Many Dream vendors compromised

A user alerted us about several dream vendors that have listed the PGP key of the Dutch National Police [DNP] on their profile on Dream market.

The following is the list of vendors that listed the DNP key when I checked it:

00DRGREEN00

BoulderMedical

cannab1z

cocaMG

dutchcandyshop

GlazzyEyez

Gridlockdope

guessguess

ibulk

iCoke

MarcoPolo420

mushroomgod

wolfydutch

DrPoseidon [see https://www.reddit.com/r/DarkNetMarkets/comments/6pa47l/many_dream_vendors_compromised/dlx2w1m/ ]

Note that they do not appear on the DNP hidden service so they are probably fresh.

I do not know why they would put the DNP key in the vendor profiles, since a malicious key that at least looks like the real vendor's key would result in users falling for it. Maybe they already achieved that and now make the names of the compromised vendor accounts public by listing the DNP key.

The DNP stated that they seized vendor accounts on other markets with the data they gathered from running Hansa; maybe these vendors were the target of it. It appears that some of the listed vendors have had the DNP key up for some time now, but apparently new vendors [the ones in the list above] started listing it now too.

The vendor

UKLadyBuds

has listed a weird PGP key which is not the DNP key but also does not resemble the vendor name at all. The key is also different from the one listed on grams. Plus he posted on reddit that he is locked out of his Dream account.

kingodua

has apparently also no access to his Dream account and his PGP key is changed to a different one, but the account is still taking orders.

The list will be updated as I check more vendors. Here is the original post by /u/hugbitchesfuckmoney, but it contained some vendors that had their usual key listed when I checked them.


What does that mean for me?

No vendor would willingly list the DNP key. Either the vendors are compromised [more likely] or the Dream admins, or maybe both. Regardless, if you have ordered from one of the listed vendors, clean your house now (remove everything illegal and suspicious) and research a lawyer.


The vendors:

medicalzNL

rxchemist

turn up when searching for the DNP key on grams, i.e. entering the key on this page. However, they have currently not listed the DNP key on their profile. This means that grams probably crawled them some time ago and they had the DNP key listed at that point. Afterwards they changed it back.

I am not sure why law enforcement would do that, but the customers from these vendors should also proceed as explained above to be safe.

DrRelax

has a brand new PGP key created on July 20. If somebody has his old key, one could ask him to sign his new key and then verify the signature.

However thanks to /u/hugbitchesfuckmoney who posted publicly about the PGP key changes to warn fellow DNM users.


Comments


[60 Points] Chemical_Love_Story:

Great to know, it might be a good idea to keep an updated list of "compromised vendors" in the side bar, at least for a while. Being able to do a quick Ctrl+f to look for a vendor that you are about to use would be nice.

You'd think the DNP would at least try to be a bit sneakier about this. Glad they aren't though.


[26 Points] haikumofo:

I do not know why they would put the DNP key in the vendor profiles, since a malicious key that at least looks like the real vendor's key would result in users falling for it.

4D chess possibility: they knew people would be suspicious so they did something obvious to a few accounts as a distraction, and have other compromised accounts using less obviously changed keys to serve as little mini honeypots

2D tic-tac-toe possibility: Someone fucked up and did something stupidly obvious unintentionally.


[18 Points] Buckets_O_Dank:

This shit is getting wild af


[18 Points] None:

Add iCoke to the list


[11 Points] Just4theDrama:

What is causing me stress is the following situation. Vendors that used the same credentials on Hansa and Dream BUT had PGP login as well still reported that they were compromised. That means somehow the police could still use the accounts despite 2factor login being enabled. How is that possible? Only things compromised, or they copied the 2factor from Dream and let the vendor decrypt on Hansa then. No idea though if Dream used the market name in the PGP login or if they expired. If not, then that method obviously is easy to use beside those crucial points.

Something aside from that. I think AB forum was compromised for a few months at least, including some staff. If not, anyway some stuff was a fed all the time. They made a sure alex bought why they want to link forum and market forum accounts and chatted with Alexandre the time of the raid. So the PC was not encrypted. Probably even the wife was turned around to alarm them when the right time to move in would be. Probably showing all his posts from Rooshv and telling her she will be placed before court for certain stuff as well. Or they had installed surveillance to see when he leaves his computer alone for a while.

Last conspiracy thought I had: AB was planned to be online as a honeypot for a longer time. But with the fent pressure and the medical thing from Australia they had to move on, as the threat was too big from those things and pressure from international politicians was huge.

No matter what, I would take extreme caution even if you weren't on Hansa if you had your market account with many transactions linked to your forum account.


[10 Points] pxx51092:

This is VERY IMPORTANT, someone please post this as a new thread; as I'm a new user, reddit doesn't allow me to make a new post. It can save many vendors' lives

I looked into the loctime xlsx file. It's basically a zip file containing many plain text xml files; you can change the file name from .xlsx to .zip and open it with your zip viewer. I looked into the xml files one by one and guess what I found: the IP address of the hansa server.

in folder xl/drawing/_rels

<Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="http://217.182.159.33:9998/img/xxxxxxxxxxxxxxxxxxxxxxxxxxxx/logo/logo.png" TargetMode="External"/>
<Relationship Id="rId6" Target="/xl/media/image2.png" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" />

The "xxxxx" is a long generated unique code. I guess each vendor has a unique one; this way, when you open the xlsx file, Excel sends a request to the IPv4 address for the image and they know your IP address without Tor protection. That's why they said they were able to get IP addresses of users

When you try to open the IP address, it shows exactly the same image as hansa's onion domain

If you ever opened the file without IP address protection, you are fucked, your real IP address is leaked! clear your house ASAP

One more thing to say: although there's this beacon image, there's no hidden malware or macro VB code in the file. Macro code cannot be saved into an xlsx file; it can only be saved into an xls, xlsm and xlsb file, so you don't need to worry about malware
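
Added example, not part of the original thread or anyone's post: a way to triage an Office Open XML file for the kind of external image reference described in the comment above, by parsing the `.rels` parts without opening the file in Excel. The function names, the sample package, the `192.0.2.10` documentation address and the `PLACEHOLDER-TOKEN` path segment are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace used by every OPC "*.rels" part inside .xlsx/.docx/.pptx files.
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def external_targets(package_bytes):
    """Return (rels part, relationship type, target) for each relationship
    marked TargetMode="External". The archive is parsed as a zip only and
    is never handed to an Office application, so nothing is fetched."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            raw = pkg.read(name)
            # OPC parts must not carry a DTD; refuse rather than let the
            # XML parser expand entities from an untrusted file.
            if b"<!DOCTYPE" in raw:
                raise ValueError("DTD found in " + name)
            for rel in ET.fromstring(raw).iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, rel_type, rel.get("Target", "")))
    return hits


def build_sample():
    """Constructed package holding only a drawing .rels part: one external
    image (documentation address, placeholder token) and one embedded."""
    img = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId5" Type="{img}" TargetMode="External" '
        'Target="http://192.0.2.10:9998/img/PLACEHOLDER-TOKEN/logo/logo.png"/>'
        f'<Relationship Id="rId6" Type="{img}" Target="/xl/media/image2.png"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/drawings/_rels/drawing1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for part, rel_type, target in external_targets(build_sample()):
        print(f"{part}: external {rel_type} -> {target}")
```

External relationships of type `hyperlink` are common in ordinary workbooks and are typically only followed on a click, so the entries that matter for this check are external `image` (and similar auto-loaded) types.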


[7 Points] Pupporoni:

Vendors should start changing their PGP key to the Dutch LE's PGP key and continue business as usual. Then they can act like they already got snagged and hide under the radar


[8 Points] mrmcepic69:

And we all know that Dream market won't do shit about it.

Why do people use this market again?


[5 Points] thenorm123:

Perhaps they've done it to keep everyone confused and frightened trying to guess what they've done it for.


[3 Points] JakeTheDog420420:

Wow! Good find! Sort of baffles me that LE would be stupid enough to use the same PGP key in compromised vendor accounts... They could have easily made new ones that weren't linked to them and probably fooled a lot more users! Worrying tbh :S Hope everyones okay and safe! Clean house if you've ordered from these vendors and be ready for a knock on the door.


[4 Points] Eyeh8uAll:

Maybe the fbi is finally going to put up this seizure notice I saw a while ago

mobile.twitter.com/OTM/status/888203267909574657/photo/1


[3 Points] hodor1993:

And thus, I've cancelled my order and withdrew my coin


[3 Points] gangstahippy:

I'm one of these vendors. same password on dream and hansa without 2fa enabled on dream// that's how they did it. Dutch police ran a script to collect these passwords from hansa when they mirrored the site. I purged all my messages on dream, i rarely used it, and i didn't get started vending on hansa yet. Any customer who ordered from me, i hope they notice the pgp key as dutch national police. I was fairly inactive on both of these markets, stupidly i did use the same password and login.

i warned the mods directly in the dream market forum, the day it went down! and the admin known as speedstepper absolutely knows some of these vendors are compromised - they posted in the forum and told him - the admin of dreammarket is likely dutch national police. dream is a runaway market.

speedstepper - the admin of dream market said verbatim 2 of dream market servers were seized, they are moving to new servers, and that the recent seizure of alphabay or hansa directly led to the seizure of dream market servers.

it's my personal opinion dream market is rogue market ran by police or officials on the inside trying to steal money and gather intelligence.


[3 Points] InsanityDRM:

Please add UKLadyBuds [Dream] to the list. https://www.reddit.com/r/DNMUK/comments/6p7yzy/ukladybuds_announcement/


[2 Points] MuchoLoco:

Good shit


[2 Points] RandomNumsandLetters:

I'm guessing they made it obvious so if it's not obvious people won't be suspicious


[2 Points] None:

Thank you so much for spreading this knowledge out to people. No homo, but I have a great admiration and boner for your works.


[2 Points] None:

[deleted]


[2 Points] outofideastx:

Couldn't some vendors have changed their PGP key as a way to exit scam without scrutiny? I don't use the markets, so I don't know if they make you type in an authorization code that was encrypted using your new public key when you change your public key.


[2 Points] HeWhoHatesPuns:

I'm a newbie here. Can anyone answer me one question?

Who exactly is seizing the markets?

Im european. Should I be worried, or is this an FBI/USA thing? Also (idk if Im allowed to ask this but,) what are the safest markets right now?


[2 Points] DNMTiger:

/u/wombat2combat please add kingodua to this list he was on dream ab and hansa and when everything went down his pgp got changed to dutch police and then was changed two days later to one that has just his name and no email, i have talked to him through his real pgp and he said that he did not create any new pgp and that those were not him and he is not taking orders on the market at the moment


[2 Points] DarkNet_Shill:

GG


[1 Points] ForLol_Serious:

All this drama has got me excited. What's gonna happen next?


[1 Points] skankhunt92:

Yes some of these vendors are on other markets as well I've heard. Good to know.


[1 Points] _PrinterPam_:

Jesus Christ? Really!? Let's assume this is true. In no fucking way does this point to Dream being compromised. It points to those vendors being compromised. Considering the very high percentage of vendors who don't make use of 2FA if not forced, and the fact that so many probably use the same passwords as used on Hansa (which was seized), the only thing this proves (if, again, it's true) is that those individual vendors were compromised by LE (or someone else) simply using collected passwords.

I'm on Dream, and my key hasn't changed. AND, where are those vendors and why aren't they personally screaming 'bloody murder' right here and everywhere else? If they had 2FA enabled, they might very well be locked out of their vendor accounts. You'd hear from them LONG before you heard from some 'user'.

ADDITION: Why on Earth would LE do something so stupidly obvious? Are we now saying they were so ingeniously clever in their takedown of AB & Hansa, but have suddenly, overnight, transformed into retards?

SELF-POST LINK COVERING STUFF LIKE THIS: https://www.reddit.com/r/DarkNetMarkets/comments/6p987r/on_the_art_of_reducing_wellintentioned_doomsaying/

EDIT: I've confirmed that the quick handful of vendor accounts I checked do indeed have the same key. This still only means that it's those vendors who might be compromised due to negligent practices on the vendors' parts, not the market itself. Steer clear of those vendors for the time being, for certain.


[1 Points] None:

[deleted]


[1 Points] None:

[removed]


[1 Points] jjjackson65:

List is bigger than that. I fell for the hansa switcharoo as well but I'd have to be retarded to give that name up here as well. Just stay away for now boys n gals


[1 Points] 1coolthrowawayisay:

I FE'd an order from "B1GD4WG" on Dream Market 5 days ago. He started off by saying he shipped the package. When it didn't show, he said he would check and then apologized and said it slipped his mind and would ship. That was two days ago. Yesterday I get another encrypted message from him that I couldn't decrypt (I haven't been able to decrypt other messages from him either). I let him know that I couldn't decrypt his message and he sends me this back:

*k what im trying to say the whole time is i couldnt decrypt your address. then when you finally messaged me back i forgot what we were talking about because i cant decrypt messages i sent to you. so just send me your address and ill send it out. you might have to send it clear text bro if we cant decrypt each others messages

B1GD4WG 08:47 *


[1 Points] None:

[removed]


[1 Points] iCokeDM:

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

hey all - my private key is still safe, this is why they've changed the public key to disable my access to the dream account. there is no dream support so am struggling to get them to add my public key back in for me to access. i have active accounts on some new markets and will be running out of them soon, any vendor who doesn't change their public key should be deemed safe to use..


[1 Points] Theeconomist1:

I've been trying to follow up the drama, has this been posted yet? http://mashable.com/2017/07/21/dark-web-marketplace-drugs-dream-market/#Uv.mN36cFmqk

So did luckquack or whatever actually predict the Hansa bust beforehand??


[1 Points] M_237:

Unable to connect to Dream Market as of Jun 26 1:52 EST


[1 Points] None:

[deleted]


[1 Points] tecman69:

Yup, dream pawned, confirmed.


[1 Points] methbat:

have you guys ever encountered vendors who offer all these free samples, talk to you and guarantee its shipped and nothing comes and they get banned? there was a guy on a.b. named "theapothecary" who was real personal with me and seemingly honest and said he spent over 1 btc in samples. i ordered and nothing came and a week later he was banned...couldnt figure out his endgame since no coin was spent. from what i've researched there is a legit vendor with that name so i dont know what this clown was up to but i cant help but wonder if there's a connection.


[1 Points] CruzLevel1:

Can someone please help me access The site, I've tried the past day & its fucked me over


[1 Points] MotherOfMeatballs:

They allowed PGP or Password login option, not just explicitly one of those. That's basically it. They didn't pay attention.


[1 Points] DarkNet_Shill:

REKT LOL GG


[1 Points] DarkNet_Shill:

people are getting seriously fucked


[1 Points] PillyHoliday:

Just wanted to say that I verified littlemissy on Dream with her old key. Didn't want to create a new thread just to say that, but I will post a review about her when I'm able to make an order.


[1 Points] Jaybobtothejim:

DiazepamDirectUK compromised on Dream too, using the DNP key


[1 Points] throwawayyyyyyyy32yb:

Dream is such a scamming piece of garbage market, and yet it's the only viable one. Sorcery, trading route and all the other ones have close to no listings. I will wait on ordering some 2cb and ketamine for now; I still think dream is compromised completely (and if not - the staff is still scamming pieces of trash)


[1 Points] throwawayyyyyyyy32yb:

/u/MUSHBUD can you please post a PGP Message with a recent btc block so I know you are okay?


[1 Points] None:

[deleted]


[1 Points] reconrose:

Anyone aware of the legitimacy of USAmp and Bruiser99 following the recent busts?


[1 Points] thatskank:

RXChemist was busted way back like last year on AlphaBay


[1 Points] big_seanGang:

I would rather call them SNITCHES than compromised accounts 👌👌


[1 Points] Fuckbudmates:

BUDMATES is LE too


[1 Points] dncrumbs:

Should I be concerned if two different vendors are using the same public key?


[1 Points] None:

[removed]


[1 Points] DrPoseidonShop:

Could you please remove my name from the List? (DrPoseidon). My account on dream is since over 1 Month inactive and secured by admins.


[0 Points] shillface:

These vendor accounts stupidly used the same passwords as Hansa and didn't have 2fa enabled on Dream. Dutch LE hasn't suddenly got access to the old messages and the vendors themselves are fine

Nobody needs to clean house if they placed an order in the past

Buyers just need to avoid placing orders with these vendors until they're banned on Dream or support gives access back to the actual vendors

No need to scaremonger so damn hard