​Dark Web Spam Is Stealing People’s Bitcoins

Where there are bitcoins, there are scammers. Some users on the dark web drugs and weapons marketplace Agora are being directed to a site which deploys malicious code designed to empty their accounts of the digital currency.

"Got a message from user brandos on Agora about a new market," one Reddit user wrote yesterday. "It doesn't say the name or anything but the guy says he's an old seller and started his own market."

The message then provides a link for users to visit this alleged new marketplace, which promises "24h technical support" and cheaper prices for products.

But not everything is as it seems. "Immediately after I clicked to open the page, tons of Agora tabs opened up," the Reddit user continued, explaining that these pages tried to transfer bitcoin funds from their Agora account.

Motherboard has verified the process by setting up a test account on Agora and deliberately visiting the malicious site. After asking users to enable Javascript, a welcome message to the apparent marketplace "Sydneed" pops up, along with an inviting button saying "I'm human!", the likes of which are used on some sites in the place of CAPTCHAs.

"If you pass the human verification test, the site will then make itself full screen," Thomas White, a Tor hidden service developer, told Motherboard over encrypted chat. Meanwhile in the background, around 40 to 50 browser tabs are opened, all trying to transfer the user's funds to a series of fresh bitcoin addresses, presumably controlled by the scammer.

It appears that some people have lost their bitcoins to the scheme, but only in small amounts. "Luckily I had only like $20 in my account," the same Reddit user posted.

The scam only works if the target is logged into Agora at the same time as they visit the malicious site. Also, it appears that Agora has a built-in mechanism to stop very frequent bitcoin transfers. Eventually, the opened browser tabs read "More than 2 requests/second, please chill for 30 seconds." And of course this site only targets funds stored in a user's Agora bitcoin wallet, and can't reach any bitcoin on the user's own computer.

White felt it was the work of an amateur. "It's a damn basic way of doing things," he said. Some of the code, which was captured by Darknetmarkets.org, appears to be copy-pasted from open source code site GitHub.

"This isn't an exploit, it is closer to a kind of social engineering, since there is nothing in this that gets around security: the user is totally complicit in the process through ignorance of good security practices," White added.

Indeed, the scam once again taps into one of the weakest elements of computer security: the human. By enticing users with the promise of a new marketplace, people are tricked into opening up the malicious site themselves, rather than through any technical prowess of the scammer.

"People like you are idiots. Sorry, it has to be said," wrote another Reddit user in response to an apparent victim.