Alphabay staff, according to a Reddit post, paid an attacker for discovering a critical security flaw. The hacker attempted to notify Alphabay (AB) admins of the massive security vulnerability via three bug reports, but all went unanswered, he claimed. After the reports received no response, the hacker moved to /r/darknetmarkets to gain traction. It was there that Cipher0007 posted five screenshots of private conversations between vendor accounts and customer accounts. Additionally, he claimed to “have dumped all [referring to 200,000+] private messages of buyers and sellers.” Moreover, to top the post off, he announced that he also grabbed 1m+ usernames and IDs.
According to a follow-up statement by the Alphabay Support account, AB developers closed the loophole five hours after Cipher0007’s Reddit post. The support account backed up the claims made by the hacker in his first post: he accessed 218,000 private messages between vendors and customers. The messages were “not older than 30 days,” the post explained. The marketplace’s recent security history explains the 30-day cutoff: three months ago, AB implemented an auto-purge feature that deleted conversations after 30 days of inactivity.
Excerpt from the official announcement, “Alphabay to start purging old PMs after 30 days, starting tomorrow”:
“After seeing customers and vendors getting arrested due to data found in old PMs, for example, the Silk Road server, we made the decision to implement an auto-purge feature on the PMs.
Starting tomorrow, 08:00 UTC, all marketplace conversations that haven’t received new messages in the last 30 days will get purged. This will happen retroactively, so if you have any valuable data in your PMs that you would like to save, please login now and copy it to an external place [via alphabaysupport].”
AlphabaySupport confirmed that the hacker accessed a list of usernames and user IDs. However, the official support account never announced the specific number Cipher0007 compromised.
Fear, Uncertainty, and Doubt
The marketplace support, though, commented on the topic only after a subreddit mod explained the situation in a sticky post on the subreddit’s front page. (In defense of the AlphabaySupport account representatives, Cipher0007 never mentioned them in his post.) Cipher0007 messaged the mods with the information and gave them the ability to verify that he did, indeed, have access to private messages. Wombat2combat, an active subreddit moderator, wrote: “I have verified it by creating two new accounts, sending a message between them, providing the user the message ID and he showed me the content of it.”
After the hacker explained that the breach only took two days with a silent bot, the situation escalated rapidly. Fear spread. “If we assume that /u/Cipher000 worked alone and was able to code the bot in a few days it would be trivial for law enforcement to do that,” one user wrote. On Reddit, information like this either spreads uncontrollably or ends up dismissed as “FUD,” as many fictional tales are. However, after a moderator confirmed the breach and Cipher0007 made the generous offer of open testing via the Wombat2combat method, the news spread beyond Reddit.
The International Business Times wrote “AlphaBay leak: Over 200,000 private messages from Dark Web drugs marketplace hacked.” BleepingComputer, too, wrote “Bug Allowed Access to Over 218K Private Messages on Dark Web Marketplace AlphaBay.”
Alphabay and the /r/darknetmarkets superlist
Wombat2combat’s announcement, “Addressing the Alphabay Issues,” explained four “issues” and “how they affected the community.” The issues, while highly disputed, resulted in a proposed removal of AB from one of the most trusted superlists. (Here is an Anti-Phishing Tool that checks your link against both the /r/darknetmarkets and DeepDotWeb link lists.) Moreover, we have a marketplace directory with reviews for each marketplace.
The four issues in the announcement by Wombat2combat:
“1 – 11th March 2016: BigMuscles, an AlphaBay staff member and moderator asks a user for his private key. He made it very clear that he means the private key and not the public key of the user. AlphaBay responded. They stated that it was caused by the language barrier. (BigMuscles is not a native speaker)…
2 – 15th March 2016: BigMuscles, an AlphaBay staff member, and moderator asked the same user for his private key again. Despite the recent trouble that his previous requests for private keys caused. Until this day, BigMuscles has not received any punishment. He is still an AlphaBay staff member and moderator.
3 – 26 April 2016: AlphaBay made their API public, and it was discovered that everybody was able to get thousands of private messages that users sent on AlphaBay. The link is to uneddit.com. Many comments in the original thread were deleted.
4 – 22 January 2017: The user /u/Cipher0007 made a post about being able to access over 200k private messages and a list of over 1 million AlphaBay usernames. The vulnerability has been verified by several users and us mods. Cipher0007 also stated that he opened three different tickets on AlphaBay explaining the security issue before his Reddit posts. Since he has not received a response, he decided to inform the community on Reddit. The bug was fixed after 5 hours.”
Shortly before the AB announcement where they acknowledged Cipher0007, the first mod post received an update with new information. A moderator added that the hacker messaged the mods and stated that he also found a vulnerability in Hansa marketplace. The update explained that “at the time of writing [this update] he has not delivered proof.” Then, not long after the AB announcement, Cipher0007 showed up and provided the mods with the Hansa vulnerability. Hansa announced that their developers fixed the issue (which, notably, was far less severe than AB’s).
Alphabay has made its way safely through numerous scandals and major security flaws for longer than almost every market in existence. Only Dream Marketplace and Outlaw rival Alphabay’s ability to survive. This time, the fallout and future remain unknown. But if their past endurance is any indication of what may come, Alphabay is here to stay.