Darknet Underground Meanderings

Darknet underground

Author note: This originally appeared at the defunct Norse Darkmatters blog during the summer of 2015: Meandering Through the Darknet Underground (with minor edits).

. . .

Darknet Underground

I’ve been meandering through the Darknet underground again, mainly peeking into hidden forums, marketplaces, the onion-pastebin, and the Evil search engine. Along the way, I’ve managed to stumble across a vast array of  premium vendors promoting “fresh” data for sale, amongst other illicit wares.

Deviant Mindsets

Wandering through some of these perverse wastelands, can literally make me nauseous. I often wonder how law enforcement can set up pedophile stings without having these sad, broken images of damaged children permanently seared within the crevices of their mind.

The Onion-pastebin

The onion-pastebin included the usual cesspool of browser hijacks, carding deals, doxxing, drugs, human trafficking, mail dumps, money laundering, porn, revenge sites, scams, weapons, and the regular digital vagrants begging for bitcoin.

One paste brags that he has girls for sale and the only means of connecting with the vendor is via a safe-mail.net address. Another paste offers hitman services that is  one-hundred percent discreet and anonymous and only operates through the TOR network.

Let’s quit the pastes for now and take a trek through the forums…

Darknet Scams

While perusing Darknet forums, I was drawn to the snivelers who lost some bitcoin because the poor dears became victims of a scam. Oh my, the drama simply kills me! Gullibility and greed are just as prevalent on the Darknet as it is in social media. Some of the more prominent scams that abound on the Darknet are:

  • BTC Multiplier: Crackbitcoin claims that you can multiply your bitcoins tenfold in 24 hours by paying a minimum of 0.1 BTC to get 1 BTC. The bitcoin address to make the deposit is listed on a .onion website.
  • BTC Multiplier 3x: By emailing btc2go@sigaint.org, they allow one test run transaction for 0.0050819 BTC ($1.21 USD). After completing the test run, you are requested to submit a minimum of 0.26 BTC ($61.63 USD) and in 15-30 minutes your bitcoin will increase 3x.
  • Blockchain Exploit: Claims that the blockchain has a bug and by depositing 0.6 BTC  ($142,44 USD) to a specific bitcoin address the recipient will receive two transactions (0.6 + 0.53 BTC) within 6-8 hours
  • Credit Cards (ATM only): $2500 minimum and up to $5000. Requested payment of 50 percent up front
  • Professional Human Trafficking: Girls 10-19 years for 80 BTC ($19007.67 USD). Purchase the file from satoshibox.
  • Rent-A-Hacker: Law enforcement continues to seize these sites, but they continue to breed like rabbits.

It is unclear at this time if the Lucky You carding .onion is a scam:

“Our team has been working since 2013 and everyday we help people to find their way to wealth. Responsibility and wide experience made us experts in this business. If you are in search of true professionals and a reliable team to help you find stability and get rich, then you’ve come to the right place. Write to us as other satisfied customers did, and we will help you!”

Darknet underground carding

Next stop: It’s not purgatory…

To Hell and Back

The defunct Olympus Hacking Forum is  now the Hell forum. It may have been something else prior to Olympus, but I can’t recall the original forum name. If you have not heard of Ping or Hell Ping is a perfect example of generic pseudonymity concealed within the sleeve of anonymity this is one character that will continue to elude the Feds, that is until the cows come home.

The Hell forum crawls with an assortment of clever hackers and noobs. To become a member [an elitist with the admins] of the hell crew you must:

  1. Hack a website(s) that is designated for you to hack (they choose).
  2. Take the oath of an outlaw.
  3. Steal from the rich and give to the poor.

Though membership criteria (listed above) smacks of Robin-Hood-type-stuff or a Sons of Anarchy rebellion, they appear to be quite serious regarding the first inclusion prerequisite.

Other Hell-related Stuff

Recently Infosec Institute wrote about Hacking Communities in the Deep Web, and the only disappointment (from Hell) was that their forum was introduced alongside rent-a-hacker websites. Not that they mind media exposure (they love it)   but, there is a lot of negative connotations on the Darknet lately regarding hackers-for- hire.

Though the anonymity and pseudonymity of the Darknet offers a cyber-criminal the means to delve much deeper into criminal activities, like any real-life criminal, getting busted is not the name of the game.

Next stop: The AlphaBay Market…

AlphaBay Market (AB)

I’ve been hanging out at AB quite a bit lately because it is run by carders (just like EVO was), and I’ve been lurking (like somebody’s stalker) because I’m always curious about fresh data…unfortunately I can’t afford to buy it.

Zabbrbi has been on AlphaBay Market since March 22, 2015 and has only sold 7 hotel flight carding guides at $60.00 a pop (0.274 BTC). Zabbrbi’s guide offers two carding methods : Direct carding or gift vouchers and is targeted at both newbies and pros. Lifetime updates and support is also included.

Other items in Zabbrbi’SQL dump store include:

3.8 European emails with a starting bid of $501.00 (2.0614 BTC), and a buy price of $800.00 (3.2983 BTC). The vendor will give the buyer the SQL injection vulnerability link and the tools to extract the data from an online database. If the poor little buyer is clueless about SQL the vendor will step up to the table and provide online support.

450K US emails that include username and password (hashed + salt that buyer has to decrypt) for a starting bid of $401.00 (1.6491 BTC). The vendor will give the buyer a text file containing the SQL vulnerability link and this sale does not offer online support.

1,000,000 email addresses and passwords (hashed) from a big US computer hardware online store with a starting bid of $1001.00 (4.1229 BTC), and a buy price of $1500.00 (6.1843 BTC). You get the text file with the vulnerability link and another text file that contains only 200K email addresses and passwords.  Because the vendor did not dump the entire database (this takes approximately 4-5 days to do so).

50K US email address and passwords (no bidding) for a fixed price of $250.00 (1.0307 BTC). This data was gathered from a website database via SQL injection.

Zabbrbi has been selling for 8 weeks now. One of the vendors auctions provides information about the SQL injection vulnerability plus the tool and  link to extract 3.8 million European emails. For the SQL clueless   the vendor will provide the buyer with online support too. The current bid is for $501 USD or you can buy it now for $800.00 USD (3.3007 BTC). Sound familiar?

Zabbebi is also selling 50K U.S. email addresses with the passwords that he gathered from a website using a SQL injection, for a fixed price of $250.00 USD (1.0315 BTC)

AlphaBay introduces the first Darkmarket digital contract

This month AlphaBay (AB)  introduced Digital Contracts, that allow two users to make long-term business arrangements. The contract fee is a modest $5.00 per contract (payable by the initiator) and is signed by an AlphaBay PGP server key as proof-of-deal.

Typical uses of such a contract could entail:

  • Bulk seller guarantees to deliver x quantity to resellers every x week of each month.
  • Employer guarantees that an employee will receive regular payments for services rendered for one year.

On Saturday DeSnake, an AB forum security admin stepped up to the ladder and introduced Multi-Trust Contracts that allegedly gives total control to the community.

Next stop: The AlphaBay Forum…

Carding e-commerce sites

An AB forums member is seeking someone to card this high traffic Chinese e-commerce site. (DHGate.com connects buyers from around the world to sellers and factories in China).

Another forums member is curious to know how easy it would be to card street e-commerce site:Karmaloop, A vendor responded “card the shit out of them, because I doubt their systems are up to par.”

The Darknet is sometimes like the wild, wild West where anonymous hackers and data collectors either give a magnanimous amount of personal data away for free, or they tease you with a sticky sampling of succulent “fresh” data.

Darknet underground stolen data

Data also has an expiration date

Whether these miscreants are selling Uber accounts, gambling A+ databases (most likely from the recent Hard Rock Hotel & Casino breach), health credentials, or CC/CVV credit cards  —  Indeed, stolen data has an expiration date.

Though Uber claims that their site was never breached — Uber accounts are selling dirt cheap on the Darknet now. Why? Because Uber data is no longer fresh and is nearing the end of its shelf life.

Vendor Alphabay 10K1 is selling Random Mixed Uber Accounts! 10K1 claims that you can use these accounts to travel in luxury vehicles as long as it is in your area. When using these accounts the following protocol is suggested :

  • Change Phone Number & Password. (Password is optional but it can keep the owner out the account for longer).These accounts will last depending on when the owner realizes. So accounts may last a few rides or even maybe a week.
  • You can use any account in any country.

All the accounts are delivered in this format:


Captured Keys:


First Name: Karen

Last Name: Merxxxx

Phone Number: +1 713-703-7xxx

Country: US

Card Type: Visa

Card Bin: 444796

Card Expiration: 2015-09-01


I am not clear on inclusion of the CVV though.

There is great value in fresh data

**Fresh Gambling Databases** A+ Databases

Do you wonder what casino hack this data might be from?

This listing is for freshly hacked gambling email addresses. All lists are cleaned and tested for open percentage and bounce rates. The vendor removed bad addresses so that the buyer always receives fresh active leads.

With these lists the buyer can expect 5-10 percent opens and less than 2 percent bounce rates (depending on how the buyer sends the email, as well as the content of the email).

Closing thoughts…

Back in the late 90’s I took a fascinating college course on Social Deviant Behavior, though it did not involve an Internet component back then — it certainly set the stage (in my mind) by what means criminals utilize available tools and strategies in order to conduct illegal activities on the Darknet.

When I am down below, in the darkness — I get a glimpse of how criminals conduct business. Sometimes (not often enough), I receive an invite or stumble into areas that make me cringe in disbelief.

I also visit regions of the Darknet that hold promise and that give me confidence — that out of the darkness, there is still hope.

Darknet underground Galaxy 2


Part II: Exploring the Dark Recesses of the Deepweb 
Part III: Down the Darknet Rabbit Hole Again 

This post originally appeared at the now defunct Norse Corporation Darkmatters blog. This concludes Part 1 of the beginning series of Darknet adventures.

Leave a reply