Disclaimer: This is a theory based on known evidence of the SR2 vendor URL arrests.
I read about vendors accessing DNMs through the vendor URLs. While the market is painfully slow for buyers, the vendor URL runs extremely fast and lets vendors access the DNM to conduct activities. I don't want to spread fear unnecessarily but this could be a trap.
We've seen this trap executed before on SR2. So there is proof that law enforcement can and will use this method of interception. Looking at all the unproven analysis we have on how LE operate, what we know for certain is the method LE have used before successfully they will use again for the same or better results. This is how we can predict the movements of LE.
Vendors who used the SR2 vendor URL were arrested. Doctor Clu was also arrested and he used the vendor URL. The link between the arrests and the identification of the arrested users was found and confirmed to be the vendor URL.
Without the vendor URL, buyers and vendors are less distinguishable. Vendors can be distinguished when using a vendor URL because only the vendors access the website there. So the users identified as accessing the vendor URL are expected to be exclusively vendors, and we know these users are the main targets of law enforcement operations.
The DDOS has prevented buyers from accessing the DNMs but allowed vendors to use them with faster vendor URLs. This looks like a calculated and targeted attack. The markets are prompted to implement vendor URLs which are watched. How? I don't know. But remember that the "vulnerability" or method used to identify vendors from the SR2 vendor URL was never patched.
Edits: Clearly stated as a theory. It's not possible to produce evidence of a covert LE operation. So think about what proof you are asking for before demanding it. The only thing that has kept this community at least marginally safe has been predicting the moves of law enforcement by looking at their prior movements and drawing logical conclusions. That's all this post is, drawing logical conclusions from known evidence.
Calculated attack or not, the exclusive vendor URLs are a bad idea.
Edits: Insider code indicates a Tor vulnerability able to de-anonymize users, exactly what I specified could theoretically happen through the vendor URL attack. Not all the markets, some would be decoys. There's only one or maybe two markets that have implemented exclusive vendor URLs. I also think the Evo migration was a good cover for the DDOS attacks. By the time we realized that the Evo migration alone could not be 100% responsible for the DDOS, the attack had been performed and concluded. I see posts that the DDOS attack has now concluded.
My theory: The Evo exit scam caught law enforcement off-guard. It was unexpected, but LE realized the Evo migration could be the perfect cover for a DDOS de-anonymization attack. This is why the markets worked normally for 5 days following the Evo exit scam. LE was unprepared for Evo to disappear (as evidenced by their rushed subpoenas of Reddit accounts related to Evo informants) but lunged at the rare opportunity for a logical cover to mask their attack, mass Evo migration leading to stressed hidden services. LE worked as fast as possible despite being unprepared and began their DDOS attack 5 days after the Evo scam.
You are correct though /u/Mrg13 - an insider code attack using the vendor URL would mean the hidden service was compromised. More reason than ever that exclusive vendor URLs are a bad idea.
Good luck, I'm behind 7 proxies.