The takedown of three major Dark Web markets by law enforcement officials over the summer has driven many vendors of illegal products to set up their own shops that, in many cases, are not properly configured and are leaking the underlying server's IP address.
In case of Dark Web portals, leaking the real-world IP address means law enforcement can move in, seize the server, and possibly track down the illegal shop's owner and much of his clientele.
Over the past two months, one security researcher, in particular, has been quite efficient at finding Dark Web shops festering with criminal activity that are also leaking their real IPs.
Going online by the pseudonym of Sh1ttyKids, the researcher's latest victim is a cannabis-selling shop named ElHerbolario, which he tracked down to two Dutch IP addresses (188.8.131.52 and 184.108.40.206) that were being used by BlazingFast, a well-known bulletproof hosting company operating out of Ukraine.
With the information the researcher made public, Dutch authorities can now physically seize the server from the data center where that particular machine is running, and analyze its data, tracking down customers and sharing information with other law enforcement agencies across the world
Two weeks before tracking down ElHerbolario, at the end of October, the researcher found an IP leak for the Italian Darknet Community (IDC), a hacking forum for Italian-speaking users.
According to the researcher, that IP address —220.127.116.11— led back to a web host in Moldova, which the researcher said he reported to authorities.
Another case that Sh1ttyKids tracked down is of a Dark Web portal named "DrugStore by Stoned100," a site that was selling a large collection of illegal products such as amphetamine, ecstasy, hash, MDMA, sildenafil, weed, and even ransomware.
The site was running a vanilla WordPress install, leaked its IP, and even exposed database backup files, allowing access to copies of its database with one click.
Before DrugStore, the researcher told Bleeping Computer that he also tracked down a Dark Web portal that was selling performance-enhancing drugs to an IP address based in Ukraine —18.104.22.168.
Human error to blame in all cases
"It is the administrator's mistake that the IP is leaking," Sh1ttyKids told Bleeping Computer in a private conversation.
The researcher's assessment is dumbfounding if we take into account that there are dozens of automated server setup scripts that can than install a web server for Tor-based usage, automated scripts that remove information that can lead to IP leaks.
In all cases, the researcher used small details, like an onion site's unprotected SSH fingerprint, to track down the real-world server and its IP address using search engines like Shodan or Censys.
Sh1ttyKids' technique is simple and is easy to defend against by an experienced web server administrator. The catch is that none of the people running these newly set up (and IP-leaky) Dark Web portals are an "experienced web server administrator."
Those three portals were run by experienced coders who provided a point-and-click interface for vendors to set up merchant profiles and sell their illegal products.
Once these markets went down, many of these vendors were left with stockpiles of product they had to sell and no place where to sell it.
Some vendors moved to competitors like Dream Market, Valhalla, or Wall Street Market, others started selling products via Telegram channels or XMPP spam, but some decided to set up their own onion sites.
Without the proper skills to secure their shops, these latter crooks are now the easy prey of researchers investigating the Dark Web —like Sh1ttyKids— and law enforcement agencies, who for the past year have been prioritizing going after criminals active on the Dark Web and have far more time and resources on their hands compared to lone security professionals.