Dark web marketplaces are using the same model as legit businesses: they are launching bug bounty programs to protect themselves against possible hacks. The rewards give bounty hunters an incentive to analyze the websites, find security flaws, and earn profits.
According to tech magazine CyberScoop, Hansa Market is one of these marketplaces. Hansa, which made about $3 million last year, launched a bug bounty program on January 30. The rewards range from 0.05 BTC ($50) to 10 BTC ($10,000). Security measures like bug bounty programs are essential for marketplaces that sell narcotics, illegal firearms, log-ins, and other hacked data, since the markets need to protect their sellers from law enforcement authorities. However, police are not the only ones who would benefit from such hacks. Dark net markets also have to protect against rival hackers, who would steal information such as data dumps.
Despite Hansa’s efforts, privacy researcher Sarah Jamie Lewis doesn’t believe that bug bounty programs could help black markets that much. According to her, the website admins have to go “much deeper” if they want to solve their security issues.
“The problems pervading onions [the nickname for websites accessed on the Tor network] are caused by bad assumptions at the software design level — the reliance on web technologies designed for an Internet without consideration for privacy. Bug bounties are only a patch, what we really need are new privacy-oriented software stacks, servers, blog platforms, etc,” Lewis said in a statement.
Hansa launched its bug bounty program after AlphaBay, the biggest active dark web market, got compromised in January. The hacker, known as “Cipher0007”, managed to breach the website and steal over 200,000 private messages exchanged between users and sellers. From those messages he was able to acquire the first and last names of buyers and vendors, nicknames, addresses, and the tracking IDs of packages sent by sellers, wherever these were included in the messages and not protected by PGP keys.
Cipher0007 disclosed the vulnerabilities of the dark net marketplace on Reddit. According to him, there were two security flaws that could be exploited to acquire users' private messages. The hacker also posted some screenshots as proof.
Before his post on Reddit, Cipher0007 opened several support tickets on AlphaBay, warning the marketplace of the website issues. Soon after, the dark net market rewarded the hacker for disclosing the flaws rather than selling them or releasing the data to the public. Cipher0007 even revealed his methods to the black market admins, so AlphaBay developers were able to close all loopholes in a few hours.
In a statement on PasteBin, AlphaBay confirmed the validity of the vulnerabilities and said the bugs allowed the hacker to steal a total of 218,000 messages, which were not older than 30 days. Older messages are automatically purged from the system, according to the marketplace.
With such information, the hacker could have made big money selling it to law enforcement authorities. Had he done so, it could have resulted in the fall of the biggest active dark net market.