In the aftermath of the shuttering of the notorious black market Silk Road, the race has been on to fill the multi-million dollar hole left in the underground online drug trade. One of the most established of these sites is Black Market Reloaded, where thousands of users trade drugs anonymously—they think. But here's some bad news for Black Market buyers and sellers: Black Market Reloaded has experienced a serious security breach, which allowed BBC journalists to easily identify a number of buyers and sellers on the site.
Researchers with the BBC investigative news show Newsnight identified three users of Black Market Reloaded (BMR), using a leaked database of usernames and email addresses. These include a fisherman in California selling around $1 million worth of marijuana per year, a British man selling credit card details and counterfeit money, and a user from Norway who appeared to have bought links to child porn. According to Newsnight, these users had unwisely registered for Black Market Reloaded using emails they'd also used on social media sites.
Though the Newsnight program just aired, the data breach that allowed them to identify BMR users occurred in October of this year. It was big news on the Dark Net when it happened. Black Market Reloaded's anonymous founder, backopy, initially said the breach, which was disclosed on a German hacker forum, was so severe he'd have to close down. Just a couple days later he reversed course and reopened, saying that the leak was not as serious as he'd first thought.
Like Silk Road, BMR uses the Tor Network and Bitcoins to provide anonymity to its users. Even before Silk Road was taken down, Black Market Reloaded was booming. In March, it announced it was doing $400,000 per month in sales. As of last month, Black Market Reloaded had over 300,000 registered users, according to Newsnight, and was gaining users at the rate of 2,000 per day. But the new BBC report suggests even technical tricks can't keep these users safe, especially if they're sloppy with security.
"Black Market users are, in aggregate, not that careful," an independent researcher who goes by the name Gwern and has followed the rise and fall of Silk Road and online drug markets closer than pretty much anyone, told me in an IRC chat. Even Silk Road's proprietor, Dread Pirate Roberts, made dumb mistakes that helped authorities pin the unassuming San Francisco geek Ross Ulbricht as the alleged mastermind.
In the wake of Silk Road's downfall, media reports have hyped the explosion of alternatives. But the breach underscores growing concerns about the security of these "new Silk Roads." Black Market Reloaded "is fucked," Gwern told me. Last month, Gwern bet over $800 worth of Bitcoins that Black Market Reloaded would be shut down within six months. Black Market Reloaded, he wrote on Reddit, "has been marked by a pattern of arrogance, technical incompetence, dismissal of problems, tolerance for sellers keeping buyer addresses & issuing threats, astounding tolerance for information leaks… etc." (Nobody took him up on the offer.)
Gwern is convinced that Black Market Reloaded, like Silk Road before it, has been infiltrated by law enforcement. "It's been around so long that the investigation should be maturing soon," he told me. "They haven't talked about any infiltration… which means they've probably been infiltrated but don't realize it yet." He added: "And their coding is pretty bad." Another major Silk Road replacement, Sheep Marketplace, isn't any better, Gwern said.
A reboot of Silk Road has been getting a lot of attention as well, and Gwern is a bit more optimistic. "[Silk Road 2] seems secure, but we won't really know for years," Gwern said. After all, Gwern pointed out, the Black Market Reloaded leak only occurred three years after its launch. Traffic at your own risk.