**Update: 4/30/2018**
Since this has been one of our more popular articles, I decided I should post an update on what has occurred in the past few months. First off, we are still investigating this in our spare time, mostly because the sheer size of this operation is baffling. So far we have identified hundreds more phishing sites, all of them with the same MO: same registrar, variant spellings of DeepDotWeb, AlphaBayMarket.net, etc., and we continue to find more every time we take a fresh look.
Many of the domains are no longer working. We would like to believe darknet shoppers have become more wary of phishing sites over the last few years. Or it may be due to the fact that Google Chrome, BitDefender, and numerous other security platforms have begun blocking those phishing pages or issuing warnings to would-be visitors…or victims.
Not to pat ourselves on the back too hard, but when we initially reported on this phishing network, hundreds of the pages were being indexed and ranking well in Google search results, and had been since around 2015. The day we published our findings we reported every link we found to the proper channels, and we continue to do so with every new link we discover.
One of our writers who has been researching this operation from a different angle feels pretty confident that he has identified a couple of the people behind this massive scam, and informed me that if he is right, they are fairly well-known individuals in the darknet community. However, he wants to keep investigating his suspicions and won’t name names until he is 100% certain and has as much evidence as possible to support it. But according to him, it’s not who everyone expects it to be; it’s actually the opposite.
In total, we have connected over 600 domains to this massive phishing network, which would raise our estimated investment cost to at least $21,000 USD in domain registration fees alone.
– ⅁ʟɪᴛᴄʜ⨯ᴘʟᴏɪᴛя
NOT YOUR AVERAGE PHISHING CAMPAIGN
TL;DR summary: we published a list to our Pastebin that contains all the phishing links we discovered that targeted the darknet market community. We also searched for and included any DNS and site information that was tied to each phishing site link. You can find a link to our Pastebin post at the bottom of this article.
Phishing scams are the ever-growing nuisance that has plagued the underground community of the darknet since the very beginning. Over the last year or so the popularity of phishing has increased exponentially. It’s almost impossible to get through a day without stumbling upon some sort of irritating, and usually blatantly obvious, phishing link creeping onto your screen. Darknet forum moderators are constantly scrubbing shady link litter out of their threads. Darknet market moderators are clearing dirty phishing links out of their vendors’ feedback sections. What’s next?
Now darknet users need to take extra precautions on the clearnet too. The websites they regularly visit to find invite links to darknet markets are the new playing field for the modern phisher. The new tactic that has been fooling even seasoned darknet users: phishing sites disguised as popular news and information websites. These clone sites are nearly exact copies of the websites they imitate. The only differences are the phishing links to the darknet markets and the website URL, which is one or two letters off from the legitimate website’s URL.
Over the last couple of months, darknet forums and Reddit threads have been buzzing with darknet users who had been duped by these clever clearnet clone sites. Many did not realize they had fallen victim to the crafty, newish phishing scheme for several days, and by then their market wallet was usually empty. (Don’t leave BTC in your market wallet!)
Due to the lack of coverage of the clearnet phishing sites, we decided to take it upon ourselves to draft a list of these poison URLs for our readers, thinking the list would be relatively short. A few misspellings of DeepDotWeb’s site, maybe some others, and that should be it. However, we quickly realized that we were dead wrong. Over the last day, we stumbled upon nearly 300 of these clearnet phishing sites, nearly all of them registered within the last 5 or 6 months. But what we really found bizarre is that it appears only one or two scammers (or groups) are behind ALL of them.
From our research it appears that nearly all of the URLs we discovered were purchased through the registrar PDR Ltd. d/b/a PublicDomainRegistry.com. PDR Ltd charges $35 for each domain name registered through their company…per year. This would mean that the person, or group, behind this new scam has invested an estimated $10,395 USD in acquiring the domain names alone, just to cast their massive phishing net. The cost of this scam is likely much higher once the server and hosting costs are added to the total investment, and that can only mean one thing: the scam works, and it’s lucrative enough for the scammers behind the operation to make that type of investment. That being said, we encourage our darknet readers to take the following precautions when visiting ANY website, especially ones related to finances and darknet markets.
DOUBLE CHECK THE WEBSITE’S URL
These websites will look identical to the sites you intend on visiting. If you are in a rush and misspell the website URL then YOU WILL end up on a phishing site. Make sure every single letter in the website domain name is typed out perfectly, especially if you have any plans of using their link list to get to a darknet market.
BOOKMARK OR SAVE LINKS YOU USE REGULARLY
The safest bet is bookmarking darknet news sites you visit so you don’t have to hunt them down or risk misspelling the URL. This is especially true with DeepDotWeb. Given that they are a popular and trusted news source, it makes sense that the phishing net is mostly composed of misspelled variations of DDW’s domain name. It might also be a good idea to bookmark or save a link to us (darknetmarkets.net), /r/DarknetMarkets, and other sites or subreddits with a clean reputation.
STAY AWAY FROM ONION SITES THAT END IN “.TOP”
All of the phishing sites mentioned in this article have two noticeable differences from the legitimate website. They have a misspelled variation of the actual website you intended to visit, and all of their links to darknet markets, forums and tumblers end in .top. If you see an onion link ending in “.top”, it means you are on a phishing site.
ONLY USE LINKS FROM SITES YOU TRUST
If you don’t have your own list or bookmarks of the darknet markets you need to visit, then cautiously use a reputable source for links. That means never blindly using links posted by random strangers in forums…and never jumping on DuckDuckGo, searching “Dream Market login page” and using a link from someone’s Tumbler. You can go here to our Darknet Market Link List, which always has working, verifiable links and alternative links. You can also visit DeepDotWeb, /r/DNMSuperlist/ or DNStats, which have so far all been reputable sources for safe links. Better yet, double check your links against two of the sites I just mentioned for confirmation…you never know.
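The four tips above boil down to two mechanical checks: is the hostname an exact match for a trusted domain (rather than a one- or two-letter variant), and does a supposed onion link end in “.top”. As an added defensive example, not code from this article, here they are as a small Python classifier; the trusted-domain allowlist is constructed from sites the article names and is an assumption, not a vetted list.

```python
"""Flag look-alike (typosquatted) clearnet domains and fake ".top" onion links."""
import re
from urllib.parse import urlparse

# Constructed allowlist (assumption): domains this article treats as legitimate.
TRUSTED_DOMAINS = {"deepdotweb.com", "darknetmarkets.net"}

# An onion-style label (16-char v2 or 56-char v3 base32) served on a .top TLD
# instead of .onion: the tell-tale the article describes on the clone sites.
FAKE_ONION_RE = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})\.top$")


def hostname(url: str) -> str:
    """Return the lowercased hostname of url, with a leading 'www.' dropped."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts/deletes/substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, max_edits: int = 2) -> str:
    """Return 'trusted', 'fake-onion', 'typosquat' or 'unknown' for a URL."""
    host = hostname(url)
    if host in TRUSTED_DOMAINS:
        return "trusted"
    if FAKE_ONION_RE.match(host):
        return "fake-onion"
    # A near-miss spelling of a trusted domain is exactly the pattern described above.
    if any(edit_distance(host, good) <= max_edits for good in TRUSTED_DOMAINS):
        return "typosquat"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, not domains taken from the article's list.
    for u in ["https://www.deepdotweb.com/", "http://deepdoteb.com/",
              "http://abcdefghijklmnop.top/login", "https://example.org/"]:
        print(u, "->", classify(u))
```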
Hopefully, with a little common sense and caution, we can make that massive phishing net nothing more than a big waste of time, money and effort at the expense of the scammers who created it. That being said, here is a list of the phishing links we scraped up that make up most, if not all, of the giant phishing net-work (see what I did there?) along with some information we harvested on each of the domains (probably nothing too useful, but it’s a start). Hopefully, someone will make use of it for a good payback doxxing. And if that’s not your forte, then feel free to copy the list of domains and submit them to any of the following phishing link reporting sites, blacklists and abuse report pages.
PDR Ltd Abuse Report Form (Copy and paste the entire list of phishing links directly to their domain registrar in a few clicks and you could cost a group of scamming phishers over $10,000 USD if they lose their domain names.)
Google – Safe Browsing (submission for phishing sites)
APWG – Anti Phishing Work Group (Phishing Site Report Page)
BrightCloud (Malicious site reporting page)
BitDefender (Malicious Site Reporting Page)
Symantec (Phishing Site Submission Form)
TrendMicro (URL Submission Page)
TrustWave (Malicious Site Submission Form)
Yandex (Malicious/Phishing Site Report Page)
AVG – Report Phishing Sites via email: [email protected]
ESET – Report Phishing Sites via email: [email protected]