This post has a follow up — A look back on Crimewave’s “rotten onions” scamThe trust model on the dark web has always been pretty fractured.With random lists, wikis and brazen clearnet phishing sites, with so much money to be made ripping off darknet market visitors, it isn’t any surprise the scum of the darknet are incentivised to do so?Don’t forget to donate via Bitcoin!Back in the 2014’s the Onion Cloner was the premier script for duplicating sites and tampering with key fields such a forms and bitcoin addresses.Coupled with a little wiki-vandalism and a scammer could expect to find a steady stream of marks handing over their market credentials and bitcoins, without any legal or financial recourse.Despite some public-spirited user attempts to crash it, it represented a standard in darknet fraud.This is a cloned phishing login.Note how the form asks for the pin on login, it should only be on paymentSo prolific were the cloned sites, that when in November 2014 Operation Onymous saw 276 onions seized, it turns out that up to 153 of these were cloned sites or other scams.Of course dark web scams have not gone away since then, and nor will they any time soon and darknet markets with their high illegal bitcoin turn-over continue to be a popular target.So the latest tool on the scene is a tool called ‘Rotten Onions’ I found on a domain that laughably suggests people actually memorised onion domains.

Let’s take a look:~~~~~~~~~~~~~~~~~ ROTTEN ONIONS ~~~~~~~~~~~~~~~~~WHAT IS IT?Rotten Onions is an extension for mitmproxy made to launch MITM-like phishing attacks on darknet markets and bitcoin anonymizers for the purpose of stealing money from users who are too stupid to check that they’re on the right URL.It’s a bit of a spiritual successor to the infamous Onion Cloner, but unlike Onion Cloner, it doesn’t suck.~~WHAT DOES IT DO?The current features are as follows:* Functions properly on onion.link, onion.to, etc (which is only noteworthy because Onion Cloner did not)* Store login and registration data* Check account balances upon login (currently working on most but not all major DNMs and mixers)* Replace valid bitcoin addresses with attacker-owned bitcoin addresses* Alter withdrawal requests and send coins to attacker-owned bitcoin addresses* Thoroughly spoof HTTP headers to prevent detection and avoid most Tor-friendly CSRF protection methods* Store cookies and PHP sessions to bypass 2FA login protectionPlanned features:* Bypass Tor with Javascript + STUN server calls to harvest real IP addresses* Replace PGP keys with automatically generated lookalikes, then intercept messages encrypted with our malicious PGP keys, decrypt and store the messages, then encrypt the data with the original PGP key and pass it on to its intended destination~~HOW WELL DOES IT WORK?I’ve had a total of 11 malicious onion domains up since late January 2016, targeting 3 darknet markets and 2 bitcoin mixers.ethereum will surpass bitcoin

(I am not going to link to them, so please don’t ask me.)So far, I’ve stolen ~8.5 BTC.I plan to expand this attack to more markets and more mixers in the future though.~~WHO MADE IT?Crimewave, the owner of the indestructible castle in the sky~~~CAN I HAVE IT?If you want to buy the code, you can email me or contact me on XMPP with an offer.If you do decide to purchase it, I will include all future updates free of charge.btw op bitcoinsMy contact details and PGP key can be found in contact.txt.dogecoin carIf you send me anything that isn’t encrypted, I will ignore it and cease all communication with you.The features offered by Onion Cloner seems legit, however one specific claim to “Bypass Tor with Javascript + STUN server calls to harvest real IP addresses” seems highly suspect since only non-Tor users are affected by this vulnerability.I am going to hazard a guess that whilst ‘Crimewave’ did build, and may sell this tool, he’ll be a lot happier taking people’s bitcoins for nothing, as is the way of a scammer.Oh, but where can you find reliable onion sites and links?bitcoin mining i7 cpu

On the Wikipedia article ‘List of Tor Hidden Services’ of course, mostly populated by me.This post has a follow up — A look back on Crimewave’s “rotten onions” scamShareThe key to keeping your Bitcoin transactions from being traced back to you is preventing others from knowing which addresses are yours.If you’re trying to remain anonymous (or more precisely, pseudonymous) with Bitcoin, read on for the most common ways people’s true identities are forever associated with their Bitcoin addresses.litecoin price december 2013And try to avoid them.top 5 litecoin poolIt might also be worth checking out Using Bitcoin Anonymously for other best practices and pro tips.Who Knows Your Address: anyone on the internet Gary has received over 71 BTC to this address.This is a no-brainer and it’s the most common way ownership of a Bitcoin address is revealed.

Lots of folks on the internet publicly display a Bitcoin address with their name attached to it in hopes that others will send them bitcoins.A few examples: Writing a personal blog with your real name on it and posting a Bitcoin address for donations.Using your real identity on a forum and putting your Bitcoin address in the post signature.Launching a website with your Bitcoin address anywhere on it and registering the website’s domain name with your real name.Unfortunately, once published, this knowledge becomes available to anyone with an internet connection.Specific Bitcoin addresses are easy to lookup with a search engine.And thanks to things like Google Cache and The Way Back Machine, it will probably be like that forever.Who Knows Your Address: the exchange Nearly every exchange that handles national (fiat) currency is subject to money laundering regulations, making it necessary for customers to prove their identities by providing scans of their government IDs, bank statements, and utility bills.

Unless you can fake these types of documents, the exchange will know exactly who you are and will retain these records indefinitely.You’ll be associated with all incoming and outgoing Bitcoin transactions on your exchange account, which can indicate your ownership of any addresses related to those transactions.Who Knows Your Address: the merchant and/or payment processor Revealing who you are when you make purchase with Bitcoin can’t easily be avoided.The recipient of your Bitcoin payment can identify your sending address, plus any change address that your client sends extra bitcoins to.Unless you’re purchasing downloadable digital goods, you’ll usually need to provide a name and shipping address.If the merchant uses a payment processor like Coinbase or Bitpay, your sending address may not be revealed to the merchant, but the payment processor will certainly keep a log of the transaction’s details and your personal details.Who Knows Your Address: server administrators Thin clients don’t have a local copy of the block chain, so they query a single SPV server that does.

These queries reveal all the Bitcoin addresses that belong to your thin client, plus your IP address, to whomever operates the SPV server.While thin clients have the capability to mask which addresses are yours using bloom filters, most thin clients do not sufficiently utilize them.Hosted wallets have first hand knowledge of your Bitcoin addresses because your wallet resides on their servers.Any additional information you provide to them (such as phone number, location, or email address) can also offer clues to your true identity.Both of these types of wallets leak both your IP address and your addresses to third parties.Your IP address may not immediately reveal your true identity, but it can be used to help discover it.Who Knows Your Address: your internet service provider (ISP) Bitcoin does not have any built-in encryption when it comes to broadcasting transactions across it’s P2P network.When your client relays transactions over the network, they pass through your ISP’s gateway servers in plain text.

Your ISP can intercept and analyze this traffic, and then determine which of these transactions belong to your IP address (versus those transactions which you are only relaying).The transactions that belong to you will first appear on the network via your IP address, differentiating them from transactions that have already been propagated by other nodes.And then your IP address can be used by your ISP to lookup your personal identity — they have it on file from when you subscribed to their service.Using Bitcoin with an encrypted VPN or Tor can effectively mask your real IP address, helping to disassociate your Bitcoin traffic from you.Who Knows Your Address: anyone on the internet customer on a public forum, and then used his administrative privileges on Blockchain.info to lookup this person’s IP address, phone number, and other personal information using the customer’s Bitcoin address — all of which ended up being posted on the forum as well.Because the BitcoinStore accidentally refunded an extra $50 worth of bitcoins to the customer, and the customer didn’t return the extra coins.

Presumably, he felt posting the customer’s details would help identify the customer to other merchants… or maybe it was to just settle a score.The take-away here is that people with access to both your personal info and Bitcoin address can choose to publish them any time they please.Who Knows Your Address: anyone who takes your picture or cuts off your arm In early 2014, a man from Washington state had his public address tattooed onto his forearm in the form of a QR code.It’s not clear if he was ever able to get the QR code to scan (I couldn’t).But if it works, he’ll have a convenient way of getting paid in person with bitcoins.And it will be just as convenient for anyone who sees him in a short sleeve shirt to know exactly how much he has at that Bitcoin address.Even if the link between you and a Bitcoin address was only logged by a single merchant, server admin, or exchange owner, it might not always stay that way.Server records can be hacked and leaked onto the internet.