AlphaBay: Some info from your friendly neighbourhood Spider-man

I can't say exactly what happened, because of the raids that coincided with the shutdown of AlphaBay, however I can provide some sort of insight that I am now happy to reveal due to no contact from any of their Admins.

On Sunday July 2nd, I contacted Support to get in touch with a high-level Admin immediately. I was directed to create a Forum account and speak with the head admin regarding a huge vulnerability I found which exposed a lot of data and allowed me to identify a separate server IP address tunneling some of their API requests; this server was located in Europe. I rooted this server and was able to send malicious queries through the API to return vendor messages, order details and insert my own orders, which could have allowed me to empty their wallet.

I was told to provide some more info and discussed a large bug bounty with them on Monday 3rd. This was the last contact I had with them before the site promptly went dark, so to speak.

The vulnerability found was relatively simple. I hadn't attempted to fuck with the API before, and I think it's a bad idea to have any sort of API similar to theirs on any other market. It may seem convenient and allow for integration with other sites, however the security of this is absolutely essential and it's not worth spreading your playing field in such a way that you compromise your users' security, as they displayed in the past with the amount of data that was able to be leaked.

My theory here is that they exit scammed on July 4th due to the amount of sales for the holiday weekend and the sheer volume of coin that would have been on the market at that time, and they may have been worried to trust me as I could have still easily outed them after receiving a bug bounty in many ways. They could also have already planned to exit scam on this date.

The other option of course is the raids. Personally I think this is ENTIRELY coincidental, as this would have been apparent by now, unless they are still investigating. Taking down the market and no contact from the admins would, however, be a sign to other staff to pack their shit and leave, and they would have all the info they need to find them (if any). If they did seize their servers, there is a high chance that they also found the vulnerability that I mentioned; considering I have run short tests on the API before and yielded no results, it may have been a recent update that allowed for this flaw to occur.

So why am I telling you all this now? To try and help with some closure on knowing that there is a much bigger chance that this is an exit scam, and because I feel I am in the clear. I was left very paranoid regarding the raid and me having accessed their servers; albeit securely and anonymously, you're never 100% secure, and I doubted myself many times over the past week or so.

I also want to raise this now, so we can put an end to this happening. It shouldn't still be possible in 2017, we're almost 4 years from the Sheep Marketplace exit scam and still we don't seem to have learned a thing. Don't think this excludes you if you've moved to Multi-sig only - you too. This is a community effort that needs to pave the way for this to become standard across the board.

/u/wombat2combat /u/theeconomist1 /u/CrushOnJenny /u/pinochetHA

Change the rules, penalize the markets not using true multi-sig only, for the sake of everyone. You can't blame people for being too lazy to change their ways; we actively teach standard market escrow processes. Allow for an announcement, a warning that any markets using centralized escrow will be archived/removed from the Superlist; make it a standard for any new markets that want to launch here; focus all DNMNoobs guides on Multi-sig 100%; adjust/remove any old steps; force people to make the move, otherwise more markets will carry on to do the same, even offering both multi-sig and centralized escrow.

Please consider contacting market admins who currently run such shit excuses for markets (looking at you, Dream). 3 strikes and you're out on security too - people lose their lives due to sloppy security on the market's end.

On a brighter note, I'd like to provide some security reports soon on some markets, including new ones such as Sourcery and Wall Street; they had some initial small bugs that I found, not security related however. They are in good standing from what I have seen though.

I will post some extensive reports within the next week or so, and I am going to set up my own onion service for penetration tests, security checkup services and market reports, so users can choose their go-to based on a security rating as well as its core features.

Signing off.


Comments


[30 Points] writingpoli:

Thanks for all you do.


[20 Points] wombat2combat:

Change the rules, penalize the markets not using true multi-sig only

indeed, we mods of the superlist will publish a bunch of new market listing criteria this week which includes multisig. so all new markets will have to support it. existing markets should also be pushed to this step.

On a brighter note, I'd like to provide some security reports soon on some markets including new ones such as Sourcery and Wall Street

I am curious what you found. however you may just want to save your resources for markets that are listed on the superlist and not the ones that did not make it onto it [like wall street market https://www.reddit.com/r/DNMSuperlist/wiki/not-listed ].


[7 Points] None:

[deleted]


[6 Points] Jcool4:

I thought it had been confirmed that the raids in Quebec and Thailand were AlphaBay related.


[5 Points] None:

[deleted]


[5 Points] SpecialAgentDildo:

I agree, 4 years after Sheep we all need to say enough is enough. I would like to echo the words of one of our most intellectual presidents here in Murica, but I think I should let him tell us his message....

https://youtu.be/eKgPY1adc0A


[5 Points] quebec_meth:

Everyone can write stuff and claim stuff


[3 Points] TheDunk80:

lol, all that writing and turns out to be a bunch of bullshit. People need to get a life.


[2 Points] HugBunter:

/u/wombat2combat /u/theeconomist1 /u/CrushOnJenny /u/pinochetHA


[2 Points] AManWithoutQualities:

The only facts we know are:

1) Alpha bay has shut down.

2) There have been raids in Canada and Thailand which have resulted in the arrest and suicide of a 26-year old computer programmer.

3) LE are saying the arrest and investigation is related to drug and arms trafficking over the dark web.

Seems pretty straightforward to link the two.

Set against this, we have speculation without proof from some anonymous guy on Reddit claiming he talked with the admins a week ago and thought something was shady. OK.


[2 Points] AndroidHelp:

Oh it's you


[1 Points] AutoModerator:

/u/wombat2combat - You have been summoned in this thread by /u/HugBunter.

This convenience is brought to you by AutoMod. Submissions do not automatically summon users like comments do. AutoMod is trying to be helpful.

For others, it should no longer be necessary to summon the referenced user in a comment any more. AutoMod has done the heavy lifting for you. You're welcome. Bow before me.

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.


[1 Points] onionland_star:

You're so full of shit.

You will never convince me they were hitting any clearnet IPs.

Shit, even The Hub had (has?) a better setup than what you are describing...


[1 Points] None:

[removed]


[1 Points] Jethro23:

blackbank was "multi-sig" and they exit scammed


[1 Points] None:

I got so hard when you mentioned taking off centralized marketplaces from the Superlist. I couldn't agree more, multi-sig is the future of marketplaces to come I can almost feel it to my very core. Thanks Ross for paving the way.


[1 Points] tecman69:

Don't think this excludes you if you've moved to Multi-sig only - you too.

Definitely support your advice on a multi-sig standard, just not sure Hansa's is the way to go. Is that what you are saying with the above?


[1 Points] mymuse100:

Didn't someone else say they found a leaky IP through the forums a few days back, and others reported it at the same time, and that a bounty for everyone was in the works and everyone was able to negotiate higher? And how this IP from the forums could lead to a server trace?


[1 Points] AndroidHelp:

I will post some extensive reports within the next week

No, you will post proof now or I'm calling bullshit.


[1 Points] deep_touch:

Glad to have you around.


[1 Points] None:

[removed]


[1 Points] None:

How do DHL and Hansa rank in your system?


[1 Points] None:

[removed]


[1 Points] yellyinbelly:

I also noted problems with the vendor API in the last days of AlphaBay... wait... yesterday, I posted this in the "A coincidence? Perhaps vendors knew.." thread:

First off, kudos to my vendor, he immediately fixed my order and sent my package after AB went down!! He's my favourite! The story: I made an order on Saturday and it got stuck on "Processing..." even though this vendor EVERY TIME WITH NO EXCEPTIONS in the past changed the order to "Shipped" within 5 minutes from ordering.. I sometimes thought how this is even possible.. even with nighttime orders.. he seemed to be lurking on AB all day to check for orders.. After some time I figured that he maybe used the vendor API of AlphaBay and had a script doing the job of collecting orders and setting them to "Shipped"..... I get to the point of this in a minute. So AB went down and I never received my package, which usually every time popped up in my mailbox after 1 day.. sometimes two at the latest... I was lucky and found the vendor on Dream and messaged him that it is a shitty situation with AB being down, asking him about my order. He then immediately apologized, asked for my address again and also told me that he is quite pissed off by the whole situation since he lost 15.000 € by AB being down... So, basically same thing here.... my suspicion is that the server which does the vendor API stuff maybe went down even before the whole market... the fact that the vendor lost so much cash undermines this.. why would he lose the cash when he knew about AB going down. Many big and medium "sized" use the API, so apparently did my vendor.. he also apparently did not know what's going on, otherwise he would have got the money out of there. Just a guess based on the facts I gathered.

tl;dr: Maybe vendor API problems before AB went down. Status "Processing" till server down, then my vendor, after contacting him on Dream, finally sent my package and complained about losing 15000 due to AB being down.


[1 Points] chipmixer:

You have found a flaw and the market is offline. Can you publish the flaw?


[1 Points] Anotherwonton:

Please give us an update soon on the security of some of these remaining markets, much appreciated.


[1 Points] KingDigital:

What tools are you using to scan some of the darknet sites?


[1 Points] ecstasais:

Oh, thanks for this. This also proves that somebody has to raise the bar of security not only on the front end but also at the back end level.


[0 Points] None:

[deleted]


[-4 Points] None:

[deleted]