
TradeRoute Market Issues Security Fix After $100k Theft

On August 8, a user created a thread on the TradeRoute marketplace forums. The user requested that the TradeRoute administration examine a “strange” listing. The listing was for a “small house for children.” It was strange for several reasons. The first was the number of vendor accounts that someone had created in order to do something “sketchy.” One user noticed that many of these vendor accounts shared PGP keys. All of the accounts had multi-thousand dollar transactions and reviews.

And second, several days before the listings popped up (or someone noticed them), another user posted on Reddit about accidentally receiving two withdrawals instead of one. The poster had only been debited for the first one. Other users commented on the post, and some mentioned being able to exploit that vulnerability at will. The post creator or administrators removed that post, according to another recent post questioning the ordeal. (I too came up empty-handed after a brief search.)


TradeRoute forum user KnockTurnal had recently seen the “strange” listing and also found it “odd.” The user said that the situation would not be so odd if the listing and account existed in a singular quantity. “BUT there’s a lot of them,” KnockTurnal wrote. “Each one has a purchase with feedback of like $7,500 each one.” The user continued, “I also want to see how or why this happened as […] the amount of money needed for a troll to do this doesn’t seem real.”

On the TradeRoute forums, an admin commented with answers to the community’s questions.

“Administrator” wrote:

Hello,

Yes, that was a vulnerability, a user found an intricate way to steal funds from us and he used multiple vendor accounts and those listings to steal. He went away with around 100k$, we’ll take this as a loss. We already released the patch and moved on.

The damage that can be done by robberies in TR is very limited as our hot wallet is very small, rest assured that 95% of the funds are always safely stored in cold wallets. Also multisignature or security escrow transactions are totally safe, this only could affect the normal escrow balance.

It’s sad to see this happening but there’s a lot of hackers and thieves focused on darknet markets. We are doing our best to keep the market updated and bug-free.

Best regards!

TradeRoute had apparently announced a bug bounty akin to the bug bounty of the former Hansa market or current Dream market. The unofficial TradeRoute account later deleted the post. No current mention of the bug bounty is available. In fact, Reddit users indicated that pentesters treated the market’s hot wallet as the reward for the bug bounty. The new TradeRoute Reddit account chimed in and announced that the bug bounty post was unaffiliated with the actual marketplace. Soon after, the unofficial marketplace account deleted the post.


The majority of vocal users seemed content with the TradeRoute response regarding the theft/hack. Some thanked the admin for honesty in a situation where other marketplace admins would not have been so honest. Others were content that they received a response from someone at TradeRoute at all. Hacks either push admins to harden their market or push admins to disappear in the night. TradeRoute has yet to disappear.

3 comments

  1. What, no honor among thieves? I am shocked.

  2. Where can I see a screenshot of the listing? For posterity’s sake…

  3. TradeRouteModerator

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    Since this article used my old TR mod name I figured I would give people an update.
    That random username is no longer mine as reddit mod. Now my username is:
    TradeRouteModerator

    You can validate this for yourself by checking the status of TR on the superlist here:
    https://www.reddit.com/r/DNMSuperlist/wiki/superlist#wiki_trade_route

    The superlist also tells you our ONLY official subreddit locations. Please do not trust subreddit admins that do not have their subreddit listed here!

    Also, if there are any messages that appear here with my username that do NOT come signed with this PGP key they are impostors. Thank you.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1

    -----END PGP SIGNATURE-----
