Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

The fascinating security model of dark web marketplaces - 1550

Evan Boehs - Posted 1 Year Ago
  • I personally have no idea how Dark Web marketplaces work outside of them using Tor. This seems to have some good insight into how it works. I also learned that Donald Trump plans on releasing Ross Ulbricht, the founder and convicted felon of the Silk Road.
  • JavaScript is not seen on modern Darknet websites. Why? Websites can be actively fingerprinted, regardless of Tor's efforts to prevent this. Not using JavaScript drastically reduces the attack surface. But how does a modern website even work without JavaScript?
  • Captcha uses a weird feature of the browser's input type that will send the X and Y coordinates that were clicked in the image. People also do some crazy things with CSS. Most of the complicated code is run server-side instead of client-side as a result.
  • The onion links are nasty to look at. So, phishing becomes even easier against non-tech-savvy users. This is particularly bad because there are multiple mirror links of the same website. To get around this, there are multiple points where you are forced to think critically about the decision you are about to make.
  • Messages are typically encrypted using PGP, which is registered at account creation. If a message needs to get sent to the user, such as for 2FA, it's done using PGP.
  • After a user is logged in, they are given a publicly accessible website link to access the "clearnet". Since these are more risky, a given group of authenticated users is given a unique mirror to make the URL private and unique. After a user makes a transaction, the pool is upgraded. I'm not super clear on the terminology here but it sounds like a lot of defense-in-depth measures.
  • Many websites have an integrated wallet. This way, you can send your funds in once and just use them on the provided account all the time. To prevent exit scams, it's typically a 2 out of 3 (user, vendor and market) multisig wallet. Once you want to buy something, you communicate the shipping details using the PGP key information.
  • Remaining perfectly anonymous is really hard. Things like language and region-specific writing, such as commas vs. decimals on large amounts, made it possible to narrow down the location of the operators.
  • Overall, an interesting look into the design and usage of a darknet site. Good write-up!
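
The JavaScript-free captcha described above relies on `<input type="image">`, which submits the click position as `name.x` and `name.y` form fields, so the whole check can run server-side. The sketch below is an added example, not code from the article or from any marketplace; the field names `captcha` and `challenge`, the target box, the 120-second lifetime and the in-memory store are all assumptions.

```python
import secrets
import time
from urllib.parse import parse_qs

# Markup the server would render (constructed). Clicking the image submits
# captcha.x and captcha.y alongside the hidden challenge id, with no script.
FORM = ('<form method="post"><input type="hidden" name="challenge" value="{cid}">'
        '<input type="image" name="captcha" src="/captcha/{cid}.png"></form>')

MAX_AGE = 120     # assumed challenge lifetime in seconds
_challenges = {}  # challenge id -> (target box, issued_at); stand-in for a session store


def issue_challenge(box, now=None):
    """Store the target box (x0, y0, x1, y1) server-side and return an opaque id."""
    cid = secrets.token_urlsafe(16)
    _challenges[cid] = (box, time.time() if now is None else now)
    return cid


def verify_click(form_body, now=None):
    """Validate a urlencoded POST body produced by the image input."""
    fields = parse_qs(form_body)
    cid = fields.get("challenge", [""])[0]
    # Single use: pop the challenge so a wrong guess or a replay cannot retry it.
    entry = _challenges.pop(cid, None)
    if entry is None:
        return False
    (x0, y0, x1, y1), issued = entry
    now = time.time() if now is None else now
    if now - issued > MAX_AGE:
        return False
    try:
        x = int(fields["captcha.x"][0])
        y = int(fields["captcha.y"][0])
    except (KeyError, ValueError):
        return False  # coordinates missing or not integers
    return x0 <= x <= x1 and y0 <= y <= y1
```

The target box never leaves the server, so the client only ever sees the image and an opaque id.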