Black Market Reloaded, a black market site that was gathering strength after the demise of Silk Road, closed and then re-opened this week following a security flaw that saw parts of its source code posted online. That leak wasn’t the result of FBI counter-intellience, underworld hackers, or devious hosting firms. When someone visited the site, it apparently just handed the source code over.
The founder of the site, nicknamed Backopy on the Black Market Reloaded (BMR) forum, originally pulled the site after finding its source code posted on a forum. They promised to get people their bitcoins back, and said that the site would have to be redeveloped following the leak. A day later, Backopy had a change of heart, reinstating the site at a different address.
Backopy originally posted a forum message informing the public that the site had been compromised. They explained that a virtual private server (VPS) had been used to host the site, and blamed the administrator of that server for stealing the site’s source code. That turned out to be wrong, following further posts from the people that put the code online.
A VPS is a virtualised operating system running on a larger physical server, which looks and feels like a dedicated computer server to a customer. Backopy found the index.php file of the BMR website (the code that delivers the website’s contents on browsers) posted by someone on an online forum.
“During these days I’d to commit [sic] the worse of the sins to get the site online; use a VPS! The VPS admin had stole the code and leaked it,” said Backopy in a post (accessible only via the Tor network). The message pointed to source code posted in an online forum, hosted as part of a site offering information about hidden services as part of the dark web.
But the person who posted the code in the forum linked to by Backopy denied that the virtual private server hosting firm had stolen the code. Rather, a glitch appeared to have rendered the code for the site, written in the PHP language, inexecutable for a short time, according to a post. That enabled the .php file to be downloaded rather than making it run and display a website on the page, which is what is meant to happen.
The person who posted the source code in the forum said:
“It was not our aim to bring BMR down, we just published the leak because if we had it, enforcement and private hackers could have it as well, trouble could arise if the leakage would have been exploited without people to know. We have no contact to anyone of the involved parties [sic], neither backopy nor VPS admin.”
Backopy later appeared to backtrack on the earlier statement. “I believe it to be true, probably the server load went so high that apache, unable to process anything, decided to simply handle the PHP code,” said a subsequent post. “I’ve to thank you to warn me about this and it’s something I’ll keep in my mind for future projects.”
Then, early Friday, Backopy popped up on the forum again.
“After reviewing my code over and over I came to realize that I can still put it back up. I know I’ll be facing now direct hits to secondary files, but they’re all well protected and even if the attacker gets the source won’t be able to do much other than look at it,” they said. “Unfortunately as I don’t know if the old certificate was compromised, I’ve to change BMR’s URL.”
What isn’t clear is whether Backopy could have done something to the .htaccess configuration file or some other part of the Apache server to stop it simply handing over the site’s source code in the first place. Regardless, none of this bodes well for the reputation of black market sites. BMR was one of the longest-standing and popular black market sites after Silk Road. With two heavy-hitter sites having bitten the dust due to basic operator errors, confidence in these systems will be shaken. One of the remaining sites is Sheep Market, although this has also come under criticism after someone claimed to have found the operator’s real IP.
[post-quote]
Much has been said of the black market sites’ proliferation after the death of Silk Road. The argument goes that where one falls, another ten will spring up. But if they’re all run by amateurs tripping over their own shoelaces, what does it matter?
“I honestly think the online black market could change into something far more local than Silk Road, the international giant,” said Thomas Kerin, developer of online anonymous marketplace engine BitWasp. “The pitfall with the current model is that it requires the postal system. If people used bitcoins to buy things, and were told a drop point, then the more local system would evolve.”
BitWasp is one of several black market engines that appear to be either proposed, or under active development. Designed for users to download and operate themselves, BitWasp can be set up to be accessible via the Tor network if users choose to operate it that way, explains founder Cameron Ruggles, although clearweb instantiations are certainly possible.
The development team is aware of the need for anonymity, although it focuses more on making it difficult to obtain information from a marketplace if seized. “We’re not putting a lot of effort into keeping it concealed right now,” said Kerin.
Information on a BitWasp-based marketplace can be configured to be purged after it hits a certain age, Kerin explains. BitWasp will use RSA encryption to protect its messages, based on a user PIN and a salt, hashed to produce a 2048-bit RSA key. It also includes Javascript encryption on the client side. This makes it difficult for messages to be read by an attack like SQL injection (see our mention of that here), unless there’s something more serious like an active attack while the user is logged in.
The software will include a rudimentary escrow feature, in which users top up an account. Funds will hang “in limbo” until a purchase is finalized (and an admin will step in to arbitrate where necessary). Kerin said:
“Eventually I’d like to change that to using a two of three signature transaction, making it truly impervious, but for now this will have to do.”
Currently-available features include a bitcoin topup/cashout system, and working transactions. The developer is working on a review system, and finishing up the code for dispute resolution, along with implementing more ways to back up wallets. The team hopes to release an alpha version in December.
In any case, the BMR community was highly supportive during the whole incident. “I’m very satisfied with how conservative and cautious you have been,” said one commenter. “You communicate well and I’m guessing that you’re on facebook and LinkedIn much less than my previous fearless leader ;-),” referring, presumably to Ross Ulbricht, the founder of Silk Road, who was indicted earlier this month.
“Keep it up Backopy, we appreciate your hard work and services, and even if it doesn’t work out we are still thankful for BMR when we had it,” said another.
Normal service has resumed, following a one-day period where Backopy prevented any bitcoin deposits as a safety measure.
What do you think about BMR? Do you trust it?