To start, I would like to make this clear to everyone involved that Silk Road does not have malicious intentions or an anti-competition attitude; we actually require competition to keep us motivated and for the diversity of the network, but in order to fulfill that function the competition must be a safe one which does not put people in harm's way or subject to possible exploit. This post I hope will demonstrate to you why claims a market makes do not correlate to the true story and we would like to demonstrate this with Tormarket.

At this moment in time, I also want to clarify in light of recent events the full disclosure everyone deserves to know. This investigation started under the suspicion that Tormarket was behind the ongoing DDoS against Silk Road but has since taken another turn when we looked below the surface a little more. I have no conclusive proof Tormarket did or did not order the DDoS currently hitting us and personally I don't believe I ever will, so I won't go on about this much more as it is actually not something that matters any more since we are definitely en route to fixing it if you have watched our recent developments, but over Tor such attacks are not trivial to correct.

All of this is done in the name of safety and I hope the owners of Tormarket can take this seriously, go away and rethink their strategies because as I will discuss later we didn't even put much effort into extracting this data.

To take it from the home page of Tormarket, I wish to publicly overturn the rumors and falsehoods of some of the below:

Common sense - I will allow that to pass as a subjective matter and how they wish to operate their market is none of my business.
Competent operators - again it would depend on your individual definition of that.
Secure codebase - let us put that to the test.

One of the most valuable pieces of any website is the database.
It controls so many parts of the site and without it there could be no effective market, so we started trying to extract the information from that. Surprise surprise, it didn't take long to grab the structure:

Now we've had a sneak peek at their table structure, it was decided to have a trawl through the messages that vendors had sent to customers. We will list a little segment below, some vendors here might recognize their own messages with of course sensitive information removed from below.

Then an order note which was from a buyer to a vendor, we'll keep this very select for obvious reasons:

Worried? So were we. Up to this point we weren't looking for any kind of mass data extraction, but in the interest of ensuring the users of Tormarket are safe, we had to do it anyway. The summary of some of the data we went through was to see who the top buyers were, something of equal interest to law enforcement as vendors except it is more likely a buyer will have leaked personal information on the site than a vendor. So who are the top buyers:

So user icq has the highest amount of products purchased. We investigated a little further to see precisely what he bought (and we could do this for every buyer I would like to point out):

Somebody tell him you don't need to pay these days. Let's try another (jackcubrick):

So can this extraction be scaled up to getting entire lists of users? Well we found out:

Well let us put this forward as a simple notion. All of the above was gathered without us resorting to fancy trickery or advanced web hacks or 0-day exploits, it was something most clearnet websites run in an automated test and don't expect to find it to pull anything. It is so simple I could actually teach the masses (very easily) how to conduct their own data gathering using some of the techniques we used and still we haven't even explored the more advanced ones as we know we already have the information in front of us.
This kind of attack shouldn't even work against the most primitive database driven systems, let alone an online black market, and absolutely anyone can do it. If law enforcement are watching I would have no doubt they found this long before us.

The observant among you have noticed by now we haven't exposed addresses yet that are on the database table above - I trust I don't need to dox somebody to prove my point right now and so I won't be posting any dox and nor shall I ever, we deleted that information from our records when we saw it as it is outrageous. We tested Tormarket and found yes there is JavaScript on the page and sometimes it refuses to accept plaintext addresses, but the fact there are plaintext addresses in that database only concludes it is not effective at filtering addresses and in my opinion decreases security by taking the responsibility away from the user - the alternate explanation of this is that plaintext addresses are being kept as well as an encrypted form which is presented to vendors, but the whole topic of saving addresses I won't delve into further.

Do we have more data than the above? Yes. Significantly more, but I will only do harm by publishing more so I will leave this case study with you, the users of Tor and our spectators: do you believe that Tormarket has a secure codebase, or is it just another claim like the many others who have a "secure" reputation because they just haven't been hacked yet?

Dread Pirate Roberts