Alphabay Security Measures & Follow-up

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I am the root admin of Alphabay and I have been made aware of the issue with
BigMuscles asking someone for a private key. My manager posted some pretty
good explanations on reddit earlier today but I will add some more information.

First, I went through the database and removed all messages containing a
private key. A total of 11 users gave it, so the messages were deleted. There
is no evidence of any breach so your information is safe. Every moderator can
set his own templates for replying to tickets to make it quicker and to avoid
having to retype the same thing too many times. For example, many moderators
have templates asking for PIN, mnemonic and last transaction history if a user
claims to be locked out of his account, or templates asking for BTC address / txid
for missing deposits. I can confirm that BigMuscles' template included a request for
a private key, but I can also confirm that it was purely a language mistake and that
is has now been edit. He meant a message signed with the private key, which is the
standard method of verification in many markets.

As I am the only one having access to the moderator logs on the marketplace, I
confirm that nothing was ever compromized, and that nobody lost money. In short:

- - It was just a language mistake
- - All messages containing private keys have been hard deleted
- - The template has been edited
- - All staff has been warned to be very careful about that
- - This moderator had a perfect record with us and pratically no complaints before
- - This moderator cannot change balances, PINs, or passwords

Nevertheless, if it can make you feel safer, change your PGP key if you gave it. Hopefully
this should convince the community to calm down on what is now 100% resolved and
nothing else to worry about, and again, on behalf of Alphabay, we truly apologize for
the problem. We would also like to remind you of some more security features that
were recently added:

1) Phishing

All new members will see a warning at the top of EVERY message warning them to be
careful about phishing links, do not FE, and the usual security stuff. The warning
message will disappear after a while, over time.

2) BTC addresses

All withdrawals are sent in batches from different addresses, therefore eliminating
wallet profiling techniques. We also employ a special process: every 2 days, we export
all required private keys (user deposits addresses and change addresses with balance),
and re-create the hot wallet from scratch. This means that after an address expires, or
after a change address (which can be MANY levels deep) sends coins to a user, its
private key gets removed from the server, so even the police getting the hard drive
of the server would never be able to prove that an address has ever been ours. This
should comfort some people who made mistakes in the past. What you see on
WalletExplorer is the old wallet, which people keep sending money to despite knowing
that we erase all records after 7 days for security reasons.

3) About the "exploit" allowing orders to finalize earlier

This is a MYTH. We have put our programer on the case as soon as it got reported on
reddit, to find out that it wasn't true. Once the order gets placed, its "listing type" is sent
with it, so any change made to the listing does not affect orders who already got placed.
Nevertheless, we added a security protection preventing vendors from putting "digital
listings" in physical categories like Drugs, etc. to eliminate possible scamming.

Thanks for being a customer on Alphabay and we will be implementing additional measures
in the future to make sure that we are totally safe from LE.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJW49GJAAoJEOAZpE/dncxme5IH/ii4En4cUZU/Qki0Xka08qRR
BPZx0knPipxJQy4F9zkQNYclhMAx0tWfro13vbqYhv/CR0pzOSTo7dowGPI9xqjk
X9hYQ8Jxv5byNFCZIPhHS9Q0MUOHDiJ3CJ+bXtXF+k9dRmwV5TKo5Ahog63wJKAj
P18Mf+ei3N2JnZHuxm3RDrGV4of1MAZklvuWumQwVxdeNWafb0so/bUAeps2PD1b
ue79i2JUrl2IBjpOZ3pe1aPc9J7erbVUdUyCrtXRt18lJ98M6LgIl1AAF7d6umxJ
MINBuwYpoubQVZ7aydl46klWUnQxK96wZUX8RKDu53jcBOHLgCcn4DOSgxGNNCI=
=mvbB
-----END PGP SIGNATURE-----


Comments


[4 Points] None:

[deleted]


[3 Points] potatogobbler69:

I'm watching you guys...


[3 Points] octomarvel:

"Never attribute to malice what can be adequately explained by incompetence."

But this is the era of skepticism, expensive bitcoins and faceless fonts so...

"Never attribute to incompetence what can be adequately explained by malice."

Stay safe people.

=)


[2 Points] Example1337:

his English seemed fine to me.


[2 Points] Ketsa:

Obviously not "Just a language mistake"


[2 Points] Kazaa99:

Should this "support" employee haven't figured out himself that something was wrong when customers wrote they didn't want to give him their private PGP key, and also more so make him see that something was wrong when he got 11 public keys in his response when asking for a signed pgp message?

I mean his response to receiving a private key should instantly be that he cant use this private key for anything, and instead say he needs a signed message (calling this mistakenly private, public or whatever pgp/key then). It shouldn't take so long, causing it to be discovered by users rather than himself. (Otherwise he is to incompetent to be a support staff)


[1 Points] DNM-Accountant:

Well they are indeed trying to cover up the shitstorm.

Atleast nice to see Alphabay working this hard for it.


[1 Points] None:

fail lol lolz


[1 Points] Sunline_Inc:

Not cool...and as we know the drug business is run by "cool people", so we must strive to maintain that paradigm at all costs for the health and safety of all involved, because lame people trip,and they trip hard, and also tend to be fragile, so they shatter into pieces when they fall.........Are you picking up what I'm putting down? Are you..........gathering what I'm scattering?


[1 Points] Anti-Hero_AU:

It was meant to go down like this.


[1 Points] Vendor_BBMC:

Those "old" wallets aren't accidentally getting deposits sent to them by customers.

https://www.walletexplorer.com/wallet/AlphaBayMarket

They are wallets inside the tumbler now. here's a typical one

https://www.walletexplorer.com/wallet/39450a16925d8549

The amounts seen going in look too small to be used to buy drugs. It looks like marketplace commission to me. That means its all going to end up in the bosses wallet.

I assume alphabaysupport is the boss if he is the only person who can access the admin logs. I was expecting him to be Russian.


[-4 Points] Lucia-Anil:

Thank You, keep up the great work. Alpha has always run flawlessly and I hope it will continue to do so