A couple of weeks ago I was checking out the page source of the markets that survived Onymous. I don't code, but I have a basic understanding of web HTML / CSS etc. I didn't really expect to find anything interesting. Anyway, I was on Agora and found a string that for some reason looked interesting to me, so I googled it, thinking it was part of some open source GitHub code that I would find by googling it. I found this pastebin (rehosted and edited because it contains dox): http://paste2.org/J9gpGZgX
Wait, what? Is this actually the HTML source of boosie5150's vendor profile? Yes it is. It is the inbox of Boosie; save it as HTML and open it in your browser for easy viewing. The original pastebin was posted "By: a guest on Jun 7th, 2014" and it had been viewed about 170 times when I first opened it. The pastebin has made its way to multiple people by now, including the mods, so I thought I'd share it publicly. The pastebin also shows up on the 8th page if you Google the guy that didn't encrypt his details; I don't know whether the 170 hits are all people who knew what they were looking at or mostly bots.
Contents
The contents reveal quite a bit and show some pretty severe opsec mistakes. I tried to look up 2 of the buyers' profiles and found social media accounts, posts requesting free porn passwords, school sites etc. I don't understand why people think it's a smart idea to use a username that's already been used on a clearnet website, especially when it's a made-up username with only a couple of hits on Google, all of which are theirs.
You can also see that one of the 7 gram MDMA orders contains an unencrypted address: he put his address in plaintext and then the public key of boosie5150 after it (no words...). I looked him up; the guy has 2 prior arrests for possession of Cocaine, Crack Cocaine and MDMA and started using his middle name after these arrests, too bad he doesn't have a third name. He uses almost the same username on Twitter.
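To make that mistake concrete, here is an added check of my own (not code from Agora, the paste, or anyone in this post) that tells an armored PGP MESSAGE apart from a pasted public key block or bare plaintext before a note gets stored anywhere it could later be dumped. The sample notes are constructed placeholders.

```python
import re

# An ASCII-armored PGP block: the label after "BEGIN PGP" says what it is.
# Only "MESSAGE" is ciphertext; "PUBLIC KEY BLOCK" is just somebody's key.
ARMOR_RE = re.compile(
    r"-----BEGIN PGP ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END PGP \1-----",
    re.DOTALL,
)

def classify_note(note: str) -> dict:
    """Classify what a submitted note really contains.

    plaintext        no armored block at all
    leaks_plaintext  readable text sits outside the armored block(s)
    key_not_message  only key material was pasted, nothing is encrypted
    encrypted        the body is PGP MESSAGE block(s) and nothing else
    """
    kinds = [kind for kind, _body in ARMOR_RE.findall(note)]
    leftover = ARMOR_RE.sub("", note).strip()   # anything left is readable
    if not kinds:
        status = "plaintext"
    elif leftover:
        status = "leaks_plaintext"
    elif "MESSAGE" not in kinds:
        status = "key_not_message"
    else:
        status = "encrypted"
    return {"status": status, "blocks": kinds, "leftover_chars": len(leftover)}

def is_safe_to_store(note: str) -> bool:
    """True only when nothing readable would end up in a control panel dump."""
    return classify_note(note)["status"] == "encrypted"

# Constructed sample notes (placeholders, not data from the leaked paste).
ADDRESS_THEN_KEY = (
    "123 Example St, Springfield\n"
    "-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
    "Version: GnuPG v1\n\nmQENBFEXAMPLEKEYDATA\n=abcd\n"
    "-----END PGP PUBLIC KEY BLOCK-----\n"
)
PROPERLY_ENCRYPTED = (
    "-----BEGIN PGP MESSAGE-----\n\nhQEMAEXAMPLECIPHERTEXT\n=wxyz\n"
    "-----END PGP MESSAGE-----\n"
)

if __name__ == "__main__":
    for name, note in [("address+key", ADDRESS_THEN_KEY), ("encrypted", PROPERLY_ENCRYPTED)]:
        print(name, classify_note(note))
```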
The pastebin also gives some insight into turnover and the amount held in escrow: on June 6th Boosie had $89.72 in his wallet and $25,197.70 in escrow. I summed up all orders from June 5th, 22 orders totalling 5.27865919 BTC or $3,460.79 (with BTC price at $655.62). Pretty nice turnover for 1 day, huh?
How?
Now to the more important part: how did this happen? My first thought was that boosie5150 for some reason was in a rush and needed a quick way to save the addresses of the orders so he could look them up in another location later. Another option was boosie5150 being hacked, phished or otherwise having his account compromised; the attackers didn't get his PIN so couldn't steal from him (there was only $89.72 in cleared funds in it anyway), so they put up this paste and tried to blackmail him for some BTC. Well, I made a dummy account on Agora and contacted boosie (I also let him know that I was going to make a post on reddit):
boosie5150: Looks like their database got dumped somehow, I didn't have anything to do with this
me: it's not their database being dumped, this is the html source of your control panel. So someone who had access to your control panel posted this
boosie5150: Okay well nobody else has access to it, never has. And I realize it's my panel being dumped, but nobody has had access to my account and I have never had my account compromised. I'm sorry those people had their addresses leaked, but this is over 6 months old and I have never given someone the opportunity to access my account.
me: Could it have been you that uploaded it to pastebin for whatever reason and forgetting to remove it?
boosie5150: There is one person I think could have done it. My best friend is a programmer and he made me a program that exports the orders, converts them into .CSV format, changes the status of orders, etc. He may have uploaded this online for some purpose while he was making the program and forgot to delete it. I have texted him asking him and if it was him we will try to have it removed asap.
boosie5150: He says it wasn't him, very sure also.
me: Have you always used pgp auth for your account?
boosie5150: Yes.
me: Any chance you got phished? Or weak password or something? If not the only way this could've leaked was if Agora somehow got compromised. And if they were for some reason only your profile got leaked.
boosie5150: It's never been compromised and I also have 2fa enabled. I'm not sure how it happened but I know that's the only leak I could find and it was 3 months old. I also have since updated all my passwords and such since I noticed this.
Boosie denies ever being blackmailed; he also says he changed all his passwords and such after I made him aware of this. His PGP key is still the same, however:
pub 2048R/55FCA225 2014-04-07 [expires: 2019-04-06] uid lilboosie5150 <lilboosie5150@tor.com>
So eh... if it wasn't boosie5150 that posted the pastebin, what happened? If boosie5150 was compromised in June, they could have accessed his account from then until now. Boosie's account was PGP protected, so the only way they could log in is if there somehow is a phishing site that acts like some kind of gateway to Agora; as far as I know the known phishing sites are mirrors (could be wrong here). In any case, if they actually have his password and PGP private key they are sitting on a goldmine of dox from orders from at least June 5 until now. I am thinking this might be the case, since boosie5150 is positive he never got MITMed.
Boosie doesn't seem to have the best OPSEC: gambling on clearnet sites using the same username, showing his hand and room interior in product photos, giving his programmer friend full access to his account, etc. I have found multiple other clearnet accounts that could be boosie (I am aware that lilboosie is a rapper and know what 5150 means), none with personally identifiable information though (unless this is him).