Empire Market users, like the users of every darkweb marketplace targeted by phishers, continue to make the same mistakes when logging into Empire Market. These mistakes could be mitigated if the market’s users followed some of the appropriate steps outlined by the market itself.
Darknetlive recently mitigated the phishing clones of this site that sent users to fake marketplaces. Dark.fail recently dealt with a number of phishing clones of dark.fail (and spoke with the entity responsible for many of the sites) as well. This is a cat-and-mouse game. Our fixes will work for the time being, but the phishers will find a way around them. For now, though, the measures put in place seem to have helped prevent people from finding phishing links through phishing clones of darknetlive. This, unfortunately, is far from a solution to phishing in general.
Dread users, as well as the users of several subreddits geared towards users of darkweb markets, have likely received semi-convincing messages about new market mirrors. Unsurprisingly, the messages also contain those mirrors. In no world are those links worth clicking. Most of the time this is obvious. But as a prolific phisher and scammer once wrote about Empire Market’s anti-phishing measures, “the end user is always the weakest link to a system.” In other words, some people are idiots.
Here is a message darknetlive recently received on Dread from a user named “EmpireModerator.” The seemingly official username would convince some users, unlike many of the various accounts used by the growing number of phishers.
Due to the recent DDOS attacks, our technical team has been working hard to provide some alternative ways to deal with it. Right now we mainly control it but we want to explore new ways to avoid any downtime in the future; for that we are creating some new onion links with higher uptime rotating our onion links internally in a proper way with a custom onion balancer that will distribute our traffic better between remote servers. Also we recommend special caution with dark.fail as some users reported that they got phishing links from that source.
You can use any of the following links to access Empire Market, please bookmark them to avoid any phishing attack:
Empire won’t ask for your pin or mnemonic, bitcoin deposit address always starts with 3 and please check the login phrase on the homepage to ensure that you are using a legit site
Empire Market directly tells users to use dark.fail exclusively for valid mirrors. The first step is to get mirrors from dark.fail. Not darkfail.com, darkfail.org, not some stranger’s message on Reddit. Dark.fail.
If, for example, you visited one of the links from the message above, you would see a very convincing Empire Market frontpage. Unless you have memorized the extensive list of Empire Market mirrors, appearance alone would not be enough to verify the legitimacy of most phishing sites (those serving the real market through a reverse proxy at a minimum).
Verifying the Mirror
In the menu bar there is a link titled “Verify Mirror.” That link presents you with another captcha. Once past the captcha, users will find a message signed with the market’s private key that validates the mirror. The phishing page will have a similarly signed message and appear valid as well.
Copy that entire message and create a text file containing only the contents of your clipboard. Then run:
gpg --verify /path/to/file
The valid link will check out:
The invalid one will not:
The market’s PGP key is available here and at the bottom of this post.
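The check above can be scripted so that it does not depend on reading gpg's human-readable output. The following is an added example, not code from this post or from the market: it parses gpg's machine-readable status lines, requires a valid signature from a pinned fingerprint, and confirms that the host in your address bar is named inside the signed text. The fingerprint is a placeholder, the sample hosts in the test are constructed, and it is an assumption that the signed message lists the mirror addresses.

```python
import re
import subprocess

# Placeholder, NOT the market's key: pin the fingerprint of the key you
# imported from a source you trust.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
# 16-character (v2) or 56-character (v3) onion hostnames.
ONION_RE = re.compile(r"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b")


def valid_signers(status_text):
    """Collect fingerprints from gpg's machine-readable VALIDSIG status lines."""
    fprs = set()
    for line in status_text.splitlines():
        parts = line.split()
        if parts[:2] == ["[GNUPG:]", "VALIDSIG"] and len(parts) > 2:
            fprs.add(parts[2].upper())   # key that made the signature
            fprs.add(parts[-1].upper())  # primary key, when gpg reports it
    return fprs


def assess(status_text, signed_text, visited_host, pinned_fpr=PINNED_FPR):
    """Return (ok, reason) for one verified message and the host being visited."""
    if pinned_fpr.upper() not in valid_signers(status_text):
        return False, "no valid signature from the pinned key"
    signed_hosts = set(ONION_RE.findall(signed_text.lower()))
    if visited_host.lower() not in signed_hosts:
        return False, "signed text does not name the host being visited"
    return True, "signature valid and host is listed in the signed text"


def verify_file(path, visited_host, pinned_fpr=PINNED_FPR):
    """Run gpg on a saved clearsigned message and assess the result."""
    # With --decrypt, stdout carries only the text covered by the signature;
    # --status-fd 2 sends the [GNUPG:] status lines to stderr.
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "2", "--decrypt", path],
        capture_output=True, text=True)
    return assess(proc.stderr, proc.stdout, visited_host, pinned_fpr)
```

Pass the bare hostname from the address bar (no scheme or path) as `visited_host`; anything that does not match exactly fails closed.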
The obvious solution is to get mirrors only from dark.fail, the Empire Market login screen, or the Empire Market subdread sidebar/sticky message from /u/Se7en or another Empire Market staff member.
Below is a message from /u/Se7en on the topic of Empire Market phishing links:
Empire Market will never ask for your PIN or mnemonic to log in
If you are asked for your PIN or mnemonic to log in you are on a phishing site.
We will never PM you asking you to verify your account. Watch out for staff impersonators.
There are phishing sites that act just like Empire. To make sure you’re not using a phishing proxy, always verify mirrors at /safe and only get links from dark.fail
How to obtain a legitimate link
Mirrors are available on DarkFail
dark.fail or darkfailllnkf4vf.onion
How to verify if a link is legit
- Make sure the onion link included in the login captcha matches the domain you are using. If they don’t match, or the login captcha has no link included in it, then you’re using a phishing proxy
- Verify the signature at /safe
How do I secure my account?
- Enable 2FA
- Don’t use the same password for everything and keep your passwords strong using a password manager like KeePassX
- Use common sense
Empire Market PGP Key
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----