In light of the $365,000 Bitcoin phishing scheme, I thought this conversation with the owner of Fresh Onions would be fitting. Fresh Onions is an open-source darknet market crawler and search engine. Unlike Grams, Fresh Onions crawls the darknet in its entirety and marks fake sites when possible.
An Interview with the Creator of a Darknet Search Engine
The timing worked well and _abruptdismissal_, the creator, gladly gave information on fake or cloned hidden services. With long addresses filled with seemingly random characters, darknet sites or hidden services provide excellent targets for phishers.
Phishing on the darknet
Users of darknet sites who keep bitcoin in the site’s wallets seemingly click market links from the least authoritative sources. Many are not aware of the general protocol following something as simple as a downed market. For instance, when a darknet market goes down for unannounced maintenance, new users frantically search the internet for mirror or alternate onion addresses. A phisher shines in this scenario: random links posted on Reddit get clicked by the same people who have not yet learned that keeping money on a darknet market is a bad idea.
About “Fresh Onions”
Fresh Onions is a website that displays a database of hidden services. The site, a hidden service itself, differs from basic hidden wikis for several reasons. Here are some facts (along with some intertwined features of Fresh Onions):
- It is not a hidden wiki;
- A spider re-checks every site in the database for uptime status every 1–3 hours;
- The spider re-checks inaccessible sites on a schedule that takes into account how many times the site has already been found inaccessible;
- Up sites are displayed in green, troublesome sites in orange, and likely down sites in red;
- He scrapes clearnet sites, including Pastebin, for .onion addresses to add to the database;
- If a link matches one on the /r/darknetmarkets superlist, it gets displayed with a [G]enuine label;
- And the opposite applies to [F]ake sites.
And the Features Listed on GitHub
- Crawls the darknet looking for new hidden services
- Finds hidden services from a number of clearnet sources
- Optional fulltext elasticsearch support
- Marks clone sites of the /r/darknet superlist (note: also gone. DNStats is a viable alternative.)
- Finds SSH fingerprints across hidden services
- Finds email addresses across hidden services
- Finds bitcoin addresses across hidden services
- Shows incoming / outgoing links to onion domains
- Up-to-date alive / dead hidden service status
- Search for “interesting” URL paths, useful 404 detection
- Automatic language detection
- Fuzzy clone detection (requires elasticsearch, more advanced than superlist clone detection)
- Doesn’t fuck around in general.
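As an added illustration (not Fresh Onions’ own code), here is a minimal version of the superlist and fuzzy clone checks: a crawled address is genuine if it is on the superlist, suspicious if it shares the cheap-to-forge vanity prefix with a listed address, and fake if its page, once onion and bitcoin addresses are masked out, is near-identical to the listed host’s page. The onion addresses, wallet strings and HTML are constructed placeholders, not real services.

```python
import difflib
import re

# Constructed superlist: one trusted address and the page it serves. These are
# placeholder values made up for this example, not real hidden services.
HOST_ADDR = "examplemkt2b4qzx.onion"
HOST_BTC = "1HostFunds" + "A" * 24
HOST_HTML = ('<title>Example Market - Login</title>'
             f'<form action="http://{HOST_ADDR}/login">user/pass</form>'
             f'<p>Deposit to {HOST_BTC}</p>')
SUPERLIST = {HOST_ADDR: HOST_HTML}

# Constructed clone: same page with the host address and wallet rewritten,
# the two substitutions a proxying clone makes on every response.
PARASITE_ADDR = "examplezz7fake33.onion"   # shares the first 6 chars
PARASITE_BTC = "1ParasiteFunds" + "B" * 20
PARASITE_HTML = (HOST_HTML.replace(HOST_ADDR, PARASITE_ADDR)
                 .replace(HOST_BTC, PARASITE_BTC))

ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b")
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
PREFIX_LEN = 6            # vanity generators cheaply match ~5-6 leading chars
SIMILARITY_THRESHOLD = 0.9

def normalise(html):
    """Mask onion and bitcoin addresses so a clone and its host compare equal."""
    return BTC_RE.sub("<btc>", ONION_RE.sub("<onion>", html))

def classify(addr, html, superlist=SUPERLIST):
    """Label a crawled hidden service: genuine / fake / suspicious / unknown."""
    if addr in superlist:
        return "genuine", ["address is on the superlist"]
    reasons, is_clone = [], False
    for host, host_html in superlist.items():
        if addr[:PREFIX_LEN] == host[:PREFIX_LEN]:
            reasons.append(f"shares prefix '{addr[:PREFIX_LEN]}' with {host}")
        ratio = difflib.SequenceMatcher(None, normalise(host_html),
                                        normalise(html)).ratio()
        if ratio >= SIMILARITY_THRESHOLD:
            is_clone = True
            reasons.append(f"content is {ratio:.2f} similar to {host}")
            if set(BTC_RE.findall(html)) != set(BTC_RE.findall(host_html)):
                reasons.append("bitcoin addresses differ from the host page")
    verdict = "fake" if is_clone else ("suspicious" if reasons else "unknown")
    return verdict, reasons

if __name__ == "__main__":
    for addr, html in [(HOST_ADDR, HOST_HTML), (PARASITE_ADDR, PARASITE_HTML)]:
        print(addr, *classify(addr, html))
```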
Abruptdismissal also removes CP and related material, when possible. He mentioned this on Reddit:
yeah so I actually try and do that, via a fairly primitive method unfortunately. I have a list of banned words and if a site has one of those banned words in the title, it gets banned and is not shown in the list. Also, you can’t search for the banned words either.
there are currently 108 banned sites :(
if you can think of a better way that doesn’t involve me manually verifying every site I’m definitely interested.
I reached out and spoke with him about a topic of his interest. He chose cloned .onion sites. Perfect choice.
As technical scams go, this must be one of the simplest, and, at least anecdotally, one of the most effective. You build an automated tool. This tool takes an onion address. We’ll call this the “host”. It then runs an onion vanity tool (such as “scallion”) to generate an address that is substantially similar, at least in the first five or six characters. Let’s name this address the “parasite”.
Now, once you have your target host and your parasite address, you spin up a hidden service on the parasite. This hidden service essentially acts as a proxy to the host. Any request a victim makes to the parasite, the parasite makes to the host and returns the exact same content. Well, almost exactly the same. Financial freedom is just a few short regexes away. As the response comes back from the web server you change a few things. Replace all references to the host address with that of the parasite. Alter any cryptocurrency addresses to ones you control. Log any login forms.
So let’s say you run this tool against a popular darknet market.
On spreading fake onion addresses
Then you take your parasite address and paste it round a few forums. Maybe go and subtly update the hidden wiki with the “new” Alphabay onion address. Some sucker hasn’t bookmarked the Alphabay address, so they go to the hidden wiki and click on the link there. Then they log in to the site… your site… and bingo! You have their creds. Maybe they decide to transfer some bitcoins into their account… uh oh! That’s actually your account.
Obviously there’s a bit of an outlay involved to create (or buy) the tool in the first place, but from then on out it’s pure economies of scale baby. Aside from needing to spread the URL of your parasite around, it’s almost fire and forget. To give you some idea of the scale of the problem, AlphaBay alone has around 350 clones. I use the natural language processing from http://www.automatingosint.com/blog/2016/09/dark-web-osint-part-four-using-scikit-learn-to-find-hidden-service-clones/ to detect clones of darknet market sites and automatically mark them as fake. During the five months I’ve been running the “Fresh Onions” tor directory, I’ve found over 4000.
“The moral of the story is: always make sure you get the link for a darknet market from a trusted source.”
Want to run your own Fresh Onions instance? Check out the source on GitHub.