
DHL Goes Down After Hacker Exposes Clearnet IP Address


A Reddit user known as /u/t0mcheck publicly disclosed “crippling” vulnerabilities in two darknet markets: DHL and Sourcery Market. As usual, the posts increased the number of heated conversations between users and moderators. Eventually everything came down to DHL. According to a DHL representative, was not new to marketplace staff—they had known for two years. Now, along with Sourcery Market, both marketplaces vanished.

Either may come back, but Reddit users called exit scam. “Yeah, I don’t think we’ll see them around anymore,” one user wrote.

As of August 5, the two stickied posts in that subreddit are market warnings. One post is the vulnerability disclosure of both marketplaces. The second, though, is a post titled “DHL Market – Current problems – Consider avoiding right now.” The vulnerabilities were serious enough to warrant the removal of the formerly stickied post about a significant number of Dream vendor accounts that the Dutch National Police controlled.

The Reddit user behind the disclosures claimed the DHL vulnerabilities took only 60 minutes to find. In the Gist, he published three major issues.

  1. Vulnerability 1: Reflected XSS in Main Search
    1. “XSS in main search field. Does not filter any characters”
  2. Vulnerability 2: Persistent XSS in PGP key upload
    1. “PGP key comments can contain HTML and Javascript and it isn’t escaped.”
  3. Vulnerability 3: Persistent XSS In Support Forum
    1. “While reporting the last two bugs to support I noticed that pasting in the vulnerable code triggered an XSS in the support forum.”
    2. “To XSS support simply message them with: </textarea><img src=/ onerror=javascript:alert(1)>”
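
All three findings come down to user input written into HTML without output encoding. As an added example (not from the Gist or the market's code), the sketch below renders the string quoted above through three hypothetical templates standing in for the search page, the PGP key comment and the support textarea, with and without encoding; the template markup and function names are assumptions.

```javascript
// Added example: hypothetical templates, not the market's real markup.
// PAYLOAD is the string quoted in the disclosure above.
const PAYLOAD = "</textarea><img src=/ onerror=javascript:alert(1)>";

// Encode the characters that are significant in HTML text and in
// quoted attribute values, so input is displayed instead of parsed.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// One template per reported sink (assumed shapes).
const sinks = {
  search: (q) => `<input name="q" value="${q}"><p>Results for ${q}</p>`,
  pgpComment: (c) => `<td class="pgp-comment">${c}</td>`,
  supportTicket: (m) => `<textarea name="msg">${m}</textarea>`,
};

function render(sink, input, encode) {
  return sinks[sink](encode ? escapeHtml(input) : input);
}

// Count opening and closing tags in a rendered fragment.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z]/g) || []).length;
}

// Regression check a defender can run per sink: user input must never
// change the number of tags the template itself emits.
function introducesMarkup(sink, input, encode) {
  return countTags(render(sink, input, encode)) !== countTags(render(sink, "", encode));
}

for (const sink of Object.keys(sinks)) {
  console.log(sink,
    "raw:", introducesMarkup(sink, PAYLOAD, false),
    "encoded:", introducesMarkup(sink, PAYLOAD, true));
}
```

Tag counting is a coarse check, and `escapeHtml` only fits HTML text and quoted-attribute contexts; input placed inside script blocks or URLs needs context-specific encoding.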

The cross-site scripting in the main search drew attention, especially from the DHL “hidden moderator” account. The mod, under the handle “DHL-3,” pointed out that an entity had already created a forum post regarding the XSS vulnerability. The Reddit users exchanged words, another penetration tester verified the XSS vulnerabilities, and then t0mcheck dropped another surprise on the subreddit.

In “DHL Market Security Part 2,” t0mcheck expressed a new level of discontent with DHL admins and the subreddit moderators. “[We] are now disclosing that the market contains a very simple bug that allows anybody to read any message on the site. [Gist link…],” the user wrote.

“The administrators of DHL have not replied to any of our previous reports nor messages and it has been over 48 hours,” the entity wrote. “One more note – we are not going to put up with shit from admins, paid spokespeople or shill moderators any longer.”

In the Gist, the “watchful community member” outlined the process required to read any messages on the site. And he did. At roughly the same time, an I.P. address that connected to DHL surfaced. Accessing the site from the I.P. address allowed users to log into DHL. Oddly, some users could change their passwords on the DHL forums via the official hidden service and then use their old passwords to log into the marketplace via the clearnet server.

In the recent past, a hacker known as “Cipher0007” demolished Sanctuary Market, shutting it down prior to a true launch. The market was beyond repair, the hacker explained. A moderator of the darknetmarkets subreddit banned an account claiming to be Cipher0007 for posting “fake” I.P. addresses.

A post later appeared on the DHL forums that confirmed the I.P. leak as legitimate. The announcement reported “good” news: that DHL admins were about to launch a new version of the marketplace. The I.P. address was a test server for DHL admins, SeriousSam wrote in the forum post.

The announcement is as follows:

A few more hours and we [will] have an answer to everything in its entirety. But we also have very good news. We are deploying the new market where everything is fixed earlier than we wanted e.g not feature complete. But what can we do :( The IP leak is true. That was one of our test servers. But we killed everything already and besides some fresh loaded but now worthless virtual credit cards nothing is left :( Apparently we had a traitor in our midst. The person doing various tests for us after each new version. Looks like he sold this info to the highest bidder. But encryption worked. Manual and automatic. Our system does not allow for any code changes inside read-only containers besides a signed push from our servers.

But yeah, we fucked up here. Gotta admit that for sure. But we’ll make very good on this within 24 hours, I hope.

EDIT: Support will fix issues soon again. And we are waiting for a fresh btchost to complete syncing before we process payments again. But that should be only max 10-12 hours. Usually we have emergency machines around but we decided to burn everything for the redeployment. – SeriousSam


  1. all this pseudo-hackers powned the markets do only 2 things:

    1) crash balls to the community
    2) give help to LE

    they are just motherfucker.

    In any case, i have a news for all. Soon there will be a new generation of markets in which it will be impossible for these idiots to play this way …. and I emphasize “impossible.” Hackers and LE will have tough lives

    • t0mcheckDNMSHERO

      A respectable market would reward the hacker for finding the vulnerabilities. Don’t underestimate the LE: just because they didn’t bring the market down, doesn’t mean that they didn’t know about these vulnerabilities.

      As for the ‘new generation’ of markets, stop dreaming, nothing will change in the near future and when it will, there’s always going to be a way around. It’s a hide and seek game that always comes to an end, just a matter of time.

      • “A respectable market would reward the hacker for finding the vulnerabilities”

        so the “hacker” (lol) need maintain secret about vulnerability. you not have do this. Why you have published all on reddit?

        “As for the ‘new generation’ of markets, stop dreaming, “…..

        bla bla bla… stay worried… trust of me

        P.S. about the “understimate the LE”.. LE using people like you for found bug on this market and probably paying it more of the market

  2. if you keep your mouth shut and never tell another soul ever and work with them to fix it these kind of markets pay INSANE bug bounties….

  3. Hope there will soon be a new market..

  4. for you this is a hacker? this dummy found javascript code injectable (XSS) on a field and becomes the hero of the situation? maybe with someone that don’t understand nothing of real hacking/cracking. not with me. Absurd! Incredible! what fuck people management this market? lamer like this pseudo hacker that found javascript:alert(1) injectable on a field? uahahahahahah…
    and admin of this markets paying this moron for found this bugs? ahahahahahahahha…. lamer.. lamer this pseudo hacker, lamer admin of this market. Ladies and gentleman security of user that join on this market is on hands of this idiots ahahahha


    • crashdick

      Dude, I love your broken English.

      “NOW YOU HAVE CRASH DICK” is absolute gold! A+.

      • the_Admin

        yes, i known. my english is poor but nice :) i can always make me understand good or bad :P

        P.S. ahh, i forgot: DHL has exit-scam, so say “thank you” to this 3l1te-hacker if you have lost money

  5. Did you know google pay out bug bounties too with reflected XSS’s? With this kind of vulnerability and with some creativity a person could do a lot of harm.
    But i bet you dont know that, probably a 15yr old kid sitting at his computer google dorking some sql injection.
