DNStats.net, the first publicly accessible uptime monitor for onion services, once served as one of the few trustworthy providers of darkweb market mirrors. Market customers, researchers, and even law enforcement agencies used the site. Everything changed in 2018 when DNStats started shilling and sending people to fake markets.
To be clear, this post is about DNStats.net. It is not about sites with similar names.
In late a April 2014, the Reddit user /u/select1on announced the creation of DNStats.net on the /r/darknetmarkets subreddit. An archived version of the announcement is available here.
I was bored at work today and though it might be good to be able to see the status of all the sites in the side bar quickly.. I made a fairly simple site to grab a image snapshot of the sites and then make it easy to see if they are loading..
I literally made it just now. Use hidemyass or tor to access if you are worried about dox etc. The server isn’t logging either.
If people think its a good idea, I may expand it with outage notifications etc. maybe keep a history of the images.
Currently updates every 15 minutes.
Although the post generated very little attention at the time, DNStats quickly became one of the more reliable sources of marketplace mirrors and uptime information. Marketplace users who only recently started paying following the scene might struggle to truly grasp the significance of DNStats in 2014; the sector is currently over-saturated with generic uptime monitors and news sites without original content. It is no longer difficult to find marketplace mirrors (phishing links are readily available too). Back then, users had very few clearnet resources for sourcing mirrors or reading news.
Phishing has become an epidemic in the darknet. Sites with phishing links now include even dnstats.net, a site researchers once depended on.
— dark.fail (@DarkDotFail) January 17, 2020
One phisher’s BTC addresses has received over 50 BTC in the past ninety days. Empire Market users are the most targeted.
The Silk Road subreddit launched in late 2011 and Eileen Ormsby’s “All things Vice” covered Silk Road in 2012. Both DeepDotWeb and /r/darknetmarkets launched towards the end of 2013. Grams and DNStats both launched in 2014. Both services brought something unique to the table. Grams had search, Flow, Helix, Helix Light, and Infodesk, among others. DNStats provided marketplace mirrors as well as historical uptime data.
DNStats was to users of Agora Market what Dark.Fail is to users of Empire Market. The /r/darknetmarkets subreddit referred users to DNStats for market uptime and Grams for vendor profiles and data.
The /r/onions subreddit considered Dark.Fail trustworthy enough to add the link to the subreddit’s sidebar. DNStats.net essentially filled the position now filled by Dark.fail.
The point is this: the administrator of DNStats had seemingly unimpeachable motives. He was trustworthy.
The same is not true for the person now controlling DNStats. Something happened in late 2018 that completely changed the site. It both looks and functions like a completely different site.
There is no historical data or even decent information about the service itself. To the credit of this new DNStats, some of the listings on the site do in fact display uptime information. However it appears as if only the last hour is available. The severe decline in usefulness is not the problem with DNStats now, though.
The problem is that DNStats is now distributing links to obvious scams (and “featuring” the links to these fraudulent marketplaces). A perfect example of this is the listing for Escobay. Escobay is not even a market. It might look like a market since the developers cloned the CannaHome interface. The site actually tries to load some assets from a dead CannaHome onion address.
DNStats also serves links to sites with no history on the internet. This is not inherently malicious. But when only questionable sites refer to any onion service, there is a decline in trustworthiness for all parties involved. Some listings, such as the one for BlackPass Market, are mirrored by only other sites known for promoting scams or spreading fake news.
DNStats lists very few legitimate darkweb marketplaces (such as those listed on Dark.fail). And the descriptions for the listed markets are misleading. One example is the description for a new market that says, “Big Blue Market is one of the largest all-purpose markets on the darknet.” This is a patently false claim. The entire Blue Market page is filled with examples similar to the one above.
So what happened to DNStats?
The site administrator removed all remnants of the original DNStats and replaced the home page with referral links to Dream and Wall Street Market. A search of the referral links yielded no results.
- Dream: lchudifyeqm4ldjj\.onion/?ai=3055844889
- WallStreet: wallstyizjhkrvmj\onion/signup?ref=696125
Since then, DNStats has continued to evolve into the dumpster fire of a website that it is today. It appears as if the original owner of DNStats is no longer in control of the operation. Whois records, though, were last updated in 2017—long before DNStats changed. It does not look like the original admin sold or transferred the domain to anyone, indicating that whoever has control of the site now either had legitimate access to the domain or somehow stole the credentials necessary to change DNS settings.
On October 28, 2018, the person with current access to the site changed the nameservers from these Njalla ones:
to these Cloudflare ones:
The original DNStats administrator deleted his Reddit account at some point after September 27, 2018. The DNStats Twitter account has been inactive since July 2018. Nobody has returned emails sent to the publicly listed email address for DNStats. The most recent Bitcoin transaction associated with the DNStats donation address (1DNstATs59JANuXjbpS5ngWHqvApAhYHBS) is took place in August 2018.
The mx servers changed from Google Mail servers to Yandex servers on October 28, 2018. The same day the nameservers changed. Prior to the October 2018 date, DNStats had no webmaster or search console verification TXT records. It now has both.
As of the most recent update on Feburary 15, the Google Search console TXT record is:
and the Yandex TXT record:
Changes to DNS records alone are a sign that DNStats is still alive. Somebody is pasting Department of Justice press releases into the section of the site reserved for news. There is a warning about the Apollon Market exit scam which took place less than a month ago.
One possible line on the current operator of the site is a referral link to Empire Market. The appears twice in the marketplace’s description. DNStats seems to be the only indexed site with the same referral link though.
This is a phishing link
Edit: A reader pointed out that this link does in fact show up in a DuckDuckGo search for “/ref/760948.” A single result for an Empire Market phishing mirror.
Although the news articles are copied directly from the USAO press releases, the descriptions for the marketplaces are unique. They almost exclusively appear on DNStats.net. The first line of the description for Dread is an example of this: “Dread Forum, which is recognized as the successor to DeepDotWeb was created and launched by ‘HugBunter.'” Even some of the misspellings are surprisingly unique.
It seems unlikely that someone running a scam with the DNStats domain is new to the fraud scene. And DNStats is most likely not someone’s first scam. The lack of solid evidence linking DNStats to similar sites is unusual though. But there is some information to use for a profile. The site is unique enough that any similar site based on Nuxt.js or Vue.js is worth examining for other similarities.
There is a chance that the current administrator is someone the original administrator had hired. In January 2015, /u/select1on posted “[For hire] Someone to check the darknet sites and compile the real up to date site details.” I do not remember if he actually hired anyone, though. It also seems highly unlikely that he would have shared administrator credentials with any party hired online.
In August 2015, the administrator wrote that he had a developer working on the database:
Yeah the entire db is about 50mb uncompressed. I am open to the idea of sharing the data, I think I will start to collect more information to add to the usefulness of the data, if anyone has some ideas of what else I can gather that would be great. If you want a dump I can arrange it. I have a developer that makes all my changes but I do the database design. If you want to use the data to form some information I would be really keen to see how that turns out. pm me for details.
At least one additional person had elevated access to at least a part of DNStats infrastructure. And the theory that the original administrator went rogue is one to consider. It is an uncomfortable possibility but somewhat unlikely.
I suspect the original administrator of DNStats chose to vanish for one reason or another between his last tweet in July 2018 and the deletion of his Reddit account in October 2018. The last outgoing Bitcoin transaction in August 2018 potentially narrows that window. The DNStats donation address, in August 2018, had received a total of 28.30143634 Bitcoins (now worth more than $275,000). His arrest for any potential criminal activity on the darkweb seems unlikely or irrelevant to the current status of DNStats.
DeepDotWeb was free at the time and many still openly used marketplace referral links as a source of income. Some of the sites that had funded themselves through the use of referral links shut down after the DeepDotWeb seizure. Others stopped using referral links altogether. Perhaps the DNStats administrator predicted the DDW takedown and left before meeting the same fate. Thanks to the transparency of the Bitcoin blockchain, the evidence that the DNStats admin used affiliate links is pretty damning:
The only potentially related news covered by this site during the disappearance timeframe was the launch of Masterlist in October 2018. And there is no reason to believe a connection between Masterlist and DNStats exists. Olympus Market exit scammed in October as well but there is even less of a reason to suspect a connection between Olympus and DNStats.
If he left, who is in control of DNStats? If the administrator sold the domain, whois records would likely reflect the change.
He tweeted regularly until July 2018. What happened between his last tweet (last public communication) and the Bitcoin transaction on August 14? Why wait until September/October to delete the Reddit account filled with personal information? These are not rhetorical questions. If you know the answer or have contact with the administrator, please feel free to reach out.