Dark Web Escrow Service Explained

Dark Web Escrow Service Explained

gAtO FoUnD – this dark marketplace hidden service website -Nucleus- and they they explains the escrow service policy. gAtO wanted to pass it along so we can all learn how one dark website plays-

Now remember that this is only one dark websites version. Each different marketplaces has different version and flavors os their Bitcoin escrow policy. Bottom line your trussing two unknown people and Bitcoin transactions are final – so think and learn. Another marketplace Evolution closed down with 12-million in Bitcoin in escrow and the admin disappeared  – happily ever after. Beware Will Robinson  – gAtO OuTsegway_bike_Bitcoin

Okay, there seems to be an insane amount of bad finalizing practices on the market – lets lay this out.

Escrow – You give your money to a 3rd party (Nucleus) – This proves to the vendor you have the funds available, they ship product. You receive the item, and when you finalize, Nucleus gives your funds to the vendor. You prove you have money, vendor proves they have product, Nucleus proves the transaction was agreed to and turns the money over making a small profit per transaction and many people and vendors at the same time.

In the event of a dispute where escrow is involved, Nucleus agrees to mediate, acting as an unbiased 3rd party. If the vendor can prove they sent the product through tracking information or some other means, or offers a reshipment which you choose to accept, ect. Nucleus releases the funds to the Vendor. If the Vendor cannot prove they shipped the product, or no remedy is found to the customers dispute, the funds are returned to Customer.
Nucleus also offers a percentage based refund, where the customer can ask for a smaller portion of the price returned. This is useful for situations where for example a customer places an order for 50 units of an item and only 25 units are delivered, ect. – In the example here, the customer would ask for a 50% refund.

To prevent vendors waiting an excessively long time for funds if a customer should fail to log on or forget to finalize, Nucleus provides a timer on each order which releases the funds to the vendor when it runs out. The customer should note this timer, or auto-finalize feature, and take measures to file an appropriate dispute before it expires. Often, the mail runs slow, and vendors usually like to be optimistic in their advertising, so occasionally the timer will run out before a product has arrived, despite the vendor having actually sent the product. In these cases, the customer can send an order to reclamations by filing a dispute, which will stop the autofinalize timer until the product arrives. When the product arrives, the customer should select 0% in the refund request field, and the vendor will accept this offer releasing the funds.

FE or Finalize Early – You release the funds directly to the vendor, the vendor ships the product. Nucleus is not holding your money in escrow, therefor, in the case of a dispute, a refund is asked directly from the vendor. Vendors often have legitimate reasons for needing the money before delivery, including but not limited to ;
-Customer wants more of a product than is readily available on hand, but the vendor can easily and reliably obtain that amount of product if provided the funds.
-Vendor has an arranged middle-man product with another vendor. Typically, vendors are able to move product at a faster rate than normal customers, so vendors will work out a mutual agreement amongst each other to provide a discount for driving referral business.
-Order is deemed by vendor to be excessively risky due to international shipments, customs, ect. In this instance, vendors inform the customer of the risks involved and usually agree to keep and share tracking information with the customer.
Often, vendors will offer extra products or discounts for early finalization.

In the event of a dispute where escrow is NOT involved, Nucleus is not liable or required to provide mediation for the dispute, and the customer should address the issue with the vendor directly. HOWEVER. The customer SHOULD report any failure to deliver product to Nucleus staff, because if a pattern of failure to deliver, bad information, ect. begins to appear, Nucleus staff can take appropriate measures to remove the repeat offender from the market.

It is VERY important that customers fully understand their agreement with the vendor and Nucleus, and take appropriate measures to protect their money and not get ripped off. Due to the anonymous nature of the darknet, there is very little culpability or repercussions for scamming innocent people. Scammers are here to mislead and deceive, and will take your money without thinking twice, and if you have released the funds to the vendor, Nucleus will not be able to help you get them back.


Finding the Bad Guy’s in Tor -triangulated irregular network

gAtO ThInKiNg – a car GPS works very simple, It takes the delay time from one geo-positioned satellite and compares is to another geo-positional satellite and estimates the position of the GPS in my CAR – I think they call it satellite triangulation or something cool, it’s been done with radios to guide pilots navigate ever since they developed radios. We do it with satellite and we can use networks too.

triangulated irregular network  -So now apply this to the Tor bad guy’s websites- a hidden service!math_clouadTag

With a simple command you can get the time it takes to crawl a website, so you have one server in the U.S one is South America, one in Europe and one in Asia and we run the same command getting the delays from each location. I bet with a little math and some basic network tools we could figure out the geo-location of any given website in Tor. One of my good mentors told me that in my crawls I was capturing timing information, we all see timing information with a simple ping command in the clear web but in Tor – UDP is unsupported so it does not work -//- we must take into account the Tor network thru-put and utilization bit that’s easy to get from a number of Tor tools.

Reverse triangulation of a network server should be easy to find with a little math, just take a good sample and the longer you wait the more data you collect and the better the chance you can find a geo-location of a website. We do this in the clear web all the time we can see bad areas of the world that are bad spammers, and other like mail from Africa Prince Scams offering you millions if you send them some money to cover the transfer, or Russian and Chinese phishing attacks. So we know geo-location and some IP are more prime to bad actors and we can draw a profile, a geo-location of a place and/or  country or an ISP so not having the IP of a Tor server may not be neededto find them we could use network triangulation. “triangulated irregular network  ” So the same thing can be done with networks and timing delays of data back and forth from a // client <–> Tor OR <–>server.

I got a crazy Idea that may or may-not work, but it sounds good—//  so— Now if I can only find a government grant and a good math major to help out and we have a big business model to find the bad guy’s geo-location even in Tor – gAtO oUt…


ToR-Relays -DeepWeb Info

Inspector –information about ToR-Relays

gAtO iS hApPy pUpPy – found the ToR Inspector site in the .onion. This site has information about all ToR-Relays around the world and it indicates if this ToR-Relay is BAD-GOOD-ERROR-REJECT status. Let’s say that you are planning an adventure into ToR land the (paranoid securitytechy-talk) thing about ToR that you have to remember is the Entry Node into ToR and the Exit Relay out of ToR. ToR- the .Onion is legal.

ToR security: When you go into ToR the .onion your computer must enter the -ToR-Matrix- so the first ToR-Relay is your entry point and when you leave the .onion your Exit-Relay is logged by your ISP. All they know is that you went into ToR and you left. They don’t know anything about your session in the deepWeb. Using the ToR network is not illegal so far today anywhere. In places like the middle east and China it’s becoming a problem for these governments so they try mess with the ToR-Relays all the time. On this site [1]ToR Relay Inspector you can see if your entry and exit -TOR-Relays are working good and have not been compromised.

IP - Router Details- Version-Platform Tor-Relay-information




With the tools on this page I can look at all the US ToR-Relays, or Russia, China I can see their status, I can see the current version of the relay so I know what can happened – Think of it as as Patch-management on the fly, we see the OS platform of the relay: Here is a clearWeb Example>of a ToR-Relay>



Now that we know all this information about my ToR-Relay I may want to be active and select my own Entry-Exit ToR-Relay, on this page I can create an exclude-Entry-&-Exit-Node so when I can tell my ToR connection what to use. In a place like China were the government is always bring to find and corrupt ToR-Relays this is a great tool. As security people we need to look at this project which is Donation Only funding and help them. The DeepWeb is open just like Pandora the masses are exploring it and once they feel free and safe it may help them just like it did in the Arab Spring. gAtO know the deepWeb is being used by the bad guy’s too but just like a tool. With a hammer you can build a house or use it to hit mouses for gAtO dinner- This is a good page for any Security Reseracher to learn but some bad things are I can see the IP of all the Relays and maybe I can now do a DDoS attack to keep that Relays down – A government can use this tool to see every ToR-Relay in their country and DDoS them, maybe-sI-nO- gAtO oUt


InspecTor / ExcludeNodes generator

[1] http://xqz3u5drneuzhaeo.onion/users/badtornodes/

The following list provides information about relays that have been checked for injecting content over HTTP-connections.

Furthermore it allows you to create a string, that is used to prohibit your Tor client to use specific nodes when building circuits.

For more information you should read this useful HowTo.

If a relay is marked good, it doesn’t mean it is good at all, but the test went well. It could modify content under special circumstances.

This list is not complete (and won’t be), but will get updated regularly. New nodes appear every day and we also recheck known ones.

Note: This is not a real-time test, it was created a few hours or days ago.


For contact or to report suspicious nodes you know about, just use badtornodes@TorPM.

(GnuPG Public Key with fingerprint BBE0 C6B1 1245 07C9 8C48 2D67 1B4F 850B 0E1A 29E8)

I won’t publish the source code of this service in its actual state. If you have no trust in this list, don’t use it.