Dark Web Escrow Service Explained


gAtO FoUnD - this dark marketplace website, Nucleus, explains its escrow service policy, and I wanted to pass it along so we can all learn how the dark plays. Now remember that this is only one dark website’s version. Each marketplace has a different version and flavor of its escrow policy. Bottom line: you’re trusting two unknown people and Bitcoin transactions are final – so think and learn. Another marketplace, Evolution, closed down with 12 million in Bitcoin escrow and the admin disappeared – happily ever after. - gAtO OuT

Okay, there seems to be an insane amount of bad finalizing practices on the market – let’s lay this out.

Escrow – You give your money to a 3rd party (Nucleus) – This proves to the vendor you have the funds available, they ship product. You receive the item, and when you finalize, Nucleus gives your funds to the vendor. You prove you have money, vendor proves they have product, Nucleus proves the transaction was agreed to and turns the money over.

In the event of a dispute where escrow is involved, Nucleus agrees to mediate, acting as an unbiased 3rd party. If the vendor can prove they sent the product through tracking information or some other means, or offers a reshipment which you choose to accept, etc., Nucleus releases the funds to the Vendor. If the Vendor cannot prove they shipped the product, or no remedy is found to the customer’s dispute, the funds are returned to Customer.
Nucleus also offers a percentage based refund, where the customer can ask for a smaller portion of the price returned. This is useful for situations where for example a customer places an order for 50 units of an item and only 25 units are delivered, etc. – In the example here, the customer would ask for a 50% refund.

To prevent vendors waiting an excessively long time for funds if a customer should fail to log on or forget to finalize, Nucleus provides a timer on each order which releases the funds to the vendor when it runs out. The customer should note this timer, or auto-finalize feature, and take measures to file an appropriate dispute before it expires. Often, the mail runs slow, and vendors usually like to be optimistic in their advertising, so occasionally the timer will run out before a product has arrived, despite the vendor having actually sent the product. In these cases, the customer can send an order to reclamations by filing a dispute, which will stop the autofinalize timer until the product arrives. When the product arrives, the customer should select 0% in the refund request field, and the vendor will accept this offer releasing the funds.

FE or Finalize Early – You release the funds directly to the vendor, the vendor ships the product. Nucleus is not holding your money in escrow, therefore, in the case of a dispute, a refund is asked directly from the vendor. Vendors often have legitimate reasons for needing the money before delivery, including but not limited to:
-Customer wants more of a product than is readily available on hand, but the vendor can easily and reliably obtain that amount of product if provided the funds.
-Vendor has an arranged middle-man product with another vendor. Typically, vendors are able to move product at a faster rate than normal customers, so vendors will work out a mutual agreement amongst each other to provide a discount for driving referral business.
-Order is deemed by vendor to be excessively risky due to international shipments, customs, etc. In this instance, vendors inform the customer of the risks involved and usually agree to keep and share tracking information with the customer.
Often, vendors will offer extra products or discounts for early finalization.

In the event of a dispute where escrow is NOT involved, Nucleus is not liable or required to provide mediation for the dispute, and the customer should address the issue with the vendor directly. HOWEVER. The customer SHOULD report any failure to deliver product to Nucleus staff, because if a pattern of failure to deliver, bad information, etc. begins to appear, Nucleus staff can take appropriate measures to remove the repeat offender from the market.

It is VERY important that customers fully understand their agreement with the vendor and Nucleus, and take appropriate measures to protect their money and not get ripped off. Due to the anonymous nature of the darknet, there is very little culpability or repercussions for scamming innocent people. Scammers are here to mislead and deceive, and will take your money without thinking twice, and if you have released the funds to the vendor, Nucleus will not be able to help you get them back.


Tracking Bitcoins in the Dark Web

Tracking Bitcoins – Notes: Follow the Money //-Bitcoin 

gAtO lOoKiNg - at what data points I need to track Bitcoin transactions in the Dark Web to find answers. These are my notes on just one website. If I track the transactions backwards I can find donors and people paying for their service, malware and other such crimes; if I take the transactions forward in time I can find the main wallets that the bad guys use, and who knows – just 1 mistake and we have an IP address to track the wallet. I only tracked this a few levels and found 2 large wallets that they use, and they are very active. I have my own blockchain tool, but blockchain.info will do; chain.com or blockexplorer.com will give you the same answers – I’d rather keep my queries private, so I have my own blockchain tool. Next comes using visualization tools to map this out graphically for a better view. This is for education and research purposes – gAtO oUt

My target is a Russian site called Rutor – forum type

Data Points:

Incoming: Timestamps – Transactions – Total Received – Final Balance – Hash 160

Outgoing will track the big wallets:

Outgoing: Timestamps – Transactions – Total Received – Final Balance – Hash 160

Forward Taint Analysis – Branch

Bitcoin mapped to the Dark Web


It has a donation Bitcoin address – 1E7JXT4jVJxdED9B2XDcGXk3CKvfjkypvM – so I tracked it down and found that it sent MOST of its donations to 1Boerin5zj8LvC25ehNTDRGsD3ybF2TUA5. Now when I track that one down, it’s looking like a major Russian site with over 155 Bitcoins; 2-28-2015 was the last transaction.

Now we can focus on 1Boerin5zj8LvC25ehNTDRGsD3ybF2TUA5, look at all its transactions, and plot all incoming and all outgoing; this will give us targets to follow the major bad actors. Now we can focus on WHO they SENT their funds to and WHO DONATED to them. But we backtrack one more layer and find that they sent a lot to this wallet address:

1NtHN8Tx7MSGZ3XNx5iyNSRqsmQVnb3Ab6 —7,204 transactions 2015-03-03 17:06:41    – 2014-08-06 15:22:59

They still have other wallets – 1GJq5nqAgZDDM3rWfobhJXDf1AEQtkYEPz –   34 transactions

Address 1NtHN8Tx7MSGZ3XNx5iyNSRqsmQVnb3Ab6
Hash 160 f00d8406e59a45ab7e97c0b04db7f9429ebb301d
No. Transactions
Total Received 2,080.69607184 BTC
Final Balance 304.3742092 BTC

russian Rutor  – http://xuytcbrwbxbxwnbu.onion/forums/

Main Bitcoin Address 1E7JXT4jVJxdED9B2XDcGXk3CKvfjkypvM

Address 1E7JXT4jVJxdED9B2XDcGXk3CKvfjkypvM
Hash 160 8fcac294e22adeae7593423548491f35898b09f2
No. Transactions 19
Total Received 1.63527533 BTC
Final Balance 0.00080742 BTC

Forward Taint Analysis 1E7JXT4jVJxdED9B2XDcGXk3CKvfjkypvM
Reversed Taint is the % of funds sent from an address which passed through another address.

This page shows the addresses which have received bitcoins from 1E7JXT4jVJxdED9B2XDcGXk3CKvfjkypvM. The greater the taint the stronger the link between the addresses.
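An added example (not code from these notes or from blockchain.info) of the forward analysis described above: it computes, for each downstream address, the percentage of the funds sent by a source that passed through it. The ledger is constructed, the labels stand in for addresses, and the proportional ("haircut") mixing rule is an assumption, not blockchain.info's algorithm.

```python
from collections import defaultdict
from decimal import Decimal as D

# Constructed ledger, oldest first. Labels stand in for addresses; this is
# not chain data. Amounts are BTC; any fee carries away its share of taint.
TXS = [
    {"ins": {"donation": D("1.1")},
     "outs": {"hop_a": D("0.6"), "hop_b": D("0.4"), "donation": D("0.1")}},  # 0.1 = change
    {"ins": {"unrelated": D("1.4")}, "outs": {"hop_a": D("1.4")}},           # clean funds mix in
    {"ins": {"hop_a": D("1.0")}, "outs": {"big_wallet": D("1.0")}},
    {"ins": {"hop_b": D("0.4")}, "outs": {"big_wallet": D("0.3"), "cashout": D("0.1")}},
]


def forward_taint(txs, source):
    """Return {address: % of the funds sent by `source` that passed through it}.

    Assumed model (haircut): when an address spends, the spent coins carry the
    same tainted fraction as the address balance at that moment.
    """
    balance = defaultdict(D)   # value seen arriving at an address, minus spends
    tainted = defaultdict(D)   # part of that balance traced back to `source`
    passed = defaultdict(D)    # cumulative tainted value received per address
    sent = D(0)                # net value the source paid out (change excluded)

    for tx in txs:
        total_in = sum(tx["ins"].values(), D(0))
        if total_in == 0:
            continue
        tainted_in = D(0)
        for addr, value in tx["ins"].items():
            if addr == source:
                tainted_in += value
                sent += value
                continue
            # History may be incomplete: only the part of the spend covered by
            # the recorded balance can carry taint, the rest is treated as clean.
            known = min(value, balance[addr])
            share = known * tainted[addr] / balance[addr] if balance[addr] else D(0)
            balance[addr] -= known
            tainted[addr] -= share
            tainted_in += share
        ratio = tainted_in / total_in
        for addr, value in tx["outs"].items():
            if addr == source:
                sent -= value * ratio      # change returning home was never sent
                continue
            balance[addr] += value
            tainted[addr] += value * ratio
            passed[addr] += value * ratio

    if sent <= 0:
        return {}
    return {a: (v / sent * 100).quantize(D("0.0001"))
            for a, v in passed.items() if v > 0}


def strongest_links(txs, source, n=3):
    """Addresses ranked by taint, highest first (ties broken by name)."""
    ranked = sorted(forward_taint(txs, source).items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:n]


if __name__ == "__main__":
    for addr, pct in strongest_links(TXS, "donation", n=10):
        print(f"{addr:12s} {pct}%")
```

In the sample, `big_wallet` reaches 60% through two separate paths even though half of what came through `hop_a` was diluted by unrelated funds, which is why the percentages across a table of this kind do not add up to 100.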


Forward Taint Analysis 1Boerin5zj8LvC25ehNTDRGsD3ybF2TUA5
Reversed Taint is the % of funds sent from an address which passed through another address.

This page shows the addresses which have received bitcoins from 1Boerin5zj8LvC25ehNTDRGsD3ybF2TUA5. The greater the taint the stronger the link between the addresses.



Bitcoin Address Addresses are identifiers which you use to send bitcoins to another person.

Address 1Boerin5zj8LvC25ehNTDRGsD3ybF2TUA5
Hash 160 7683fe644e422fb5eb188f4b5f88acf8c22609dc
No. Transactions
Total Received 153.42158471 BTC
Final Balance 0.00000001 BTC



Dark Web Bitcoin and other nasty stuff


gAtO bEeN - analyzing my Dark Web data and it’s worse than ever. Besides the usual crap like human sex slaves, drugs and guns, there seem to be a lot of newer sites that look like terrorist sites, some preaching and asking for donations, and of course Bitcoin is the currency of the Dark Web.

Of course there are some sites that are a joke and look like a government operation gone sour. I am sure they will catch small wannabe script kiddies, but the real treasure is in other sites that are linked from these terrorist sites, which require login information and offer no way to register. But some of the paste sites reveal it’s pretty easy to gain access via others who can vouch for you. The good part is I found a way to code my login info into my crawlers, so this is going to be my next target.

Monitoring the dark web:

  • Mapping the hidden services directory by deploying nodes in the distributed hash table (DHT);
  • Customer data monitoring by looking for connections to non-standard domains;
  • Social site monitoring to spot message exchanges containing new dark web domains;
  • Hidden service monitoring of new sites for ongoing or later analysis;
  • Semantic analysis to track future illegal activities and malicious actors; and
  • Marketplace profiling to gather information about sellers, users and the kinds of goods exchanged.

The funny part is you’ve been hearing about the DARPA Memex dark web tool and that all LE are using it, so how come Law Enforcement allows these terrorist sites and these children sex slave sites to function? I found over 22,000 Bitcoin addresses, so it should be easy to start to map these and try to follow the Bitcoin to the bad guys. I’m sure some are using full-node Bitcoin wallets and it’s pretty easy to match it to an IP address. So why do Memex and LE allow this?

From a year ago when I last crawled the Dark Web I can see that a few sites have been taken down by DOJ – good for them – but new ones pop up in a New York minute and they keep operating normally. Of course they have to re-brand and get the new .onion URL out on paste sites and BB sites.

I am cleaning up my 400,000 URLs and will start to crawl by next week – if I got 400k from just 17k sites, this new crawl should deliver millions of new Dark Web sites – and so the fun begins – gAtO OuT


Bitcoin in the Dark Web

Bitcoin in the Dark Web – Digital Underground

gAtO wAs – asked to check the Dark Web (Tor-i2p) with my Artemis Tor-i2p search engine to see how Bitcoin is doing, and the answer was shocking. I dug around and got a base of 2,000 Tor URLs; out of those, 1,400 were OK, and I came back with 17,000 new URLs from this first run. Just checking keywords, Bitcoin got the biggest hits, followed by CC (credit cards) and other stolen goods and services.

Where the Dark Web was more about porn a year ago, it has changed direction and has become a Bitcoin value transfer network for any information you are looking for, and the transactions are all Bitcoin now. As we’ve seen, the white-collar world’s adoption of Bitcoin in the clear web has made it more powerful in the Dark Web. More stolen property, more coin mixers, and not only Bitcoin but Litecoin and DogeCoin are becoming more popular for trading in goods and services.

As the DOJ has shut down Silk Road and other drug sites, new ones have popped up, but the thing I’ve seen the most from my crawlers is that more and more trades of goods and services have gone to Bitcoin exclusively as the currency of the Dark Web. Security of transactions is becoming more complex, with escrow services popping up all over the place and even Dark Banks for your Bitcoins and wallets.

We are planning a big sweep of the Dark Web, 10 crawls (a total of up to 5 million Dark Web URLs and website content), for any and all Bitcoin addresses, and will then use my newly designed Blockchain tools to look at all the Bitcoin transactions and see if we can follow the money to an IP address of the bad guys. Hopefully this will open new ways of finding Bitcoins in the Dark Web and help LE get the bad guys. – gAtO OuT


Bitcoin and Tor Support


It is possible to run Bitcoin as a Tor hidden service, and connect to such services.

The following directions assume you have a Tor proxy running on port 9050. Many distributions default to having a SOCKS proxy listening on port 9050, but others may not. In particular, the Tor Browser Bundle defaults to listening on a random port. See Tor Project FAQ:TBBSocksPort for how to properly configure Tor.

1. Run bitcoin behind a Tor proxy

The first step is running Bitcoin behind a Tor proxy. This will already make all outgoing connections be anonymized, but more is possible.

-socks=5        SOCKS5 supports connecting-to-hostname, which can be used instead
                of doing a (leaking) local DNS lookup. SOCKS5 is the default,
                but SOCKS4 does not support this. (SOCKS4a does, but isn’t

-proxy=ip:port  Set the proxy server. If SOCKS5 is selected (default), this proxy
                server will be used to try to reach .onion addresses as well.

-onion=ip:port  Set the proxy server to use for tor hidden services. You do not
                need to set this if it’s the same as -proxy. You can use -noonion
                to explicitly disable access to hidden service.

-listen         When using -proxy, listening is disabled by default. If you want
                to run a hidden service (see next section), you’ll need to enable
                it explicitly.

-connect=X      When behind a Tor proxy, you can specify .onion addresses instead
-addnode=X      of IP addresses or hostnames in these parameters. It requires
-seednode=X     SOCKS5. In Tor mode, such addresses can also be exchanged with
                other P2P nodes.

In a typical situation, this suffices to run behind a Tor proxy:

./bitcoin -proxy=

2. Run a bitcoin hidden server

If you configure your Tor system accordingly, it is possible to make your node also reachable from the Tor network. Add these lines to your /etc/tor/torrc (or equivalent config file):

HiddenServiceDir /var/lib/tor/bitcoin-service/
HiddenServicePort 8333
HiddenServicePort 18333

The directory can be different of course, but (both) port numbers should be equal to your bitcoind’s P2P listen port (8333 by default).

-externalip=X   You can tell bitcoin about its publicly reachable address using
                this option, and this can be a .onion address. Given the above
                configuration, you can find your onion address in
                /var/lib/tor/bitcoin-service/hostname. Onion addresses are given
                preference for your node to advertize itself with, for connections
                coming from unroutable addresses (such as, where the
                Tor proxy typically runs).

-listen         You’ll need to enable listening for incoming connections, as this
                is off by default behind a proxy.

-discover       When -externalip is specified, no attempt is made to discover local
                IPv4 or IPv6 addresses. If you want to run a dual stack, reachable
                from both Tor and IPv4 (or IPv6), you’ll need to either pass your
                other addresses using -externalip, or explicitly enable -discover.
                Note that both addresses of a dual-stack system may be easily
                linkable using traffic analysis.

In a typical situation, where you’re only reachable via Tor, this should suffice:

./bitcoind -proxy= -externalip=57qr3yd1nyntf5k.onion -listen

(obviously, replace the Onion address with your own). If you don’t care too much about hiding your node, and want to be reachable on IPv4 as well, additionally specify:

./bitcoind … -discover

and open port 8333 on your firewall (or use -upnp).

If you only want to use Tor to reach onion addresses, but not use it as a proxy for normal IPv4/IPv6 communication, use:

./bitcoin -onion= -externalip=57qr3yd1nyntf5k.onion -discover
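
A check for the setup described above, as an added example (not part of the Bitcoin documentation quoted here): it audits a torrc and a bitcoind command line for the points the text makes about matching ports, the hostname file, -listen behind a proxy, and dual-stack linkability. The proxy address 127.0.0.1:9050, the 8334 typo and all function names are assumptions made for the example.

```python
import shlex

DEFAULT_P2P_PORTS = {8333, 18333}   # the two ports in the page's torrc lines

# Constructed sample inputs. The onion name is the placeholder used on the page;
# 127.0.0.1:9050 is an assumed local Tor SOCKS address, and port 8334 is a
# deliberate mistake for the audit to catch.
WEAK_TORRC = """\
HiddenServiceDir /var/lib/tor/bitcoin-service/
HiddenServicePort 8333
HiddenServicePort 8334   # typo: does not match bitcoind's P2P port
"""
GOOD_TORRC = """\
HiddenServiceDir /var/lib/tor/bitcoin-service/
HiddenServicePort 8333
HiddenServicePort 18333
"""
HOSTNAME_FILE = "57qr3yd1nyntf5k.onion\n"
WEAK_CMD = "./bitcoind -proxy=127.0.0.1:9050 -externalip=57qr3yd1nyntf5k.onion -discover"
GOOD_CMD = "./bitcoind -proxy=127.0.0.1:9050 -externalip=57qr3yd1nyntf5k.onion -listen"


def hidden_service_ports(torrc_text):
    """Virtual ports of every HiddenServicePort line (comments stripped)."""
    ports = []
    for raw in torrc_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0].lower() == "hiddenserviceport":
            ports.append(int(fields[1]))
    return ports


def parse_options(cmdline):
    """Map bitcoind option name -> list of values ('' for a bare flag)."""
    opts = {}
    for token in shlex.split(cmdline)[1:]:
        if token.startswith("-"):
            name, _, value = token.lstrip("-").partition("=")
            opts.setdefault(name, []).append(value)
    return opts


def enabled(opts, name):
    """True when a boolean flag is present and not set to 0."""
    return name in opts and opts[name][-1] != "0"


def audit(torrc_text, hostname_file, cmdline):
    """Return a list of findings; an empty list means no issue was found."""
    opts = parse_options(cmdline)
    findings = []
    expected = {int(opts["port"][-1])} if "port" in opts else DEFAULT_P2P_PORTS
    for port in hidden_service_ports(torrc_text):
        if port not in expected:
            findings.append(f"HiddenServicePort {port} is not a bitcoind P2P port")
    external = opts.get("externalip", [])
    onions = [a for a in external if a.endswith(".onion")]
    if onions and hostname_file.strip() not in onions:
        findings.append("-externalip does not match the hidden service hostname file")
    if onions and "proxy" in opts and not enabled(opts, "listen"):
        findings.append("-proxy turns listening off; add -listen for inbound onion peers")
    if onions and (enabled(opts, "discover") or len(onions) < len(external)):
        findings.append("dual stack: onion and IP addresses may be linkable")
    return findings


if __name__ == "__main__":
    for label, torrc, cmd in (("weak", WEAK_TORRC, WEAK_CMD), ("good", GOOD_TORRC, GOOD_CMD)):
        print(label, audit(torrc, HOSTNAME_FILE, cmd))
```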


Tor Traffic Confirmation Attack

Tor Traffic Confirmation Attack -Roger Dingledine Report
  On July 4 2014 we found a group of relays that we assume were trying
  to deanonymize users. They appear to have been targeting people who
  operate or access Tor hidden services. The attack involved modifying
  Tor protocol headers to do traffic confirmation attacks.

  The attacking relays joined the network on January 30 2014, and we
  removed them from the network on July 4. While we don't know when they
  started doing the attack, users who operated or accessed hidden services
  from early February through July 4 should assume they were affected.

  Unfortunately, it's still unclear what "affected" includes. We know
  the attack looked for users who fetched hidden service descriptors,
  but the attackers likely were not able to see any application-level
  traffic (e.g. what pages were loaded or even whether users visited
  the hidden service they looked up). The attack probably also tried to
  learn who published hidden service descriptors, which would allow the
  attackers to learn the location of that hidden service. In theory the
  attack could also be used to link users to their destinations on normal
  Tor circuits too, but we found no evidence that the attackers operated
  any exit relays, making this attack less likely. And finally, we don't
  know how much data the attackers kept, and due to the way the attack
  was deployed (more details below), their protocol header modifications
  might have aided other attackers in deanonymizing users too.

  Relays should upgrade to a recent Tor release ( or, to close the particular protocol vulnerability the
  attackers used -- but remember that preventing traffic confirmation in
  general remains an open research problem. Clients that upgrade (once
  new Tor Browser releases are ready) will take another step towards
  limiting the number of entry guards that are in a position to see
  their traffic, thus reducing the damage from future attacks like this
  one. Hidden service operators should consider changing the location of
  their hidden service.

  We believe they used a combination of two classes of attacks: a traffic
  confirmation attack and a Sybil attack.

  A traffic confirmation attack is possible when the attacker controls
  or observes the relays on both ends of a Tor circuit and then compares
  traffic timing, volume, or other characteristics to conclude that the
  two relays are indeed on the same circuit. If the first relay in the
  circuit (called the "entry guard") knows the IP address of the user,
  and the last relay in the circuit knows the resource or destination
  she is accessing, then together they can deanonymize her. You can read
  more about traffic confirmation attacks, including pointers to many
  research papers, at this blog post from 2009:

  The particular confirmation attack they used was an active attack where
  the relay on one end injects a signal into the Tor protocol headers,
  and then the relay on the other end reads the signal. These attacking
  relays were stable enough to get the HSDir ("suitable for hidden
  service directory") and Guard ("suitable for being an entry guard")
  consensus flags:
  Then they injected the signal whenever they were used as a hidden
  service directory, and looked for an injected signal whenever they
  were used as an entry guard.

  The way they injected the signal was by sending sequences of "relay"
  vs "relay early" commands down the circuit, to encode the message they
  want to send. For background, Tor has two types of cells: link cells,
  which are intended for the adjacent relay in the circuit, and relay
  cells, which are passed to the other end of the circuit.
  In 2008 we added a new kind of relay cell, called a "relay early"
  cell, which is used to prevent people from building very long paths
  in the Tor network (very long paths can be used to induce congestion
  and aid in breaking anonymity):
  But the fix for infinite-length paths introduced a problem with
  accessing hidden services:
  and one of the side effects of our fix for bug 1038 was that while
  we limit the number of outbound (away from the client) "relay early"
  cells on a circuit, we don't limit the number of inbound (towards the
  client) relay early cells:

  So in summary, when Tor clients contacted an attacking
  relay in its role as a Hidden Service Directory to publish
  or retrieve a hidden service descriptor (steps 2 and 3 on
  https://www.torproject.org/docs/hidden-services), that relay would
  send the hidden service name (encoded as a pattern of relay and
  relay-early cells) back down the circuit. Other attacking relays,
  when they get chosen for the first hop of a circuit, would look for
  inbound relay-early cells (since nobody else sends them) and would
  thus learn which clients requested information about a hidden service.

  There are three important points about this attack:

  A) The attacker encoded the name of the hidden service in the injected
  signal (as opposed to, say, sending a random number and keeping a local
  list mapping random number to hidden service name). The encoded signal
  is encrypted as it is sent over the TLS channel between relays. However,
  this signal would be easy to read and interpret by anybody who runs
  a relay and receives the encoded traffic. And we might also worry
  about a global adversary (e.g. a large intelligence agency) that
  records Internet traffic at the entry guards and then tries to break
  Tor's link encryption. The way this attack was performed weakens Tor's
  anonymity against these other potential attackers too -- either while
  it was happening or after the fact if they have traffic logs. So if
  the attack was a research project (i.e. not intentionally malicious),
  it was deployed in an irresponsible way because it puts users at risk
  indefinitely into the future.

  (This concern is in addition to the general issue that it's probably
  unwise from a legal perspective for researchers to attack real users
  by modifying their traffic on one end and wiretapping it on the
  other. Tools like Shadow are great for testing Tor research ideas out
  in the lab: http://shadow.github.io/ )

  B) This protocol header signal injection attack is actually pretty neat
  from a research perspective, in that it's a bit different from previous
  tagging attacks which targeted the application-level payload. Previous
  tagging attacks modified the payload at the entry guard, and then
  looked for a modified payload at the exit relay (which can see the
  decrypted payload). Those attacks don't work in the other direction
  (from the exit relay back towards the client), because the payload
  is still encrypted at the entry guard. But because this new approach
  modifies ("tags") the cell headers rather than the payload, every
  relay in the path can see the tag.

  C) We should remind readers that while this particular variant of
  the traffic confirmation attack allows high-confidence and efficient
  correlation, the general class of passive (statistical) traffic
  confirmation attacks remains unsolved and would likely have worked
  just fine here. So the good news is traffic confirmation attacks
  aren't new or surprising, but the bad news is that they still work. See
  https://blog.torproject.org/blog/one-cell-enough for more discussion.

  Then the second class of attack they used, in conjunction with their
  traffic confirmation attack, was a standard Sybil attack -- they
  signed up around 115 fast non-exit relays, all running on
  or Together these relays summed to about 6.4% of the
  Guard capacity in the network. Then, in part because of our current
  guard rotation parameters:
  these relays became entry guards for a significant chunk of users over
  their five months of operation.

  We actually noticed these relays when they joined the network, since
  the DocTor scanner reported them:
  We considered the set of new relays at the time, and made a decision
  that it wasn't that large a fraction of the network. It's clear there's
  room for improvement in terms of how to let the Tor network grow while
  also ensuring we maintain social connections with the operators of all
  large groups of relays. (In general having a widely diverse set of relay
  locations and relay operators, yet not allowing any bad relays in,
  seems like a hard problem; on the other hand our detection scripts did
  notice them in this case, so there's hope for a better solution here.)

  In response, we've taken the following short-term steps:

  1) Removed the attacking relays from the network.
  2) Put out a software update for relays to prevent "relay early" cells
     from being used this way.
  3) Put out a software update that will (once enough clients have
     upgraded) let us tell clients to move to using one entry guard
     rather than three, to reduce exposure to relays over time.
  4) Clients can tell whether they've received a relay or relay-cell.
     For expert users, the new Tor version warns you in your logs if
     a relay on your path injects any relay-early cells: look for the
     phrase "Received an inbound RELAY_EARLY cell".

  The following longer-term research areas remain:

  5) Further growing the Tor network and diversity of relay operators,
     which will reduce the impact from an adversary of a given size.
  6) Exploring better mechanisms, e.g. social connections, to limit the
     impact from a malicious set of relays. We've also formed a group to
     pay more attention to suspicious relays in the network:
  7) Further reducing exposure to guards over time, perhaps by extending
     the guard rotation lifetime:
  8) Better understanding statistical traffic correlation attacks and
     whether padding or other approaches can mitigate them.
  9) Improving the hidden service design, including making it harder
     for relays serving as hidden service directory points to learn what
     hidden service address they're handling:

  Q1) Was this the Black Hat 2014 talk that got canceled recently?
  Q2) Did we find all the malicious relays?
  Q3) Did the malicious relays inject the signal at any points besides
      the HSDir position?
  Q4) What data did the attackers keep, and are they going to destroy it?
      How have they protected the data (if any) while storing it?

  Great questions. We spent several months trying to extract information
  from the researchers who were going to give the Black Hat talk, and
  eventually we did get some hints from them about how "relay early"
  cells could be used for traffic confirmation attacks, which is how
  we started looking for the attacks in the wild. They haven't answered
  our emails lately, so we don't know for sure, but it seems likely that
  the answer to Q1 is "yes". In fact, we hope they *were* the ones doing
  the attacks, since otherwise it means somebody else was. We don't yet
  know the answers to Q2, Q3, or Q4.
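
What the relay update in step 2 of the report enforces, and how the log phrase from step 4 then shows up, modelled as an added example written for this page (it is not Tor's source code). The cap of 8 is Tor's per-circuit outbound limit, which the report mentions without a number; the cell sequence, the class and function names, and everything in the log lines beyond the quoted phrase are constructed.

```python
import re
from collections import Counter

RELAY, RELAY_EARLY = "RELAY", "RELAY_EARLY"
OUT, IN = "outbound", "inbound"      # away from / towards the client
MAX_OUTBOUND_EARLY = 8               # Tor's per-circuit cap; the report gives no number
PHRASE = "Received an inbound RELAY_EARLY cell"   # log phrase quoted in the report


class Circuit:
    """Model of one relay's bookkeeping for one circuit."""

    def __init__(self, circ_id, reject_inbound_early):
        self.circ_id = circ_id
        self.reject_inbound_early = reject_inbound_early   # False = behaviour before the fix
        self.early_left = MAX_OUTBOUND_EARLY
        self.closed = False
        self.passed_on = []          # cells this relay forwarded to the next hop
        self.log = []

    def _close(self, message):
        self.log.append(f"[warn] {message}")
        self.closed = True
        return False

    def receive(self, command, direction):
        """Process one cell; return True if it was forwarded."""
        if self.closed:
            return False
        if command == RELAY_EARLY and direction == IN and self.reject_inbound_early:
            # Only PHRASE is from the report; the rest of the line is constructed.
            return self._close(f"{PHRASE} on circuit {self.circ_id}. Closing circuit.")
        if command == RELAY_EARLY and direction == OUT:
            if self.early_left == 0:
                return self._close(f"RELAY_EARLY budget exhausted on circuit {self.circ_id}.")
            self.early_left -= 1
        self.passed_on.append((command, direction))
        return True


def replay(cells, reject_inbound_early, circ_id=7):
    """Feed a cell sequence through a fresh circuit and return it."""
    circuit = Circuit(circ_id, reject_inbound_early)
    for command, direction in cells:
        circuit.receive(command, direction)
    return circuit


def inbound_early_forwarded(circuit):
    """Number of inbound RELAY_EARLY cells the relay passed towards the client."""
    return sum(1 for c, d in circuit.passed_on if c == RELAY_EARLY and d == IN)


def circuits_flagged(log_lines):
    """Count occurrences of the warning per circuit id in log lines."""
    pattern = re.compile(re.escape(PHRASE) + r"(?: on circuit (\d+))?")
    hits = Counter()
    for line in log_lines:
        match = pattern.search(line)
        if match:
            hits[match.group(1) or "unknown"] += 1
    return hits


# Constructed cell sequence: three legitimate outbound RELAY_EARLY cells (circuit
# building), then inbound traffic in which a relay further along uses RELAY_EARLY.
CELLS = [(RELAY_EARLY, OUT)] * 3 + [(RELAY, IN), (RELAY_EARLY, IN), (RELAY, IN), (RELAY_EARLY, IN)]

if __name__ == "__main__":
    before, after = replay(CELLS, False), replay(CELLS, True)
    print("before fix:", inbound_early_forwarded(before), "inbound RELAY_EARLY cells passed on")
    print("after fix: ", inbound_early_forwarded(after), "passed on;", after.log)
    print("flagged circuits:", dict(circuits_flagged(after.log)))
```

Run `circuits_flagged` over the lines of your own Tor log file to see whether any circuit on an upgraded client or relay tripped the check.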

Tor Wacky Times and the NSA

gAtO rEaD – that Tor (The Deep Dark Web) is now all messed up by the NSA, FBI and LEO so all you bad guys using the Tor network better watch out, or should they???

Aug 5 the FBI snakes in Freedom Hosting and put a number of websites out of business in the Dark Web. They let the flames go out that they caught a bunch of Pedophile sites with that bust, but it does not seem so.

The Attack on the Dark Net Took Down a Lot More Than Child Porn – http://gawker.com/the-attack-on-the-dark-net-took-down-a-lot-more-than-ch-1081274609 – gAtO contribute to this article–

Aug 19 – Millions of Tor Clients start to go up in numbers. What’s this all about, we get a bunch of Tor clients just hanging around doing nothing in Tor. Some say it’s a Bot-net or something like that. Then it grows to 4, 5 million Tor users and the last week or so it starts to go down again. So what is all this about all these Tor Clients and the Tor-Botnet?

Oct 3 – Silk Road gets taken down. Oh, the FBI had a copy of the Silk Road servers back in June just before the Aug 5 take down of FH by the FBI. So the Feds had Silk Road all this time and this is all they can do, can’t even get a few Bitcoin wallets- what a cluster fˆ%k

Now you got NSA saying that Tor is cracked and the bad guys cannot use it. They claim that they can hack Tor anytime and anywhere with documents that a summer student left on how to hack the Tor network back in 2006. By the Way – most of these hacks do not work in Tor, maybe on a regular network but not on the Tor network.

So now gAtO goes in search of Tor sites and a lot of sites went down by hook or crook – BUT someone has started to replace these Tor Hidden Websites in the Tor Network – But something is FuNnY – all these sites use the same web templates –

So now you can take a walk down memory lane and see all the older Tor-Websites have gone away and new ones have magically re-appeared.

Now if this was the only place where this has happened OK sure, but at other Tor-Wiki Tor Link sites you will see the same thing – Commercial sites are all FuNnY and all the non-commercial Tor-websites are Tango Down.

So now Tor goes round and round but nobody knows what the heck is going on- In the Tor network – The Deep Dark Web run by Criminals or the FBI – you can answer these questions yourself by visiting the site –trust but Verify– ((not me))– gAtO oUt

SilkRoad Seized BitCoins Addresses are identified

Silkroad Seized Coins Addresses are identifiers which you use to send bitcoins to another person.

gAtO fOuNd – the Bitcoins Silk Road MASTER Wallet – number #####

Address 1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX


Checkout the blockchain link – https://blockchain.info/address/1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX

that were captured by the FBI – So WHY is it being trickled down all over the world 25, 50, 100, 500 BTC at a time. Next check out – Taint Analysis – Related Tags – Unspent Outputs –

Taint Analysis:


Taint Analysis 1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX 
Taint is the % of funds received by an address that can be traced back to another address.

This page shows the addresses which have sent bitcoins to 1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX. The data can be used to evaluate the anonymity provided by a mixing service. For example, send coins from Address A to a mixing service, then withdraw to Address B. If you can find Address A on the taint list of Address B, then the mixing service has not sufficiently severed the link between your addresses. The more “taint”, the stronger the link that remains.
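
A worked version of the taint definition above, added here as an illustration; it is not blockchain.info's code, and their exact algorithm is not given on this page. It assumes an address-level model in which each address's taint is the amount-weighted average of its senders' taint, and it runs on a constructed ledger with placeholder labels instead of real addresses.

```python
from collections import defaultdict

# Constructed ledger of (sender, receiver, amount in BTC). The labels are
# placeholders, not real addresses. B -> MIXER makes the graph cyclic on purpose.
TRANSFERS = [
    ("A", "MIXER", 10.0),
    ("C", "MIXER", 29.0),
    ("B", "MIXER", 1.0),
    ("MIXER", "B", 8.0),
    ("D", "B", 2.0),
]


def received_from(transfers):
    """receiver -> {sender: total amount received from that sender}."""
    table = defaultdict(lambda: defaultdict(float))
    for sender, receiver, amount in transfers:
        table[receiver][sender] += amount
    return table


def taint(target, source, table, max_depth=8, _path=()):
    """Fraction of funds received by `target` that traces back to `source`."""
    if target == source:
        return 1.0
    if target in _path or len(_path) >= max_depth or target not in table:
        return 0.0                      # cycle, depth limit, or no known inputs
    senders = table[target]
    total = sum(senders.values())
    return sum(
        amount / total * taint(sender, source, table, max_depth, _path + (target,))
        for sender, amount in senders.items()
    )


def taint_list(target, table, max_depth=8):
    """Every upstream address with its taint on `target`, strongest link first."""
    upstream, frontier = set(), [target]
    for _ in range(max_depth):
        frontier = [
            sender
            for addr in frontier
            for sender in table.get(addr, {})
            if sender not in upstream and sender != target
        ]
        upstream.update(frontier)
    scores = {src: taint(target, src, table, max_depth) for src in upstream}
    return sorted(scores.items(), key=lambda item: -item[1])


def link_survives(deposit_addr, withdraw_addr, table, threshold=0.0):
    """True if the deposit address is on the withdrawal address's taint list."""
    return taint(withdraw_addr, deposit_addr, table) > threshold


if __name__ == "__main__":
    table = received_from(TRANSFERS)
    for address, share in taint_list("B", table):
        print(f"{address:6s} {share:.1%}")
    print("A still linked to B:", link_survives("A", "B", table))
```

On the sample ledger, A carries 20% taint on B: the mixer pooled A's coins with C's but paid B out of the same pool, so the link is weakened, not severed.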

 Related Tags:


Find Related Tags
This tool can help find known addresses which could be used to reveal the identity of a number of target addresses.

Target Addresses

 Unspent Outputs


This wallet contains a very large number of unspent outputs. Please consolidate some outputs

So the question becomes who is taking Bitcoins from Silk Road Master Bitcoin Wallet – click on the transaction  and find the geo-location of money going out of SR BTC wallet every 20 seconds at a time, 5, 10 little numbers of BTC add up when you spread them out –

Block Chain gives you all kinds of ways to look at all this Bitcoin Data from Silk Road – With every Address of the user wallets, and all kinds of transaction information, gAtO can find some of these SR-vendors geo-location and so can LE…we can do all kinds of things with this data – have fun - gAtO oUt





Silk Road down – Tor still OK

Silkroad Seized Coins Addresses are identifiers which you use to send bitcoins to another person.

– https://blockchain.info/address/1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX

I found what I was after – this is all the Bitcoin Wallet Address from Silk Road that the FBI has –

caveat – check your wallet number if it’s not listed then your wallet is still cool and the funds available  –MaYbE!!!

UPDATE: notice that SILK ROAD account is still paying out all this money to France, Germany all over the EU – 500 BTC – 100 BTC at a time WoW – Someone is making off with all the money from the SR account-

Unspent Outputs 1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX – https://blockchain.info/unspent?active=1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX&format=html 

 gAtO sEe- the fact is that as always GREED is what got SilkRoad Tango Down. I’ve been getting lots of slack about Tor and all that but sorry, it’s as safe as you make it. Tor gives you an edge and if you really need the privacy and do your research on Tor, you too can communicate anonymously. FACT not fiction

Now the Bitcoin aspect of this take down is what is really cool. This take down now makes BTC more legit since they can’t say yeah it’s all criminals using Bitcoins, na, na, na, – I saw the first few 1 million dollars BTC transaction the other day – but still “Bitcoin Buying and Selling is a pain in the A$$” my new Bitcoin book coming out in the next months just in time for the holiday seasons - gAtO oUt


On 10/04/2013 02:21 AM, Roger Dingledine wrote:

 OK, I just read the Maryland complaint. It’s obvious what happened.

 An FBI undercover agent contacted him, wanting to sell large quantities of cocaine. He found a buyer, and delegated the details to his employee. Said employee had full admin access to his servers.

His employee then provided his ACTUAL PHYSICAL ADDRESS to the undercover FBI agent. The FBI mailed 1 Kg (very highly cut) cocaine to said employee, and arrested him on receipt. Said employee soon told the FBI all that he knew.

So now the FBI had access to the servers. There’s no reason to suspect that they needed to compromise Tor to gain access, or for anything else.

There’s more drama about the murder for hire stuff, but it’s irrelevant.



Tor Bot Net realm=bitcoin-mining-proxy

update: Here is the poop – Skynet is bitcoin c&c and the Tor Zombies are Bitcoin miners- Here is the Botnets – http://arxiv.org/pdf/1308.6768v1.pdf – so I ran my crawler on them and got this little hit on all the Skynet were Bitcoin c&c Server

qdzjxwujdtxrjkrz.onion Skynet -realm=”bitcoin-mining-proxy” -HTTP/1.1 401 Unauthorized

URL of the Site — : http://qdzjxwujdtxrjkrz.onion
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="bitcoin-mining-proxy"
Content-Type: text/plain
Transfer-Encoding: chunked
Date: Wed, 11 Sep 2013 16:16:57 GMT
Proxy-Connection: keep-alive

Sorry, I don’t know you.

on all the Skynet I get this realm – bitcoin-mining-proxy – this is a secret hidden service where, unless you have the right authorization in your torrc file, the Tor website will reject you – So all the botnets have the right authorization name- pretty sweet setup I say- now 3million Tor Botnets turning Bitcoins – no wonder these zombies are real quiet in Tor- got them-

Large botnet cause of recent Tor network overload – http://blog.fox-it.com/2013/09/05/large-botnet-cause-of-recent-tor-network-overload/

gAto sEe- ever since Aug 19, 2013 Tor has been getting a lot of users. First 1 million, then 2 million then over 3.5 million NEW Tor users in the last 25 days. So what is happening in Tor world is that they are going crazy, Tor relay operators have reported what looks like they are DDoS-ing their own relays sometimes. Lots of circuits built and broken and this has put a big strain on Tor.

Worse still these new 3.5 Million Tor users are just sitting idle and the Tor network is freaking out. To get a hidden service connection is almost impossible but I can still use Tor to use the clear-web with no problems. Through Tor I can see my site- uscyberlabs and any other non-Tor site and it loads pretty fast. When I try the hidden Wiki – NO-GO

If I keep at it I will finally find a Tor-website- like my own that works and it loads.

my new toy in Tor- Secure Encrypted Tor Messaging website – http://tpgewiccpecsbajt.onion/ – so I know Tor is still working.

Tor Bot-Net -How to handle millions of new Tor clients – problem is messing with everyone.

Conspiracy theory

  • Left over FBI botnet – from the Freedom Host Raid around Aug 5
  • Russian Bot-net
  • Some Tor Experiment gone -lOcO – NOT gAtO, at least this time.. mEoW
  • Was August 19 the starting date to run en masse from the NSA’s PRISM project?
  • Were European internet users downloading the latest American cable TV series via Tor only, thus overcoming blockades of sites like the Pirate Bay by European ISPs?
  • So some thought a botnet abusing the Tor network to hide its command and control server must be the reason of the sudden increase of Tor users.
  • The Mevade malware family downloaded a Tor component, possibly as a backup mechanism for its C&C communications.
  • TrendLabs says- “The actors themselves, however, have been a bit less careful about hiding their identities. They operate from Kharkov, Ukraine and Israel and have been active since at least 2010. One of the main actors is known as “Scorpion”. Another actor uses the nickname “Dekadent”. Together, they are part of a well organized and probably well financed cybercrime gang.”

The Tor network is overloaded – but they still have no idea what is going on in Tor and how to stop it and/or control it. So where do we go from here in Tor. I got my box working and some other tor websites may need to think about the version they use until we get this Tor-Bot net under control in Tor -gATO oUt

Client- Sep 09 09:56:05.868 [Notice] Tor v0.2.3.25

Server Tor v0.2.3.25 – on Linux – http://tpgewiccpecsbajt.onion/  – Testing my new site in Tor and I noticed