PGP Key Details
- Tor Market Key
- 705B 8D46 BD9C 254E B50D ABE4 B66A 7541 077E CC76
Tormarket is a simple darknet market created to make trading less risky than using the large well known darknet markets. History has shown that the larger a market website grows, the more headwinds it faces to continue operation. When they eventually fail, users often lose a lot of money. The goal of this site is to maintain stability and uptime for the long term.
Many past darknet markets have implemented their wallets live, accessible to the web server, so once the server is hacked the funds cannot be recovered. This site implements the wallet and payment systems in a separate location, isolated over the TOR network.
Tormarket is free for anyone to create a buyer account. To become a vendor a bond payment is required.
Some features of the market are: 2FA login, no-escrow available for some vendors, paying for multiple orders with one payment, product cloning, stock quantity management, very simple order process, feedback system.
The website operator provides an escrow service and dispute resolution so vendors receive funds after buyers have finalized their orders.
The security of funds is top priority and is achieved by separating the wallet from the web server. The web server has no way to contact the wallet or even know its location. The code is custom written by authors with experience in web application security. PHP is not used.
The market provides a solution for vendors to advertise products and manage the order process, while minimising costs by using a shared platform. Most of the features have been added to simplify order management by vendors, while the buyer feature set is minimal.
Bitcoin, Litecoin, Zcash are the only supported payment methods. Vendors set the payment methods they accept on each product. Payments by the market to users are always made in the same currency that the order was paid with.
Read more about the technical differences here.
An order becomes paid after payment has sufficient blockchain confirmations. Bitcoin payments need 3 confirmations. Litecoin needs 10. Zcash needs 18.
How to avoid your account being hacked
Bookmark this website and always use the bookmark for future access. Official URLs will always be announced with a PGP signature. If you use links provided by someone else, such as on a forum or wiki, they may be links to a fake (phishing) site which looks identical to the real site. The phishing site will steal your login credentials or more commonly they let you create an order and ask for payment to their wallet.
There is an option to enable PGP two factor authentication (2FA). This will require you to decrypt a random string of characters every time you login and when you make account settings changes. When 2FA is turned on it may help alert you if you are logging into a phishing site.
Order states change based on events like payment being received. Some states, such as paid or expired, change automatically. Other states, such as shipped and finalized, are set manually by the vendor, customer or administrator.
This diagram shows all possible state transitions of an order.
When an order is in one of the finalized states, there is no way to reverse the process or make any changes. Funds will have been paid out already and the market is no longer involved. So if problems with the trade remain, the buyer and seller must resolve them themselves.
All orders have an attribute named delivered which should be updated by the customer when their package arrives. For escrow orders it can be updated at the same time as finalizing. For no-escrow orders, click the Delivered button to update it. The delivered attribute has no effect on payments. It is only for informational purposes and helping detect problems with vendors.
You will need to create a new account to send a support message. Passwords can be reset by the administrator if proof of PGP key ownership is provided. If you have lost your password and PGP key then it may be possible for vendor accounts to prove account ownership by showing you control bitcoin addresses associated with the account. No other information can prove account ownership, no exceptions. This rule is so all users, and vendors in particular, can be assured that their accounts are safe from social engineering attacks that aim to take ownership of their identity and funds. There exist phishing proxies built to impersonate TorMarket which can obtain passwords and all account details.
Proving identity using bitcoin. Locate in your wallet the change address or the address spent when paying for an order. If one is empty (no funds) then provide the private key. If they still hold funds, send a few satoshis from that specific address (utxo) to the order address and this will prove you control that wallet.
It is safe to leave feedback because the system hides the identity of who left the feedback and also what other products that customer purchased. Only the vendor knows which customer left the feedback.
The buyer usernames displayed in feedback are hashes, but additional data (a salt) that differs for each vendor is added to the hash input. So the buyer's hashed username is different for every different product they leave feedback on. This means that a vendor who has received feedback from a customer cannot determine all the other vendors that the customer purchased from by looking at other vendors' feedback.
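To make the unlinkability property concrete, here is an added example (written for this page, not Tormarket's own code) of per-vendor keyed hashing of a buyer name. The vendor ids, buyer name and salt values are constructed for the example; the choice of HMAC-SHA256 keyed with the vendor's salt is this example's, the page only says a per-vendor salt is added to the hash input. The unsalted variant is included to show what goes wrong without the salt.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// vendorSalts holds one secret salt per vendor. Constructed sample values for
// this example; a real deployment would generate them randomly and keep them
// server-side, never exposing them in pages or API responses.
var vendorSalts = map[string][]byte{
	"vendor_a": []byte("constructed-salt-for-vendor-a"),
	"vendor_b": []byte("constructed-salt-for-vendor-b"),
}

// FeedbackPseudonym returns the name shown beside a buyer's feedback on one
// vendor's listings. The buyer's username is hashed with HMAC-SHA256 keyed by
// that vendor's salt, so the result is stable within a vendor (all of that
// vendor's feedback from one buyer shows the same pseudonym) but unrelated to
// the pseudonym the same buyer has on any other vendor's page.
func FeedbackPseudonym(username, vendorID string) (string, error) {
	salt, ok := vendorSalts[vendorID]
	if !ok {
		return "", fmt.Errorf("unknown vendor %q", vendorID)
	}
	mac := hmac.New(sha256.New, salt)
	mac.Write([]byte(username))
	return hex.EncodeToString(mac.Sum(nil))[:12], nil
}

// UnsaltedPseudonym is the naive alternative: a plain hash of the username.
// It is identical on every vendor's page, so two vendors comparing their
// feedback pages can trivially link a buyer's purchase history.
func UnsaltedPseudonym(username string) string {
	sum := sha256.Sum256([]byte(username))
	return hex.EncodeToString(sum[:])[:12]
}

// Linkable reports whether the pseudonyms shown on vendorX's and vendorY's
// feedback pages let the two vendors tell that they share a buyer.
func Linkable(username, vendorX, vendorY string) bool {
	x, errX := FeedbackPseudonym(username, vendorX)
	y, errY := FeedbackPseudonym(username, vendorY)
	return errX == nil && errY == nil && x == y
}

func main() {
	buyer := "alice" // constructed buyer name
	for _, v := range []string{"vendor_a", "vendor_b"} {
		p, _ := FeedbackPseudonym(buyer, v)
		fmt.Printf("%s sees %s as %s\n", v, buyer, p)
	}
	fmt.Println("unsalted, same everywhere:", UnsaltedPseudonym(buyer))
	fmt.Println("linkable across vendors:", Linkable(buyer, "vendor_a", "vendor_b"))
}
```

The salt must be treated as a secret: usernames are a small search space, so anyone who obtains a vendor's salt (for example from a database dump) can recompute pseudonyms for a list of candidate names. Keeping the salts outside the main database, or deriving them from a key held only by the application, limits what a leak of the feedback table reveals.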
Market rules and policies
Product listings must be medications, drugs and drug paraphernalia.
No fentanyl or its analogs.
No fake drugs or inaccurate descriptions.
No shipping to USA.
No impersonating other vendors. Avoid similar vendor names.
Do not deceive other users of the system.
Do not program automated requests without asking permission first.
Personal information in messages, orders, and support tickets must be encrypted with PGP. This includes tracking numbers, and address details.
If a vendor does not visit this site for 7 days and not in vacation mode, their products listings may be automatically disabled.
The administrator may remove product listings and disable accounts to enforce these rules.
Payments owing to buyers from refunds, expired, or declined orders will be held for 21 days waiting for buyer to enter the wallet address. After 21 days the funds may be removed from the system.
Russian vendors can request a lower commission rate of 3.5%.
Do not create orders that are left deliberately unpaid.
When you receive your package, promptly Finalize to expedite vendor receiving their payment.
Do not send spam messages to vendors. Messages should be product related.
Feedback left on an order should be specific to that order. Therefore you should not alter historical feedback from good to bad based on a newer order.
New vendors go through a trial period to assess their suitability on this market and if there are multiple customer complaints their ability to sell and the bond can be revoked. This rule applies even when the vendor is not deliberately scamming, ie they could be ignoring orders and causing problems in other ways. New vendor accounts that appear to have characteristics of scams may be frozen before any orders received and their bond held for six months.
No doxxing customer information.
Vendors must not ask buyers to finalize early unless their account has been given permission to create no-escrow products.
Shipping information such as time between order being placed and expected shipping date must be clearly described in the product listing or vendor profile.
Vendors must not set status to shipped prior to day of shipping.
When accepting an order, the vendor is confirming that they can fulfil the order and delivery details could be decrypted, and shipping options are correct.
When you have products available for sale, you need to login every 4 days to avoid orders being withdrawn by the customer.
Only make products available for sale if you have the product ready to ship. Occasionally you may sell out elsewhere so can’t fulfill an order. Vendors who decline orders are reviewed and may lose vendor status if it happens without good reason.
The vendor must respond to a customer's refund request in the form of Tor Market messaging and maintain consistent communication until the issue is resolved, otherwise escrow funds will be paid to the buyer.
When vendors are out of stock for an extended time they should hide the product listing to keep the site uncluttered. Please try to minimize products showing that are not purchasable.
Only one product listing per product is necessary. You can clone products and have duplicate products for custom orders only.
Avoid use of all-caps when listing products and make it descriptive of the product. ie “MDMA” is acceptable but not “MOLLY ON SALE NOW SHIPPING NEXT WEEK”.
No advertising for direct deals or listing products that are advertisements for another website.
Asking users to communicate directly with you (ie wickr) is deemed suspicious because scammers typically use this technique. Keep communication on the market because if any disputes occur they will be resolved easier.
There are no fees for buyer accounts. Vendors pay a commission on their sales.
Each product purchase results in a separate order and each order has a unique bitcoin (or litecoin) address. The usual method of payment is to pay each order's bitcoin address. There is no shopping cart. When bitcoin transaction fees are high, paying for multiple orders can be expensive. If you have multiple orders to pay, it is best to use a wallet that supports paying multiple bitcoin addresses in one transaction. This is called payment batching and will allow you to pay less in bitcoin transaction fees.
Also a Tormarket feature called multipay allows you to pay for two or more orders by paying a single bitcoin address. This is cheaper than using payment batching. To use multipay, first create a set of two or more unpaid orders. Now at the top of the order list, a button will show ‘Multipay using bitcoin’ and clicking this will show instructions on how to pay all your unpaid orders with one payment. Basically, it sums the total owing of all payment pending orders. If this total is paid to the bitcoin address of the oldest payment pending order, the server will change all those orders to paid. Read the instructions after clicking multipay because you must do exactly what the instructions say, otherwise it will not work. Using multipay will increase the buyer's privacy if they are buying from multiple vendors - it means the vendors will not be able to identify the payment transaction on the blockchain.
Signed payment addresses
The payment address you see on an order is unique and will not exist yet on the blockchain. The order shows you a PGP signature of the order address. Buyers should verify the PGP signature is valid and signed by the Tormarket key. Provided the signature is valid you can be sure your funds are being sent to the correct wallet and not an address belonging to a hacker or scammer.
Expired, under-paid and over-paid orders
There is a 24 hour payment window. This allows you to lock in a price at order creation, then have enough time to ensure payment confirms on blockchain. If payment is received after the payment window expires, your order will be set to state expired.
When orders are under-paid they will also become expired. If you have under-paid, then make additional payments to the same order address to cover the order price. There is no problem if you over-pay an order, but once status is paid you cannot be refunded any overpayment unless the vendor declines the order.
Vendors cannot process expired orders without administrator intervention. Ensure your payment transaction has a sufficient fee to allow it to confirm on the blockchain before the order expires. Some wallets have RBF (BIP125) support which allows the payment to be sent again with a higher fee to speed up confirmation.
If you are manually choosing the fee to use on your bitcoin transactions then this site is helpful http://core.jochen-hoenicke.de/queue.
Expired orders will be refunded to the buyer. However, it is possible for the administrator to change expired orders to status paid which would allow the vendor to process the order. This is preferable to refunding the order. If the buyer and vendor agree to this change, they should both send a support message requesting the order be changed to paid.
Encrypted postal addresses
It is strongly recommended to use PGP to send postal address details. Other darknet markets have been compromised and customer postal details exposed because the customer did not encrypt their address. If you don’t want to install PGP then there are web based alternatives for encrypting messages but those sites may record what you encrypt. ie https://sela.io/pgp/
The address field can be left empty when ordering products such as ebooks or when you have already given the vendor your address.
Old orders and deleted orders will have the address field deleted from the database to further increase privacy.
Orders autofinalize one week after they are shipped to ensure vendors receive payment when the buyer forgets to finalize the order. The Extend autofinalize button will delay autofinalizing when you are still waiting to receive the product. This option appears in the three days leading up to the autofinalize date.
Finalizing before receiving the product bypasses escrow and there is no way to be refunded.
No escrow orders
Some vendors who have established a good reputation may list products having no-escrow or finalize early requirements. “Escrow: no” will show on the product listing and once paid, funds are immediately allocated to the vendor instead of being held until you finalize. Vendors do this so they receive payment faster but there is a disadvantage for the buyer because no dispute resolution is possible. If you don’t want the added risk of buying no-escrow, choose a different vendor or ask the vendor if they will create an option to buy with escrow.
When you choose to purchase a no-escrow product you will be warned - “This order will automatically finalize upon vendor acceptance. Any shipping problems or disputes will have to be resolved directly with the vendor and the market cannot mediate conditions of sale.”
When you receive a no-escrow order, click Delivered button so the vendor and market can keep track of undelivered packages.
When the order status is changed to “refund requested”, then the vendor must approve the amount and a payment will be scheduled.
To specify a refund address once order is “admin finalized” or “refund finalized”, view the order details and look for a button that allows entering the refund address. Refunds will be paid out same day or on the day after you specify the address. Payments occur at a random time.
To contact a vendor, visit their profile and click “Send message”.
Vendor accounts cannot make purchases. This is to prevent de-anonymisation of vendors.
Vendor account creation and bonds
Register a new account with no purchase history - there is a reason markets keep buyer and vendor accounts separate. With the new account, purchase the bond. Once the bond is paid, your account will change to vendor type within ten minutes. The bond is refundable (the exact amount paid is returned) after six months from the purchase date if a good sales history is established. To be eligible for the refund, the account must have generated some sales. The bond is to dissuade the vendor from trying to scam customers, and the bond may be forfeited for breaking the rules.
Also the bond will be held and not released for six months if any products appear to be deceptive. Basically if it looks like a possible scam, your account is locked preemptively before you can sell anything. You will receive the bond back after six months because the market could have made a mistake in assessment.
Record the details of the bond payment because when the account is changed to vendor type the bond purchase order will no longer be visible.
Bond waiver is possible when the vendor is active on the top markets with sufficient sales volume and feedback to gauge their reliability. Preferably 30 sales in the last month. To prove your identity, make a PGP signature of your request and send this in a support ticket. The ticket must describe your username on each market and where you ship from. Alternatively, use the PGP verification process after your key is saved in account settings. Explain in the ticket which method you have used to prove identity. Staff will then login to each market to check your profile and review sales/feedback. Since this is a manual procedure and markets are often slow or unresponsive, there will be a delay in processing your bond waiver request. It may take a week before staff can successfully access Empire market.
Commission is 5% of the funds paid to an order. The only other fee is the withdrawal fee which is currently 0.00017 BTC.
Stock available must be specified on each product. When orders become paid then the product stock value is reduced automatically until the product listing changes to sold out.
Disabling sales can be done three different ways.
- Vacation mode will disable sales of all products.
- A product stock value can be changed to 0.
- A product can be set to disabled. It will still show in product lists but customers cannot purchase it.
Hidden products are only accessible to someone that knows their URL and do not show in product listings.
When taking photos for product listings, do not use your everyday phone. Use a dedicated phone/camera. This protects against correlating sets of images taken by the same camera that are publicly accessible on sites such as Facebook.
No escrow products are those which have the no escrow setting enabled. Vendor accounts are manually given permission to use this feature if they have a good history. Without permission, the no escrow setting will appear disabled.
When the order is finalized by the customer, you need to click Set address on the order view to specify your wallet address for receiving payment. To automate this, you can specify your wallet address in account settings, then you will be paid automatically.
Payments from finalized orders will be processed at least once per day at a random time. In account settings you specify which days you would like to receive payment. If multiple orders have been finalized the amounts owing are summed and you will receive a single payment.
A network fee will be deducted from your payment but it is usually a very small amount if not zero. The network fee will show in the navigation bar for vendor accounts (if the fee is not zero). The network fee only changes on Monday (GMT), then remains constant for the week. The fee is deducted once per bitcoin transaction. When multiple orders are being paid out there is a single transaction and fee deducted once.
When the withdrawal fee is cheap you will likely want payments sent every day. But when the fee is high you can save money by receiving your payments less frequently. For example, setting the schedule to Sunday only will result in a single payment on Sunday of all bitcoin owing to you from finalized orders, with the withdrawal fee deducted from the payment. The withdrawal fee and payout schedule were implemented as a result of the very high bitcoin transaction fees of December 2017, when transactions cost over $20 in miner fees.
Another advantage of receiving your payments less frequently is your wallet will be cleaner and have fewer UTXOs. This means when you eventually spend from your wallet, the transaction sizes will be smaller so you will pay less in bitcoin fees.
After the payments are broadcast by Tormarket, you can expect a confirmation on the blockchain within 24 hours. You can see the transaction id of your payment on the order view or the Payment history page. To ensure a confirmation in that time frame, payments may be re-broadcast with a higher fee. Some wallets allow spending unconfirmed payments (CPFP) and that could be an option for you if the blockchain is congested and you want to use the funds without waiting.
When customers over-pay an order, the vendor will receive the over-payment, less commission calculated on the paid amount.
All order payments for every vendor go into the escrow wallet and payments are generally paid out from this same wallet. The source bitcoin addresses of your payment are selected by the wallet algorithm and will be addresses from other orders placed on the system.
Disputes and refunds
When the customer wants a refund, the vendor and the customer try to resolve the issue. ie re-ship, return goods, partial or full refund. The customer can change the refund amount they request. When it is something both parties agree on, the vendor can accept the refund amount and funds are paid out. Or the buyer can cancel the refund request and finalize.
If no agreement is reached, the market decides how to distribute the money in escrow. In the case that the vendor has ignored a refund request, the market may approve the customers refund after 7 days. The vendor must respond to the customers refund request in the form of Tor Market messaging and maintain consistent communication until the issue is resolved.
The archive button simply removes the order from the order list and you need to click the Show Archived button to see it. An archived order can be moved back again to the main order list page by Unarchiving it. This can be helpful to keep track of which orders need attention. ie Shipped orders can be archived so the order list only shows orders that need processing.
There is an alternate URL available on alias1. This allows you to log in with two different accounts simultaneously using the same browser. Use a different URL for each account such as a buyer and vendor account.
Should vendors mix their payments from orders? If you need to spend the funds and that process reveals your true identity, you may want to mix the funds first.
Buyers can see funds being paid out to vendors by watching the blockchain. Mixing is the process of making it too difficult to use blockchain analysis alone to follow the funds.
In the first step of being paid by Tormarket, you can mix the funds a little by reducing the frequency of your payment schedule. When paid once a week for example it will be harder for the buyer to see which payment out of the Tormarket wallet was to you.
The cheapest and less risky way is to self mix (rather than using an anonymous service) but the process is time consuming. This is done by holding accounts on several websites that allow bitcoin transfer into a pool of funds and out again as different coins. For example, crypto exchanges. Using TOR or a proxy when using the websites means no site will know the user identity. Funds are sent through a chain of these exchanges.
PC wallet => online wallet 1 => online wallet 2 => online wallet 3 => PC wallet 2
This is analogous to having multiple bank accounts with anonymous identities. As the funds flow through the chain of accounts it becomes very hard to trace without co-operation from all the companies to provide their log files of transactions in and out. The more wallets in the chain, the harder it is for someone to get all the logs. Using geographically diverse websites will help more (ie China, Russia, Venezuela) because no jurisdiction has authority everywhere. You would need to vary the amounts throughout the process.
Other methods can be used such as coinjoin algorithm which is implemented in the Wasabi wallet (highly recommended) and JoinMarket wallet. Avoid using mixing services (aka tumblers) like Helix because it is not known how effective they are. Some of these services have failed to adequately mix coins.
The majority of the order processing code has been in use since Sept 2015 and is well tested. As a multi-vendor market it has been running since early 2018.
The architecture consists basically of two separate systems.
- The public system running the market web server and TOR has no bitcoin private keys stored. It only holds a list of payment address strings in the database. The market server provides an API for retrieving data about payments owing.
- An isolated payment server running the private bitcoin wallet(s), locked down with minimal software installed. It only runs a wallet process, TOR and an application to process payments from data retrieved via the market API. It connects out to the market web server API over the TOR network. This helps to conceal the location of the bitcoin wallet, so even the market web server can never access the payment server.
With Tor .onion addresses, https is not necessary because Tor ensures you are connected with the real authentic website and not a fake one. Tor also handles end to end encryption between this website and your Tor Browser to keep communication private. Traffic never leaves the encrypted Tor network. Provided you enter the .onion URL correctly, Tor will take care of network security and privacy for you.
Theft of escrow funds would be extremely difficult because the public server doesn’t store bitcoin. A hacker would need to modify the database to have their own bitcoin addresses so payments go to the wrong recipient. Any database tampering would likely be detected by the scripts on the payment server that process payments.
Periodically the escrow funds are replaced with fresh coins from Chaumian CoinJoin. This means that anyone who has paid into the wallet so they can analyse it, will have a limited window in time between their payment and when all the funds are replaced, to follow transactions. Then the trail stops and it’s like a new wallet was started.
The web server does not hold any PGP private keys. This means PGP encrypted messages in the database can’t be decrypted, even if a full copy of the server is obtained.
The web server (and all systems used in maintaining and administering tormarket) have full disk encryption and use the most secure open source operating systems (not Windows, or Apple).
All network access to the web server is through TOR and includes additional hops through other networks in addition to TOR. This means that network traces of the server do not reveal any users or operators of the server. All servers that process traffic from Tor (ie market HTTP traffic) have their DNS resolver set to look up via TOR. General outbound traffic to the internet is restricted with firewall rules. These precautions are to avoid any inadvertent outbound traffic that would reveal IP addresses.
Session data (cookies) are all stored client side, signed and encrypted. No session data is stored on the server. This gives speed improvements and additional security because database leaks cannot reveal session tokens.
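The stateless session design described above, as an added example that is not Tormarket's code: the cookie is the session, encrypted and authenticated with AES-256-GCM under a single server key, so nothing is stored server-side and a database dump contains no session tokens. The key, username and expiry values are constructed for the example; the cookie layout (nonce || ciphertext || tag, base64url encoded) is this example's choice, not something the page specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"time"
)

// Session is the data carried inside the cookie. Nothing about it is kept on
// the server; the cookie itself is the session.
type Session struct {
	User    string `json:"u"`
	Expires int64  `json:"exp"` // unix seconds
}

// serverKey is the one secret the server holds. Constructed value for this
// example; a real deployment generates 32 random bytes and keeps them out of
// the database so a database leak cannot be used to forge or read cookies.
var serverKey = []byte("constructed-32-byte-server-key!!") // exactly 32 bytes

var ErrBadCookie = errors.New("session cookie rejected")

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal serialises the session, encrypts and authenticates it with AES-GCM and
// returns the cookie value: base64url(nonce || ciphertext || tag).
func Seal(key []byte, s Session) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	plain, err := json.Marshal(s)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// Seal appends ciphertext+tag after the nonce so one blob carries both.
	out := aead.Seal(nonce, nonce, plain, nil)
	return base64.RawURLEncoding.EncodeToString(out), nil
}

// Open verifies and decrypts a cookie value and checks its expiry. A modified
// cookie, a cookie sealed under another key, or an expired session is rejected
// without the server looking anything up.
func Open(key []byte, cookie string, now time.Time) (Session, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Session{}, err
	}
	raw, err := base64.RawURLEncoding.DecodeString(cookie)
	if err != nil || len(raw) < aead.NonceSize() {
		return Session{}, ErrBadCookie
	}
	nonce, ct := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	plain, err := aead.Open(nil, nonce, ct, nil)
	if err != nil {
		return Session{}, ErrBadCookie // GCM tag check failed: tampered or wrong key
	}
	var s Session
	if err := json.Unmarshal(plain, &s); err != nil {
		return Session{}, ErrBadCookie
	}
	if now.Unix() >= s.Expires {
		return Session{}, ErrBadCookie
	}
	return s, nil
}

// Tamper flips one bit of the encoded cookie, standing in for a client that
// tries to edit its own session data.
func Tamper(cookie string) string {
	raw, _ := base64.RawURLEncoding.DecodeString(cookie)
	raw[len(raw)-1] ^= 0x01
	return base64.RawURLEncoding.EncodeToString(raw)
}

func main() {
	now := time.Now()
	cookie, _ := Seal(serverKey, Session{User: "alice", Expires: now.Add(time.Hour).Unix()})
	s, err := Open(serverKey, cookie, now)
	fmt.Println("valid cookie:", s.User, err)
	_, err = Open(serverKey, Tamper(cookie), now)
	fmt.Println("tampered cookie:", err)
}
```

Because the only server-side state is the key, revoking one session is not possible without extra machinery (a short expiry, or a key rotation that invalidates every cookie at once), which is the usual trade-off of client-side sessions.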
Crypto currencies technical
Litecoin and Zcash were added because their network transaction fees are cheaper than Bitcoin. At times the Bitcoin network can be too slow and expensive so alternatives are needed. Both of these currencies are clones of the bitcoin source code which makes it easier for vendors and customers to learn about their use. Compared to Bitcoin, they are riskier to hold funds in and their main advantages are as fast, cheap transactional currencies, not long term stores of value.
Zcash has very good privacy. No other crypto-currency has better privacy than Zcash, hiding both transaction amounts and addresses. With Bitcoin, making some details of a transaction private requires building a special type of transaction called a Coinjoin. This requires specialized software that coordinates with other users contributing to the transaction. Using Zcash is a much better alternative to Bitcoin coinjoins in terms of privacy.
There is only one software implementation of Zcash that supports shielded transactions, called zcashd. zcashd is a full node and stores the entire blockchain - about 25GB. Desktop wallets ZECwallet and Zepio are graphical frontends to zcashd.
Although Litecoin and Zcash offer many advantages over Bitcoin, they are not decentralized in the same way Bitcoin is. Decentralization is what protects against censorship and theft of funds by government.
Monero may be added in future. Its privacy features allow hiding amounts transferred, and obscuring inputs to transactions by adding additional dummy inputs. It achieves better privacy than Bitcoin but not as private as Zcash.
There is no support for bitcoin multi-signature addresses because it is difficult and time consuming for most buyers to use.
In summary, Bitcoin is the best way to safely store value. Other crypto-currencies can offer cheaper transaction fees and privacy features but it is advisable to exchange them for Bitcoin instead of holding them, in all cases other than short term holding.
How the market generates payments
If the bitcoin transactions for buyer refunds and vendor payouts are broadcast but awaiting confirmation, more payouts may arrive for the payment server to pay. Instead of making new separate transactions, the old transactions are replaced. This process keeps repeating and the transaction gets bigger as more payments get rolled in. Each replacement is broadcast with a higher fee.
You can try to spend any payout funds before they are confirmed, but ensure you set the fee high enough to confirm quickly. This is because once you spend unconfirmed payout funds, it stops the payment server algorithm from replacing old transactions. Basically, when spending unconfirmed funds, provide a good fee to confirm quickly, otherwise it may delay your payment and delay other payments as well.
The canary notice file is a PGP clear-signed message that updates every two weeks.
If you have any questions please send a support message.