ToRReZ Market is Retiring

ToRReZ Market is retiring, according to an announcement from the market’s administrators.

In October 2021, White House Market announced their retirement after a successful run. Less than two months later, ToRReZ Market, which launched as the “first community-driven market,” announced their retirement as well.

Mr. Blonde, the ToRReZ administrator who signed the farewell message, hinted at the possibility of a return in the future. In the message, the administrator warned against using established marketplaces; they said that markets grow closer to collapse as they age. Traditionally, retiring markets have suggested users migrate to certain “friendly” markets or equally well-established markets. Mr. White, the administrator of White House Market, encouraged users to migrate to Monopoly Market or Versus Market. He highlighted Monopoly Market’s walletless system and Versus' enforced multi-sig.

The message is available on the ToRReZ homepage. My demo account on the marketplace is “NickiMinaj.”

Unrelated Warning About Market Shutdowns

As with any market shutdown, there is a slim chance that law enforcement is controlling the entire narrative in a repeat of Operation Bayonet. Operation Bayonet, for newcomers, was a law enforcement operation in 2017 that thoroughly disrupted the darkweb market ecosystem. International law enforcement agencies collaborated to secretly take control of the second-largest marketplace at the time, Hansa Market. LEOs had taken control of the market’s servers and had posed as the market’s administrators for several weeks before the reveal.

The banners used for AlphaBay and Hansa

Investigators made subtle changes to Hansa Market in an attempt to identify careless vendors and customers. Last I checked, these methods by themselves resulted in very few arrests. Per Wikipedia:

  • All user passwords were recorded in plaintext (allowing police to log into other markets if users had re-used passwords).
  • Vendors and buyers would communicate via PGP-encrypted messages. However, the website provided a PGP encryption convenience feature which the police modified to record a plaintext copy.
  • The website’s automatic photo metadata removal tool was modified to record metadata (such as geolocation) before being stripped off by the website.
  • Police wiped the photo database, which enticed vendors to re-upload photos (now capturing metadata).
  • Multisignature bitcoin transactions were sabotaged, which at shutdown would allow police to confiscate a larger amount of illicit funds.
  • Police enticed users to download a Microsoft Excel file (disguised as a text file) that, when opened, would attempt to ping back to a police webserver and unmask the user’s IP address.

I have one of the .xlsx/.zip files somewhere provided by a former Hansa Market vendor. I will upload it for your viewing pleasure if I can find it.

The onion service deployed by LE after the Hansa bust.

Once law enforcement had set the stage at Hansa Market, other law enforcement agencies shut down AlphaBay Market, the largest marketplace at the time. They seized AlphaBay servers and arrested the alleged administrator, Alexandre Cazes, in Thailand. While in a jail in Thailand, Cazes hanged himself rather than spend his life behind bars in a U.S. prison.

As law enforcement had predicted, former users of AlphaBay flocked to the second-largest marketplace at the time: Hansa Market. Law enforcement had control of Hansa at this time and gathered as much information as they could. After several weeks had passed, law enforcement pulled the rug out from underneath Hansa users, replacing the marketplace with a seizure banner similar to the one used during the AlphaBay seizure.

Law enforcement operations targeting marketplaces, at least as we understand them, have not involved such intricate and dramatic steps since the AlphaBay and Hansa seizures. Law enforcement in the Netherlands knocked on hundreds of doors of alleged customers who had neglected to encrypt their addresses when completing a purchase on Hansa Market. However, the infiltration of Hansa Market resulted in very few instances of vendor deanonymization.

Why the warning is unrelated

Although ToRReZ is undoubtedly a large market by today’s standards, it is not the largest market nor is it the most well established. If law enforcement agencies were to attempt a repeat of Operation Bayonet, they would presumably seize the larger market first and push people to the smaller market second. ToRReZ, in their retirement message, explicitly encouraged users to move to a newer marketplace. All newer marketplaces are significantly smaller than the current well-established marketplaces.

The ToRReZ announcement

Below is the ToRReZ announcement.

Dear Users.

After 675 days of presence on the darknet, we have decided to close our door for good. Please read the following statement to understand the market’s closure process.

From 2021-12-17 certain functions of the market has been disabled: registering, upgrading to vendor account, purchasing, featured items auctions, support.

Market wallets are working fine and are ready to get your withdrawals requests. Because we use fully automated system, please be ready for queues when it comes to the withdraw. We especially expect the queue on XMR withdrawals (because of how XMR is built).

Market will be left online for at least two to three weeks until all orders are finalized and disputes are closed. We will review the disputes on the daily basis so you can withdraw your funds as quick as possible. Buyers and vendors - please work with us on your disputes. Please provide information about the package status. Do not be a dick to each other. We give you an opportunity to leave the market with your gear or funds so help us to achieve that. Vendors trying to use this opportunity to exit scam will be banned. We also share our vendor’s data with Recon.

If you forgot your mnemonic / pin / password / pgp - there is nothing we can do about it. If your deposit did not come - it is because you got phished and there is nothing we can do about it. If you paid for the order and it is not on the list - it is because you got phished and there is nothing we can do about it.

It has been a great pleasure to work with most vendors and users. We are aware that we leave quite a big gap in darknet markets but we hope most of you will find a new home. While choosing a new market, please use your common sense. I would personally avoid any “established” market as older they get, bigger chance of collapsing is. Please give a chance to the smaller markets, which are not that loud as others. This is exactly how we became no 1 - being quiet and doing our job, serving customers 24/7 for 675 fucking days.

While ToRReZ will be gone for good, we might (or not) come back at some stage with something different. The whole world goes green. Maybe we will join the trend at some stage ;] When we decide to be back, we will definitely sign the message with one of the known keys so watch out for any copycats.

If you have anything to say to me, you can use Dread’s system but I give no warranty that any of your messages will be read, not to mention that they will not get answered.

Thanks for supporting us. mrblonde

ToRReZ Market Team

--ToRReZ market news: yxuy5oau7nugw4kpb4lclrqdbixp3wvc4iuiad23ebyp2q3gx7rtrgqd.onion/news

Signed Message

The amazing thing is that currently, one of the “established” markets for general criminal activity is Dark0de, which was a new market taking loads of criticism not too long ago. Eventually, we will inevitably be in the same situation with only the strange reboot of AlphaBay remaining as an “established market.” Filtering specialty markets out of the search engine results, ToRReZ, Monopoly, Versus, and Dark0de lead. ToRReZ is technically still higher than all three but that will soon drop. However, these metrics can hardly be considered reliable traffic metrics; no sensible darkweb user searches Google to find the address of a darkweb marketplace. The majority of users who make more than a single purchase presumably bookmark the market’s address, this site, or Dark.Fail (or perhaps one of the many phishing clones of our sites). Additionally, just because someone searched Google for a site and visited Darknetlive as a result does not mean they stuck with the market they searched.

I have no analytics available for traffic metrics. No tracking whatsoever. Nginx access logs are disabled. I realize this is no longer the right way to eliminate error logging. Regardless, it should not matter over Tor as I am unable to identify different users.

With that said, I will upload something and an on-site PoC for fingerprinting users even with JavaScript off. Far from a novel concept but certainly something worth considering for those with less experience in this sector.