Theory: AlphaBay was brought down because of an exploit in the Magento framework

I'm a programmer that mostly uses PHP / Python. Months before AlphaBay was shut down, I was learning the Magento framework, an enterprise-grade platform for building marketplaces. When I was learning Magento, I thought it looked awfully familiar to a site I frequently liked to use - AlphaBay. I went to AlphaBay's forums and inspected the CSS, and I was right; some of the CSS classes were identical to the ones used in Magento. Fast forward a few months later to April 2017, and a major security headline was that over 200k Magento merchants were compromised with a remote code execution vulnerability.


In Cazes' indictment that was published by the feds, we learned that he used the email address 'pimp_alex-91@hotmail.com' to send out a welcome email in the early days of AlphaBay. Before Cazes was arrested, the feds used a remote command exploit to shut down the servers, so the Thai police could raid him while he was at his computer.


To conclude, a welcome email was never sent out containing Cazes' email address. When Cazes was setting up Magento on his server, he had to enter an email to complete the setup of Magento. Once the feds were in the server with the exploit, they found that email in the source code. They then had to lie in the indictment because they could not say they hacked into the servers, so they said some bullshit about a welcome email (which couldn't really be proven or disproven, if Cazes didn't keep logs).

I did not connect the dots until now, I hope you enjoyed reading.


References:

https://threatpost.com/high-risk-zero-day-leaves-200000-magento-merchants-vulnerable/124965/

https://blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability/

https://magento.com/blog/technical/critical-security-advisory-remote-code-execution-rce-vulnerability

Forum example:

https://nestify.io/wp-content/uploads/2016/12/Forums-Magento-Forum-Qualified-Magento-Tips.png


Comments


[118 Points] ardubeaglepi8266:

I am a certified Magento 1 and 2 developer (have been a Magento dev for ~5 years and have dropped around $8000 into those certs) and when I visit a DNM it's a hobby to peek at their source. Alphabay did not use Magento for its cart system; the URLs were wrong for a Magento system. OP, look at the URL for any Magento product and compare that to what they looked like in Alphabay - Alphabay's were much shorter - yes you can shorten them using Magento's routing, but it's unlikely for administrative reasons. Look at the category URLs in Magento, once again they are nothing alike.

Also the resources in the site were not Magento-like. Magento caches and stores files in specific places and those URLs were not in the source anywhere. The URLs are very noticeable when you know what you are looking for; any Magento dev would recognize a Magento template looking at the source. Ex: /pub/static/{cache}/{site}/frontend/{vendor}/{store}/{lang}/{asset} - nothing like that existed in Alphabay's source code. To change this would require a massive rewrite to the core of the system. This is the killer issue of your theory. To change this would pretty much be a rewrite of Magento as the core depends heavily on this structure and if you know Magento you know this and you know why. The entire system depends on very important URL structures to "fallback" into the proper content and layout. This URL structure is the bread and butter of the "fallback" system of how Magento works. Without things like store and vendor, Magento implodes. Things like pub, static, and frontend are necessary for Magento, and they just weren't in the source anywhere.

The CSS styles you say you saw were not in the cart section. You may have found them in the forums, but Magento is not a forum system; those systems in Alphabay were 2 separate systems. Finding a few similar CSS styles in the forums is not finding Magento's actual CSS styles in their cart such as: product-image-photo, product-item and so on; also, finding similar CSS styles doesn't mean a lot as "product-item" is VERY generic and could be in any cart system. I actually never went to Alphabay's forums so I don't know what they used, but Magento is not a forum system so it doesn't really matter what styles you found in the forums as they would have been 2 different systems, which also explains why they had two different logins instead of one - they did not share the same DB for users.

Magento's checkout system is drastically different from Alphabay's flow; they just weren't the same system. Magento would have to create Magento admin accounts for every merchant (which is possible and likely), but I know that merchants in the back end did not get a Magento admin to manage their products. They would have had to rewrite much of the admin system if it was Magento. Ask a vendor on the site if they had to manage attribute sets, store views... The admin in Alphabay was drastically more simplified. Edit: Just to clarify this, I do not know about the Admin of Alphabay; I am talking about how the Vendor Admin of products and fulfillment are handled inside the system. The way Magento's admin works would not allow for this due to how the DNM sites' checkout and fulfillment work - they are two drastically different "flows" and systems.

I always look to see if a cart is Woo, Magento, X-Cart, osCommerce/Zen Cart, Interspire (BigCommerce)... on just about every shop I go to on the internet out of professional curiosity. Alphabay was not Magento 1 or 2. I am 99.9% sure of that - that .1% is if they really did decide to rewrite massive amounts of the core, which is just stupid because doing so would mean they could never upgrade their system, and any developer knows that's a terrible idea - especially when dealing with a DNM site.

Alphabay looked like a generic cart to me; nothing stuck out to me that made me think it was Magento... If anything I would have said it looked more like Zen Cart or X-Cart, but once again the URLs and assets in the source just didn't match up for them either. IMO Magento is a poor choice for a DNM cart anyway - it's the most bloated cart you could find. If you aren't going to use different store fronts, languages, multiple templates, the advanced product types (grouped, configurables, bundles...) or the ability to extend the Mage object outside of Magento (I didn't see this happen anywhere but maybe it happened in the forums?? Were products available for purchase or review in the forums?), why use Magento at all?

Edit: Spelling, grammar and clarity.
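As an added example (not from this thread or from Magento itself), a small Python check that scores a page's HTML for the Magento indicators the comment above describes, where the static asset path shape counts for much more than a generic class like product-item. The class weights, thresholds and sample markup are my own constructions.

```python
import re
from html.parser import HTMLParser

# Asset path shape quoted in the comment above:
# /pub/static/{cache}/{site}/frontend/{vendor}/{store}/{lang}/{asset}
# Up to two optional segments are allowed between static/ and frontend/.
MAGENTO_ASSET_RE = re.compile(
    r"/pub/static/(?:[^/\s\"']+/){0,2}frontend/[^/\s\"']+/[^/\s\"']+/[a-z]{2}_[A-Z]{2}/"
)
# Assumed evidential weights: "product-item" is generic (1), the others are
# more Magento-specific (2); a matching asset path is the strongest signal (3).
CLASS_WEIGHTS = {"product-image-photo": 2, "product-item-info": 2, "product-item": 1}
ASSET_WEIGHT = 3

class _Collector(HTMLParser):
    """Collect href/src URLs and CSS class names from an HTML document."""
    def __init__(self):
        super().__init__()
        self.urls, self.classes = [], set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            if name in ("href", "src"):
                self.urls.append(value)
            elif name == "class":
                self.classes.update(value.split())

def fingerprint(html):
    """Return (score, evidence) for Magento indicators found in the markup."""
    c = _Collector()
    c.feed(html)
    evidence = {}
    if any(MAGENTO_ASSET_RE.search(u) for u in c.urls):
        evidence["static_asset_path"] = ASSET_WEIGHT
    for cls, weight in CLASS_WEIGHTS.items():
        if cls in c.classes:
            evidence[cls] = weight
    return sum(evidence.values()), evidence

def verdict(score):
    """Generic classes alone never reach 'likely'; only the asset path does."""
    return "likely" if score >= ASSET_WEIGHT else "inconclusive" if score else "unlikely"

# Constructed samples; not real AlphaBay or Magento markup.
MAGENTO_LIKE = ('<link rel="stylesheet" href="/pub/static/version1501/frontend/Vendor/theme/en_US/css/styles.css">'
                '<div class="product-item"><img class="product-image-photo" src="/x.jpg"></div>')
GENERIC_CART = ('<link rel="stylesheet" href="/assets/css/main.css">'
                '<div class="product-item"><img src="/img/1.jpg"></div>')
```

Running `fingerprint` on the two samples gives "likely" for the first and only "inconclusive" for the second, which is the commenter's point that a shared "product-item" class proves nothing by itself.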


[23 Points] MandyThatGirl:

So you use mostly PHP/Python? Is that like 5-MeO-DiPT, FOXY, because I use that and it fucks me UP..... Well anyway, you must be using a lot of it (whatever it is) if you think the feds would actually lie to get an indictment.


[15 Points] CloudDrop:

"the feds used a remote command exploit to shut down the servers"

It was mentioned that LE raided one of the server locations in Canada and shut down the server to get Alexandre Cazes to SSH into it. If AB really used Magento then LE may have exploited that RCE vulnerability, but I'm skeptical that it's related to the shutdown of the server.


[11 Points] None:

[deleted]


[7 Points] cdimeo:

You might be right, you might be wrong, but you're probably wrong, and here's why:

In this version, you're saying there was no email, and the LE lied on the charging document. This is unlikely for a few reasons. First, although I'm sure it happens, perjury is a big deal. LE agents don't take that lightly. You don't just lose your job, you go to jail for perjury. Second (and bigger), LE isn't going to risk the entire case on that supposed lie, because it's easy to disprove once it gets to court. It actually doesn't even get to trial at that point. The case probably gets thrown out if the government can't prove the existence of the email.

Now, that doesn't mean they didn't use this exploit to figure out who ran alphabay. It's just that they would have to use parallel construction to build a case through legally-obtained evidence.

Personally, I think it's more likely that they arrested someone who signed up early on AB, that person handed over their passwords, and the email was there. I just don't see them digging the email address out of a DB dump, whether it be somewhere in the (then) current DB or in a 3-year-old dump (I'd assume he was smart enough to search his server for info tying himself to the site).


[2 Points] junkythrow2017:

LOL what dude? "Learning Magento framework"

So you're saying AlphaBay was running Magento? And your "proof" is that some CSS matched (mind you, not the CSS from the market; CSS from the forums). Even if it was from the market itself, it still wouldn't mean a thing.

How about all the other exploits released around the same time? Joomla, WordPress, PeopleSoft, etc. etc. also had published vulnerabilities around that time. So what?

And what's the whole theory about a welcome email being how he was caught? In the "source code" no less, lol. No idea where you pulled that theory from; it seems like thin air. In any case, the email wouldn't be in source code -- rather it'd be stored in the DB. Even the most novice of developers (high school kid) working on their first database-driven site would know that.

From a simple Google search, the welcome emails / reset password emails both contained 'pimp_alex-91@hotmail.com' in the header. He also used that email on LinkedIn / something else (PayPal or something). No "hacking" necessary, just resetting a password.

I really hope I'm just being trolled.


[1 Points] peeKthunder:

What are the benefits of programming in Python?


[1 Points] St4rspace:

points


[1 Points] thecryptonian17:

It's possible that Cazes was tortured in Thailand, and poisoned in prison. Similarly possible that he may have been threatened (i.e. kill yourself or your family get it) indirectly by Thai authorities.

http://docdro.id/Qrm8Si7 <- interesting stuff around things which may have happened in the UK during the investigation...


[0 Points] None:

This makes a bit more sense. We all know nobody was getting e-mails from cazes@AlphaBay.


[-2 Points] Shameless42088:

Great read. Good theory, I bet there's truth to it..


[-6 Points] mutilatedrabbit:

programmer

mostly uses PHP / Python

Pick one. heuheuheuheu.


[-12 Points] basjin:

I did not connect the dots until now, I hope you enjoyed reading.

not really, sorry.