Will the Empire Strike Back? A Look at the Emergence of New Darknet Markets

Since the fall of AlphaBay and Hansa last July, purchasing goods and services on the darknet has come with great trepidation. A large international law enforcement operation seized servers in multiple countries, de-anonymized vendors and market owners, while simultaneously shattering the confidence of many loyal darknet marketplace consumers and sending a ripple of uncertainty across darknet forums and chatrooms throughout the second half of 2017.

Despite this, darknet vendors still needed to connect with their buyers, and Dream Market, a darknet marketplace since 2014 that one redditor calls the “murica of the DNMs”, quickly rose as the go-to market for drugs and digital services. However, a string of forum and reddit posts pointed to a number of inconsistent vendor PGP signatures and a concerted DDoS attack, which prompted Dream Market to register almost 200 mirrors since last August. This caused many to doubt the sustainability of Dream Market and whether transacting on the darknet was safe and viable anymore.

Many seasoned vendors, such as OxyMonster, have been arrested or disappeared into the shadows, while others have used the times of uncertainty to set up standalone vendor shops apart from the consolidated marketplaces. Pushing Taboo is a well-known hidden service run by GammaGoblin Universe, supplying psychedelics and psychoactives such as LSD, MDMA, and Tryptamines to the darknet since Silk Road v1.

 Figure 1 Source Pushing Taboo on Tor


“If you came here, you must know what these places have in common. Centralized markets sooner or later become seized, hacked or their admins perform exit scams. In both situations neither vendors nor users can get their funds back … We’ve decided to allow our dear customers to bypass one of these points of failure and let you make purchases directly with us via our own hidden service.”
— Extracted from the Page Titled "About Us", Authored by GammaGoblin Universe

There are hundreds of vendors like GammaGoblin offering personalized vendor shops outside of centralized marketplaces. With numerous Tor and i2p users coming online every day, naïve to the significance of the historical market takedowns, new darknet users and consumers still seek a centralized marketplace on the scale of Hansa or AlphaBay to stand up and provide the cooperation and counsel they crave.

Since last November, we have witnessed a surge in new centralized markets across the world. The invite-only / referral market Liberitas has a simple, clean design with a deep green background and a small selection of drugs and digital offerings for world-wide shipping. It is the first Monero-only marketplace, and it offers a reputation history for vendors across other markets to help purchasers decide on their personal vendor. Its market announcement on reddit alludes to a “special server setup”, ironically mentioning that it does not rely solely on technology to protect the security and anonymity of the market.

 Figure 2 Source Liberitas Market


Special server setup (We have gone to great lengths to ensure the anonymity of our server from the technical angle: Our server’s IP address is very far removed by many many degrees of separation, achieved through the use of specialized hardware configuration, virtualized networks, VPNs, customized TOR squid proxies and other secret techniques - as well as the nontechnical angle: we do not rely solely on technology).
— Reddit Post

A couple of weeks ago, a new marketplace called Rapture appeared with the same look and feel as the former market TradeRoute. The market currently has a referral system and affiliate program to encourage new vendors to offer their goods at this market. At the time of writing, the market had over 500 drug-related listings and just over 400 digital goods. The market accepts both Bitcoin and Monero and supports a personal messaging system for private conversations between users of the market, vendors, and administrators.

 Figure 3 Source Rapture Market Place


Unfortunately, without purchasing goods on these markets one cannot be completely certain the market is not a scam. UnderMarket appeared in the spring of 2017 and on the surface looks and feels like a legit marketplace with a solid set of vendors (60) and listings (439). UnderMarket appears to cater to the carding community with over a dozen vendors and separate categories just for PayPal and commercial gift cards. Unlike other markets that feature their listings based on category, this market presents the listings by vendors and, like Rapture, offers an internal private communication platform to coordinate orders and ask questions of the vendors. The market also has a separate hidden service dedicated to communicating the market’s status with a vendor listing, providing customers a comprehensive location to read and assess reviews of the vendors that trade at Under Market.

 Figure 4 Source Under Market Landing Page


Despite how legitimate UnderMarket appears, darknet forums and many reddit users have unleashed an uproar for months against the market claiming it is a complete scam with fake vendors and users. Many users have placed orders and received bogus tracking numbers and order confirmations from the admin that are never resolved.

 Figure 5 Hidden Answers Darknet Forum on Under Market


Since December, various “new markets” have had similar streamlined registration and authenticated logins, all of which end with submitting registration information and not being able to access the main market site. Despite multiple registrations, our analysts were unable to successfully connect with Berlusconi Market, Train Road, Nucleus, and OpMarket. Either the hidden service is no longer accessible, the captcha fails, or JavaScript would be required. Perhaps these markets are plagued with vulnerabilities and security issues like Bermuda Marketplace, which an OnionLand user, zbricktop, posted that he successfully hacked back in November 2017. The market supposedly ran on Windows 10 with overly simplified username-password combinations such as u: testvendor and pass: testvendortestvendor.

 Figure 6 Post in the Market Discussion Category of Onion Land on Tor


Other markets, Wall Street and T•chka (rebranded as Point Marketplace), have had mixed reviews despite their longevity on the darknet. After the DDoS that struck many of the markets in the fall, many users have reported bitcoin withdrawal issues and a lack of support from the market admins. Some forum posts have suggested the issues with withdrawals are due to the falling price of bitcoin at the new year, while others conspire about possible law enforcement compromise. Wall Street Market was removed from the DNM SuperList on Reddit for having a Clearnet mirror, a lack of understanding of the darknet, and attempted “shilling” over a dozen times with multiple accounts. On T•chka / Point, many vendors have also reported that they are struggling to get enough customers to justify the trouble of being on the marketplace in the first place, insinuating that darkweb market paranoia may be hindering the formation and confidence of new vendor-buyer relationships.

The legacy of the AlphaBay and Hansa marketplaces recently had the darknet community momentarily excited over the prospect that Hansa was returning, with the administrators seeking donations to assist with the cost of rebuilding the servers and interface. The Hansa Rebuild hidden service with the bitcoin address for donations was only available for a few weeks and at the time of writing is offline. This site, like many others, is likely a scam preying on the hopes of the former supporters of the Hansa community. The post sounded as though it was the former admins of Hansa speaking, but we know from reports last summer that the two market masterminds from North Rhine-Westphalia, Germany, were arrested prior to the site converting into a law-enforcement-run honeypot.

 Figure 7 Source http://oidtdhh4mtvsprh6[.]onion (Screen Taken 20 December 2017 offline as of 6 March 2018)


The memory of Canadian Alexandre Cazes, the 27-year-old administrator of AlphaBay who allegedly took his own life while detained in Thai Police custody, is positioned to carry on with the founders of the brand-new Empire Market, who have created a nearly identical replica of the centralized marketplace with the same color scheme and layout as the original AlphaBay’s. The landing page of the hidden service features a footer with the server time on the right, a Copyright tag in the center, and the line “In Memory of Alexandre Cazes” on the left-hand side.

Empire Market’s straightforward user registration included submitting a username, password, pin number, and, exactly like AlphaBay’s registration, a personal phrase that is displayed on the main marketplace page to assure the user that they are on the legitimate centralized marketplace and not a phishing clone. Like its AlphaBay predecessor, the market includes features such as two-factor authentication (2FA), trust levels, an advanced notification system, a support system, and an EXIF data remover for product images. The market accepts Bitcoin, Litecoin and Monero.

Several vendors are already trading on the marketplace with over 1500 active listings, despite the fact the market only came online in late January 2018. It’s unclear whether the administrators of Empire Market were affiliated with AlphaBay; nevertheless, the market’s forum administrator goes by the name “Sydney.”

 Figure 8 Source Empire Market


 Figure 9 Archived AlphaBay Market Main Page with Featured Listings (offline


This market also allegedly had some security loopholes that reddit-posting hackers caught within weeks of the market’s launch. The redditor, penthat, claimed he was able to successfully access the market’s backend database and uploaded leaked configuration files. He revealed a list of their current users, stated there was no Cross-Site Request Forgery (CSRF) protection for forms related to funds withdrawals, and even managed to access all private communications sent between users. Interestingly, many of the usernames he posted were also on AlphaBay, including the moderators’ and admin’s usernames alpha02 and DeSnake. The moderator, EmpireMarket, put the author of the post on the spot, claiming he did not actually breach the server, but instead merely extracted the usernames by incrementing a number within cleartext URLs in the market. They also opined that each withdrawal form is tokenized to provide CSRF protection despite the author’s claims. The moderator added in a later comment that they had patched the possibility of extracting usernames from the URLs. There was no further comment from the so-called hacker, penthat.
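The two controls in dispute in that exchange, a per-session token on the withdrawal form and profile URLs that cannot be walked by incrementing a number, can be sketched as follows. This is an added illustration, not code from Empire Market or from either party to the thread; every name in it (`SERVER_KEY`, `ProfileDirectory`, the session strings and usernames) is a constructed assumption.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (constructed here)

def csrf_token(session_id: str, action: str) -> str:
    """Derive a token bound to one session and one form action."""
    msg = f"{session_id}|{action}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def csrf_ok(session_id: str, action: str, submitted: str) -> bool:
    """Constant-time check; a missing or foreign token fails."""
    expected = csrf_token(session_id, action).encode()
    return hmac.compare_digest(expected, (submitted or "").encode())

class ProfileDirectory:
    """Public profile URLs carry a random handle, never the row number."""
    def __init__(self):
        self._rows = []          # internal sequential storage
        self._by_handle = {}     # random handle -> row index

    def register(self, username: str) -> str:
        self._rows.append(username)
        handle = secrets.token_urlsafe(16)   # 128 bits of randomness
        self._by_handle[handle] = len(self._rows) - 1
        return handle

    def lookup_weak(self, n: int):
        """Enumerable pattern: counting 0, 1, 2 ... returns every user."""
        return self._rows[n] if 0 <= n < len(self._rows) else None

    def lookup(self, handle: str):
        """Hardened pattern: an unknown handle reveals nothing."""
        idx = self._by_handle.get(handle)
        return None if idx is None else self._rows[idx]

def demo() -> dict:
    d = ProfileDirectory()
    handles = [d.register(u) for u in ("alice", "bob", "carol")]  # constructed
    tok = csrf_token("session-A", "withdraw")
    return {
        "walked": [d.lookup_weak(i) for i in range(3)],
        "guessed": [d.lookup(str(i)) for i in range(3)],
        "own": d.lookup(handles[1]),
        "same_session": csrf_ok("session-A", "withdraw", tok),
        "other_session": csrf_ok("session-B", "withdraw", tok),
        "missing": csrf_ok("session-A", "withdraw", ""),
    }
```

Random handles stop enumeration but are not an access check; any data behind a handle still needs per-request authorization.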

Given the transient nature of darknet markets as of late, our analysts will continue to watch whether or not the Empire Market strikes back and exit scams its users like many others before them.
— Reddit user "penthat"

With the ever-increasing uncertainty of darknet marketplaces, it is a mystery why darkweb users continue to flock to a centralized marketplace architecture. Darknet forums have suggested OpenBazaar 2.0, if set up with a Tor proxy, may be a viable decentralized solution to darkweb vending. In the spring of 2014, Amir Taaki and a team of developers created the foundational design for OpenBazaar in a proof of concept project called “DarkMarket” at the Bitcoin Hackathon in Toronto, Canada. While Taaki had no intention to pursue development after the conference, developer Brian Hoffman encouraged Taaki to economize and help establish the company, OB1, to work specifically on development of the OpenBazaar protocol. In 2016, Hoffman and Taaki, along with their team of developers, successfully launched a networked version of the market designed to facilitate a series of 2/3 multi-signature moderated transactions with a wide range of cryptocurrencies. Each step of the transaction is cryptographically signed, making the marketplace a highly-secured version of e-commerce websites such as Amazon and eBay. In November of 2017, further upgrades to the protocol yielded OpenBazaar 2.0 with over 10,000 peer-to-peer nodes. The 2.0 version of the system is a completely new network from OB1 built upon the InterPlanetary File System (IPFS), allowing users to access vendor stores when the owner (host) is offline. Because OpenBazaar is a Clearnet protocol, it is no surprise the top listings are common household purchases such as food, clothing and books.

Given its decentralized and IPFS architecture, darknet drug and digital goods providers are keen to use OB2 anonymously. In order to use the market anonymously, OpenBazaar supports running the market on top of the Tor proxy for added privacy and security. Some Tor-based vendors have questioned OpenBazaar’s usability with complaints that they regularly miss orders. Unfortunately, there is no technical solution to date, although OpenBazaar admins attribute the vendors’ complaints to “unsupported operating systems (OS) like Whonix.” OpenBazaar users who are interested in selling or purchasing illegal goods are strongly advised to consider additional security protocols beyond Tor, such as VPNs, and to thoroughly establish good operational security, e.g. PGP encrypted communications, etc.


Our darknet experts have witnessed a number of darknet drug vendors discussing adding OpenBazaar to their market portfolios. We also regularly check OpenBazaar 2.0, a forthcoming feature of the Darkowl Vision platform, for additional insights into how this new decentralized marketplace can influence and shape the atmosphere and consciousness of the darknet as we know it.