While I'm doing obits... So you may also have noticed that a recently-launched black-market named Black Goblin Market has been down for the past 3-4 days after its launch 5 days ago.
Goblin was not so much hacked as de-anonymized. You can see some information on its IP in the comments: http://www.reddit.com/r/DarkNetMarkets/comments/1wwjg3/black_goblin_market_is_now_open/cf64uhk
Naturally, for any black-market, being de-anonymized is about as bad as being hacked, since it means that any future law enforcement investigation knows exactly where to start: subpoena the host or ISP to get everything they know, like what's on the server, what IPs connect to it, who was paying for it, etc. And this means such a market can never get very big or last very long.
So while he left the landing page up for a day, he seems to have called it quits for good.
I'm afraid I have to claim credit for this one: about 3 hours after the Reddit post was submitted, I signed up for an account on BGM, gave it my real e-mail address when its signup form asked (I am aboveboard about the mirroring stuff and have nothing to hide), and a little while later, noticed in my inbox an email from... Black Goblin Market.
A little background here: Tor exit nodes generally forbid email because allowing email would result in a tsunami of spammers. If you ever read the Tor documentation (or read your /etc/tor/torrc and noticed the discussion of blocking ports) about exit policies, you'd know that SMTP/email/port-25 is blocked by default; as the Tor Abuse FAQ explains in "What about spammers?":
First of all, the default Tor exit policy rejects all outgoing port 25 (SMTP) traffic. So sending spam mail through Tor isn't going to work by default. It's possible that some relay operators will enable port 25 on their particular exit node, in which case that computer will allow outgoing mails; but that individual could just set up an open mail relay too, independent of Tor. In short, Tor isn't useful for spamming, because nearly all Tor relays refuse to deliver the mail.
So it is unusual, to say the least, to ever get email from a hidden service. "How did BGM pull it off‽", I instantly wondered. I opened up my email and looked at its headers ('Show Original' in the dropdown menu in Gmail, if you don't know what I'm talking about):
...
Received: from ua4aptglh45m5p6b.onion (p549469F8.dip0.t-ipconnect.de [84.148.105.248])
        by mx-fwd-1.nearlyfreespeech.net (Postfix) with ESMTP
        for <gwern@gwern.net>; Mon, 3 Feb 2014 19:28:16 +0000 (UTC)
Received: by ua4aptglh45m5p6b.onion (Postfix, from userid 33)
        id 8A3BD2180319; Mon, 3 Feb 2014 20:28:10 +0100 (CET)
To: gwern@gwern.net
Subject: Account details for 1391455689 at Black Goblin
X-PHP-Originating-Script: 1001:system.mail.inc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed; delsp=yes
Content-Transfer-Encoding: 8Bit
X-Mailer: Drupal
Sender: goblinking@noemail.com
From: goblinking@noemail.com
Message-Id: <20140203192810.8A3BD2180319@ua4aptglh45m5p6b.onion>
Date: Mon, 3 Feb 2014 20:28:10 +0100 (CET)
Answer: he didn't. The email was sent straight from his server and the IP (84.148.105.248) was right there for anyone in the world to look at, and would have been for anyone who ever signed up with a working email (like, say, a Riseup or Safe-mail email address), and making the emails anonymous would be quite difficult (have to somehow proxy over HTTP to someone willing to do clearnet emails for you). The IP is easily checked against a master list of Tor exit nodes & found to not be an exit node.
Actually, the hilarious thing is that he may not have even realized his 'hidden service' was doing this: the X-Mailer is "Drupal" and the return address is "noemail.com", and apparently this is some sort of Drupal default functionality. (Not an issue for most servers where it doesn't matter if the IP is being leaked...)
I mentioned it to some other people, they did some nmap probing and a simple correlation attack by DoSing the IP to see if the hidden service goes down simultaneously, and that was that. Black Goblin was toast.
The self-signed HTTPS nonsense and all the well-meaning security advice and elaborate precautions aside, the site never stood a chance. Really, all these new black-markets are so incredibly bad - I'm not a web dev, much less a pen tester, and I managed to de-anonymize a market? (And there's more in the offing...)
RIP Black Goblin Market (3-4 February 2014).
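The check described in the post above (read the earliest Received: hop, take the connecting IP, and compare it against a Tor exit-node list) is easy to automate, and an operator of any server that is not supposed to reveal its address can run it over a test message sent to an address they control before a stranger does it for them. The following is an added example, not code from the post; the header block is the one quoted above, pasted in as sample input, and EXIT_NODES is a constructed stand-in for the real exit list (which you would download from the Tor Project and refresh regularly).

```python
import ipaddress
import re

# Sample input: the headers quoted in the post, reproduced here as a test message.
SAMPLE_HEADERS = """\
Received: from ua4aptglh45m5p6b.onion (p549469F8.dip0.t-ipconnect.de [84.148.105.248])
    by mx-fwd-1.nearlyfreespeech.net (Postfix) with ESMTP
    for <gwern@gwern.net>; Mon, 3 Feb 2014 19:28:16 +0000 (UTC)
Received: by ua4aptglh45m5p6b.onion (Postfix, from userid 33)
    id 8A3BD2180319; Mon, 3 Feb 2014 20:28:10 +0100 (CET)
To: gwern@gwern.net
Subject: Account details for 1391455689 at Black Goblin
X-Mailer: Drupal
"""

# Constructed placeholder for a Tor exit-node list (documentation-range addresses only).
# In practice, load the current list published by the Tor Project instead.
EXIT_NODES = {"198.51.100.7", "203.0.113.42"}

# "from <helo> (<rdns> [<ip>])" as Postfix and most MTAs write it; only the leading
# "from" clause is matched, so "from userid 33" inside a "by ..." hop is ignored.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\))?"
)


def unfold(raw):
    """RFC 5322 unfolding: a line starting with whitespace continues the previous header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_hops(raw):
    """Return each Received: header as {'helo': ..., 'ip': ...}, top of message first."""
    hops = []
    for line in unfold(raw):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "received":
            m = RECEIVED_RE.match(value.strip())
            ip = m.group("ip").strip() if m and m.group("ip") else None
            if ip and ip.upper().startswith("IPV6:"):
                ip = ip[5:]
            hops.append({"helo": m.group("helo") if m else None, "ip": ip})
    return hops


def origin_hop(hops):
    """Received: headers are prepended, so the earliest hop with an IP is nearest the bottom."""
    for hop in reversed(hops):
        if hop["ip"]:
            return hop
    return None


def classify_origin(raw, exit_nodes):
    """Decide whether the originating hop reveals a server address it should not."""
    hop = origin_hop(received_hops(raw))
    if hop is None:
        return {"verdict": "no-ip", "ip": None, "helo": None}
    ip = ipaddress.ip_address(hop["ip"])
    if not ip.is_global:
        verdict = "private"      # internal relay address; nothing exposed to the recipient
    elif str(ip) in exit_nodes:
        verdict = "tor-exit"     # arrived via a Tor exit, as Tor-routed mail would
    elif hop["helo"] and hop["helo"].endswith(".onion"):
        verdict = "leak"         # a .onion host announced from a public, non-exit IP
    else:
        verdict = "clearnet"     # ordinary clearnet origin
    return {"verdict": verdict, "ip": str(ip), "helo": hop["helo"]}


if __name__ == "__main__":
    print(classify_origin(SAMPLE_HEADERS, EXIT_NODES))
```

The verdict "leak" is the case in the post: the first hop names a .onion hostname but the connecting address is a public IP that is not on the exit list, which is exactly what the receiving MX records. Note that only the hop added by a mail server you do not control (here nearlyfreespeech's MX) is trustworthy; any Received: line the sending host writes itself could say anything.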
Good work man, it's good to see some people like you and the others that take security seriously and work hard to check out the new markets.