-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
I am the root admin of Alphabay and I have been made aware of the issue with
BigMuscles asking someone for a private key. My manager posted some pretty
good explanations on reddit earlier today but I will add some more information.
First, I went through the database and removed all messages containing a
private key. A total of 11 users gave it, so the messages were deleted. There
is no evidence of any breach so your information is safe. Every moderator can
set his own templates for replying to tickets to make it quicker and to avoid
having to retype the same thing too many times. For example, many moderators
have templates asking for PIN, mnemonic and last transaction history if a user
claims to be locked out of his account, or templates asking for BTC address / txid
for missing deposits. I can confirm that BigMuscles' template included a request for
a private key, but I can also confirm that it was purely a language mistake and that
is has now been edit. He meant a message signed with the private key, which is the
standard method of verification in many markets.
As I am the only one having access to the moderator logs on the marketplace, I
confirm that nothing was ever compromized, and that nobody lost money. In short:
- - It was just a language mistake
- - All messages containing private keys have been hard deleted
- - The template has been edited
- - All staff has been warned to be very careful about that
- - This moderator had a perfect record with us and pratically no complaints before
- - This moderator cannot change balances, PINs, or passwords
Nevertheless, if it can make you feel safer, change your PGP key if you gave it. Hopefully
this should convince the community to calm down on what is now 100% resolved and
nothing else to worry about, and again, on behalf of Alphabay, we truly apologize for
the problem. We would also like to remind you of some more security features that
were recently added:
1) Phishing
All new members will see a warning at the top of EVERY message warning them to be
careful about phishing links, do not FE, and the usual security stuff. The warning
message will disappear after a while, over time.
2) BTC addresses
All withdrawals are sent in batches from different addresses, therefore eliminating
wallet profiling techniques. We also employ a special process: every 2 days, we export
all required private keys (user deposits addresses and change addresses with balance),
and re-create the hot wallet from scratch. This means that after an address expires, or
after a change address (which can be MANY levels deep) sends coins to a user, its
private key gets removed from the server, so even the police getting the hard drive
of the server would never be able to prove that an address has ever been ours. This
should comfort some people who made mistakes in the past. What you see on
WalletExplorer is the old wallet, which people keep sending money to despite knowing
that we erase all records after 7 days for security reasons.
3) About the "exploit" allowing orders to finalize earlier
This is a MYTH. We have put our programer on the case as soon as it got reported on
reddit, to find out that it wasn't true. Once the order gets placed, its "listing type" is sent
with it, so any change made to the listing does not affect orders who already got placed.
Nevertheless, we added a security protection preventing vendors from putting "digital
listings" in physical categories like Drugs, etc. to eliminate possible scamming.
Thanks for being a customer on Alphabay and we will be implementing additional measures
in the future to make sure that we are totally safe from LE.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBCgAGBQJW49GJAAoJEOAZpE/dncxme5IH/ii4En4cUZU/Qki0Xka08qRR
BPZx0knPipxJQy4F9zkQNYclhMAx0tWfro13vbqYhv/CR0pzOSTo7dowGPI9xqjk
X9hYQ8Jxv5byNFCZIPhHS9Q0MUOHDiJ3CJ+bXtXF+k9dRmwV5TKo5Ahog63wJKAj
P18Mf+ei3N2JnZHuxm3RDrGV4of1MAZklvuWumQwVxdeNWafb0so/bUAeps2PD1b
ue79i2JUrl2IBjpOZ3pe1aPc9J7erbVUdUyCrtXRt18lJ98M6LgIl1AAF7d6umxJ
MINBuwYpoubQVZ7aydl46klWUnQxK96wZUX8RKDu53jcBOHLgCcn4DOSgxGNNCI=
=mvbB
-----END PGP SIGNATURE-----
[deleted]