ElHerbolario homepage

The takedown of three major Dark Web markets by law enforcement officials over the summer has driven many vendors of illegal products to set up their own shops that, in many cases, are not properly configured and are leaking the underlying server's IP address.

In case of Dark Web portals, leaking the real-world IP address means law enforcement can move in, seize the server, and possibly track down the illegal shop's owner and much of his clientele.

Researcher loves tracking down Dark Web portals

Over the past two months, one security researcher, in particular, has been quite efficient at finding Dark Web shops festering with criminal activity that are also leaking their real IPs.

Going online by the pseudonym of Sh1ttyKids, the researcher's latest victim is a cannabis-selling shop named ElHerbolario, which he tracked down to two Dutch IP addresses (188.209.52.177 and 185.61.138.73) that were being used by BlazingFast, a well-known bulletproof hosting company operating out of Ukraine.

With the information the researcher made public, Dutch authorities can now physically seize the server from the data center where that particular machine is running, analyze its data, track down customers, and share information with other law enforcement agencies across the world.

ElHerbolario clear web site

Two weeks before tracking down ElHerbolario, at the end of October, the researcher found an IP leak for the Italian Darknet Community (IDC), a hacking forum for Italian-speaking users.

According to the researcher, that IP address (176.123.10.203) led back to a web host in Moldova, which the researcher said he reported to authorities.

Drug portal exposed IP, database backups

Another case that Sh1ttyKids tracked down is of a Dark Web portal named "DrugStore by Stoned100," a site that was selling a large collection of illegal products such as amphetamine, ecstasy, hash, MDMA, sildenafil, weed, and even ransomware.

The site was running a vanilla WordPress install, leaked its IP, and even exposed database backup files, allowing access to copies of its database with one click.

Before DrugStore, the researcher told Bleeping Computer that he also tracked down a Dark Web portal that was selling performance-enhancing drugs to an IP address based in Ukraine (195.189.227.135).

Human error to blame in all cases

"It is the administrator's mistake that the IP is leaking," Sh1ttyKids told Bleeping Computer in a private conversation.

The researcher's assessment is dumbfounding if we take into account that there are dozens of automated server setup scripts that can install a web server configured for Tor-based usage, scripts that also strip out the information that can lead to IP leaks.

In all cases, the researcher used small details, like an SSH host key fingerprint exposed through the onion site, to track down the real-world server and its IP address using search engines like Shodan or Censys.
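The weakness described above boils down to a service that answers both on the onion address and on the server's public IP, so anything it reveals (an SSH host key, a server banner) can be matched between the two. The following self-audit script is an added example written for this article; it is not the researcher's tooling or any of the shops' configuration. It parses a constructed sample of `ss -ltn` output and a constructed torrc fragment, and flags listeners bound to non-loopback interfaces as well as onion ports that publish anything other than the web port (the `audit` function and its inputs are assumptions for illustration).

```python
"""Self-audit for an onion service host.

Two conditions are flagged:
  1. a daemon listening on 0.0.0.0 / :: (or a public address), which makes it
     reachable through the server's real IP as well as through Tor;
  2. a HiddenServicePort that forwards something other than the web port,
     e.g. SSH, whose host key can then be observed via the onion address.
"""
import re

# Constructed sample in the shape of `ss -H -ltn` output (not real data).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 511 127.0.0.1:9050 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
"""

# Constructed torrc fragment (not from any real deployment).
SAMPLE_TORRC = """\
HiddenServiceDir /var/lib/tor/shop/
HiddenServicePort 80 127.0.0.1:80
HiddenServicePort 22 127.0.0.1:22
"""

LOOPBACK = {"127.0.0.1", "::1"}


def parse_listeners(ss_output):
    """Return (address, port) tuples from ss -ltn style lines."""
    listeners = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        addr, _, port = parts[3].rpartition(":")  # local address column
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def non_loopback_listeners(listeners):
    """Sockets not bound to loopback are reachable on the clearnet IP."""
    return [(a, p) for a, p in listeners if a not in LOOPBACK]


def parse_hidden_service_ports(torrc):
    """Return (virtual_port, target) pairs from HiddenServicePort lines."""
    ports = []
    for line in torrc.splitlines():
        m = re.match(r"\s*HiddenServicePort\s+(\d+)\s+(\S+)", line)
        if m:
            ports.append((int(m.group(1)), m.group(2)))
    return ports


def target_is_local(target):
    """True if the forwarding target is a unix socket or a loopback address."""
    if target.startswith("unix:"):
        return True
    host, _, _ = target.rpartition(":")
    return host.strip("[]") in LOOPBACK


def audit(ss_output, torrc, allowed_virtual_ports=(80,)):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    for addr, port in non_loopback_listeners(parse_listeners(ss_output)):
        findings.append(f"listener {addr}:{port} is reachable on the clearnet IP")
    for vport, target in parse_hidden_service_ports(torrc):
        if vport not in allowed_virtual_ports:
            findings.append(
                f"onion publishes port {vport} -> {target}: a non-web service "
                "(e.g. SSH host key) becomes observable via the onion address"
            )
        if not target_is_local(target):
            findings.append(f"onion port {vport} forwards to non-local target {target}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SS, SAMPLE_TORRC):
        print("FINDING:", finding)
```

On the constructed sample the script reports the SSH daemon twice (IPv4 and IPv6 wildcard binds), the wildcard-bound database port, and the torrc line that publishes port 22 through the onion; the fix in each case is to bind the service to loopback (or a unix socket) and to publish only the web port.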

Big Dark Web markets takedowns have played a role

Sh1ttyKids' technique is simple and is easy to defend against by an experienced web server administrator. The catch is that none of the people running these newly set up (and IP-leaky) Dark Web portals are an "experienced web server administrator."

Most are former vendors who sold on services like AlphaBay, Hansa, or RAMP, all taken down in July 2017 by US, Dutch, and Russian authorities respectively.

Those three portals were run by experienced coders who provided a point-and-click interface for vendors to set up merchant profiles and sell their illegal products.

Once these markets went down, many of these vendors were left with stockpiles of product they had to sell and nowhere to sell it.

Some vendors moved to competitors like Dream Market, Valhalla, or Wall Street Market, others started selling products via Telegram channels or XMPP spam, but some decided to set up their own onion sites.

Without the proper skills to secure their shops, these latter crooks are now the easy prey of researchers investigating the Dark Web —like Sh1ttyKids— and law enforcement agencies, who for the past year have been prioritizing going after criminals active on the Dark Web and have far more time and resources on their hands compared to lone security professionals.
