Remember our recent posts about the demise of Flomarket due to a hack / scam? Sure you do. If not, you can check out these posts:
The post announcing the shutdown of Flomarket: Flomarket: Aaaan’d its gone! (With your BTC)
The post reporting the withdrawal issues: Warning: Reports Of FloMarket Possible Scam / Hack
As you probably saw in the shutdown post, the admin claimed that the market was hacked and left his Torchat ID:
So we teamed up with a great Reddit user by the name of Gabralkhan, whom you probably know from the DarknetMarkets subreddit and who also conducted the Reddit investigation into the Tormarket / BMR / Sheep hacker. He took the initiative, contacted the FloMarket admin and offered him an interview to tell his side of the story. The interview covers different topics about darknet markets and being the owner of a hidden marketplace who lost it all, and it gives a rare insight into a market owner’s point of view on the events that led to the closure of Flomarket.
We of course cannot back up any of the things he says; we can only prove that it really is the admin, by:
Proof 1#: Tor Chat window showing the same Torchat ID listed at the shutdown notice, confirming he had done this interview with us:
Proof 2#: Just navigate to the Ex Flomarket Url here: http://fmkt3wixc772jxyj.onion/
And there should be a notice telling that this interview happened and linking to our article:
Whether you believe him or not is for you to decide. We doubt that a low-life scammer would have taken the time to conduct 3 interviews over 3 days in order to tell his side. Either way, this is an interesting document from a different point of view, showing the money-wise incentive everyone had after the demise of Silk Road to start new markets, and the risks involved in operating them. We bring you the chat logs as they are, unedited; only personal information that he provided and some other personal parts of the chat were removed.
Myself = Gabralkhan
Flole = The market Admin.
The three hard questions that everyone wants answered:
myself : 1st question : Why didn’t you put a warning on the site just after the hack ?
Flole : I hoped that the hacker was an honest vendor and would send back the money. So I didn’t want to cause useless panic when there was no real problem. When I lost communication with the hacker, I decided to take the site offline, because at that time it was a real problem.
myself : 2nd question : Why didn’t you hide the deposit addresses on FM after the hack, even with a possible technical issue announcement, to be sure any deposits could be made?
Flole : I was full of hope that I would get the money back, so I didn’t want to cause useless panic and decided to let it run, but I distinguished between bitcoins deposited before and after, so I would have been able to send “new” money back to its owners…
myself: Why did you keep the hack details secret after the hack and until now for this interview ?
Flole : I thought no one was interested in it. I wanted to give a short explanation and not write a book about the hack. I was also very depressed, so I decided to no longer think about it.
1st part : Presentation.
myself : how are you related to FM?
Flole : I am the admin, developer and supporter of the site. No one except me has ever seen the site source code. No one else has ever seen the database.
myself : Were you the only person supporting the project of FM?
Flole : not really, there has been a vendor promoting the site for “first-page-listings”
myself : Who are you in real life, personally and professionally ?
Flole : I have developed software for some people, but I never did it professionally. I did it just as hobby, and I learned all programming skills as hobby.
Flole : Personally I am a 15 year old pupil, living in EU, who has fun developing software. I am doing it for several years now.
Flole : As a side note I can add that I have never tried any drugs, never smoked cigarettes and never drunk alcohol.
myself : How did you end up developing and administering a DarkMarket? And why? What were you expecting from it?
Flole : I saw that silkroad had been seized and I thought there should be something replacing it (Silkroad 2.0 was faster). I had read that backopy, admin of BMR, made 440.000$ per day, so I thought: sounds interesting. I mainly expected money and fun from it. I wanted to buy expensive DJ equipment, so I started the site.
Flole : I was very concerned about support. I tried to be as available as I could, connecting several times every day to solve problems. That’s also the reason why I added a Live Chat function.
2nd part : FloMarket
myself : Can you give us a brief timeline of FloMarket’s development and activity?
Flole : Development started in October 2013 when silkroad was closed. Originally I wanted to start on the 1.1.2014, but I thought the BMR shutdown could be a good start, so I tried to start when they shut down in December 2013. Nearly a month later, on the 28. December, we got hacked, and on the 6. January we closed.
myself : Were there big steps that you would like to note for FM, moments you considered milestones of FM, for example?
Flole : the 1000 user mark, reached on 6. December 2013
myself : What were your feelings on this occasion? Or, for example, at the first order on the market?
Flole : I was happy when the first order got finalized of course. I thought about closing the market when there were no orders, because I didn’t know whether the site had been accepted, but then I knew: I can proceed!
myself: Can you tell us a little bit more about the project itself? Some technical aspects of FM and its development, the tools used?
Flole : The site was hosted on an Apache web server with PHP. MySQL was used as the database. All site content was dynamically generated by PHP scripts. The site was “protected” by nginx in front of the Apache.
myself : There were also rumors about the use of “Bitwasp” for FM; what can you tell us about that?
Flole : Basically it was used, but not the latest version. I checked out the source code from bitwasp a few weeks before I started, and once I had made a single change, no update could be applied. So I needed to apply every update manually and review every file.
myself : About your feelings about the whole story of FM and how it ended: were you badly depressed to see the loss of all your “hard work”?
Flole : Basically I feel sad about how it ended. It’s bad for everyone who lost money on the site, and all hard work has been destroyed.
3rd part : anecdotes or experiences that you could give about FM, the support, the administration.
myself : Do you have anecdotes about FM and its administration and development?
Flole : It wasn’t always easy. Many times I was close to stopping development of the site, but every time I continued. Maintaining the site was very difficult sometimes. People tried to make a profit by telling the support they had deposited money when they had not. Then I had to add all users’ money together. Many things I did from school, when we used computers there. But some things only worked at home, for example bitcoin related actions.
Flole : I used the break one time to drive home and had a look from there.
myself : That sounds incredible!! Were you partly managing FloMarket from your school? Were the school network and computers originally able to do these things, or did you change the configuration yourself ?
Flole : Normally it was impossible to install tor on the school’s computers, but I reset the admin password and used the workstation every time since then, so I knew how to activate the tor configuration. The school’s firewall was also a problem, but since the ports for email were open, I opened a tunnel through them. So I was able to manage it from school as well.
myself : I guess you were using the computers at school a lot for this. Were there times when you had to hide yourself from the school staff?
Flole : They had a remote control software, but when using the second monitor function, the software is useless (the graphics card has 2 video outputs, I had one screen). On the first screen I opened the text editor and wrote a bit. Then I used the second screen to do real, useful work. The teacher was only able to see the first screen, because the software was not designed to do otherwise.
Flole : one time a teacher has seen me sending a message, but telling him I was saving a file made him go away.
myself : Do you have an anecdote about the support on FM, about the Buyers or Vendors for example ?
Flole : maybe… A vendor wanted a “holiday function”, and only 10 minutes after the wish, it has been there. He was really surprised.
myself : Did you have bad experiences of support with some Vendors/Buyers?
Flole : I was informed immediately after a support request was received. So I was able to respond to a buyer in under one minute; he was surprised and more than happy with it. A bad one: A buyer tried to tell me he had deposited bitcoins, but they never arrived. He was unable to provide a transaction hash or other details about the transaction, so he was just trying to make a profit.
myself : were you afraid of LE Agencies?
Flole : Well, I wasn’t really, even the servers were standing in the basement of my family’s house.
4th part : The Hack.
myself: Can you tell us about the hack itself? How did it happen? What details do you have about it ?
Flole : The only detail I have is that a vendor named “turtlesh3ll” withdrew more BTC than there were on his account. He withdrew 0.27997004 BTC multiple times to the address 1QGVcWQtQnS1jNacciaRzcasS6NURr1Cd7 at irregular intervals.
myself : Can you give us a timeline of what you did and how you tried to handle the hack, and what happened afterwards until the shutdown?
Flole : First I disabled the cashout function. Then I tried to respend the money to cancel the transaction: No chance. After that I tried to contact the vendor; he responded that “the address is from a supplier and he doesn’t have access to send the money back” Quote : (“i didnt withdraw. I dont have anything to withdraw!! that wallet address is a supplier. i dont have access.”). Then he started spreading news that the site is a scam. Another user copied the scam warning, and because of the disabled bitcoin function, many people started spreading such news.
myself : It seems strange that a user who claims in a message that “he don’t have anything to withdraw” then sends a scam warning because he couldn’t withdraw. Do you think that was a move to confuse people and cover the tracks of his hack?
Flole : I think he knew that I got hacked because he did it. Maybe he sent the message to make me think I needed to react and replace the money with my own, so he could do the trick again and steal a few BTC again.
myself : How much time was there between the hack and the moment you decided to take FM down, seeing that it was hopeless to try to get the bitcoins back ?
Flole : The user hadn’t logged on for 7 days, then I decided to stop all…
myself : After the hack, why didn’t you take the market down immediately? Did you disable the deposits after the hack during the time the market was still up?
Flole : If I had stopped the market, I would never have been able to contact the hacker. There was no option for disabling the bitcoin deposit option, since many vendors have saved their topup address on their computers…
Flole : But no one deposited money after the hack
Flole : that’s the lucky part for all.
Flole : I am pretty sure some people will say they deposited money after that, but no money was received here. Also no one would scam for not even 5000$ .
myself : A lot of rumors have suggested SQL injection as a possible method to achieve this kind of hack; what do you think about it?
Flole : You have seen the source code, then his balance wouldn’t be negative and the code is not vulnerable to sql injection. Another fact is that every submission, whether successful or not, is logged. Nothing regarding sql injection from this user can be found there. None of the tries was successful…
myself: So days after the hack and after analyzing all the logs you fail to understand how the hack was performed exactly? But for you it is not at all an SQL injection method?
Flole : No, it’s definitely not an sql injection. It could not even be one, because there is an “is_numeric” check, which fails when the input is not a number…
myself : Do you have a hypothesis at the moment on how it could have been performed and with which hacking method?
Flole : I don’t know. But currently someone is analysing the failure…
myself : So you have hope of figuring out how the hack was performed during the next weeks?
Flole : maybe he will find out what happened, maybe not…
myself: Have you figured out now if you could have done something during the hack, or was it too fast? In reference to the BMR hack, where Backopy “pulled out the plug” in the middle of the hack on seeing the fake withdrawals.
Flole : backopy had more than 500 Bitcoins, I had 5. He withdrew them in less than 5 minutes. I was unable to see it, it was fast.
myself : Why did you not publish all the details about the hack on the server frontpage, which could have given credit to your story? The message you made was very short.
Flole : That was a message I originally used on an other server. I was extremely depressed and so I simply copied the message and wrote a few sentences…
5th part : your future
myself : What are your plans now, after the Down of FM? Do you have more projects about DarkMarkets that you would like to develop?
Flole : I think I will not try it again. Maybe some other projects, but not a DarkNetMarket again…
Flole : I think my next project will be Torbook: A Tor version of Facebook.
myself : How have you been affected by the FM story and its bad end? How are you dealing with all your work that was lost and all the time that was spent for nothing in the end ?
Flole : I am trying to make money otherwise… I am sad of course, but the work wasn’t lost, it’s just useless… I hope that some people liked it and found it useful; then the site was a success when it was active…
Flole : The hope was very big of course, otherwise the project would never have started…
myself : What do you think you personally and technically learned from this experience with FM?
Flole : Developing the site was much fun, I learned many things, I also learned much about DoS attacks and avoiding them. The experience I had was really big, I think it will be useful in my further life.
myself : do you think there is something to add about your future?
Flole : I will finish my school and then I will search a job… a legal job…
6th part : The DarkMarkets World.
myself : what do you think about all the new darkmarkets that have been created lately?
Flole : They tried the same thing I did: Making profit from the SR and BMR shutdown. I think we can’t trust any of the new sites, since they haven’t been tested for exploits. I will and like my site: Some time all works well, and then they get hacked… They just want to make money easy and fast…
myself : Are there some DarkMarkets you want to point out for their good security or interesting features, or inversely some DarkMarkets that have bad security?
Flole : I think no market which is not open source is good. The best is bitwasp, because it’s open source and everyone can host it. I am sure many people will copy the code and start their own site, but be warned, my site shows: EVEN AFTER HARD WORK, THE SITE COULD NOT BE READY FOR PRODUCTION!!!
myself : Do you have predictions about the DarkMarkets world ? Do you think that more hacks on DarkMarkets will happen in the next weeks ?
Flole : Yes, imagine every site has only 5 BTC on it (like mine), a small family can live some weeks from that, so why not try it for extra cash?
myself : Do you have any advice you would like to give to DarkMarkets owners and Admins ?
Flole : Manually verify each transaction.
Flole : that’s the only thing which helps.
myself: And to people like you that would like to develop and Open a DarkMarket ?
Flole : Don’t create another one. 10 markets are more than enough!!
myself : To finish, would you like to say something to the unfortunate Users and Vendors of FM who have lost Bitcoins with the hack and the shutdown of FM ?
Flole : I am sorry for every single satoshi that got lost. I have done my best to recover them, but there was no chance. I hope that no one got into trouble because of this.
myself : To be clear, how did this whole story of FM end for you? Were you able to get money from your work on FM even before the hack, during the normal period of activity?
Flole : no, I have never cashed out, because I believed in my site’s security.