Newly-cropped up dark web markets, run by inexperienced cybercriminals, have reportedly been leaking their sites' real IP addresses. The exposure of real-world IP addresses of the servers hosting these sites could leave them vulnerable to being shut down by law enforcement authorities.
Since the historic take down of AlphaBay and Hansa – two of the most prominent dark web marketplaces – dark web communities are believed to have been devolving. Security experts believe that as larger dark web markets were shut down, some dark web vendors may have been forced to sell their illegal products by opening up their own markets.
"Similar to drug cartels, once you remove one threat actor or forum, rivals will immediately take its place," Andrei Barysevich, director at security firm Recorded Future, recently wrote in a blog. However, in this case, it appears that the new dark web markets replacing the more established ones are run by cybercriminals with limited coding skills.
Bleeping Computer reported that over the past two months, a security researcher going by the pseudonym Sh1ttyKids has been uncovering dark web markets by leaking their IPs. On Thursday, 16 November, the researcher blogged about uncovering a Dutch dark web market selling cannabis called "ElHerbolario". The researcher reportedly tracked the dark web site to two Dutch IP addresses, which were being hosted by a known Ukrainian-based bulletproof hosting firm BlazingFast.
Bleeping Computer reported that two weeks before tracking down the Dutch dark web shop, the researcher found that an Italian dark web forum – the Italian Darknet Community (IDC) – was also leaking its IP address. The researcher reportedly found that the IP led to a web host in Moldova, which he reported to the authorities.
The researcher found yet another dark web drugs market called "DrugStore by Stoned100", which sold a variety of illegal goods, including amphetamine, ecstasy, hash, MDMA, sildenafil, weed, and even ransomware.
It appears that human error is causing such leaks. "It is the administrator's mistake that the IP is leaking," Sh1ttyKids told Bleeping Computer.
The researcher's work indicates that the dark web infrastructure may be more vulnerable now than ever before. Although the recent closures of prominent dark web markets may have led to multiple newer markets cropping up, these markets may actually be easier to take down by law enforcement authorities.