I'm just relaying some info that I found at /r/onions.
/r/onions/comments/77jfd1/wall_street_markets_ip_address_is_exposed/
Hello everyone.
Today I present to you the following claim: that Wall Street Market's IP address is 62.138.14.136 and the hostname is loft24104[.]dedicatedpanel[.]com. For reference, the market uses the onions wallstyizjhkrvmj[.]onion and wallst4qihu6lvsa[.]onion.
How do we know this? Visit http://62.138.14.136 ...
It always bypasses the DDoS protection page.
You can sign up on both and authenticate to both. Register on onion, login on clearnet. Vice versa. Neither accept fake credentials, either.
No code is different between the two. For example, Bitcoin addresses, QR codes, and all all other data are identical. Even the server time (lower right) on both are the same.
HTTP headers look identical as well with timestamps and order matching 1:1.
Both use Nginx for the webserver, as confirmed by Nmap.
You could think that 62.138.14.136 is a proxy, but I doubt it. The clearnet IP is much more responsive than the .onion page, loading very quickly. A proxy will have to route through onionland to the hidden service and always be slower than the realsite. Plus, a proxy is never going to bypass the DDoS protection page on every load.
I post this as-is. Judge for yourselves.
Update: It seems that within the last 10 minutes (Friday, October 20, 2017 @ ~14:20 GMT) the clearnet IP returns a 404 error. However, this exposure was caught independently by others using a separate IP (85.35.139.36) 12 hours before I found this: https://twitter.com/x0rz/status/921016966596440066
So far known IPs:
62.138.14.136
185.35.139.36
As /u/ichundes pointed out, these might be placed in front of the real server.
and the tochka post:
/r/onions/comments/77m6na/tochka_20s_ip_address_is_exposed_new_darknet/
Like Wall Street Market, I found the IP of Tochka 2.0. This market was created in the last few days and appears to be gaining some support.
I am pretty sure this is right. Below is the evidence that I present. As always, judge for yourselves.
Onion = http://tochka2xxk576oc3.onion Clearnet = http://200.74.240.142
Nmap scan showing same headers
Clearnet Bitcoin address = Onion Bitcoin address
Referral link taken from clearnet IP = onion address
http://ln6vyadk4hv3dnyt.onion/i/1bst0t3rq.png
Censys result
http://ln6vyadk4hv3dnyt.onion/i/1bssvuk4b_1.png
Shodan result
http://ln6vyadk4hv3dnyt.onion/i/1bssvuk4b_6.png
I doubt this is a phishing site. You can create accounts on both, log in to both with the same creds, neither accept fake credentials, etc. The clearnet IP loads much faster and Nmap confirms both use the exact same web server.
Also, since this is a newer market it's much less likely to have phishing clones because there isn't much incentive on a new market.
Judge for yourselves :)
Yep. The Wall Street one was confirmed by others on Twitter today. I tried informing everyone yesterday on this subbreddit but the mods refused to approve it. Just an FYI.