This post has a follow up — A look back on Crimewave’s “rotten onions” scam

The trust model on the dark web has always been pretty fractured. With random lists, wikis and brazen clearnet phishing sites, and with so much money to be made ripping off darknet market visitors, it isn’t any surprise that the scum of the darknet are incentivised to do so.

Don’t forget to donate via Bitcoin!

Back in 2014 the Onion Cloner was the premier script for duplicating sites and tampering with key fields such as forms and bitcoin addresses. Coupled with a little wiki-vandalism, a scammer could expect to find a steady stream of marks handing over their market credentials and bitcoins, without any legal or financial recourse. Despite some public-spirited user attempts to crash it, it represented a standard in darknet fraud.

This is a cloned phishing login. Note how the form asks for the PIN on login; the genuine site only asks for it on payment.

So prolific were the cloned sites that when Operation Onymous saw 276 onions seized in November 2014, it turned out that up to 153 of these were cloned sites or other scams.

Of course, dark web scams have not gone away since then, nor will they any time soon, and darknet markets, with their high illegal bitcoin turnover, continue to be a popular target.

So the latest tool on the scene is one called ‘Rotten Onions’, which I found on a domain that laughably suggests people actually memorise onion domains. Let’s take a look:

~~~~~~~~~~~~~~~~
~ ROTTEN ONIONS ~
~~~~~~~~~~~~~~~~

~~ WHAT IS IT?

Rotten Onions is an extension for mitmproxy made to launch MITM-like phishing attacks on darknet markets and bitcoin anonymizers for the purpose of stealing money from users who are too stupid to check that they’re on the right URL. It’s a bit of a spiritual successor to the infamous Onion Cloner, but unlike Onion Cloner, it doesn’t suck.

~~ WHAT DOES IT DO?

The current features are as follows:

* Functions properly on onion.link, onion.to, etc (which is only noteworthy because Onion Cloner did not)

* Store login and registration data

* Check account balances upon login (currently working on most but not all major DNMs and mixers)

* Replace valid bitcoin addresses with attacker-owned bitcoin addresses

* Alter withdrawal requests and send coins to attacker-owned bitcoin addresses

* Thoroughly spoof HTTP headers to prevent detection and avoid most Tor-friendly CSRF protection methods

* Store cookies and PHP sessions to bypass 2FA login protection

Planned features:

* Bypass Tor with Javascript + STUN server calls to harvest real IP addresses

* Replace PGP keys with automatically generated lookalikes, then intercept messages encrypted with our malicious PGP keys, decrypt and store the messages, then encrypt the data with the original PGP key and pass it on to its intended destination

~~ HOW WELL DOES IT WORK?

I’ve had a total of 11 malicious onion domains up since late January 2016, targeting 3 darknet markets and 2 bitcoin mixers. (I am not going to link to them, so please don’t ask me.) So far, I’ve stolen ~8.5 BTC. I plan to expand this attack to more markets and more mixers in the future though.

~~ WHO MADE IT?

Crimewave, the owner of the indestructible castle in the sky~

~~ CAN I HAVE IT?

If you want to buy the code, you can email me or contact me on XMPP with an offer. If you do decide to purchase it, I will include all future updates free of charge. My contact details and PGP key can be found in contact.txt. If you send me anything that isn’t encrypted, I will ignore it and cease all communication with you.

The features offered by Onion Cloner seem legit; however, one specific claim, to “Bypass Tor with Javascript + STUN server calls to harvest real IP addresses”, seems highly suspect, since only non-Tor users are affected by this vulnerability.

I am going to hazard a guess that whilst ‘Crimewave’ did build, and may sell, this tool, he’ll be a lot happier taking people’s bitcoins for nothing, as is the way of a scammer.
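The two tells this post keeps coming back to (a login form that suddenly wants a PIN, and deposit addresses swapped for attacker-owned ones) are cheap to check for mechanically once you hold a trusted copy of the genuine page. The script below is an added example, not code from this post or from Rotten Onions; it compares a page fetched through a suspect mirror against a known-good copy and reports extra sensitive form fields and bitcoin addresses that do not appear on the genuine page. The HTML samples and both addresses are constructed for the example (the addresses are built with Base58Check so the validator accepts them), and the set of "sensitive" field names is an assumption you would tune for the market you are checking.

```python
"""Flag signs of a cloned or tampered onion-site page.

Added example: compares the page served by a suspect mirror against a
trusted copy of the genuine page and reports (1) extra sensitive input
fields in a form, e.g. a PIN on login, and (2) bitcoin addresses that
differ from the genuine page. Sample HTML and addresses are constructed.
"""
import hashlib
import re
from html.parser import HTMLParser

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy base58 addresses: leading 1 or 3, 26-35 characters in total.
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
# Assumed list of field names that should never appear on a login form.
SENSITIVE_FIELDS = {"pin", "withdrawal_pin", "mnemonic", "seed"}


def _checksum(payload):
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58check_encode(payload):
    """Base58Check-encode a version byte + hash160 payload (used only to build samples)."""
    data = payload + _checksum(payload)
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def b58check_ok(addr):
    """Return True if addr decodes to 25 bytes whose trailing 4 bytes are a valid checksum."""
    try:
        n = 0
        for ch in addr:
            n = n * 58 + B58.index(ch)
        pad = len(addr) - len(addr.lstrip("1"))       # leading '1's are leading zero bytes
        raw = b"\x00" * pad + n.to_bytes(25 - pad, "big")
    except (ValueError, OverflowError):
        return False
    return _checksum(raw[:-4]) == raw[-4:]


# Constructed sample addresses: genuine deposit address and an attacker-owned one.
GENUINE_ADDR = b58check_encode(b"\x00" + bytes(20))
ATTACKER_ADDR = b58check_encode(b"\x00" + bytes(range(1, 21)))

# Constructed sample pages: a trusted copy of the login page and the same page
# as served through a suspect mirror (extra PIN field, swapped deposit address).
GENUINE_HTML = f"""
<form action="/login" method="post">
  <input name="username"><input name="password" type="password">
</form>
<p>Deposit to {GENUINE_ADDR}</p>
"""
SUSPECT_HTML = f"""
<form action="/login" method="post">
  <input name="username"><input name="password" type="password">
  <input name="pin" type="password">
</form>
<p>Deposit to {ATTACKER_ADDR}</p>
"""


class FormFields(HTMLParser):
    """Collect the set of input names for each form, keyed by form action."""

    def __init__(self):
        super().__init__()
        self.forms = {}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = a.get("action", "")
            self.forms.setdefault(self._current, set())
        elif tag == "input" and self._current is not None and a.get("name"):
            self.forms[self._current].add(a["name"].lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def extract(html):
    """Return (forms, addresses): form fields per action and valid-looking bitcoin addresses."""
    parser = FormFields()
    parser.feed(html)
    addrs = {a for a in ADDR_RE.findall(html) if b58check_ok(a)}
    return parser.forms, addrs


def compare(genuine_html, suspect_html):
    """Return human-readable findings where the suspect page departs from the genuine one."""
    g_forms, g_addrs = extract(genuine_html)
    s_forms, s_addrs = extract(suspect_html)
    findings = []
    for action, fields in s_forms.items():
        extra = (fields - g_forms.get(action, set())) & SENSITIVE_FIELDS
        if extra:
            findings.append(f"form {action!r} asks for extra sensitive field(s): {sorted(extra)}")
    for addr in sorted(s_addrs - g_addrs):
        findings.append(f"bitcoin address {addr} is not on the genuine page")
    for addr in sorted(g_addrs - s_addrs):
        findings.append(f"genuine address {addr} is missing from the suspect page")
    return findings


if __name__ == "__main__":
    for line in compare(GENUINE_HTML, SUSPECT_HTML):
        print(line)
```

In practice the trusted copy comes from the market's own announced address (or a PGP-signed mirror list), and the suspect copy from whatever link a wiki or search page handed you; a clean run returns no findings, and any address finding is worth treating as a phishing mirror rather than a stale cache.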

Oh, but where can you find reliable onion sites and links? On the Wikipedia article ‘List of Tor Hidden Services’ of course, mostly populated by me.
