DHL Market - Current problems - Consider avoiding right now

Update: IP leak is now confirmed

A DHL admin commented in their forum:

A few more hours and we have an answer to everything in its entirety. But we also have very good news. We are deploying the new market where everything is fixed earlier than we wanted, e.g. not feature complete. But what can we do :( The IP leak is true. That was one of our test servers. But we killed everything already and besides some fresh loaded but now worthless virtual credit cards nothing is left :( Apparently we had a traitor in our midst. The person doing various tests for us after each new version. Looks like he sold this info to the highest bidder. But encryption worked. Manual as automatic. Our system does now allow for any code changes inside read-only containers besides a signed push from our servers.

But yeah, we fucked up here. Gotta admit that for sure. But we'll make very good on this within 24hours, I hope.

EDIT: Support will fix issues soon again. And we are waiting for a fresh btchost to complete syncing before we process payments again. But that should be only max 10-12 hours. Usually we have emergency machines around but we decided to burn everything for the redeployment.

Additionally, private message leaks have been reported by t0mcheck. Post here

Message leaks have not been confirmed by a trusted third party yet, but seem possible given everything else.

If you have coin in the market it's time to think about getting it out of there. Stop using the market for any kind of business.


Recently there have been some serious warnings about DarkNet Heroes League.


The XSS

Three XSS attacks were discovered Post

Apparently there are many XSS vectors on DHL Comment

These are basic mistakes. Rooting out all XSS vectors is hard, but that isn't what's happening here. These mistakes indicate a failure to sanitize inputs where it should have been obvious to do so.


The IP address

An IP address has been discovered which allows users to log in to the market. Significantly, it is only possible to log in with older accounts, and if the password was changed recently only the old password works. This means that we are probably not just dealing with someone running a clone.

The possibilities:

DooshNozzzle was able to log in. See here

I was able to log in using a throwaway. This account had been created a few weeks ago. I hadn't enabled 2fa at the time because it was only for mod stuff. I recently enabled 2fa.

I was able to log in without 2fa on the IP address. It only accepted the correct password. I changed my password on the real DHL onion and then tried to log in with the new password on the IP address, but could not.


What does this mean?

We don't know.

Worst-case scenario: if the IP address is real and is that of the DHL server, they are compromised.

At the very least it is possible that the user table of their database is either dangerously exposed through an IP they control but not the same IP as the market, or has been stolen.

DHL has promised us an official (and truthful) response but have not yet made it. Post here

We will update this when they respond.


What do you need to do?

Consider avoiding DHL until we have some clarity about what is happening. Recent events are very concerning and it is not worth placing yourself at additional risk just to cop right now.

Wait for the DHL admins to share their side of events.

Be wary of the DHL server. Turning off JavaScript is great, but there are other threats to darknet users if a server is compromised.

If DHL data has already been leaked, assume law enforcement will get access to it. If you reused passwords, change them now.
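To illustrate the class of mistake the XSS section describes (untrusted input dropped into markup without encoding), here is an added example written for this page. It is not code from DHL or from anyone in the thread; the sample usernames are constructed, and the function names are assumptions. It shows the raw-interpolation pattern beside its output-encoded form, plus a small check a test suite could run to catch the regression.

```javascript
// Added example (not from the post): contextual output encoding, the fix for
// the "forgot to sanitize an input" XSS class the post describes.

// Escape the five characters that can break out of an HTML text node or a
// double-quoted attribute value. Encoding on output is the reliable fix;
// trying to strip "bad" input is what goes wrong in practice.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The vulnerable pattern: user-controlled text goes straight into markup.
// A username containing a tag becomes live HTML in every viewer's browser.
function renderUnsafe(username) {
  return `<span class="user">${username}</span>`;
}

// The hardened form: every interpolation of untrusted data is encoded for
// the context it lands in (here an HTML text node and an attribute value).
function renderSafe(username) {
  const safe = escapeHtml(username);
  return `<span class="user" title="${safe}">${safe}</span>`;
}

// Regression check usable in a test suite: does an untrusted value that
// contains a tag opener survive verbatim in the rendered output?
function containsRawTag(html, untrusted) {
  return /<[a-z!\/]/i.test(untrusted) && html.includes(untrusted);
}

// Constructed sample inputs (not real data from the market).
const SAMPLE_USERNAMES = [
  'alice',
  'bob "the builder"',
  '<script>alert(1)</script>',
];

// Render every sample both ways and report which renderer leaks raw tags.
function audit(usernames = SAMPLE_USERNAMES) {
  return usernames.map((name) => ({
    name,
    unsafeLeaks: containsRawTag(renderUnsafe(name), name),
    safeLeaks: containsRawTag(renderSafe(name), name),
  }));
}

for (const row of audit()) {
  console.log(JSON.stringify(row));
}
```

Only the third sample trips the check, and only through `renderUnsafe`; the encoded renderer turns it into inert text. The point is that encoding is applied at every output site, not at a single input filter that has to anticipate every payload.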


Comments


[52 Points] None:

Objectivity level 10/10.

I wish the rest of the mod team were as switched on.

Thanks for helping the community, Pinochet.

What's up wombat?


[9 Points] SloppyJoeLieberman:

Good move. Objectivity and yielding to the winds of caution are a good thing. If there were even a circumstantial possibility that a market was critically vulnerable or potentially compromised - I would hope the mods here would act accordingly in order to minimize the potential for harm until things were properly addressed.

Several points in the DHL topic are somewhat alarming to me:

Some of the mod responses are a bit caustic. The vitriolic and antagonistic comments towards /u/t0mcheck & others are unnecessary and largely unprofessional. If there is a disagreement regarding technical aspects of the argument, that's fine, but the desire to smear and insult a seemingly concerned user is unpalatable. Sure, we don't know the identity of t0mcheck nor do we know his motives but he does seem to have a fair grasp on the subject matter at hand. I think immediately dismissing his theories without overwhelming evidence of the contrary is damaging to the community as a whole and certainly decreases the reputation/trust of the mods.

Something as important as this deserves to be addressed without incivility and with an open mind. From my limited knowledge, the DHL issues and potential clearnet server ARE concerning even if it pans out to not be the case. Whether or not it turns out to be an issue, a reply similar to /u/pinochetHA's is much more reputable and reasonable than some of the childish shit I've been reading. Harm reduction doesn't only pertain to drugs - it also applies to the entire microcosm ("DNMs") that we interact with - and this sub should reflect a level of concern that prioritizes users regardless of how tech savvy they are.

DHL really needs to come forth and clear this up in a non-patronizing manner. Their original response was about as disgusting as could be from the perspective of a concerned user and the attitude displayed is almost as concerning as the question(s) at hand. The snapshotted clearnet server is definitely of great concern especially if it is directly related to the real DHL server. If it isn't, there are still many important questions which need to be addressed ASAP.


[3 Points] JburnaDNM:

So was the person claiming to be cipher unbanned so we can get more info or did I miss something in regards to this?


[6 Points] throw_333_away:

My theory is, LE took over DHL somehow, and they migrated it to their own datacenter. The leaked IP is the actual DHL instance, and the onion URL is routed to LE(think of it like a fork, the actual/"good" DHL is now frozen in time because LE swapped it out with their fork).

Don't use DHL for now.


[5 Points] FuckTheM0dz:

Wombat usually does these. I wonder why he isn't around lately.


[3 Points] C66HH12OO6:

It's scary to think about the fact that Law Enforcement have definitely been aware of these compromises for a while. All the pentesters have said themselves that they were trying out simple pen tests and did nothing extremely complex. Imagine what the feds with unlimited time and resources could have found. Not trying to spread FUD, just being realistic.

In uncertain times like these, it's important we be practical and logical in our thought processes. I would shy away from any large market for a while, and resort to DDs and personal hidden services. Just my opinion. Stay safe everyone.


[3 Points] hhayn:

Good. It is a shit market with a whole 6 vendors. This is the least concerning market breach/vulnerability disclosure in history.


[3 Points] UndeadMarine55:

Not to say I called it but... https://www.reddit.com/r/DarkNetMarkets/comments/6ox9uh/the_feds_strategy/?st=J5VCI2UU&sh=ff13755c


[3 Points] sharpshooter789:

All of this information suggests that DHL is owned by aliens.


[2 Points] tgif3:

Honestly who cares do direct pay with vendors on there it's bip32 so all law enforcement could do is see your pgo


[2 Points] SloppyJoeLieberman:

Ding ding! Guessed it? The surprise announcement was a redesigned website (possibly due to all the issues with the current one in order to start from the ground-up)

https://www.reddit.com/r/DarkNetMarkets/comments/6qzeww/sourcery_and_dhl_market_vulnerabilities_exposed/dl1drge/


[2 Points] FbisGaY:

Seeing all this makes me wonder about this post a few weeks ago https://www.reddit.com/r/DarkNetMarkets/comments/6mxmq7/bug_with_dhl/


[1 Points] None:

[deleted]


[1 Points] Bigw0rmer:

Not to mention real names all over things , with signs pointing to a network admin


[1 Points] None:

[deleted]


[1 Points] Brookklyn:

Damn that's the only market I trusted


[1 Points] Ballashotcalla1:

Will do thanks for the warning


[1 Points] electricalnoise:

So, done with dhl i guess. Even a statement from the mods could be LE with access. You guys wanna risk it? Not this fuckin kid.


[1 Points] Prof_ricksanchezVEND:

Oh more great news......

Good thing I'm not doing markets for a while.

Only have a few homies doing DD's no way for feds to snatch those haha


[1 Points] SoulUndead:

If you have coin in the market it's time to think about getting it out of there. Stop using the market for any kind of business.

I'm experiencing problems withdrawing. Two others are as well:

https://www.reddit.com/r/DarkNetMarkets/comments/6rcgue/no_funds_or_transaction_history_on_dhl_account/


[1 Points] DarkNet_Shill:

Consider cashing out and flying somewhere nice and warm


[1 Points] ecstasais:

Oh, wow...


[1 Points] big_gaythrowaway:

Longtime dhl user with decent opsec, but by no means a computer wiz. Sent some tumbled coin to my account before I went out of town a few days ago. What additional opsec steps would you all take if accessing the site and withdrawing coins besides the obvious tumble?


[1 Points] coffeencreme:

Jesus Christ DHL.


[1 Points] NextMoveBestMove:

Is DHL coming back any time soon?


[-1 Points] q123rumble:

a quick thought from a nobody that has no business even being here right now ... but ... Has anyone stopped to think that this "beta" market that has been in "beta" stage for what, two years now, and is about to reveal their official / stable market 1.0 launch soon, wouldn't you think that maybe this kind of operation would require thorough "examination" and/or "testing" of some kind at least before it was opened to the public or expanded further?

imho there is no better testing than one can have done to his/her "product" than for "it" to be stressed to the limits by the masses, and at the same time the "wolves" (i.e. mostly comprised of reddit fools and your basic fuckboy/LE/scammer) fed "blood" (i.e. instigation via keystroke warfare) to keep them licking the "knife" (i.e. attacking the site/mods/vendors and exposing "vulns").

now in between random bits and bytes of truthful information and straight FUD you see a very clear picture of what is really going on. You also see that the bar on the dnm scene is being set by DHL right before your eyes.

// i am who you think i am // i am who you think you are // everything is not always as it seems


[-5 Points] wombat2combat:

edit: yes down-vote me for telling the fact that tomcheck did not prove his claims till now.

thanks for making this post.

for now there is no proof that the two servers [clearnet server and dhl hidden service] are the same. and tomcheck was not able to provide proof for that. till he does that, his claims are not proven.

here some more details:

At the time of writing the claims that tomcheck made are still not proven and therefore false. He claimed that the two servers are the same. While some of the header fields in the response headers from both servers are the same, they are easily fake-able.

The only thing that would be very hard to fake is the exact date of the server down to the millisecond-range. However both servers just use the same timezone (GMT) and this is just one line in a config file to change that. And tomcheck will never be able to prove that the time that both servers use is the same down to the millisecond as explained here.

Till tomcheck proves that the servers are using the exact same clock, not just the same timezone, his claim is unproven.


[-2 Points] wombat2combat:

to show how tomcheck does not see it as necessary to prove his claims, resorts to insults, and is in the 'infosec business' despite not knowing that Ubuntu full disk encryption covers more than just the home directory:

very first thread: https://anonimage.net/gallery/oa6K3Ko4yW

first thread: https://anonimage.net/gallery/TwHQj5VJ9B

second thread: https://anonimage.net/gallery/2QY1l6o83G