Wired, AlphaBay and the Grand Wizard

Edit: Another safety tip: never click on links you get in messages, e-mails or forum posts. The URL listings at DNStats.net, DNM Avengers, the Reddit superlist and Deepdotweb are reliable: those at the Hub generally so, although there was a recent case of a phishing link being posted as an AlphaBay URL. If you get a message from ReallyTheMarketAdminHonest telling you to click on gxwbitcoinsucker.onion and log back in to test the new interface, DON'T DO IT. A little caution can go a long way against MiTM attacks. Kudos to /u/AdventureTimeSupply for his input.

After getting quoted in Wired, the Grand Wizard wanted to speak up about a few things.

First, Wired neglected to mention that GWL AlphaBay reopened not long after that comment was posted to Reddit. The Grand Wizard has managed heels who got more love than AlphaBay -- but while buyers may complain and complain and complain about the place, they appear reluctant to shop anywhere else. And we always give our customers what we want, especially when they give us the satoshis we want.

This has been a recurring theme in darknet history. Consider how many will spend hours bitching about exit scams and how few will take 15-30 minutes to learn 2-of-3 multisig. And until DNM users start taking responsibility for their financial safety we're going to keep seeing the same issues and hearing the same complaints.

Many seem unclear on how 2FA works, for example. If everybody used 2FA on the DNMs we might never again hear another "phishing" complaint. With 2FA a phished address/password combo is only half the battle: if the phisher doesn't have access to your private key he can't decrypt the challenge. 2FA makes it much harder to gain unauthorized access to an account: there's a reason it's the gold standard for corporate logins.

(Yes, someone with root privileges on the server might still be able to gain access to your satoshis -- but getting root on a server is a whole lot harder than social engineering access to an individual user account. Even a junior admin might not be able to -- SHOULDN'T be able to -- transfer money from your wallet to his. And getting a password is a lot easier than copying somebody's secret keyring).

Question for AlphaBay admins: have you considered implementing PGP Login? Outlaw and Dream Markets both offer this and it could go a long way toward silencing "phishing" complaints. Of course, it could also lead to hysterical screeds from people who lost their PGP key, but nothing is perfect.

The Grand Wizard has had 2FA since signing up for AlphaBay in April of 2015. During that time we have never had issues with disappearing funds or with misdirected withdrawals. We also get funds offsite as soon as we see them: we send enough to buy then send back the change as soon as the transaction is completed on our buyer accounts. And at present we don't offer conventional escrow, although that might change if we crunched the numbers and found it would be in our best fiscal interest.

We still have problems with AlphaBay's history of online drama. Nucleus is of comparable size to AlphaBay and had a rocky start. Yet they don't get tagged with half the allegations we see aimed at AlphaBay. We don't know exactly why they draw this kind of negativity, but we know their public relations team isn't helping. To put it mildly.

We have had funds disappear on other markets: it happened to us once on our Agora buyer account. We still don't know what happened -- and we know several other people reported missing funds at the time -- but we know that the problem never repeated itself after we started using 2fa on our accounts.

We would like to see AlphaBay get this public relations program under control because it is costing us money. If people don't trust AlphaBay -- and it's pretty clear from reading this subreddit that a lot of people don't -- they aren't going to shop there. Right now the ongoing clown show is taking food out of our mouths and sequins off our turbans. We think our business on AlphaBay could double or better if there wasn't a constant cloud of melodrama hanging over the place.


Comments


[13 Points] None:

[deleted]


[11 Points] FuckingNewGuy666:

Can't believe I'm typing the following sentence: BBMC is right.

Alpha Bay is run by carders.

Drug dealers think carders are scum. Carders think drug dealers are scum.

I don't trust anyone in this game, including Alpha Bay. But they do offer more in the way of security than the alternatives. While only a fraction of the user base is using it, they do offer multi-sig. Not using multi-sig tells the market that you believe they won't steal your money (as long as they pinky swear). Multisig means that the buyer and vendor can get all the money from their transactions back, even if the market exits. Still have to get the other guy to cooperate. You can still be fucked with multi-sig, but you can keep it away from the market.

The noise-to-signal ratio here is already high, with scammers and shills inundating us daily with suspicion and accusations. When AlphaBay is the topic, there is much more bullshit to wade through. And it's because they are backed by a different stripe of criminals.

I'd rather a bunch of hackers watch the money and keep the ship tight than some benzo pressers or tweakers with A+ certification.

Thanks for the post GrandWizard. In the context of the article, your statements sounded unwizardly. My world makes sense again.


[7 Points] Vendor_BBMC:

Other marketplaces don't employ a reddit PR, but they don't suffer such bad publicity because their origins aren't in credit card fraud. If you know a carder, you'll know that all they want to talk about is new ideas for ripping people and companies off. They think about it in bed, they think about it when they brush their teeth.

Untraceable currency taken from drug users who can't go to the police was a target somebody dreamed up at Evolution. I'm surprised nobody at alphabay has thought of it, because it's very low risk compared to credit card fraud.

Most marketplace users don't read reddit, they read deepdotweb which loves alphabay.

Multisig escrow is mainly designed to protect your escrow funds from the police if the server is compromised. There are a hundred ways the marketplace owner can steal your escrow funds, the very idea that somebody can be relied upon to write code to prevent themselves from stealing is ludicrous, there will never be a software feature to prevent marketplace exit scams, so the safety of the marketplace all comes down to the integrity of the owner.

I don't trade on alphabay for the same reason as Evolution. How long did Evo run before its exit scam? It seemed like a long time. I can't quite tell if grandwizzard is complaining about more customers not using alphabay, or about too many customers using alphabay, or alphabay!

The vendor has to make this decision, because customers follow us to the marketplace. Once we are there, we have to completely trust the owner to concentrate on keeping our bitcoin transactions invisible from LE, so the most important feature of any marketplace is as a COIN MIXER.

Individual escrows are fundamentally incompatible with this. There shouldn't be actual BITCOIN travelling directly from your customer to you across the site, because that customer might be a cop.

His bitcoin should have gone into a bucket with everybody else's, then you get paid from the bucket when he releases the escrow.


[7 Points] None:

Why don't people like Nucleus?


[1 Points] imnotatree:

Well put.


[1 Points] Bobrosshappytreesman:

Do you plan on joining DHL at any point? They make 2FA mandatory to open an account.


[1 Points] Spa__ce:

Based on all my readings I think a big part of it comes down to how alphabay handles disputes. Which seems to be very poor compared to previous markets. I'm going to assume the grand wizard doesn't get many of those bc he does things properly.


[1 Points] FIX_O_BOT:

If people don't trust AlphaBay -- and it's pretty clear from reading this subreddit that a lot of people don't

I'm surprised to see this comment from an established vendor and buyer. Here are the facts - the amount of people that read this sub are a small fraction of 1 percent of AB buyers. The total people on this sub that distrust AB, which include many that only distrust because throwaway12345 spams bad shit - is less than a fraction of a fraction of AB buyers. The term statistically insignificant is WAY TOO significant to describe the amount of people that mistrust AB.

The Grand Wizard should factor this reality into his future vending plans. AB is/will be far and away the number one site until the day they steal EVERYONE'S money and disappear.

Incidentally, almost 100% of those that hate AB and are actual customers of darkmarkets are current buyers at AB from necessity.

You make great points on the issues of poor adoption rates of 2FA and multi-sig tho.


[1 Points] CandyKoloredKlown:

When you managed heels did you have people shooting at you like Bobby Heenan?


[1 Points] TheRealDealMarket:

2fa can easily get bypassed if the server side security is not done correctly.

Imagine being presented with the 2FA taken in real time from the real site, after the phishing site uses your user/password to login.

Once you solve that 2FA and fully login, the attacker takes your session cookie and uses it. Simple.

Not saying attackers are smart enough for this at this point though...


[1 Points] None:

I stopped buying from you because your shop's menu has shrunk to the point where I no longer am interested in what you offer. Whatever happened to the "Greatest Mind in Psychedelics"?


[0 Points] coffeencreme:

What do you say Traps? u/Trappy_Pandora


[0 Points] d3emSt3rz:

I'm pretty sure that at least half of the idiots that come here only to talk shit on Alphabay, use Alphabay as their primary market. There doesn't seem to be any way to get ppl to stfu about Alphabay... If you use Alphabay properly (i.e. use 2fa, don't leave a significant balance in your AB wallet, don't FE if you don't know/trust the vendor), you really shouldn't have too many problems with Alphabay.


[-1 Points] AdventureTimeSupply:

You're a good guy u/GrandWizardsLair but you're providing incorrect info on how 2FA works on the darknet. I really think you should delete your post so the wrongness of it doesn't spread, but that's up to you. I'm just going to copy/paste comments I made in another thread yesterday.

2FA has no impact on phishing. All it prevents is someone guessing or brute forcing your password.

Phishing sites capture the victim's every keystroke and serve all the content. If you go to withdraw funds, they serve you a fake version of that page. You enter your PIN, they withdraw to their wallet and serve you a fake successful withdraw page.

If someone uses a phishing link once, they're likely to use it again. Now they have your username, password and PIN. If you're a vendor and have buyers finalizing orders the phishing site waits for you to decrypt the 2FA login code, withdraws your coins and serves you a fake page showing the finalized orders are still in escrow. Every time you log in to see if your buyers have finalized the phishing site takes the new funds, and all you see is the orders are still in escrow.

They need to hijack it quick after they're in.

No they don't. Once they're in, the hijack has already occurred and they can stay logged in as long as they choose. They control what is sent to the market and what is sent to the victim. The victim has no control because they are talking to the phishing site, not the actual market. Clicking logout will just be clicking a fake logout button, which would serve up a fake logged out confirmation page. The phishing site stays logged in as long as it wants.

You also say this:

Question for AlphaBay admins: have you considered implementing PGP Login? Outlaw and Dream Markets both offer this and it could go a long way toward silencing "phishing" complaints.

PGP Login is no different than 2FA, and is actually less secure than requiring a password and proof of key ownership. Neither PGP Login nor 2FA prevents phishing.
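
The disagreement in this thread (the post's view that a phished password is useless without the private key, versus the replies saying a phishing site can pass the live challenge through to the victim) can be modelled in a few lines. This is an added example, not code from the thread or from any market: the hostnames are constructed, and an HMAC with a per-user key stands in for the PGP proof of key possession. The origin-bound variant, where the client mixes the hostname it is actually connected to into its answer (the idea behind WebAuthn), goes beyond what the thread discusses.

```python
import hashlib
import hmac
import secrets

REAL, LOOKALIKE = "market.example", "lookalike.example"  # constructed hostnames

def prove(key, nonce, origin=None):
    # Stand-in for "only the key holder can answer this challenge".
    msg = nonce if origin is None else f"{nonce}|{origin}"
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

class Server:
    def __init__(self, origin, keys):
        self.origin, self.keys, self.pending = origin, keys, {}

    def challenge(self, user):
        self.pending[user] = secrets.token_hex(16)  # fresh nonce per attempt
        return self.pending[user]

    def login(self, user, answer, origin_bound):
        nonce = self.pending.pop(user, None)  # each nonce is single-use
        if nonce is None:
            return None
        expected = prove(self.keys[user], nonce, self.origin if origin_bound else None)
        if not hmac.compare_digest(expected, answer):
            return None
        return secrets.token_hex(16)  # session cookie

def login_through(server, user, key, visited_origin, origin_bound):
    """The user answers the challenge shown by visited_origin. If that is not
    the real site, it forwards the live challenge and the user's answer
    unchanged and holds whatever session cookie the real server returns."""
    nonce = server.challenge(user)
    answer = prove(key, nonce, visited_origin if origin_bound else None)
    return server.login(user, answer, origin_bound)

def outcomes():
    key = secrets.token_bytes(32)
    server = Server(REAL, {"alice": key})
    return {
        (site, bound): login_through(server, "alice", key, site, bound) is not None
        for site in (REAL, LOOKALIKE) for bound in (False, True)
    }

if __name__ == "__main__":
    for (site, bound), ok in outcomes().items():
        print(f"visited={site:18} origin_bound={bound!s:5} session_issued={ok}")
```

A session is issued in the relayed, unbound case because the server cannot tell who carried the answer to it; only the origin-bound answer fails when it arrives via the lookalike host.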