Boosie5150 questionable security practices - Agora account compromised in June

A couple of weeks ago I was checking out the page source code of the markets that survived Onymous. I don't code, but I have a basic understanding of web HTML / CSS etc. I didn't really expect to find anything interesting. Anyway, I was on Agora and found a string that for some reason looked interesting to me, so I googled it thinking it was part of some open source GitHub code that I would find by googling it. I found this pastebin (rehosted and edited because it contains dox): http://paste2.org/J9gpGZgX

Wait, what? Is this actually the HTML source of boosie5150's vendor profile? Yes it is. It is the inbox of Boosie; save it as HTML and open it in your browser for easy viewing. The original pastebin was posted "By: a guest on Jun 7th, 2014" and it had been viewed about 170 times when I first opened it. The pastebin has made its way to multiple people by now, including the mods, so I thought I'd share it publicly. The pastebin also shows up on the 8th page if you Google the guy that didn't encrypt his details; I don't know whether the 170 hits are all people who knew what they were looking at or mostly bots.

Contents

The contents reveal quite a bit and show some pretty severe opsec mistakes. I tried to look up 2 of the buyers' profiles and found social media accounts, posts requesting free porn passwords, school sites etc. I don't understand why people think it's a smart idea to use a username that's already been used on a clearnet website, especially when it's a made up username with only a couple of hits on google, all of which are theirs.

You can also see that one of the 7 gram MDMA orders contains an unencrypted address: he put his address and then the public key of boosie5150 (no words...). I looked him up; the guy has 2 prior arrests for possession of cocaine, crack cocaine and MDMA and started using his middle name after these arrests. Too bad he doesn't have a third name. He uses almost the same username on Twitter.

The pastebin also gives some insight into turnover and the amount held in escrow: on June 6th Boosie had $89.72 in his wallet and $25,197.70 in escrow. I summed up all orders from June 5th: 22 orders totalling 5.27865919 BTC or $3,460.79 (with the BTC price at $655.62). Pretty nice turnover for 1 day, huh?

How?

Now to the more important part: how did this happen? My first thought was that boosie5150 for some reason was in a rush and needed a quick way to save the addresses of the orders so he could look them up in another location later. Another option was boosie5150 being hacked, phished or otherwise having his account compromised; the attackers didn't get his PIN so couldn't steal from him (there was only $89.72 in cleared funds in it anyway), so they put up this paste and tried to blackmail him for some BTC. Well, I made a dummy account on Agora and contacted boosie (I also let him know that I was going to make a post on reddit):

boosie5150: Looks like their database got dumped somehow, I didn't have anything to do with this

me: It's not their database being dumped, this is the HTML source of your control panel. So someone who had access to your control panel posted this.

boosie5150: Okay, well nobody else has access to it, never has. And I realize it's my panel being dumped, but nobody has had access to my account and I have never had my account compromised. I'm sorry those people had their addresses leaked, but this is over 6 months old and I have never given someone the opportunity to access my account.

me: Could it have been you that uploaded it to pastebin for whatever reason and forgot to remove it?

boosie5150: There is one person I think could have done it. My best friend is a programmer and he made me a program that exports the orders, converts them into .CSV format, changes the status of orders, etc. He may have uploaded this online for some purpose while he was making the program and forgot to delete it. I have texted him asking him and if it was him we will try to have it removed asap.

boosie5150: He says it wasn't him, very sure also.

me: Have you always used PGP auth for your account?

boosie5150: Yes.

me: Any chance you got phished? Or a weak password or something? If not, the only way this could've leaked was if Agora somehow got compromised. And if they were, for some reason only your profile got leaked.

boosie5150: It's never been compromised and I also have 2FA enabled. I'm not sure how it happened, but I know that's the only leak I could find and it was 3 months old. I also have since updated all my passwords and such since I noticed this.

Boosie denies ever being blackmailed; he also says he changed all his passwords and such after I made him aware of this. His PGP key is still the same, however:

pub 2048R/55FCA225 2014-04-07 [expires: 2019-04-06] uid lilboosie5150 <lilboosie5150@tor.com>

So eh... if it wasn't boosie5150 that posted the pastebin, what happened? If boosie5150 was compromised in June, they could have accessed his account from then until now. Boosie's account was PGP protected, so the only way they could log in was if there somehow is a phishing site that acts like some kind of gateway to Agora; as far as I know the known phishing sites are mirrors (could be wrong here). In any case, if they actually have his password and PGP private key they are sitting on a goldmine of dox from orders from at least June 5 until now. I am thinking this might be the case since boosie5150 is positive he never got MITMed.

Boosie doesn't seem to have the best OPSEC: gambling on clearnet sites using the same username, showing his hand and room interior in product photos, giving his programmer friend full access to his account, etc. I have found multiple other clearnet accounts that could be boosie (I am aware that Lil Boosie is a rapper and know what 5150 means), none with personally identifiable information though (unless this is him).


Comments


[9 Points] None:

[deleted]


[5 Points] None:

[deleted]


[7 Points] wombosio:

great post!


[6 Points] DankNetMarket:

boosie5150: Looks like their database got dumped somehow,

Sigh....


[4 Points] Boosie5150:

None of these other clearnet sites are me, I am more than sure of it. Feel free to add them as much as you want and put on blast any of their personal information, as none of them are related to me in any way.

All of my product pictures do not have any personal information revealing my personal appearance on them, as you can all verify, as well as no geo data or anything else linking them to any other doxable data. The only reason the BHO picture, out of all my other product pictures, reveals the person's hand is because it was sent from a customer with minimal revealing physical appearance besides his possible race as white and that there is a brown roof above him! I removed all geo data/doxable info and decided to just leave it, as it is not linking any personal information to them.

NONE of these clearnet sites are me as well. It is purely coincidence that a sequence of words and numbers the rapper Lil Boosie used in various songs were adopted by random fans around the USA. I have no idea how this source code was released over 6 months ago, but I have taken every security precaution and improvement to our security ensuring that there is no one else with possible access to my account and never has been over the last few months. It's also notable that no withdraw addresses or other listings/wallet information were edited. noticed anything being updated on my account. All customers should have no concern over the safety of their addresses being leaked or saved; there was a single address that was UNENCRYPTED, and he has been contacted to warn him of the situation, which will be nothing to worry about.

I have been completely compliant with the user that has contacted me informing me of the slight breach and am very appreciative of him bringing this to my attention. Ever since being notified I have dedicated all my time to getting to the bottom of this, trying to get the pastebin removed, and ensuring that no other leak of this sort ever happens again in the future.

I really am taking this leak seriously and have always taken my OPSEC seriously. I do not download any programs onto my business computer, never log in to wallets over Tor, and take all the proper OPSEC steps that a vendor with a responsibility like mine has for the safety of my customers.

Also, the programmer that OP is referring to is a very close friend, someone who believes more in the cause of what I'm doing than the financial benefit he receives. I can guarantee any possible intrusions that could have been made were not due to him, as he understands the seriousness of what is posted publicly online and has assured me that he did not make any public posts to pastebin and would never put our source out there.

Please feel free to contact me with any questions or concerns anyone may have. I am taking this very seriously and am eager to try and ease any concerns people may have, I am taking this just as

I really do not feel anyone is at risk that has always PGP'd their addresses, and I also have already contacted the user that did not ENCRYPT their leaked address to let him know what has happened.


[3 Points] None:

[deleted]


[3 Points] Boosie5150:

I would also never have a selfie as a profile picture. Maybe it was a mistake to make my profile name a common username for various sites, as this could've been a foreseen problem.


[2 Points] None:

[removed]


[2 Points] None:

Alright, so if I read it correctly, you searched through source, found some information, dug a little, doxed, and then proceeded to post his information on here?


[2 Points] Theeconomist1:

So I'm guessing the program that the friend wrote does screen scraping. When was this program written? Was it around the time that this HTML source was captured? I'd imagine his program does the parsing in memory, as there is very little reason to save it to a file, then reload it into memory to scrape. However, I can totally imagine that the programmer, when first writing and testing his program, saved the HTML as a source file to build the logic of the parser around. That way he's not actually accessing the live site while testing the parser, which would be a pain in the ass; it's much quicker to just load from the local filesystem while writing up the logic, then when it's done, switch it over to load from the site.

OR, worse yet, the program written RELIES on the HTML page being saved as a file. This is the much easier way to write the program. Otherwise, if the program were to actually load the page live, the program would need to have logic to do the login, the captchas, the whole 9 yards. The whole point of captchas is to prevent programs from logging in.

So my suspicion is that this program relies on the HTML page being saved to a file; then this program is run, loads the file up, and does its parsing, which saves to yet another file, the CSV file.

Pure speculation. Hopefully these files are saved in Tails and at least encrypted!!! I don't know anything at all about the vendor, so everything I say should be taken in context with his reputation. This is just my guess from a technical perspective. Whether or not this is the source of the leak, I have no clue. But it could fit. Is it possible that the source files were not deleted or secured and accidentally got out there? Also, I'm not familiar enough with Agora, so I don't know if this page is even the same page as the one that parses the orders. I'm guessing so, if it contains addresses and such.


[2 Points] TheAnonProgrammer:

I am the programmer working for "Boosie5150", I am posting this to clean up the mess that paste has made.

When I started working on the application I created my own account on Agora to make the program log in to the site. At this point it connected to Agora beta through Tor just like Tor Browser, got the login page and captcha and showed it to the user so he could type it in. And here came the problem: I had no orders on my account, so I couldn't make the application grab the orders. This is when I directed boosie to give me the source of the Agora orders page via pastebin. It was never intentional to leak this thing to the internet. We sorted that problem later and nothing more was posted on pastebin.

I also want to add that this application is even more secure than Tor Browser: it only parses the code, no JavaScript will ever be executed by accident. No HTML is saved to the HDD, only a CSV is exported when the user needs it; the rest is done in memory (decrypting, parsing etc.).

His account was never compromised nor hacked.
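The two points the thread turns on, the programmer's design (parse the page in memory, never run its scripts, write out only a CSV) and the OP's observation that a pasted page source carries every order in full, including any address a buyer left unencrypted, can be shown with a small parser. The following is an added example written for this discussion; it is not the program TheAnonProgrammer describes, and the page layout, column names and order values are constructed stand-ins, since the real page structure is not shown in the thread. It parses a panel-style orders table with the standard-library `html.parser` (which tokenises markup and runs nothing), flags orders whose message field contains text outside any PGP-armored block, and builds the CSV in memory rather than writing the HTML to disk.

```python
import csv
import io
import re
from html.parser import HTMLParser

# Constructed stand-in for an "orders" panel page. The layout, column names
# and values are made up for this example; they are not the real page.
SAMPLE_ORDERS_HTML = """<html><body>
<script>alert('never executed: the parser only tokenises text')</script>
<table id="orders">
<tr><th>id</th><th>buyer</th><th>btc</th><th>message</th></tr>
<tr><td>1001</td><td>buyer_a</td><td>0.25000000</td><td>-----BEGIN PGP MESSAGE-----
hQEMA0FakeCiphertextForIllustrationOnly==
-----END PGP MESSAGE-----</td></tr>
<tr><td>1002</td><td>buyer_b</td><td>0.31000000</td><td>12 Example Street, Sometown
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBFakeKeyMaterialForIllustrationOnly==
-----END PGP PUBLIC KEY BLOCK-----</td></tr>
</table>
</body></html>
"""

# Any ASCII-armored block: PGP MESSAGE, PGP PUBLIC KEY BLOCK, and so on.
ARMOR_RE = re.compile(r"-----BEGIN PGP [A-Z ]+-----.*?-----END PGP [A-Z ]+-----", re.S)


class OrdersTableParser(HTMLParser):
    """Collects the rows of <table id="orders"> as lists of cell strings.

    html.parser only tokenises markup; <script> contents are delivered as
    data and ignored here, never executed."""

    def __init__(self):
        super().__init__()
        self.rows = []
        self._in_table = False
        self._row = None   # list of cells while inside a <tr>
        self._cell = None  # list of text chunks while inside a <td>/<th>

    def handle_starttag(self, tag, attrs):
        if tag == "table" and dict(attrs).get("id") == "orders":
            self._in_table = True
        elif self._in_table and tag == "tr":
            self._row = []
        elif self._in_table and tag in ("td", "th"):
            self._cell = []

    def handle_endtag(self, tag):
        if tag == "table" and self._in_table:
            self._in_table = False
        elif tag in ("td", "th") and self._cell is not None:
            if self._row is not None:
                self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            self.rows.append(self._row)
            self._row = None

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)


def parse_orders(html):
    """Return the orders table as a list of dicts keyed by the header row."""
    parser = OrdersTableParser()
    parser.feed(html)
    parser.close()
    header, *rows = parser.rows
    return [dict(zip(header, row)) for row in rows]


def unencrypted_order_ids(orders):
    """IDs of orders whose message still has text once every armored block is removed.

    A buyer who pastes an address and then the vendor's public key (instead
    of encrypting to it) shows up here; a properly encrypted message does not."""
    flagged = []
    for order in orders:
        leftover = ARMOR_RE.sub("", order["message"]).strip()
        if leftover:
            flagged.append(order["id"])
    return flagged


def export_csv(orders):
    """Build the CSV in memory and return it as a string; nothing touches disk."""
    if not orders:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(orders[0].keys()))
    writer.writeheader()
    writer.writerows(orders)
    return buf.getvalue()


if __name__ == "__main__":
    parsed = parse_orders(SAMPLE_ORDERS_HTML)
    print("orders parsed:", len(parsed))
    print("orders with plaintext in the message field:", unencrypted_order_ids(parsed))
    print(export_csv(parsed))
```

Running it against the constructed page flags order 1002, the one whose buyer typed an address and then appended a public key instead of encrypting to it, which is exactly the mistake the OP found in the real paste. The other thing the example makes concrete is that the raw page source is the complete dataset: handing the HTML to anyone, pastebin included, hands over every row the parser can see, which is why a developer who needs test input should ask for a redacted or synthetic page rather than a live one.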


[1 Points] None:

[deleted]


[1 Points] durgsrbad:

I can't fathom the quantity and size of the bricks Ol' Boosie is shitting now.


[1 Points] drpnit:

Could someone with an understanding of coding and what the OP did please ELI5? This seems incredibly important.


[1 Points] s3an112:

I can vouch that none of the information posted is sufficient; just because someone else leaked HALF A PAGE OF 7 MONTHS' ORDERS doesn't mean he's an incompetent vendor.


[1 Points] attilathehunn:

This post shows why dark net markets should offer up features where vendors can quickly and easily collect addresses and details.

It must be pretty annoying to copypaste and maybe decrypt hundreds of times to get the addresses. It seems natural to want to automate this.

So markets, make a 'click to download CSV file' button.