WEBVTT

00:00.110 --> 00:02.690
What's up, everyone? So today we're talking about

00:03.430 --> 00:07.810
Phantasma Market, which was a liability and a failure

00:08.590 --> 00:10.270
pretty much from the get-go.

00:10.710 --> 00:12.230
Failure! You're still a failure!

00:12.730 --> 00:15.210
Failure! I can smell the failure!

00:15.610 --> 00:17.990
Like the minute it had launched and

00:18.590 --> 00:20.610
basically I'm talking about their

00:21.510 --> 00:26.210
name as well as their branding ability because it's a really stupid name.

00:26.940 --> 00:34.130
It sounds like it was invented by a 12-year-old who thought that that would be a cool name for a market.

00:34.890 --> 00:38.430
Now, on a kind of more serious note, these

00:38.430 --> 00:45.570
morons decided to launch a market with a clear-net IP address and a

00:46.000 --> 00:53.870
$99 re-skinned silk road template, which makes total sense. It's kind of worse than lazy.

00:53.870 --> 00:58.570
It's just an operation that is going to get people arrested.

00:58.930 --> 01:01.670
That's how it works when you make these dumb markets.

01:01.930 --> 01:08.090
And like if you're watching this and you've never like set up a dark-net market before like everyone else or done that working or

01:08.090 --> 01:15.370
dealt with any kind of infrastructure whatsoever and know nothing about the back-end or the middle-tier or the front-end

01:15.370 --> 01:19.970
in regards to like development or about infosec or

01:19.970 --> 01:24.910
opsec and like just went out and set up a like dark-net market.

01:25.250 --> 01:28.370
Something like this would probably be the result of that.

01:28.610 --> 01:36.450
But you would also have to add in that factor of just not caring and just a pinch of reckless disregard like with it.

01:36.610 --> 01:39.930
So yeah, yeah, it's really bad. The most damning mistake

01:40.510 --> 01:47.210
was pretty immediate. HugBunter discovered Phantasma's clear-net IP within minutes of actually visiting the site.

01:47.210 --> 01:52.290
This wasn't actually the result of like phishing or Shodan or something like advanced

01:52.290 --> 02:01.890
recon or OSINT on his part. It was just there. Visible to the public, kind of like an apple at the bottom branch like

02:01.890 --> 02:08.790
aka low hanging fruit. Now, this is the same fruit that law enforcement absolutely loves.

02:09.230 --> 02:15.390
It appears that the dark-net market admin by default was in some part actually

02:15.390 --> 02:18.910
kind of trying to like give his market away to law enforcement.

02:19.290 --> 02:25.790
The server was serving the hidden service directly from a clear-net IP address.

02:26.830 --> 02:32.530
Yeah, if that makes sense without any attempt to route it like solely through Tor.

02:32.910 --> 02:36.250
That's the equivalent of a dark-net market basically

02:37.010 --> 02:41.530
doxing itself before they even start like on day one.

02:41.530 --> 02:47.530
HugBunter described it as a quote, an extremely poor and basic server set up.

02:47.810 --> 02:52.070
And obviously this is an incredible understatement.

02:52.210 --> 02:55.590
I have absolutely no doubt that he could have been much more brutal

02:56.270 --> 02:59.810
in his actual critical assertion of this market.

03:00.090 --> 03:03.950
Like one thing I'll give him is that he's definitely a fairly classy guy.

03:04.110 --> 03:11.090
Tends not to completely unleash in certain cases like this when he probably could.

03:11.530 --> 03:16.470
I, however, am not, so I will. If I were to give a comparison for this,

03:16.530 --> 03:20.290
it would be that when your clear net IP is visible,

03:20.530 --> 03:22.470
your location is visible, right?

03:22.590 --> 03:23.950
Your infrastructure is visible.

03:24.610 --> 03:26.210
Your users are visible,

03:26.250 --> 03:31.190
especially if you're connecting without advanced protections at all.

03:31.370 --> 03:34.550
They're also vulnerable to things like traffic

03:34.550 --> 03:39.710
correlation, timing attacks, passive monitoring and potential subpoenas

03:39.710 --> 03:42.050
to hosting providers because of that.

03:42.650 --> 03:46.210
So you're not just risking like your own freedom as an admin.

03:46.650 --> 03:49.610
You're also dragging every buyer and vendor down with you.

03:49.830 --> 03:54.610
And this is why people who set up markets and don't actually know

03:54.610 --> 03:58.370
what they're really doing are by far some of the most ignorant

03:58.370 --> 04:03.950
and really dangerous people that are in the sphere of the dark-net markets.

04:04.210 --> 04:08.270
And this like wasn't even like their only mistake.

04:08.270 --> 04:10.710
The entire back end was built on recycled,

04:11.970 --> 04:14.970
unmodified $99 marketplace script,

04:15.870 --> 04:19.410
a known template which was filled with vulnerabilities,

04:19.770 --> 04:21.230
backdoors and logical flaws.

04:21.530 --> 04:24.610
It was actually confirmed to be one of the old ECMAR scripts

04:24.610 --> 04:28.250
which have been floating around the clear net forums for years.

04:28.650 --> 04:31.010
And you see scam circles use these as well.

04:31.070 --> 04:34.250
But the scripts are infamous for being easy to deploy

04:34.250 --> 04:36.470
and even easier to compromise.

04:36.930 --> 04:39.570
Essentially, you could basically just run this

04:39.570 --> 04:42.130
and more or less you have a market set up.

04:42.430 --> 04:45.070
Don't do it. It's a horrible thing to do, massive risk.

04:45.190 --> 04:47.490
But I know some of you have thought that this is a good idea

04:47.990 --> 04:50.730
because I've talked to some of you through email about this.

04:50.990 --> 04:55.210
And I would say this is by far one of the worst things that you can do.

04:55.570 --> 05:00.310
Again, not only does this expose you to the potential targeting

05:00.870 --> 05:03.030
by law enforcement, for which if you're caught,

05:03.170 --> 05:05.230
you could possibly get a life sentence, right?

05:05.230 --> 05:08.790
If they charge you with continuing criminal enterprise.

05:09.070 --> 05:11.970
But at the least you'd be looking at like 10 years in federal prison.

05:12.410 --> 05:15.250
And that's if everything goes really good for you.

05:15.530 --> 05:18.610
But on top of that, you're also jeopardizing a ton of other people.

05:18.970 --> 05:21.010
It's cool not to care about yourself

05:21.010 --> 05:24.110
and have a kind of a laissez-faire attitude about that kind of stuff.

05:24.990 --> 05:27.330
I mean, you have that prerogative as an individual

05:27.330 --> 05:29.330
who isn't actually owned by anyone else.

05:29.450 --> 05:33.910
However, my real main issue and main contention kind of comes

05:34.460 --> 05:37.950
when you start to jeopardize everyone else's safety and security

05:37.950 --> 05:42.950
because of laziness or incompetence or just lack of understanding.

05:43.510 --> 05:48.190
Now, the admin didn't even try to secure anything on the site.

05:48.250 --> 05:52.870
They openly admitted they were using the Silk Road theme as a tribute to Ross.

05:53.210 --> 05:56.910
claiming it was meant to reflect his values.

05:57.270 --> 06:02.070
But instead of actually honoring Ross, they insulted his legacy

06:02.070 --> 06:05.750
by launching something that was so insecure, unstable

06:05.750 --> 06:08.450
and really unserious at the end of the day.

06:08.630 --> 06:13.410
The script was the same ECMAR base that's been around for years,

06:13.590 --> 06:17.030
known by everyone in the scene to be riddled with backdoors

06:17.030 --> 06:18.450
and lazy coding, basically.

06:19.030 --> 06:23.610
Duck Egg even commented saying, old Silk Road script.

06:24.090 --> 06:26.270
Why not just design a new one from scratch?

06:26.870 --> 06:28.210
The design is awful.

06:28.810 --> 06:33.150
HugBunter emphasized the issue wasn't using the pre-built script,

06:33.670 --> 06:38.390
but instead failing to actually customize, harden and actually audit it.

06:38.650 --> 06:40.190
And that's exactly what happened here.

06:40.570 --> 06:43.350
They just launched it raw and exposed.

06:44.130 --> 06:49.650
So when it was banned from Dread for the IP leak, the admin pulled a

06:50.610 --> 06:52.130
kind of a textbook move.

06:52.590 --> 06:57.710
They created a new Dread account and basically reposted the exact same market

06:58.210 --> 06:59.250
like nothing had happened.

06:59.870 --> 07:03.270
Now, the new account was like 56 minutes old.

07:03.810 --> 07:06.410
And the intent was obvious here.

07:06.570 --> 07:07.990
It was called reputation laundering.

07:08.430 --> 07:12.430
And that's when you basically reset your public image.

07:12.810 --> 07:16.510
You bury the past and try to attract new users who

07:17.470 --> 07:20.510
aren't as aware of the disaster, right?

07:20.890 --> 07:24.210
Wikipedia holds the term as something that occurs when a person

07:24.210 --> 07:27.550
or an organization conceals unethical, corrupt

07:27.550 --> 07:31.570
or criminal behavior or other forms of controversy

07:31.570 --> 07:35.750
by performing highly visible positive actions with the intent

07:35.750 --> 07:38.690
to improve their reputation and obscure their history.

07:39.470 --> 07:44.350
So reputation laundering can include gestures such as donating

07:44.350 --> 07:49.550
to charities, sponsoring sports teams or joining prominent associations.

07:50.190 --> 07:53.530
Obviously, in this case, they didn't do any of that.

07:53.530 --> 07:54.970
In fact, they didn't

07:55.590 --> 08:01.410
do really absolutely anything to benefit anyone besides themselves.

08:02.250 --> 08:07.190
So that didn't really matter, though, because users like UK

08:07.190 --> 08:12.190
Peng and going to go for it immediately noticed calling it out

08:12.190 --> 08:13.010
in the comments.

08:13.270 --> 08:16.250
And another user, Hourglass, who we've talked about on this

08:16.250 --> 08:20.130
channel a couple of times, pointed out that it was a blatant

08:20.130 --> 08:22.170
reputation reset tactic.

08:22.610 --> 08:23.710
So there was that.

08:24.250 --> 08:28.370
The same admin had previously demanded to be made a moderator

08:29.010 --> 08:31.530
of the new market's subreddit.

08:31.770 --> 08:35.570
And HugBunter cited this in a post referring to the market

08:35.570 --> 08:40.930
admin when he said, quote, one was already banned from new markets

08:40.930 --> 08:46.270
and throwing a tantrum and demanding to be made a mod of it instead.

08:47.210 --> 08:48.090
So it's banned.

08:48.430 --> 08:50.750
And he's like, make me a mod flipping out that he's on a

08:50.750 --> 08:52.810
absolutely no sense.

08:53.150 --> 08:58.430
They had no credibility, no technical skills, no track record whatsoever.

08:58.970 --> 09:01.930
And they thought like somehow they're entitled to dictate how

09:01.930 --> 09:03.490
other markets got listed.

09:03.830 --> 09:05.570
It's just beyond stupidity.

09:05.990 --> 09:09.410
The entitlement alone, though, really should have raised red flags.

09:09.770 --> 09:13.350
And instead of focusing on actually fixing their catastrophic

09:13.350 --> 09:17.810
security and PR issues that they were having, they started

09:17.810 --> 09:21.290
throwing tantrums like a 12-year-old would and kind of begging

09:21.290 --> 09:24.050
for influence from everyone else that was there.

09:24.490 --> 09:27.770
Technically, the site was a mess also, right?

09:27.890 --> 09:29.630
It wasn't just physically.

09:30.310 --> 09:33.230
Multiple users actually reported issues, broken security,

09:33.590 --> 09:38.270
forms, slow load times, poor UX and heavy front bloat.

09:38.810 --> 09:41.510
There was no effort to actually streamline and secure anything

09:41.510 --> 09:43.530
from top to bottom.

09:43.530 --> 09:49.750
It just looked like complete boilerplate mess deployed by

09:49.750 --> 09:53.750
someone who didn't even understand how PHP sessions or CSRF

09:53.750 --> 09:55.390
tokens actually work.

09:55.750 --> 09:58.610
Now, keep in mind the risks that are actually posed by

09:58.610 --> 10:02.150
markets like this aren't actually theoretical.

10:02.870 --> 10:04.830
They're very much operational.

10:05.370 --> 10:10.450
When a market leaks its clear net IP and fails to isolate

10:10.450 --> 10:13.850
services or runs unpatched public facing infrastructure,

10:14.190 --> 10:18.250
it gives law enforcement and hostile actors a very easy

10:18.250 --> 10:21.110
path to correlation and compromise.

10:21.810 --> 10:25.310
So just like many law enforcement agencies depend on

10:25.310 --> 10:29.390
informants and because of that have become subpar

10:29.390 --> 10:33.570
at investigation abilities, many of the investigating agencies

10:33.570 --> 10:37.050
that end up taking down dark net markets also rely on

10:37.050 --> 10:41.030
really stupid opsec mistakes that the dark net market

10:41.030 --> 10:44.050
admins make. And this is why when a market is taken down,

10:44.250 --> 10:46.530
it makes international news, right?

10:47.010 --> 10:50.650
Like it's like law enforcement is screaming from the roofs

10:50.650 --> 10:53.010
like a four year old, look what I did, daddy.

10:53.670 --> 10:56.010
And I brought this up before because it's just it's

10:56.010 --> 10:56.930
annoying to see every day.

10:57.090 --> 10:59.470
But basically, earlier, I was saying, was it just theoretical?

10:59.990 --> 11:00.770
I could back that up.

11:01.030 --> 11:03.830
It's exactly what happened with Alpha Bay, where early

11:03.830 --> 11:07.250
server misconfigurations allowed the Tor service to

11:07.250 --> 11:10.730
basically be correlated with a clear net IP, ultimately

11:10.730 --> 11:12.210
identifying the operator.

11:12.790 --> 11:17.190
Now, before anyone jumps in and claims it was the email address

11:17.190 --> 11:20.490
that got him caught, read the actual indictment.

11:20.990 --> 11:23.890
The US Department of Justice clearly states that

11:23.890 --> 11:28.750
law enforcement first identified the clear net IP hosting the market.

11:28.950 --> 11:32.270
That IP was registered to a Canadian company,

11:32.830 --> 11:34.510
which was tied to the actual admin.

11:35.450 --> 11:39.590
Now, only after they had that infrastructure did they actually

11:39.590 --> 11:44.830
connect his reused Gmail and LinkedIn accounts as corroborating evidence.

11:45.310 --> 11:47.090
Now, the email didn't expose him.

11:47.730 --> 11:51.710
The exposed server actually did that.

11:52.550 --> 11:55.970
Like, and you can verify this yourself in the 2007 Department

11:55.970 --> 11:58.470
of Justice complaint that actually exists.

11:58.470 --> 12:02.510
The IP comes first and then the email comes second.

12:02.910 --> 12:06.250
Hey, now I'm getting a little off track and then distracting myself

12:06.250 --> 12:07.350
from the actual point of this.

12:07.530 --> 12:13.030
But markets like this one basically repeat the same fatal mistake.

12:13.170 --> 12:16.710
And that's hosting their own nodes, but not knowing how to actually do it.

12:17.050 --> 12:20.870
Hosting the application server and often Elasticsearch.

12:21.230 --> 12:25.550
Or whatever the search thing is, all on a single exposed box.

12:25.550 --> 12:30.150
And any part of that stack actually responds to clear net queries.

12:30.370 --> 12:34.290
It creates a pivot point that traffic correlation becomes trivial.

12:34.630 --> 12:39.870
If ingress and egress paths are visible on the same physical host.

12:40.050 --> 12:46.530
So add that back end logic that was actually left in development mode,

12:47.110 --> 12:51.270
which is yet like another brilliant move by the Internet admins

12:51.890 --> 12:54.130
and the verbose error messages.

12:54.130 --> 12:57.270
So you can give extra information away for free.

12:57.530 --> 13:00.690
That detail to every little thing, along with the stripped headers

13:00.690 --> 13:03.050
or exposed debugging endpoints.

13:03.570 --> 13:06.830
The attack surface just multiplies exponentially.

13:07.490 --> 13:10.430
And every user basically assumed anonymity

13:10.430 --> 13:13.950
that the infrastructure couldn't technically deliver.

13:14.370 --> 13:17.230
Now, HugBunter had actually banned them from Dread,

13:17.230 --> 13:19.930
stating clearly that he wouldn't allow such a threat

13:19.930 --> 13:22.630
to actually remain active on the platform.

13:22.630 --> 13:25.090
And again, like I said before, it makes sense.

13:25.630 --> 13:30.470
He pretty much made it plain that law enforcement or anyone else

13:30.470 --> 13:33.610
with bad intentions could exploit that kind of negligence

13:33.610 --> 13:37.510
that they displayed in ways that would absolutely hurt the community.

13:37.670 --> 13:42.090
He also called out the admin's kind of an erratic behavior

13:42.750 --> 13:47.310
that they were childishly freaking out about instead of actually paying

13:47.310 --> 13:50.230
attention and listening to the feedback that was given

13:50.230 --> 13:51.590
or fixing the issues.

13:52.170 --> 13:54.330
And that's the right move, right?

13:54.470 --> 13:55.870
Like this is in 2012.

13:56.190 --> 13:57.430
These aren't rookie mistakes.

13:57.890 --> 13:58.810
We have use cases.

13:58.990 --> 14:01.010
We can look at prior engagements

14:01.010 --> 14:02.990
and figure out what best practices are.

14:03.430 --> 14:05.550
And so these are mistakes that should be happening.

14:05.790 --> 14:08.170
If I had to define this market in summary,

14:08.650 --> 14:13.890
like one term, I guess, I would say it was a factory failure, right?

14:14.690 --> 14:17.030
Like the admin was absolutely reckless.

14:17.370 --> 14:19.050
The infrastructure was negligent.

14:19.050 --> 14:22.190
The script was outdated and insecure.

14:22.630 --> 14:25.410
The entire launch just showed a complete disconnect

14:25.910 --> 14:28.510
from running a dark-net market.

14:28.990 --> 14:30.790
And like any of the actual discipline

14:30.790 --> 14:33.150
that that actually requires or entails.

14:33.510 --> 14:36.310
And this should be a warning to the community overall

14:36.310 --> 14:39.690
to avoid anything that uses recycled scripts

14:39.690 --> 14:43.070
and avoid admins who can't handle criticism,

14:43.350 --> 14:47.130
even though there are some top admins to this day

14:47.130 --> 14:48.610
who are exactly like that.

14:48.610 --> 14:53.570
Avoid platforms that claim to value anonymity and privacy

14:53.570 --> 14:57.710
while leaking their own infrastructure or name dropping.

14:58.110 --> 14:58.610
That happens too.

14:58.910 --> 15:01.510
If you see a market like this one

15:01.510 --> 15:03.690
reappear under a different name,

15:04.430 --> 15:07.430
treat it like a trap because in retrospect,

15:07.850 --> 15:09.630
that's what it actually is.

15:10.270 --> 15:12.410
Thank you for watching and I'll see you in the next video.

