Onion.rent

Malicious. Lazy. Somehow successful.

Onion.rent, the older sibling of “onion.top,” is more annoying than many other proxies combined. Unlike many of the other servers mentioned in this list, onion.rent is not particularly interested in tracking your every move. Instead, since the very inception of onion.rent, onion.top, and other members of the same family, the actors behind the proxies have relentlessly targeted users of the Dream darkweb marketplace. The owner(s) earn tens of thousands of dollars every month with one simple trick™.

They own so many of the DeepDotWeb clones that their numbers game has fully paid off. They are sitting on hundreds of darkweb-related domain names. Probably half of their total domain collection is dedicated to domains that fit the “typosquatting” definition. For example, DeepDoWeb.com (notice the lack of a “t” between the “o” and the “w”) is actually used as one of the primary phishing clones, and their other sites with similar typos just proxy content from DeepDoWeb.com.

When you visit the DeepDotWeb onion site (deepdot35wvmeyd5.onion) via onion.rent, you are fed a page that looks almost identical. Lately the clone has been a few articles behind. It does not take long for anyone with experience on both the real version and the onion.rent version to realize something is screwed up. And it is; on the real onion, when you access the market directory list, clicking on the title of a darkweb marketplace opens a page with links and site information. Clicking on the Dream darkweb market listing on the onion.rent version of the DeepDotWeb hidden service automatically redirects users to a Dream market address.

2pjwzzms2yqlrkhp.onion is surprisingly a real Dream Market address

Given the onion.rent operator’s history with Dream, one might expect that the redirected Dream address was not an official Dream link. Oddly enough, the link was (and still is) an official link that anyone can confirm against SpeedStepper’s public key. The address is the “2pjwzzms2yqlrkhp.onion” address (archive). Furthermore, Dream is completely accessible and usable through onion.rent.

On the surface, the proxied Dream Market works as it should. But it only almost works correctly. Dream Market provides customers with new Bitcoin addresses for making deposits on the market. Here is what that looks like to someone visiting the Bitcoin wallet settings panel on the market:

And, for paranoid customers, Dream provides a method through which a Bitcoin address can be linked to the user’s account. Just as it offers verification of Dream market onion addresses, Dream market provides a similar service for Bitcoin addresses. Here is what one looks like:

Wait… The two addresses don’t match…

The screenshots above were taken only 30 seconds apart yet something very important changed. The address (censored) in the signed PGP message does not match the address from the page only one click away. Fluke? Nope. I double-checked it and then started monitoring the address changes over time. The operators of onion.rent and related proxies are making some serious money.
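
The comparison described above can be automated. The following is an added example, not code from the original article: it extracts the address from a clearsigned message and checks it against the address rendered on the page. It assumes the signature itself has already been verified with GnuPG against the signer's known public key; the function names, the account name and the sample addresses are constructed for illustration.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")  # legacy formats only

def _dsha(b):
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def b58check_encode(payload):
    raw = payload + _dsha(payload)[:4]
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def b58check_valid(addr):
    """True if addr decodes to 25 bytes ending in a correct 4-byte checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\0" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(raw) == 25 and _dsha(raw[:-4])[:4] == raw[-4:]

def signed_text(clearsigned):
    """Body of an OpenPGP cleartext-signed message, dash-escaping removed."""
    m = re.search(r"-----BEGIN PGP SIGNED MESSAGE-----\r?\n(?:[^\r\n]+\r?\n)*\r?\n"
                  r"(.*?)\r?\n-----BEGIN PGP SIGNATURE-----", clearsigned, re.S)
    if not m:
        raise ValueError("not a clearsigned message")
    return "\n".join(l[2:] if l.startswith("- ") else l
                     for l in m.group(1).splitlines())

def compare(page_text, clearsigned):
    """'match', 'mismatch' or 'no-address' for page vs. signed address."""
    find = lambda t: {a for a in ADDR_RE.findall(t) if b58check_valid(a)}
    shown, signed = find(page_text), find(signed_text(clearsigned))
    if not shown or not signed:
        return "no-address"
    return "match" if shown == signed else "mismatch"

# Constructed sample data: b58check_encode builds addresses from made-up hashes.
REAL = b58check_encode(b"\x00" + bytes(range(1, 21)))
SWAPPED = b58check_encode(b"\x00" + bytes(range(21, 41)))
MSG = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
       f"Deposit address for example_user: {REAL}\n"
       "-----BEGIN PGP SIGNATURE-----\n(constructed)\n-----END PGP SIGNATURE-----\n")
```

A `mismatch` result on a message whose signature verifies means the page content was altered somewhere between the signer and the browser, which is the situation the two screenshots show.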