The State of the Deep Web 2017: Part 1: The AlphaBay Incident and Its Implications

As I began writing this post about the deep web, news broke that the number one deep web marketplace, AlphaBay, had been compromised by a hacker known only as Cipher0007. This sent a wave of panic through an underground community that is already fueled by hyper-paranoia.

It seems that the hacker found two bugs on the site that gave him access to over 218,000 unencrypted messages between buyers and sellers. Messages on AlphaBay were supposed to be encrypted by default. Oops. It now seems that anyone who knew of these vulnerabilities could see who was buying what from whom and where the merchandise was being shipped. The following is a screenshot released by the hacker to back up his claim.

[Screenshot posted by Cipher0007 as proof of the breach]

User login information was also compromised. You cannot ask for a greater disaster for a site that depends entirely on anonymity. And if you wander around the deep web, you know who its users fear the most. That’s right, the federal government. There is concern, and very valid concern, that federal law enforcement agencies (known in deep web jargon as ‘LE’, law enforcement) may have known about this vulnerability all along and were secretly using it to accumulate data on AlphaBay users. This is not paranoia. It’s a justified fear.

Unsurprisingly, AlphaBay tried to downplay the vulnerability. They claimed that the exploit was the work of a single hacker, whom they subsequently paid for finding the bugs. The amount was undisclosed. They also stated that only users who had done business on the site during the previous 30 days were affected. My observation on this is…really? That is only true if Cipher0007 was the only person who ever knew about the bugs; a 30-day window says nothing about how long the bugs had been there or who else may have been quietly using them. Let me cite a few earlier incidents that raise the question of whether others had found them first.

AlphaBay users should have been suspicious when, in September, a hacker compromised an AlphaBay account and remotely viewed a chat about Philadelphia ransomware. Was this hacker also aware of this bug?

Even earlier in the year, fraudsters tricked AlphaBay users with phishing scams built around a fake AlphaBay login page. In May, another phishing scam saw hackers posing as AlphaBay administrators; this scam temporarily shut down the site. Below is one of the phishing messages used to trick users. Following the link led to a look-alike login page that captured the victim's credentials, which the attacker later used to empty the victim's account. (Notice the grammatical errors, which should have alerted users that something was wrong.) The harder problem is that .onion addresses are random strings, so a look-alike link is nearly impossible to spot by eye; the only reliable defence is to reach the market through an address you have verified independently, never through a link in a message.

“Hello

All account’s have been locked until verification is complete, This is to ensure the safety of all our Alphabay user’s!

Please copy & paste the link below into your browser:

phishinglink.onion/verification

*NOTE* Members who do not protect there account’s will not be able to access the market, once this is done you should be able to access your account within the next few hour’s!

We apologize for the inconveniences,

AlphaBay Team”

If these events don't make users nervous, then the arrests of some AlphaBay users last year should, especially since AlphaBay was cited as a key element in these arrests. Here are some of the most prominent AlphaBay-related arrests.

In December 2016, Aaron James Glende, aka IcyEagle, was sentenced to four years for selling stolen login credentials.

Former Australian police officer James Goris was arrested for selling stolen police ID and fake police, airport, and port authority identification.

Cary Lee Ogborn, of Houston, was arrested for trying to buy explosives.

Chrissano Leslie, aka Owlcity, was arrested for selling drugs.

Abdullah Almashwali and Chaudhry Ahmad Farooq were arrested for selling drugs.

It is possible that other, minor arrests were made, but no information on these is available. It appears that federal law enforcement agencies are only interested in larger vendors or in individuals who may pose a security threat. The fact that the feds can apparently pick their targets should make users take notice. If this and other deep web sites are infiltrated or even run by law enforcement, the agencies involved would want to maintain a low profile and would not bother with small-time criminals. Arresting large numbers of small-time drug buyers, for example, would blow their cover.

AlphaBay was originally established by Russian carders and may still be exactly what it appears to be, a criminal market rather than a law enforcement operation. In that case, it is possible that Cipher0007 really did find previously undiscovered bugs. AlphaBay's administrators are not saying what the vulnerabilities were. If I were to guess, I would suspect that AlphaBay held user information and user messages in plaintext somewhere on the site before encryption was applied, perhaps in a store that is purged after a fixed period such as 30 days; that would account for both the exposure and the 30-day figure in the statement. This is why most users writing on the topic insist that everyone use client-side encryption (PGP): if the buyer encrypts the message to the vendor's key before it ever reaches the site, there is no plaintext on the server for a bug like this to expose. They also wondered why sites like AlphaBay don't require such encryption, but the answer to this is easy. Many users of these market sites want something that is easy to use. As one European user noted on Reddit, “It just seems like these American kids want Amazon for drugs and that just doesn’t exist.”

PGP (Pretty Good Privacy) is a good first step towards keeping your information secure, but it is not flawless. In short, it is just as the name implies: pretty good. Its weaknesses for a marketplace user are mostly in usability and key handling rather than in the cryptography itself: encrypt to the wrong key, keep a plaintext draft on disk, or paste the decrypted reply back into the site's message box, and you have gained nothing. Some say it is past its sell-by date. Still, many deep web sites do require users to use PGP, and, consequently, do not have the number of clients that AlphaBay has. After the hack, AlphaBay put up the following warning/suggestion on users' pages after they log in.

[Screenshot: AlphaBay's post-breach security notice, shown to users after login, recommending PGP]

Though the implication is that PGP will give better security, they stopped short of requiring it. It remains just a suggestion.
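To make the distinction in the last few paragraphs concrete, here is an added example (my own illustration, not code from AlphaBay or from anyone quoted above): a simulated marketplace inbox in which one message is submitted in the clear and encrypted by the server on arrival, and another is encrypted on the buyer's machine to the vendor's public key before it is ever submitted, PGP-style. The hybrid scheme uses the Python `cryptography` library (RSA-OAEP wrapping a Fernet key) in place of real OpenPGP; the server, buyers, vendor and message text are all constructed for the demo; the `raw` field models my guess above that a pre-encryption copy of the plaintext was kept on the site; and `dump()` stands in for whatever read-anything bug Cipher0007 found.

```python
# Added example, not code from AlphaBay or from the post: a simulated
# marketplace inbox that shows what a read-anything bug exposes when the
# server encrypts messages after receipt versus when the buyer encrypts them
# client-side to the vendor's public key. The hybrid scheme (RSA-OAEP wrapping
# a Fernet key) uses the `cryptography` library in place of real OpenPGP.
# Users, vendor, and message text are constructed for the demo.
import json

from cryptography.fernet import Fernet
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def generate_vendor_keypair():
    """The vendor's keypair. The private half never leaves the vendor's machine."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return priv, priv.public_key()


def client_encrypt(vendor_pub, plaintext: bytes) -> dict:
    """Done on the buyer's machine, before anything is submitted to the site:
    a fresh symmetric key encrypts the body, the vendor's RSA key wraps it."""
    sym_key = Fernet.generate_key()
    return {
        "wrapped_key": vendor_pub.encrypt(sym_key, OAEP).hex(),
        "body": Fernet(sym_key).encrypt(plaintext).decode(),
    }


def client_decrypt(vendor_priv, blob: dict) -> bytes:
    """Done on the vendor's machine with the private key."""
    sym_key = vendor_priv.decrypt(bytes.fromhex(blob["wrapped_key"]), OAEP)
    return Fernet(sym_key).decrypt(blob["body"].encode())


class MarketServer:
    """Simulated back end. `inbox` stands in for the table a server-side bug
    lets an attacker read; `site_key` is the key behind the site's own
    'encrypted by default' feature, and it lives on the server."""

    def __init__(self):
        self.inbox = []
        self.site_key = Fernet.generate_key()

    def receive_server_encrypted(self, sender, recipient, text: str):
        # The plaintext crosses the trust boundary first and is encrypted
        # after receipt. `raw` models the post's guess that a copy of the
        # pre-encryption plaintext was kept somewhere on the site.
        self.inbox.append({
            "from": sender, "to": recipient, "raw": text,
            "enc": Fernet(self.site_key).encrypt(text.encode()).decode(),
        })

    def receive_client_encrypted(self, sender, recipient, blob: dict):
        # The server only ever holds ciphertext plus routing metadata.
        self.inbox.append({"from": sender, "to": recipient, **blob})

    def dump(self) -> str:
        """What a read-anything bug hands the attacker."""
        return json.dumps(self.inbox)

    def operator_read_all(self):
        """What the operator, or anyone who seizes the server, can read:
        server-encrypted messages decrypt with the server's own key,
        client-encrypted ones do not."""
        f = Fernet(self.site_key)
        return [f.decrypt(r["enc"].encode()).decode() if "enc" in r else None
                for r in self.inbox]


def leaks_plaintext(record: dict, secret: str) -> bool:
    """Does the stored record expose the message text as-is?"""
    return secret in json.dumps(record)


def demo() -> dict:
    secret = "ship 10g to 12 Example Street, Anytown"  # constructed sample
    vendor_priv, vendor_pub = generate_vendor_keypair()
    srv = MarketServer()
    srv.receive_server_encrypted("buyer1", "vendor1", secret)
    srv.receive_client_encrypted("buyer2", "vendor1",
                                 client_encrypt(vendor_pub, secret.encode()))
    leak = srv.dump()
    return {
        "secret": secret,
        "server_path_leaks": leaks_plaintext(srv.inbox[0], secret),  # True
        "client_path_leaks": leaks_plaintext(srv.inbox[1], secret),  # False
        "vendor_can_read": client_decrypt(vendor_priv, srv.inbox[1]) == secret.encode(),
        "operator_view": srv.operator_read_all(),  # [secret, None]
        "metadata_leaks": '"buyer2"' in leak,  # who talks to whom still leaks
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the dump makes is the one this post has been circling: a server-side "encrypted by default" feature protects nothing against a bug on the server, or against whoever holds the server's key, because the plaintext crossed the trust boundary before it was encrypted. Client-side encryption removes the plaintext from the server entirely. It does not remove the metadata: who messaged whom, and when, is still in the dump, and that is exactly the kind of data law enforcement is interested in.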

Short of the government actually taking down the site, nothing will really stop users from going to AlphaBay for what they need. It is, for the most part, a well-designed online market which, despite the fact that it uses Bitcoin and sells unusual merchandise and services, will be recognizable to anyone who has shopped on Amazon. Denizens of deep web markets will not be leaving them soon. Here, hope and personal gratification inevitably triumph over paranoia. Too many people depend on these deep web markets for a variety of reasons. Let's face it. Some may simply be drug addicts. The discussions in many forums following the AlphaBay breach revolved around which deep web markets are safest, with the conclusion being that none of them are or ever will be completely safe. True, but they will continue to thrive.

In my next post I will look more at what is available on the deep web and what innovative markets are sprouting up there. In this regard, there have been some interesting and even frightening developments over the past year.

About Steve Mierzejewski

Marketing consultant for InZero Systems, developer of the next generation in hardware-separated security, WorkPlay Technology. I've worked in Poland, Japan, Korea, China, and Afghanistan. I'm a writer, technical editor, and an educator. I also do some work as a test developer for Michigan State University.

One Response to The State of the Deep Web 2017: Part 1: The AlphaBay Incident and Its Implications

  1. Pingback: The State of the Deep Web 2017: Part 2: The State of the Deep Web Markets | Secure Your Workplace Network
