Addressing the AlphaBay issues

What is this post about?

This post is about issues regarding AlphaBay and what impact they have on the DNM community as well as this sub.


Who wrote this post?

It was written and checked by the mods of /r/darknetmarkets and reflects their opinion.


What happened?

To focus on the four major issues of Alphabay:


What does that mean?

Referring to the points from above:

We would also like to thank /u/Cipher0007 for handling the disclosure of the vulnerability in an immensely exemplary manner. He could have easily leaked all the private data or sold the vulnerability to law enforcement. But he did not. Thank you /u/Cipher0007.


What are the consequences?

We, the mod team of /r/darknetmarkets, think that even just one of the above four reasons would be enough to purge a smaller market from the superlist. AlphaBay made four of them. AlphaBay showed that they cannot run a market securely and care little about the well-being of their users. The size of the user base should not be an excuse to let such a danger to the community be listed on the superlist.

We are therefore in favor of removing AlphaBay from the superlist for now. We would also like to replace it with detailed warnings about the four issues mentioned above.

We could mention other well-known link sources like deepdotweb.com and dnstats.net on the superlist, where users can still find AlphaBay links. Furthermore, automod still only allows white-listed onion links (that includes AlphaBay links) to be posted. So the possibility that someone gets phished because AlphaBay is not directly listed on the superlist is basically non-existent.


What should I do now?

We are aware that this is not a step we can simply take without the community. We therefore ask you to share your opinion on this issue in the comments. Do you think that it is the right step? Then make a short comment saying so. Do you think it is not the right step? Then tell us why you think AlphaBay should still be on the superlist.

Whatever you comment: keep it down-to-earth and support it with strong arguments and facts. This will ensure that your comment is read and is a useful part of the discussion. Comments that, for example, insult people or are off-topic are not welcome.

Regardless of what we eventually do, AlphaBay will continue to exist because there are many AlphaBay users who do not visit this sub and will probably continue to use the market.

We have not yet discussed under which circumstances a market (not just AlphaBay) gets relisted on the superlist. If you have ideas for it, please share them in the comments too.


What can I do to protect myself in the future?

Besides reading and following the guides on /r/darknetmarketsnoobs there are a few points we would like to mention here:


Comments


[1 Points] None:

For those that think these things go unnoticed.

http://www.ibtimes.co.uk/alphabay-leak-over-200000-private-messages-dark-web-drugs-marketplace-hacked-1602824

https://www.bleepingcomputer.com/news/security/bug-allowed-access-to-over-218k-private-messages-on-dark-web-marketplace-alphabay/


[42 Points] DareToHope:

While I agree that AB has had some bugs that have been fairly bad for user security (i.e. all the private message issues), I would think that you (the mods) would simply follow what was done in the past when a service had evidence of bad behaviour against it. For example, bitcoinfog.

Bitcoinfog has 26 links next to its name as evidence of misconduct, yet it remains on the list. While I know these are all essentially the same evidence of misconduct, it still remains on the list, which lets the user decide if they wish to use that service or not. I would think the correct course of action would be to simply make a warning next to Alphabay with each infraction and links to support each claim of the infraction and then carry on.

I know you want to protect the community and give the users the most information possible to make an informed choice, I feel simply linking to another site that provides the same urls doesn't solve the problem or help users make an informed decision.

I would also maybe add them to the archived warning list (at the bottom).

Just my 2 cents, do whatever the community at large decides in the end.


[28 Points] None:

[deleted]


[20 Points] hhayn:

Dude fuck you guys. Alphabay might have some asshole mods (but then again, so does this subreddit) and some shady phishing links and opportunists waiting to capitalize on the unsuspecting, but any market that size will have those unseemly characters and traits. It's a black market for fuck sake. And IMHO the best and most stable of the top tier markets, with the best team running it.

This sub has become just as shady as you claim AB is. Pot, meet kettle.


[17 Points] DerkNatMerkats:

TEMPORARY WARNING ON THE SUPERLIST WITH ALL THE LINKS!

This is just going to get people phished if they can't find the AB link easily and reliably.


[14 Points] None:

[deleted]


[14 Points] alphabaysupport:

We will find a way to implement a "security hotline". We had a similar thing in the past (bug reports forum) but it kept getting flooded with support requests and shitposts. We're looking for a new solution.

Feel free to put any warning beside the link, but phishers are eagerly awaiting the link removal so they can put "backup links" up.


[12 Points] murderhomelesspeople:

When the proper people were reached the bug got fixed quickly enough. I don't claim to understand the dynamics of this bug and have no reference for how noobish of a mistake this is, which makes it hard for me to judge them on that aspect, which I feel is true for most users here. The fact that it affected two sites, well I dunno, does that mean we have an issue of sites being run incompetently or is this issue a little trickier than it seems? Currently all we have to go by is u/wombat2combat's opinion on the bug, no offense to him but he is against AB and his sight could be slightly skewed; it would be nice to hear the source's opinion on that before we start making conclusive statements, which I believe was in the mod rules.

I would echo some of the thoughts here that removing the site would lead to an increase in phishing. u/MLP_is_my_OPSEC is correct when saying having more reference points is only a benefit to the community, the more legitimate links floating around the safer people will be. We also know that one extra click is far too much for most people to handle, especially the noobs.

Can we address the big elephant in the room, fucking BigMuscles. Not only was he the one who did all the shit with the PGP keys (twice) but he's also the mod who dealt with the support tickets u/Cipher0007 created. It's unfortunate that ab took the stance they did and kept him, this could be due to the internal dynamics of AB and they are unable to remove him without causing trouble but it does not excuse it. I think if it's decided that the links should be removed, they should be given the chance of removing BigMuscles instead of losing their spot on the list. For me that would balance out things a lot. He is a big rippling problem.

I get one dumb argument okay. It's called the fucking superlist. If you remove AB there will be nothing super about it since it's missing the largest market around. Let's stop playing politics and make bigger redder warnings, let adults choose for themselves who they want to use. AB as an entity did nothing malicious to its customers and does not deserve to be removed; what we have is a problem mod and coding issues.

edit: typos

edit2: I wouldn't have started to use this place if not for AB being on the superlist. This could even steer users away from this place as they are not seeing the content, possibly leaving them more vulnerable.


[8 Points] s_e_x_x_y:

Just leave it on the list with the big red warnings still there.

Hiding the link will just lead people to find their information elsewhere, in places where they won't see the warning.


[8 Points] None:

[deleted]


[9 Points] SmokeMethFuckCats:

Alphabay works. Everybody knows it works. My dog knows it works.

Software vulnerabilities happen. Professional software developers fuck up all of the time, even when making commercial software which handles millions of dollars.

Alphabay, so far, has outlasted and outperformed the competition. There is a reason it is the most widely used marketplace.

Attempting to prevent people from using a functional marketplace REEKS of either personal greed or law enforcement infiltration. The motive is extremely obvious.

PLUS, the leak only affects those who were communicating in cleartext through market messages. This shouldn't even be a problem.

NEVER TALK ABOUT IMPORTANT SHIT IN CLEAR TEXT YOU FUCKING RETARDS


[7 Points] Lonestar76:

This is idiotic, you're going to see issues like this pop-up with any market of this size and magnitude. It's just the nature of the beast.


[5 Points] Nayu37:

The bigger the market, the bigger the chances that something like this happens. But AlphaBay quickly fixed the bug... I think they deserve a second chance. Not to mention this is a newb-friendly market with the best design, one of the biggest catalogs, and well-structured.


[4 Points] pinochetHA:

Alphabay has demonstrated a weak security posture. The fact that any web application will be vulnerable in some way does not excuse noob101 mistakes. The previous API leak and this recent leak of private messages imply sloppy coding, a lack of testing for weak spots and indifference to their customers' safety. The fact that AB staffers were warned before the Reddit post, but didn't do anything, is disappointing.

Everyone blaming customers and vendors for not using gpg encryption is entirely correct; not using gpg to protect yourself is dangerous. However, Alphabay alone is responsible for securing their platform. If the operators of AB cannot secure their darknet market against basic threats then they should never have opened a darknet market. If you want to play in the big leagues then you have to know your game and you have to play it well.

In my view their links should be replaced with warnings and links to deepdotweb/dnstats. They should be re-added after a long enough period of no security fuckups or shitty mod behavior. That isn't too harsh and might encourage them to improve their opsec and market operations.


[3 Points] wombat2combat:

Sorry, forgot to page /u/alphabaysupport /u/trappy_AB


[4 Points] None:

I don't support the removal of the alphabay link, but I think that a warning should be placed on it from here on out.


[5 Points] st4rlit12343:

I agree with what you've done, props for having the balls to do so.


[3 Points] DarkMarkThroAway:

There are so many comments and I have already expressed my feelings in multiple subs on this matter. The most relevant qualm I have at this point is that were this any of the smaller markets they would be removed from the superlist, put on the wall of shame, end of argument. If we do not hold all markets to the same standards, how can we call ourselves a credible community?

You can also think about it this way. Let's try to equate this to a real world scenario. If a major dealer lost a notebook with all the names of his clients and transcriptions of their personal deals, would you go back to that dealer? Would you continue to recommend him to your friends? Let's take this a little further... Luckily, the notebook was picked up on the street by another client who knew the power that lay in its words. Said client chooses to do the right thing and try to return it to the dealer because he is a good Samaritan. Let's call him Sam.

Sam calls the dealer. He texts the dealer. He writes the dealer a fucking email, and instead of receiving an immediate response like, 'Yo thanks bro. I didn't even notice it was gone. You saved my life', the dealer outright IGNORES Sam. Sam then starts getting in touch with other people he knows who use the same dealer and they try to contact him as well, to no avail. So, now tons of people are trying to warn the dealer about this major problem but he ignores it until the whole town shows up at his door Dr. Frankenstein style with pitchforks and fire.

NOW, the dealer does something about it. He tries to downplay it by saying we are all human and we all make mistakes. But as many of you have said, it is not the mistake but rather how the mistake is handled that makes the difference.

If someone asked me for that dealer's number in the future I would say, "Look dude, this guy doesn't handle his shit properly. I would recommend you try this guy and here is his number. Or this guy... Or this guy...." So on and so forth. "If you really want to go to a shady dealer, you can get his number from someone else. I am not going to be responsible for you getting arrested, fucked up the ass, or both."

The superlist is essentially a list of markets we would recommend to a friend that is totally new to the game. They don't have the knowledge yet of what these warnings are or what they mean to them as a DNM user. This isn't about current users getting the link to the site. We already have our markets bookmarked. This is about NEW users... and until AB ups its game and shows a proven record of taking security threats seriously... it is not a market that I would feel comfortable recommending to a friend new to all this.

That is my opinion on the matter.


[4 Points] My6thRedditusername:

I can't help but get the feeling that the mods have ulterior motives going on here.


[4 Points] AgoraRises:

They fixed the issue, please put the links back up, you are only inconveniencing everyone at this point. A simple warning is sufficient.


[2 Points] dnmnubbin:

Can a bot be made to reply with alphabay's whitelisted address?

These penalties seem appropriate. How about keep these sanctions in place for approximately one month and then allow them to reapply for the market superlist and test them to ensure they have the amount of security expected of other superlist members.


[3 Points] None:

If people used proper opsec this bug doesn't even matter. PGP your messages and I don't see how this could affect anyone. Plus, who the fuck is retarded enough to give out their private keys... noobs have to learn the hard way sometimes. Either learn wtf things are and security measures or lose your coin and go to jail. It's simple, you can't hold everyone's hand and take AB off the superlist because people don't practice good opsec.


[2 Points] coedineants:

Amen. I detest using Alphabay, but being the biggest market sometimes it is unavoidable. God I miss Evo.


[2 Points] Thoughtsofamaniac:

So which other market is paying the mods for this tainting of the rep of the competition?

Sarcasm aside, I do not think this is the right call. Marketplaces have bugs, it's a simple fact of life and part of the learning process. I think we were all a bit spoiled by Agora and how comparatively smoothly it ran; in the years I used the place the only real complaint I had was how frequently it was down. But it simply cannot be ignored that Alphabay is the largest market out at the time with the widest selection of vendors, and is still a growing market. Taking the link off the superlist because of some mistakes, 3 of which were the result of a single sloppyass/potentially scamming mod, seems a bit too much. To their credit, I think it's actually quite commendable that Alphabay hasn't shut doors and made off with the money when it was most profitable to do so. We've seen many markets, even markets on the prized "superlist," which have turned exit scam and only been removed from the superlist at a later time.

Hansa even had the same bug regarding the messages, and had an earlier scenario where refunds held in escrow were able to be stolen, yet they only have two small warnings and links still up? Meanwhile Alphabay had the same message bug and an incompetent/scheming member of staff several months ago, and that warrants bold red print warnings and a complete removal of the links? Yeah, although I may not personally 100% buy into the conspiracy theories floating about, that just sounds fishy as all fuck. It makes it seem like the mod team in this sub either has some grudge against AB, or are being paid by another market to take whatever shots at a competitor that is possible.

Also, as far as the widespread publicity regarding this matter, personally I feel it was a bit tactless on Cipher's part to make the reddit posts as he did. Yes, I appreciate that he alerted people and didn't sell the data, and I understand that he apparently tried security tickets before posting... But still, for fucks sake. This is a subreddit that we know journalist idiots pull info from to spare themselves from having to do their own research, from shitsites like VICE to broader audience networks like ibtimes. It's also quite common knowledge that AB in the past has had incompetent staff. Which is why I don't understand: why wasn't a post simply made on here, addressing /u/alphabaysupport or even /u/trappy_AB? It didn't have to include every detail of what had gone on, just make an urgent post addressing those users either in this subreddit or on the AB subreddit, and they would have received a reddit notification themselves and not had to wait on a public outcry. Sure, users wouldn't have necessarily known, but it would have almost certainly been handled, and had it not, then it would have been appropriate to sound the firebells. Now that it's out there, and has been made public, it has drawn widespread attention and fanned a lot of the wrong flames. A more cynical person might even imply that the publicity was an intentional effort to broadcast and advertise possession of the data for interested parties, but I've had enough conspiracies for one day.

In short, I feel like AB should be re-added to the superlist. Keep the warnings if that's what makes the modteam giddy, but for fucks sake at least play it fair considering there are other markets that have had even more severe issues (Hansa, Dream) which are still up and floating.


[2 Points] None:

[deleted]


[1 Points] dnwhat:

This is by far my favorite market, but this is the only thing to be done with them. These security breaches are unacceptable, and the alphabay team's response has been laughable.

I have a couple of orders made on AB right now, and I will put the rest of my coins there in a vendor tip jar. (~$3... Not tryna transfer that.)

I'd like to try DHL at some point (hopefully they go public soon, or got one.) Until then I'll be shopping on Hansa.

To be clear. I 100% support the removal of AB links. This community has given them too many chances, and they just keep dropping the ball. RIP Alpha.

*** Got an invite. Thanks /u/BarForBar for the advice


[1 Points] chef234:

They got all the vendors though and I need my drugs so.


[1 Points] PokemonGoesResearch:

If some rando hacker got in, guaranteed LE also infiltrated, right? It's just a question of what they're gonna do with the info.


[1 Points] None:

[removed]


[1 Points] I5uEQKrv4u5KR3fb7yyC:

I just went on AB's forums to see if they told their users about this, and I didn't see a single post about it? Am I blind or are they trying to keep this on the dl?


[0 Points] None:

This is the right decision; that is a piss poor way to both run a market and deal with a vulnerability disclosure. It's disappointing that so many replies here don't care about the biggest DNM having such terrible OPSEC. I hope this encourages more vendors to use Hansa so I never have to bother with AB again; currently I only use it for vendors who are not on Hansa anyway.


[-1 Points] Seraphim_X:

Wombat, I have seen concerns that not having the links up might lead people to harmful sites. Can we put up just the main address un-linked at least, allowing the community to have another source to cross reference the address from other sites? It could also be used to manually copy/paste into the URL bar.