Weeks before the darknet market DDoS attacks began, TradeRoute Market arranged weekly payments with an infamous darknet marketplace phisher known as “Phishkingz.” In a conversation with DeepDotWeb about two days before Traderoute went down, Phishkingz revealed that he had found a way to access code from the marketplace’s admin backend. Shortly after Phishkingz revealed his findings, TradeRoute exit scammed.
The marketplace went down during the most recent DDoS wave, alongside the majority of the “top markets.” As the downtime increased, market users posted on Reddit with increasingly credible concern. Phishkingz (PK) voiced his concern in a post titled “Dear TradeRoute Its [Phishkingz] aka BillyIsOnTheNet1 Either Post A Message Or I Leak The Source.”
DeepDotWeb also heard the phisher’s thoughts during a conversation with on jabber [email protected] (Jabber included at his request), PK’s official Jabber address. In a July interview with DeepDotWeb, PK explained that he “dominated the phishing scene on the darkweb.” And it was through his phishing schemes that he stumbled upon a critical TradeRoute bug. Under the BillyIsOnTheNet1 alias, PK messaged a TradeRoute technical admin about a vulnerability he (and another phisher) had discovered while creating a transparent proxy for TradeRoute credential phishing.
PK’s proxy—one of his phishing sites that, like any phishing site, looked almost identical to the real thing—granted access to TradeRoute’s “whole database.” The time between the discovery and disclosure is unknown. But, at some point following PK’s discovery, he used Dirbuster to scan TradeRoute directories and filenames. He then “channeled them through a transparent proxy.” And then building the database was fairly straightforward. TradeRoute handed PK $2,000 per week for the disclosure. PK sent DeepDotWeb copies of the scripts and clone sites for verification.
Note: All this, including the source code of the script which compromised TR, TR leaked source code, the full conversation with the admins and wallet addresses related to TR were provided to deepdotweb BEFORE Trade route went missing:
In a later message, PK revealed he had found more valuable bugs. “I have found several big bugs within the code [and] i am willing to work with you guys keeping this place safe and secure,” he said in the conversation with TradeRoute staff. The Technical admin denied that one of the bugs could exist and asked for the remaining two bugs mentioned by PK.
The phisher then announced, on September 11, that he would leak the full source code of the site unless the market admins paid him one bitcoin. That never happened. Instead, the staff decided to pay PK 0.375 BTC every Friday.
On September 12, the conversation thread between PK and the Technical admin had drawn to an end. The payments would arrive every Friday and required no user interaction as a script automatically deposited the payments into PK’s account. The TradeRoute deal required PK to keep silent about the vulnerabilities.
Payments would continue “as long as no leak is ever seen on the internet,” the admin wrote. “But if there’s any leak, or if you try to blackmail us again in the future you will automatically lose your privilege.” And all seemingly went well until roughly one month later. DeepDotWeb and Phishkingz had spoken throughout the month leading up to TradeRoute’s exit scam. Both suspected the marketplace had left for good before receiving confirmation from TradeRoute staff themselves.
On Reddit, as mentioned above, PK warned TradeRoute staff that if payment did not come his way on time, he would release the market’s source code. The absence of moderators on the TradeRoute subreddit allowed his posts to live on. PK revealed that he had messaged the TradeRoute staff who publicly used Reddit. He asked the moderators to relay the message to admins that they needed to pay him outside of the market. He asked them how they would be getting paid.
However, to TradeRoute Dispute and Support Admin “SamCulperTR,” the phisher pointed towards the evidence that the TradeRoute team had packed their bags. “No shit… And they barely paid you shit,” the admin wrote. (DeepDotWeb confirmed the authenticity of the messages by signing in to PK’s Reddit account.) PK said that he wished the market would come back and that he and “his partner” had not leaked any of the source code or sensitive files. “So I take it this is an exit scam then,” PK added.
Culper responded with few words, but just enough to prove that TradeRoute had exit scammed: “You are the reason they took off.”