Agora Dark Web market discovers suspicious activity on servers, pauses operations

Largest online black market temporarily goes offline

The Agora Dark Web market cited Tor Hidden Services security vulnerabilities that could allow de-anonymization attacks and temporarily shut down operations after detecting suspicious activity on its servers.

Agora, the largest online black market on the Dark Web, is temporarily shutting down in response to “vulnerabilities in the Tor Hidden Services protocol which could help to deanonymize server locations.”

MIT and Qatar Computing Research Institute published research in July, showing how to launch successful de-anonymization attacks as well as how to prevent them. The research showed that resources to pull off such attacks are “much lower than expected.” Agora added, “In our case, we do believe we have interested parties who possess such resources.”

After “discovering suspicious activity around our servers which led us to believe that some of the attacks described in the research could be going on,” Agora has chosen to “pause operations.”

“We have a solution in the works which will require big changes into our software stack which we believe will mitigate such problems, but unfortunately it will take time to implement,” Agora said via a statement on Reddit as well as Pastebin, announcing the temporary shutdown of its marketplace. “We decided to move servers once again, however this is only a temporary solution.”

“At this point, while we don't have a solution ready it would be unsafe to keep our users using the service, since they would be in jeopardy. Thus, and to our great sadness, we have to take the market offline for a while until we can develop a better solution. This is the best course of action for everyone involved.”

The research referenced by Agora involves a circuit fingerprinting technique that could determine with 99% accuracy whether a Tor circuit was being used as “an ordinary Web-browsing circuit, an introduction-point circuit, or a rendezvous-point circuit. Breaking Tor’s encryption wasn’t necessary.”

The researchers were able to passively pull off circuit fingerprinting. MIT reported:

“Furthermore, by using a Tor-enabled computer to connect to a range of different hidden services, they showed that a similar analysis of traffic patterns could identify those services with 88% accuracy. That means that an adversary who lucked into the position of guard for a computer hosting a hidden service, could, with 88% certainty, identify it as the service’s host.”

The Tor Project blog said the research was “a well-written paper.” The researchers’ proposed countermeasures to neutralize the attack were called “interesting” by a Tor spokesman; he added, “We need more concrete proof that these measures actually fix the issue.”

Agora apparently is done waiting and intends to take action to mitigate the problem. “We shall do our best to clear all outstanding orders and we ask all of you users who have money on their accounts, withdraw them as soon as possible, because we don't want to be responsible for it during the time when the market will be offline.” There “might be some delays in payouts, since many people are expected to withdraw money at the same time, but we intend to resolve any such issues in the end.”

“We advise you to use only destination bitcoin addresses that do not expire when you send money out from Agora, as the payments to them might get delayed,” continued Agora’s statement.

“While the market is offline, do not send any bitcoin to any of your deposit addresses on Agora. We do not guarantee the safety of any funds sent there.

“Vendors, we strongly advise you to abort any orders that haven't been sent out or processed yet, as we cannot guarantee what will happen with the orders in resolution. We shall try to resolve it on a case-by-case basis, but there might not be time to wait for orders that require long shipping times.

“We are going to handle the situation with the vendor bonds soon; we need some time to make sure that no one uses this as an opportunity to start scamming wildly.

“All of the market data will be kept intact and be available upon return, including all of the user history and profile data.”

Agora included its new PGP key which can be used to check the authenticity of its future messages.

After the Evolution Market exit scam, when Evo went poof along with million in bitcoins, Agora was credited with selling more products than any other online black market and was dubbed king of the Dark Net by Wired. Instead of seeming sketchy, the fact that Agora issued a statement before temporarily shutting down seems to ring of professionalism…something that is not often associated with the Dark Web portion of the Deep Web.

But not everyone is impressed or as optimistic about shoring up security. Matthew Green, a cryptography expert from Johns Hopkins University, tweeted, “I wouldn't trust a Tor hidden service farther than I could throw the server. Not in 2015.”

IBM researchers warn businesses to block Tor

Elsewhere regarding Tor, the IBM Security X-Force research team released its quarterly threat intelligence report (pdf); the researchers advised businesses to block Tor as the service is increasingly used by malicious actors.
