Wall St Market & Tochka 2.0's IP addresses exposed?

I'm just relaying some info that I found at /r/onions.

/r/onions/comments/77jfd1/wall_street_markets_ip_address_is_exposed/

Hello everyone.

Today I present to you the following claim: that Wall Street Market's IP address is 62.138.14.136 and the hostname is loft24104[.]dedicatedpanel[.]com. For reference, the market uses the onions wallstyizjhkrvmj[.]onion and wallst4qihu6lvsa[.]onion.

How do we know this? Visit http://62.138.14.136 ...

It always bypasses the DDoS protection page.

You can sign up on both and authenticate to both. Register on onion, login on clearnet. Vice versa. Neither accept fake credentials, either.

No code is different between the two. For example, Bitcoin addresses, QR codes, and all other data are identical. Even the server time (lower right) on both is the same.

HTTP headers look identical as well with timestamps and order matching 1:1.

Both use Nginx for the webserver, as confirmed by Nmap.

You could think that 62.138.14.136 is a proxy, but I doubt it. The clearnet IP is much more responsive than the .onion page, loading very quickly. A proxy would have to route through onionland to the hidden service and would always be slower than the real site. Plus, a proxy is never going to bypass the DDoS protection page on every load.

I post this as-is. Judge for yourselves.

Update: It seems that within the last 10 minutes (Friday, October 20, 2017 @ ~14:20 GMT) the clearnet IP returns a 404 error. However, this exposure was caught independently by others using a separate IP (85.35.139.36) 12 hours before I found this: https://twitter.com/x0rz/status/921016966596440066

So far known IPs:

62.138.14.136

185.35.139.36

As /u/ichundes pointed out, these might be placed in front of the real server.

and the tochka post:

/r/onions/comments/77m6na/tochka_20s_ip_address_is_exposed_new_darknet/

Like Wall Street Market, I found the IP of Tochka 2.0. This market was created in the last few days and appears to be gaining some support.

I am pretty sure this is right. Below is the evidence that I present. As always, judge for yourselves.

Onion = http://tochka2xxk576oc3.onion

Clearnet = http://200.74.240.142

Nmap scan showing same headers

Clearnet Bitcoin address = Onion Bitcoin address

Referral link taken from clearnet IP = onion address

http://ln6vyadk4hv3dnyt.onion/i/1bst0t3rq.png

Censys result

http://ln6vyadk4hv3dnyt.onion/i/1bssvuk4b_1.png

Shodan result

http://ln6vyadk4hv3dnyt.onion/i/1bssvuk4b_6.png

I doubt this is a phishing site. You can create accounts on both, log in to both with the same creds, neither accept fake credentials, etc. The clearnet IP loads much faster and Nmap confirms both use the exact same web server.

Also, since this is a newer market it's much less likely to have phishing clones because there isn't much incentive on a new market.

Judge for yourselves :)
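The correlation argument in the two relayed posts rests on comparing what the clearnet IP and the .onion return: same web server banner, same header order, Date headers that line up, identical page data. The following is an added example, not code from the original poster, showing how to automate that header comparison over two raw HTTP responses. The responses are constructed here so the script runs offline; the header values are invented and are not captures from either market. A real run would feed it one response fetched directly and one fetched through a Tor SOCKS proxy.

```python
"""Compare two raw HTTP responses (e.g. one fetched over the clearnet and one
fetched through Tor) and report whether their headers are consistent with a
single origin server.

Added example for this thread; not the original poster's tooling. The sample
responses below are constructed and the header values are invented.
"""
from email.utils import parsedate_to_datetime

# Constructed sample responses (NOT real captures). The interesting parts are
# the Server banner, the header order, and the Date values.
CLEARNET_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Date: Fri, 20 Oct 2017 14:05:12 GMT\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Connection: keep-alive\r\n"
    "Set-Cookie: session=clear111; path=/; HttpOnly\r\n"
    "\r\n"
    "<html>...</html>"
)

# Same server as seen through an onion address: same order, Date two seconds
# later (Tor circuit latency), different session cookie.
ONION_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Date: Fri, 20 Oct 2017 14:05:14 GMT\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Connection: keep-alive\r\n"
    "Set-Cookie: session=onion222; path=/; HttpOnly\r\n"
    "\r\n"
    "<html>...</html>"
)

# A different stack entirely, to show the negative case (e.g. a phishing clone).
UNRELATED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 20 Oct 2017 14:05:13 GMT\r\n"
    "Server: Apache/2.4.18 (Ubuntu)\r\n"
    "Content-Length: 18\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_line, [(name, value)], body).

    Header names are lower-cased but their wire order is preserved, because
    order is part of the server fingerprint."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def header_value(headers, name):
    """First value of a header, or None if absent."""
    return next((v for n, v in headers if n == name), None)


def header_order(headers):
    """Header names in wire order; values are ignored (cookies differ per session)."""
    return tuple(name for name, _ in headers)


def date_delta_seconds(headers_a, headers_b):
    """Absolute difference between the two Date headers, or None if either is missing."""
    da, db = header_value(headers_a, "date"), header_value(headers_b, "date")
    if da is None or db is None:
        return None
    return abs((parsedate_to_datetime(da) - parsedate_to_datetime(db)).total_seconds())


def compare_responses(raw_a, raw_b, max_clock_skew=5.0):
    """Return the individual signals plus an overall verdict.

    The verdict is deliberately 'consistent with', not 'proves': a reverse
    proxy in front of the real host reproduces all of these signals, which is
    exactly the caveat raised in the thread."""
    status_a, ha, _ = parse_response(raw_a)
    status_b, hb, _ = parse_response(raw_b)
    delta = date_delta_seconds(ha, hb)
    result = {
        "status_match": status_a == status_b,
        "server_match": header_value(ha, "server") == header_value(hb, "server"),
        "header_order_match": header_order(ha) == header_order(hb),
        "date_delta_seconds": delta,
    }
    result["consistent_with_same_origin"] = (
        result["status_match"]
        and result["server_match"]
        and result["header_order_match"]
        and delta is not None
        and delta <= max_clock_skew
    )
    return result


if __name__ == "__main__":
    print(compare_responses(CLEARNET_RESPONSE, ONION_RESPONSE))
    print(compare_responses(CLEARNET_RESPONSE, UNRELATED_RESPONSE))
```

The Date check only says the two responders share a clock within a few seconds, which any two NTP-synced hosts do; it is the combination with identical banner and header order (and, as the posts note, identical page content such as deposit addresses and session behaviour) that carries weight. None of this distinguishes the origin from a reverse proxy placed in front of it, which is the reservation /u/ichundes raised.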


Comments


[16 Points] DNSecurityConsultant:

Yep. The Wall Street one was confirmed by others on Twitter today. I tried informing everyone yesterday on this subreddit but the mods refused to approve it. Just an FYI.


[12 Points] throwaway33339393939:

I am the one that made those reddit posts. I cannot post in this subreddit with my account because the mods banned me while I was trying to post the Wall Street one here yesterday. I suppose they think I'm just trying to spread FUD even though the Wall Street leak was confirmed by others.

The IP exposure warning went on for over 24 hours before anyone in /r/darknetmarkets even caught wind. That is just sad.

Y'all need a new place to congregate. This isn't the first time the mods removed posts and banned users for expressing legit concerns.


[6 Points] stabBarbie:

Well, Wall St used to be available on the clearnet but removed it following some concerns, so it could be related to that. As for Tochka 2.0, as a rule I expect any market that leeches off the name of others to be completely incompetent, and this one is no exception.


[6 Points] None:

Mods here were warned of this previously, apparently, but deleted the warning given because there wasn't enough proof


[4 Points] InsanityDRM:

Anyone else find it amusing that all these markets are getting their IPs exposed, whilst Dream just adds fake headers and commented code in the page source but has yet to have its IP leaked?


[2 Points] tripdawg420:

Goddamned I wish I was smart af


[1 Points] None:

[deleted]


[1 Points] xlickmix:

It's not the site but one of its phishing clones.


[1 Points] scattrbrn:

Haven't been able to reach any WSM sites since the initial leak. Down goes another?


[1 Points] Alcibiades_DNM:

I don't think it's legit. When I visit that IP it times out, but Wall Street's onion addresses both load fine. I vend on Wall Street and haven't had any problems with it.