A couple of weeks ago I was checking out the page source code of the markets that survived Onymous. I don't code but I have a basic understanding of web HTML / CSS etc. I didn't really expect to find anything interesting. Anyway, I was on Agora and found a string that for some reason looked interesting to me, so I googled it thinking it was part of some open source GitHub code that I would find by googling it. I found this pastebin (rehosted and edited because it contains dox): http://paste2.org/J9gpGZgX

Wait what? Is this actually the HTML source of boosie5150's vendor profile? Yes it is. It is the inbox of Boosie; save it as HTML and open it in your browser for easy viewing. The original pastebin was posted "By: a guest on Jun 7th, 2014" and it had been viewed about 170 times when I first opened it. The pastebin has made its way to multiple people by now, including the mods, so I thought I'd share it publicly. The pastebin also shows up on the 8th page if you Google the guy that didn't encrypt his details; I don't know whether the 170 hits are all people who knew what they were looking at or mostly bots.
Contents
The contents reveal quite a bit and show some pretty severe opsec mistakes. I tried to look up 2 of the buyers' profiles and found social media accounts, posts requesting free porn passwords, school sites etc. I don't understand why people think it's a smart idea to use a username that's already been used on a clearnet website, especially when it's a made-up username with only a couple of hits on Google, all of which are theirs.

You can also see that one of the 7 gram MDMA orders contains an unencrypted address: he put his address and then the public key of boosie5150 (no words...). I looked him up; the guy has 2 prior arrests for possession of cocaine, crack cocaine and MDMA and started using his middle name after these arrests. Too bad he doesn't have a third name. He uses almost the same username on Twitter..

The pastebin also gives some insight into turnover and the amount held in escrow: on June 6th Boosie had $89.72 in his wallet and $25,197.70 in escrow. I summed up all orders from June 5th: 22 orders totalling 5.27865919 BTC or $3,460.79 (with BTC price at $655.62). Pretty nice turnover for 1 day, huh?
How?
Now to the more important part: how did this happen? My first thought was that boosie5150 for some reason was in a rush and needed a quick way to save the addresses of the orders so he could look them up in another location later. Another option was boosie5150 being hacked, phished or otherwise having his account compromised; the attackers didn't get his PIN so couldn't steal from him (there was only $89.72 in cleared funds in it anyway), so they put up this paste and tried to blackmail him for some BTC. Well, I made a dummy account on Agora and contacted boosie (and also let him know that I was going to make a post on reddit):
boosie5150: Looks like their database got dumped somehow, I didn't have anything to do with this.

me: It's not their database being dumped, this is the HTML source of your control panel. So someone who had access to your control panel posted this.

boosie5150: Okay well nobody else has access to it, never has. And I realize it's my panel being dumped, but nobody has had access to my account and I have never had my account compromised. I'm sorry those people had their addresses leaked, but this is over 6 months old and I have never given someone the opportunity to access my account.

me: Could it have been you that uploaded it to pastebin for whatever reason and forgot to remove it?

boosie5150: There is one person I think could have done it. My best friend is a programmer and he made me a program that exports the orders, converts them into .CSV format, changes the status of orders, etc. He may have uploaded this online for some purpose while he was making the program and forgot to delete it. I have texted him asking him and if it was him we will try to have it removed asap.

boosie5150: He says it wasn't him, very sure also.

me: Have you always used PGP auth for your account?

boosie5150: Yes.

me: Any chance you got phished? Or weak password or something? If not, the only way this could've leaked was if Agora somehow got compromised. And if they were, for some reason only your profile got leaked.

boosie5150: It's never been compromised and I also have 2FA enabled. I'm not sure how it happened but I know that's the only leak I could find and it was 3 months old. I also have since updated all my passwords and such since I noticed this.
Boosie denies ever being blackmailed; he also says he changed all his passwords and such after I made him aware of this. His PGP key is still the same however:

pub 2048R/55FCA225 2014-04-07 [expires: 2019-04-06]
uid lilboosie5150 <lilboosie5150@tor.com>
So eh... if it wasn't boosie5150 that posted the pastebin, what happened? If boosie5150 was compromised in June they could have accessed his account from then until now. Boosie's account was PGP protected, so the only way he could log in was if there somehow is a phishing site that acts like some kind of gateway to Agora; as far as I know the known phishing sites are mirrors (could be wrong here). In any case, if they actually have his password and PGP private key they are sitting on a goldmine of dox from orders from at least June 5 until now. I am thinking this might be the case since boosie5150 is positive he never got MITMed.

Boosie doesn't seem to have the best OPSEC: gambling on clearnet sites using the same username, showing his hand and room interior in product photos, giving his programmer friend full access to his account, etc. I have found multiple other clearnet accounts that could be boosie (I am aware that lilboosie is a rapper and know what 5150 means), none with personally identifiable information though (unless this is him).
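The order note with a plaintext address followed by the vendor's public key is the kind of mistake a client or market front end can refuse before the data is ever stored. The check below is an added example, not code from the post or from any market; the sample notes are constructed (no real key or ciphertext), and the verdict names and the `accept_order_note` helper are my own. It parses ASCII-armor blocks, distinguishes a PGP MESSAGE from a PUBLIC KEY BLOCK, and flags any non-armored text left outside the ciphertext, which covers both the exact mistake described above and the related case of an encrypted block with plaintext appended.

```python
import re

# Constructed sample notes (not taken from the page). ENCRYPTED_NOTE is what a
# correctly encrypted order note looks like; the other two are the mistakes.
ENCRYPTED_NOTE = """-----BEGIN PGP MESSAGE-----

hQEMA0NvbnN0cnVjdGVkIGNpcGhlcnRleHQgYm9keSwgbm90IHJlYWw=
=AbCd
-----END PGP MESSAGE-----"""

# Plaintext shipping details followed by the recipient's *public key*
# instead of a message encrypted to that key.
PLAINTEXT_PLUS_PUBKEY = """John Doe
123 Example Street
Springfield
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBENvbnN0cnVjdGVkIGtleSBtYXRlcmlhbCwgbm90IHJlYWw=
=WxYz
-----END PGP PUBLIC KEY BLOCK-----"""

BARE_PLAINTEXT = "John Doe, 123 Example Street, Springfield"

# One ASCII-armor block: header line, optional "Key: value" header lines,
# a blank line, then the data and the matching end line (RFC 4880 §6.2).
ARMOR_RE = re.compile(
    r"-----BEGIN PGP ([A-Z ]+)-----\r?\n"
    r"(?:[A-Za-z-]+: [^\n]*\r?\n)*"
    r"\r?\n"
    r"[\s\S]*?"
    r"-----END PGP \1-----"
)


def classify_note(note: str) -> str:
    """Classify an order note by what its PGP armor actually contains.

    Returns one of:
      'encrypted'                    a single PGP MESSAGE and nothing else
      'pubkey_instead_of_ciphertext' a PUBLIC KEY BLOCK was pasted (the
                                     mistake described in the post)
      'plaintext_outside_armor'      a PGP MESSAGE plus unencrypted text
      'plaintext'                    no ciphertext at all
    """
    block_types = [m.group(1) for m in ARMOR_RE.finditer(note)]
    # Whatever survives stripping every armor block is unencrypted text.
    outside = ARMOR_RE.sub("", note).strip()

    if "PUBLIC KEY BLOCK" in block_types:
        return "pubkey_instead_of_ciphertext"
    if block_types == ["MESSAGE"] and not outside:
        return "encrypted"
    if "MESSAGE" in block_types and outside:
        return "plaintext_outside_armor"
    return "plaintext"


def accept_order_note(note: str) -> bool:
    """Only a note that is entirely ciphertext should be stored or sent."""
    return classify_note(note) == "encrypted"


if __name__ == "__main__":
    samples = {
        "encrypted note": ENCRYPTED_NOTE,
        "address + public key": PLAINTEXT_PLUS_PUBKEY,
        "bare address": BARE_PLAINTEXT,
        "ciphertext + trailing address": ENCRYPTED_NOTE + "\n" + BARE_PLAINTEXT,
    }
    for label, note in samples.items():
        verdict = classify_note(note)
        action = "accept" if accept_order_note(note) else "reject"
        print(f"{label:32} -> {verdict:30} [{action}]")
```

The check is deliberately structural: it does not try to decrypt anything, so it can run on the buyer's side before submission, where the plaintext has not yet left the machine, as well as on the receiving side as a last line of defence.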