Posted by: Christian
June 1, 2015
Perhaps a more fitting choice of words would best be used to describe the situation as customers, vendors, and market administrators alike were reminded of the increasingly competitive and divided nature of online drug-dealing marketplaces over the past few weeks.
Just now recovering from a two-week-long raid by DDoS attackers, most of the larger darknet markets are, as of May 31, functional and accessible once again; an exception to this is BlackBank, whose admin MDparity has been AWOL for several weeks. While many fear an exit scam has occurred, this scenario seems unlikely as the hot wallet does not appear to have been emptied and sits at its roughly constant balance of approximately 600 BTC. Nonetheless, darknet market users around the globe are heaving sighs of relief as the vast majority of DNMs have finally returned to stability, including buyers who have been waiting to place orders from their favorite vendors and also the vendors themselves, many of whom have spent the last fortnight crying themselves to sleep out of fear that thousands of dollars in a market wallet would simply slip away as the result of forces unseen. Finally, it’s back to business as usual.
The attacks caused quite a ripple throughout the deep web, and seem to have begun around Friday, May 8 as Agora customers began complaining of downtime, with withdrawal / deposit and wallet generation issues springing up over the next few days and many vocalizing concern over rumors of DDoS attacks. Buyers and vendors alike sat waiting for just a few minutes of site uptime that would grant them the access they needed to remove their money from a potentially crumpling market (or, worse, fleeing market administrators), and for the next few weeks, requests to many of the largest darknet markets would fail entirely or, in the case of Middle Earth Market, display a static webpage informing users that the site was down for maintenance.
While scary and oftentimes effective, DoS attacks are nothing new for DNMs. Ross Ulbricht—aka Dread Pirate Roberts, administrator of former drug bazaar Silk Road and just yesterday sentenced to life in prison—detailed in his journals that he had paid several ransoms to attackers in order to keep his site stable; in April 2013 alone, Ross paid a 10,000 BTC ransom (at roughly $136.85/BTC) to DoS attackers, followed by a $100,000 ransom and then $50,000 a week for two weeks, eventually forking over a figure in excess of $1.5 million to the attackers in order to preserve the functionality of the Silk Road marketplace.
The recent attacks, however, were a lot cheaper to stop and, interestingly enough, a lot easier to prevent; despite many markets (such as Agora) having only resumed legitimate uptime within the past few days, a Tor patch and guide to immunize hidden services from this particular breed of DoS attacks was posted over 10 days ago. The attack was also surprisingly simple in design: DDoSers would simply spam a hidden service with RELAY_BEGIN cells, establishing thousands of streams through a few circuits, eventually crashing the hidden service itself and hampering the Tor service altogether. The solution? Put a cap on the number of streams a circuit can establish. Simple enough, right?
But in the world of illegal marketplaces, administrators are hesitant to implement an unofficial Tor patch without proper review and testing, which is the most likely explanation for the week-long delay in recovery. Initially unaware of the motivation behind the attacks, many assumed this was another raid orchestrated a faceless organization in search of easy money; indeed, the perpetrators, known as the “DDoS Mafia,” were originally freelance—all large markets were attacked and ransomed indiscriminately, from the most popular, such as Agora, to the less popular, such as Mr. Nice Guy’s Market.
However, as revealed yesterday, the attacks were quickly commandeered by a market administrator who sought to turn the attacks to his advantage—Mr. (not-so) Nice Guy of the eponymous marketplace who, as mentioned before, was originally a victim of their extortion himself. The conversation between the administrator and user “DDOSFORSALE” began on May 13 when Mr. Nice Guy himself was asked to pay a ransom of 8 BTC (over $1,800) in order to stop the attacks on his market; the whole charade is rather comical as the two parties contrive a scheme in fractured English, with Mr. Nice Guy dumbly pointing out that he will not be able to read the ransomer’s messages if they are DDoSing the market through which they are communicating. Two days later, he realizes that he can turn this situation to his advantage.
“If other markets are down,” he said on May 15, “I grow and make money and this happens fast! […] For any market being down, meaning showing red on the deepdotweb.com list I will pay you.”
In the same message is included the following prioritized list of marketplaces for the DDoS Mafia to attack in lieu of Mr. Nice Guy’s Market:
If these terms are complied with, the attackers will be paid $200 a day, or $6,000 a month; if his market grows with exceptional speed, Mr. Nice Guy continues, he may be in a position to pay up to $20,000 a month to ensure that the other, competing markets are defunct for long periods of time (indefinitely, if possible). Originally, the attackers decline, clearly aware that the administrator can be milked for a lot more than just six grand a month and cited costs related to resource use—some people just don’t appreciate the value of a good DDoS these days.
The exact counteroffer made by Mr. Nice Guy on May 16 cannot be deduced fully from the screenshot, though he mentions “getting rich in six months” before encouraging the DDoS Mafia to continue ransoming the other sites, asking the Mafia to accept the other markets’ money while forbidding them to ease up on the attacks. It is likely that attackers were offered a slice of the market’s bitcoin-pie at some point in the future, as the two parties considered themselves “partners” and a similar, more detailed, agreement would be reached in less than a week.
“All this is agreed, and discretion is guaranteed,” the DDOSFORSALE account replies the same day. In a world without firm handshakes, sing-song rhymes will have to do.
On May 17, the DDoS Mafia confirms that Agora, BlackBank, Middle Earth, and Abraxas are all down as a result of their efforts. They receive a request from Mr. Nice Guy the next day to provide a private email for him to add to his “gangster contact book” (yes, his words). Our source did not provide screencaps of messages in between the 17 and the 22, and so there are five days missing from our record—however, we can assume that things were going quite splendidly, and that the two darknet pals were content in their accord so far.
On May 22, Mr. Nice Guy adjusts his list of priorities (now arranged by number of market listings), placing Agora and Nucleus first and moving Alphabay to #3, Middle Earth to #4, BlackBank to #5, Outlaw to #6, Abraxas to #7, and dropping Dream Market altogether. It is crucial, according to the administrator, that Agora and Nucleus are always down; the rest are secondary. In exchange, Mr. Nice Guy will pay the attackers regularly per his original proposal, and also 5% (10% of half) of the market’s bitcoin supply at some point in the future (which he expects to be $40 million for some reason), altogether promising them a hefty sum of $2 million once the market has taken off.
On May 25, Mr. Nice Guy conspired to use this website as a part of his plan, with the intent of impersonating the DDoS Mafia in the hopes of convincing the public that markets “without DDoS protection will not survive anymore”—bear in mind that the Tor patch which makes a hidden service impervious to these attacks had already been released for over five days—and informing the website’s readers that markets would be allowed to resurface for short periods of time in order to allow users and vendors to pull their funds out in order to avoid being exit-scammed. Mr. Nice Guy also highlights that he hopes that these markets do steal users’ funds, as this would remove one more contender from the list and allow them to divert all of their resources to keeping the remaining markets offline. This plan was not brought to fruition.
On May 30, the DeepDotWeb administrator received screenshots of the conversation between Mr. Nice Guy and the DDOSFORSALE account from a source who had been extorted by the group and had managed to gain access to the attackers’ account. When asked for a comment, Mr. Nice Guy initially plays dumb—he claims that he paid daily ransoms to save his site, instituting repetitive overhauls to save his market and his users; upon being called out, he realized that he would have to “fight this head on,” citing a defense along the lines of “desperate times call for desperate measures.”
“There was simply little choice,” he said. “Do or die [..] Under those circumstances, being forced to pay, who in their right mind would not use it strategically?”
He goes on to clarify that he will accept all withdrawals, and does not intend to steal his users’ money. At the time of writing, he seems to be honoring this pledge, claiming that his market is being attacked in retaliation of the leak, and that he is fighting hard to resist these attacks so that users and vendors may withdraw their funds.
The reader is left with are several questions: Is there such thing as fair play in the competitive, dog-eat-dog world of underground darknet markets? Would the markets still have suffered a week or two of downtime regardless, even if the attackers had not accepted MNG’s proposal? What would have been a more responsible (or moral, effective, etc.) decision? How should DDoS attacks and ransoms be dealt with in the future? Feel free to voice your opinion in the comment field below.