Spam message scams Bitcoins from darkweb marketplace users

Ray Walsh

June 17, 2015

Deep inside the dark web, on Tor anonymity servers, someone with a little imagination has devised a cunning and opportunistic scam for stealing Bitcoins from people as they go about their daily routine of attempting to purchase drugs, weapons, or both, at rock bottom prices.

Gone are the days when buying a fix of high grade, 90 percent pure Peruvian cocaine might get you mugged on a dark backstreet in the bad part of town, leaving you drugless, beaten up, and with no funds in your wallet.

These days, you do not even need to leave the comfort of your own lounge, where you could be sat relaxing, still in your jim-jams on a comfortable leather sofa, as you get robbed of your drug money – leaving you sad, empty, disappointed, drugless, and humiliated in front of your new girlfriend Rhiannon, and her hot friend Beth.

What we are talking about, of course, is the rampant online drugs trade that is the average deep web marketplace, and in particular one that has risen to popularity since the death of Silk Road.

The name of this site is Agora, and recently some users on reddit have gone on record warning others that a scam advert is redirecting users to a fake marketplace that promises skunk and grenades at even lower prices than Agora. Instead, what they get is a malicious bit of code that empties users’ funds from their account. Explaining how he got sucked into the scam himself, one redditor writes,

‘Got a message from user brandos on Agora about a new market. It doesn’t say the name or anything but the guy says he’s an old seller and started his own market.’

He then continues by explaining how the message builds confidence and intrigue by claiming that the new marketplace offers a first deposit bonus, 24 hour support, and is able to (thanks to close ties with sellers) offer discounts on products of ‘about 10%’.

This information, of course, is designed to lure the Agora user into clicking on the link at the bottom of the message, something that the redditor admits he was successfully fooled into doing.

On arrival at the link in the message, users are asked to turn on JavaScript (‘for verification process’), and are then given a vibrant and professional-looking page that invites them to enter the marketplace (Sydneed) by clicking on a button that says ‘I’m human’. This is a verification method that is sometimes used as an alternative to the common ‘CAPTCHA’.

For the naive, unsuspecting, and quite possibly stoned as a bat Agora shopper, this may all seem quite legitimate (or perhaps it is just the bait of cheap drugs hanging off the hook that does the trick!). Unfortunately, however, for any user that is fooled by the scam, turning on JavaScript is what sets them up for the fall. When they click the verification button, instead of arriving at the advertised new marketplace, multiple Agora tabs open – all of which try to empty Bitcoin funds from the user’s account.

‘Immediately after I clicked to open the page, tons of Agora tabs opened up saying “Unable to withdraw amount: 1.0000000”, “Unable to withdraw amount: 2.0000000”, etc. and there were like at least 20 pages with different amounts. 2.0, 0.5, etc. Luckily I had only like $20 in my account.’

The scam actually only works if the person who clicks on the link in the message is logged into their Agora account at the time. It would also appear that Agora has a security mechanism in place to stop very frequent Bitcoin transfers – which appears to have limited the severity of attacks.
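The behaviour described above (a third-party page firing withdrawal requests that ride the victim's logged-in session, slowed only by a limit on frequent transfers) is what a session-bound request token plus a withdrawal throttle defend against. The Python below is an added example, not Agora's code or the code obtained by Darknetmarkets; `WithdrawalGuard`, `csrf_token`, the 60-second interval and the session ID are all hypothetical.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (constructed)
MIN_INTERVAL = 60.0                   # assumed policy: one withdrawal per minute


def csrf_token(session_id: str) -> str:
    """Token bound to one session; embedded only in the site's own forms."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


class WithdrawalGuard:
    def __init__(self):
        self.last_ok = {}  # session_id -> time of last accepted withdrawal

    def check(self, session_id, form_token, now):
        """Return 'ok', or the reason the withdrawal request is refused."""
        # Another site can make the browser send the session cookie, but it
        # cannot read the token out of the marketplace's own withdrawal form.
        expected = csrf_token(session_id)
        if not form_token or not hmac.compare_digest(
                form_token.encode(), expected.encode()):
            return "bad-token"
        # Throttle: even genuine requests are limited in frequency.
        last = self.last_ok.get(session_id)
        if last is not None and now - last < MIN_INTERVAL:
            return "throttled"
        self.last_ok[session_id] = now
        return "ok"


def simulate():
    guard = WithdrawalGuard()
    sid = "constructed-session-id"  # constructed sample value
    # Constructed burst shaped like the one in the quote: about 20 tabs, each a
    # cookie-only request with no form token, one per second.
    forged = [guard.check(sid, None, now=float(i)) for i in range(20)]
    # The account owner then withdraws twice from the real form.
    genuine = guard.check(sid, csrf_token(sid), now=30.0)
    repeat = guard.check(sid, csrf_token(sid), now=40.0)
    return forged, genuine, repeat


if __name__ == "__main__":
    forged, genuine, repeat = simulate()
    print(set(forged), genuine, repeat)
```

Refused requests never update `last_ok`, so a forged burst cannot lock the real user out of their own withdrawal.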

Thomas White, a Tor hidden services developer, says the scam is very simply put together, and likely the work of an amateur. The code itself, which was obtained by Darknetmarkets, appears to have been copied and pasted from open source code site GitHub, and while it does have the ability to successfully rob Bitcoins (as demonstrated by the scammed reddit user), White explains that the code does not exploit a weakness in the Agora site,

‘This isn’t an exploit, it is closer to a kind of social engineering, since there is nothing in this that gets around security: the user is totally complicit in the process through ignorance of good security practices,’

One reddit user who is baffled that anybody would click on an unsolicited link in a message in their Agora mailbox writes,

‘People like you are idiots. Sorry, it has to be said.’

It is clear from reading further messages on the reddit page that others have also fallen prey to the scam. Luckily for those affected, however, it does not appear that anybody lost any substantial amount of money. Many, however, are complaining that the scam also changed their pin and password and has locked them out of Agora – something they appear to be desperate to rectify as soon as humanly possible. Cough, cough.
