Ah, the darknet markets. You’ll never find a more wretched hive of paranoia and shilling. But when your business is mailing drugs or laundering financial data, a reputation across darknet markets and their associated forums is the lifeblood of your business. And when enough people run an illegal business, a new market comes to prominence: the market for scamming.

‘is real money!

Let’s take the case study of GBPF (that’s GBP Fakes) from mid 2015 as well as the parallel events on the Oxygen Market.

Oxygen Market first launched around May 2015, making responsible noises like:

We welcome everybody to do a PEN test audit on our market… We did not earn any money yet but we will certainly reward everyone who finds a security bug.

Oh there’d be a reward alright ;) Around May 2015 a vendor, GBPF, announced he was looking to sell his high quality counterfeit £10 and £20 notes on the darknet markets:

I have invested a lot into this again and purchased a high quality laser printer and hologram printer, which will now allow me to create crisp quality prints on the notes and also I am now able to create perfect replicas of the currency holograms, with all interchanging images you would see in a genuine note. I am also using a different type of cotton-linen based parchment for the notes, which gives it a much better feel and is almost perfectly identical to that of an original, they are also completely starch free, this allows the notes to pass the counterfeit pen test. All UV prints are present on my notes, the same as real ones. Note that these will NOT be usable in any sort of currency machines, such as change machines, self-service checkouts or betting machines.

So that’s some credentials right there surely? Bloke has a laser printer, seems like a legit operation right? Alas for his buyers, when a novel product comes along, authentication services and referrals are not in place. When it comes to drug purity, for instance, forums like /r/researchmarkets/ are always keen to review products against what is advertised.

GBPF rocks up and finds a naive, captive market all waiting for him:

Definitely interested. Would be good for festivals in the summer where you are expected to pay £7 for a burger bought in tesco that morning haha.

The secret ingredient is crime…

GBPF’s revolutionary fake-a-tron 4000 technology springs into action and samples are mailed out by invitation which immediately receive positive reviews:

My overall review: Once this guy starts selling properly, I’ll buy a lot. I’d still advise to be cautious, and deal within escrow. The notes were perfect, and after I had had them in my pocket for a day, I couldn’t tell the difference. They passed the UV pen test, I bought one just for this occasion. Perfect.

In fact you could say they were very positive reviews:

I finally have the note back from my friend, he said it looks very real. But under further investigation the note is a fake, the best one he has ever seen. He said the hologram wasn’t quite right. And that the paper isn’t right. I have done a water test (Normal house tap water) about 15 minutes ago, it seems to go soggy at the edges (tested on each edge), no ink seems to run off it though. I have dropped a few droplets in the center and on the queen’s face, I instantly saw that the note began to warp, very peculiar. It sort of folded into itself, sort of like a chemical reaction and the paper became extremely stiff and hard to bend properly. I got a small amount on the center where you hold it up to the light to see the queen’s face, and it instantly made a reaction and I could tell immediately that this is 3 different layers of paper, they sort of came apart from each other. The note didn’t like it one bit, I’m currently in the process of drying it out to see if it goes back to normal. I did another test and ripped the corner of the note to see the paper quality, it is very strong paper and took force to rip, however I could see that it is multi layered paper, and it became clear how these notes were actually made. But in conclusion, yes, these notes are fake. As in they are replicas of notes (What they are actually being sold as)

You might say that they were like real notes…

The print quality of the notes and the feel of the material used is just remarkable, they look and feel exactly like a genuine note, other than 2 of them felt ever so slightly thicker than the others, which not even the guy who loves his job would notice when checking them extensively. I used the notes successfully in a corner shop and on the bus without them even giving the notes a second look.

Yet given the high quality, his sample customers still had to pay £8 in BTC for a £10 fake note? It must be fake-fakes, i.e. real money!

GBPF sent out real notes… Why else would you charge £8 for a SAMPLE.

But there are even more positive reviews:

The note is indistinguishable from a real note. Every feature is present (Raised print, UV, magnetic strip, hologram, watermark, paper feel/thickness, microlettering, print quality). Biggest surprise is the micro lettering, which I have never seen in a counterfeit note before. Additionally, the hologram is flawless; again I’ve never really seen it pulled off, most just use some foil tricks. However, that said, the Chinese are gods for copying holograms, so this is likely an import. Now, this may just be a real note, I sure would never be able to tell and I’ve had forensic counterfeit training.

Now this flurry of positive reviews runs contrary to the drama and base-line disorganisation we expect of /r/darknetmarkets!

The highly raved about “GBPFakes” is the same guy from around 6 months ago on Nucleus, who scammed a shit load of people after building up a “trusted” reputation, and like now, drummed up a lot of business by having plenty of reviews on Reddit. When was the last night you saw 1 vendor get 4 reviews in 10 days on /r/DNM ?…bearing in mind he has a feedback score of only 4 on Oxygen? So 100% of his customers all post on /r/DNM ? Fuck outta here

Despite some scepticism, with a selection of gushing reviews, GBPF is quickly the darling of the UK online counterfeit scene. Persons of dubious nature are now lined up to place their bulk orders so they can responsibly rip off small business LARGE EVIL CORPORATIONS AND NIGHTCLUBS.

And of course it can’t be a scam as:

He doesn’t require FE = no scam is possible. When/if someone gets a package from him — he examines the bills before releasing the escrow. End of story.

At this point it is worth noting that he was listing his product on the now defunct Oxygen Market. What’s that Skippy, it’s not an established market? Might not be secure you say? So shortly after taking the first batch of real orders this is how it went down:

[Complaint/Warning] GBPFakes supposedly hacked (most likely exit scam) Today his listings on Nucleus were deleted and his profile text was replaced with “hacked lol hacked lol hacked lol..” The timing is very suspect as it was just after his first round of successful sales with positive feedback, and after a large number of new orders had been made. Perfect time for an exit scam.

Crikey, how’d he pull that one off? Wait, there’s extra phishing messages being sent too?

I have a sneaking suspicion it’s an exploit image

What’s that y’say? Orders are automatically finalising out of escrow when you get the message?

Oxygen quickly admit:

it was html-injection, an image tag. It was the only field that was not properly sanitized. Because it was previously in a pre tag it was not found during the penetration tests… but because of the styling of pgp-encrypted messages we removed the pre tag… We fixed it in two ways…. 1. ) we now sanitize all fields for all html tags. 2. ) we added codes to the links, without a code the link won’t work.

To explain that, Oxygen was:

Allowing images in private messages

Improperly sanitising the images, allowing the attack.

I believe the message contents would have looked like so:

Oh hai, I would just like to give an update about your order: <pre>exploitimage.jpg</pre>

The image itself would have been custom crafted with a custom EXIF header so that when the browser rendered the image, it would have forwarded them to the unprotected ‘finalise early’ page through a known url pattern such as:

<meta http-equiv="refresh" content="0; url=http://oxygenmarketurl.onion/knownpattern/finalise.php" />

The pattern the market used was so weak that a user could even be persuaded to click, e.g., a bit.ly link that ended up at the same URL, releasing their escrow in a single click. Oxygen Market, I am disappoint. What did Oxygen have to say about this?

So what have we learned today?

Counterfeiters still can’t be trusted

New market places are especially technically and economically weak against both scammers and exploits

The community saying ‘but full escrow!’ can be wrong and is vulnerable to being gamed
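The two fixes Oxygen described (sanitising every field, and adding codes to links so a bare link won’t work) look roughly like this in practice. This is an added example, not Oxygen’s code or anything from the original post; the function names, the `SERVER_KEY` secret and the sample message are all assumptions made up for illustration.

```python
import hashlib
import hmac
import html
import secrets

# Assumption: a per-deployment secret held only by the server (generated here for the demo).
SERVER_KEY = secrets.token_bytes(32)

def render_message(body: str) -> str:
    """Fix 1: escape the field on output so any injected tag is shown as inert text."""
    return '<div class="pm">' + html.escape(body, quote=True) + "</div>"

def action_code(session_id: str, order_id: str, action: str) -> str:
    """Fix 2: a code bound to one session, one order and one action."""
    msg = "\x00".join((session_id, order_id, action)).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def handle_finalise(method: str, session_id: str, order_id: str, code: str) -> str:
    """Release escrow only for a POST that carries the code issued to this session."""
    if method != "POST":
        return "405 state changes require POST"
    expected = action_code(session_id, order_id, "finalise")
    if not hmac.compare_digest(expected.encode(), code.encode()):
        return "403 missing or invalid code"
    return "200 escrow released"

if __name__ == "__main__":
    # Constructed sample message containing an injected image tag.
    sample = 'Update about your order: <img src="https://example.invalid/x.jpg">'
    print(render_message(sample))
    print(handle_finalise("GET", "sess-A", "order-1", ""))
    good = action_code("sess-A", "order-1", "finalise")
    print(handle_finalise("POST", "sess-A", "order-1", good))
    print(handle_finalise("POST", "sess-B", "order-1", good))
```

Either fix alone would have broken this incident; together they mean a request the buyer never intended to make can neither be embedded in a message nor accepted by the finalise handler.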

Let’s see that business model end-to-end, going on the assumption that GBPF planned the whole thing out from the beginning:

How much did he net? Over £5,000? £10,000? Unless the now defunct Oxygen market lets me know, we’ll be left to speculate. GBPF denies complicity, claiming he was set up by Oxygen market themselves.

Oxygen quietly collapsed a couple of months later around August, around the same time the market leader Agora mysteriously closed its doors.

In conclusion, counterfeit £10 notes won’t now be used to rip off small business LARGE EVIL CORPORATIONS AND NIGHTCLUBS so this is evil good? It’s complicated. Markets are secure, except where they’re not. Escrow works except where it doesn’t.

There remains no reliable source of fake GBP at the time of writing.

Update!

GBPF got in touch with me via Reddit in July 2016, a couple of months after I wrote this blog:

Hi. I came across this just now and thought I’d give my own input to try and bed this. I have still been selling on and off privately since this incident. I know of no exploit with Oxygen, I set up on multiple markets but I liked their easy to use interface, mainly the order process tracking, it helped to keep on top of things. After sending out some of the first bulk orders I tried to log in once I got home and I was banned, I was then accused of all sorts that I would have no knowledge of. I didn’t try to scam anyone and wouldn’t because my production line is a lot faster now due to the automation of some of the steps that I haven’t been able to do in the past. All I know is that I was scammed by Oxygen possibly as a stunt to show how fast they shut down potential scammers because I had only just started up on there, I’ve been around since BMR and keep coming back to continue in the business I’m good at. Also, a good note (pun not intended) is that Oxygen DIDN’T refund people, they refunded 2 or 3 people and left the rest out of pocket, I’m sure there are some comments about this in the past threads. The only reason for not refunding them would be because their little stunt failed and they decided to take that money from it instead. If there was some exploit do you not think it would have been more widespread and occurred with others? Take what you will from this anyway, I appreciate your thoughts on the situation.

He said he lost ‘in excess of 5k’ — which whilst a good day’s work for a scammer, is likely not that significant as a percentage of a whole market’s escrow. As such, whilst GBPF blames Oxygen themselves, the use of a genuine exploit which did not directly coincide with the market’s closure suggests to me a shadowy 3rd party whom we may never know…