authorities sentenced Steven Chase, the administrator of the popular darknet child predator forum PlayPen, to 30 years in prison and arrested over 800 forum affiliates across the globe.

We also continued to find that medical patient confidentiality is at risk, when hacker Skyscraper posted the patient data of 500,000 children stolen from pediatricians for sale on a darknet market. 

Darknet markets are seized and cryptocurrency markets respond

Seizure Sites for Hansa and AlphaBay Darknet Markets

At the start of summer, in June, cryptocurrency holders were enthusiastic to see the price of bitcoin hit $3,000 USD. In July, a joint international law enforcement effort, dubbed Operation Bayonet, shook the foundation of the darknet when authorities arrested Alexandre Cazes, the creator and administrator of AlphaBay. The disruption of what was at the time the largest darknet market ever sent thousands of AlphaBay vendors and buyers to Hansa market, which was simultaneously functioning as a honeypot run by the Dutch Police, as we found out when its moderators were also arrested in June. Cazes was found dead in his Thailand jail cell days after the arrest, allegedly opting to take his own life rather than face international cyber criminal prosecution.

The subsequent panic that flooded the darknet when AlphaBay and Hansa came down still pervades the darknet today. Many redditors and users of darknet forums were found asking, “where can I find my vendor?” or “what darknet market can I trust?” Dream Market was believed to be the only safe market to transact with, until rumors of its compromise began circulating as well.

Paranoia about Dream Market Survival

With the demise of AlphaBay and Hansa, TradeRoute experienced a surge in listings and transactions, until security issues soon began plaguing the popular marketplace. In August, a hacker known only as HugBunter claimed to have breached the market and supposedly blackmailed TradeRoute administrators for weeks, bringing into further question the security of any darknet market.

Throughout this time, DarkOwl witnessed a drop in user relay activity reported by the Tor Project and an increase in the appearance of vendor-specific hidden services.

HugBunter's post regarding TradeRoute Hack

Wolf Creek Nuclear Operating Station, Burlington, Kansas

At the same time that darknet marketplaces were falling and panic was permeating the darknet, hackers breached the networks of US-based energy utilities.

Wolf Creek Nuclear Power Station in Burlington, Kansas, was the first power facility to have its networks compromised. Luckily, the administrative network that was hacked was separate from the networks controlling plant operation. Rules enforced by the Nuclear Regulatory Commission require “air gaps,” i.e. the controls of a plant do not connect by hardwire or antenna to outside systems or the internet, to prevent impact to US power infrastructure. It was shortly after this that DarkOwl launched its research and the Utilities Index, evaluating the darknet footprint of major US energy utilities.


In the fall, even more data breaches surfaced on the darknet. OurMine and HBO had a full-on cyber war over the release of several episodes of HBO’s popular series Game of Thrones (GoT). Equifax was hacked, compromising 143 million American credit reports. Data from the Equifax breach has yet to appear legitimately for sale on the darknet, despite attempts by one group who call themselves Equihax0r. The popular darknet hacking forum Ex0du$ mysteriously disappeared, and TradeRoute shut down completely.

In October, the price of bitcoin rose slightly to $4,288 USD, while a Norwegian newspaper broke the news that the largest child abuse and illicit child content forum on the darknet, Child’s Play, had been seized by authorities. To execute the operation, dubbed Operation Artemis, Australian authorities ran the hidden service as a honeypot for over 11 months to trap child abusers. It remains the largest operation of its kind, and arrests are still ongoing for staff and members of the site. Child’s Play had over a million registered accounts and thousands of active users during the operation.

The remaining darknet markets saw an intensive distributed denial of service (DDoS) attack against them, resulting in Dream Market registering hundreds of Tor mirror sites to avoid shutdown. The darknet’s most popular social media site, Galaxy 2, crashed due to poor system administration in October.

On Thanksgiving in the US, we witnessed the public hack and exposure of the Facebook of Tor, Blackbook. Its 15,000+ member account details were subsequently posted on public pastebin sites across the clearnet, and on several darknet sites as well. A hacker known as bRpsd took credit for the breach, claiming they exploited vulnerabilities in the hidden service’s SQL databases. The resulting doxxed data revealed that an extraordinary number of Blackbook members used popular email providers, such as Gmail, Yahoo or Hotmail, for their account registration.

Holiday conversations focused on bitcoin’s rapid price surge in November, as many families learned what a cryptocurrency is. Hackers and legitimate website administrators alike turned to JavaScript-based cryptocurrency miners that use the CPU power of site visitors’ PCs to mine Bitcoin or other cryptocurrencies, a practice known as cryptojacking. Malware experts revealed these scripts keep working well after the visitor has left the website, and even after closing the browser.

By the 16th of December the price of Bitcoin was in excess of $19,000.

Mining-related hidden processes have extraordinarily high CPU usage (courtesy Malwarebytes and The Hacker News)

All was quiet in the darknet until the FCC’s reformation of net neutrality passed only the week before Christmas, leaving many astounded.

To end the year, police arrested, and courts sentenced, multiple drug vendors from Dream Market and Agora. It was reported that police had seized servers from the Russian marketplace Hydra, though the Russian administrators denied any police activity on their official Telegram channel, instead attributing the disruption in service to an alleged DDoS attack on their servers.

“Dear friends, guests and long-time Hydra users! We have just stopped all the timers. The decision to take this measure is connected with an unstable work of the market caused by DDoS attacks. Pre Orders, orders, disputes, rent payment are temporarily frozen. No need to worry. The situation is under control. Please, wait till the server operation is fully restored.”
— @hydraoniondeep

As 2018 continues, we anticipate that the darknet as we know it will continue to be a place of uncertainty and volatility, with attempts to de-anonymize users through traditional browser vulnerabilities and creative traffic and timing correlation techniques. Resurrections of previous darknet markets will be promoted and new darknet markets will emerge, as they have time and time again after previous market seizures.

It is likely that Tor will continue to increase in popularity, especially with what we predict will be an increasing number of net neutrality activists and refugees. We predict that Tor’s increasing popularity will drive many to other darknets such as I2P and ZeroNet, both of which also saw a significant increase in usage throughout 2017.

