Reminder to Verify Empire Market .Onion Links


Empire Market users, like the users of every darkweb marketplace targeted by phishers, continue to make the same mistakes when logging into Empire Market. These mistakes could be mitigated if the market’s users followed some of the appropriate steps outlined by the market itself.

Darknetlive recently mitigated the phishing clones of this that sent users to fake marketplaces. Dark.fail recently dealt with a number of the phishing clones of dark.fail (and spoke with the entity responsible for many of the sites) as well. This is a cat-and-mouse game. Our fixes will work for the time being but the phishers will find a way to get around our fixes. For now though, the measures put in place seem to have helped prevent people from finding phishing links through phishing clones of darknetlive. This unfortunately is far from a solution to phishing in general.

Dread users, as well as the users of several subreddits geared towards users of darkweb markets, have likely received messages with a semi-convincing message about new market mirrors. Unsurprisingly the message also contains those mirrors. In no world are those links worth clicking. Most of the time this is obvious. But as a prolific phisher and scammer once wrote about Empire Market’s anti-phishing measures, “the end user is always the weakest link to a system.” In other words, some people are idiots.

Here is a message darknetlive recently received on Dread from a user named “EmpireModerator.” The seemingly official username would convince some users, unlike many of the various accounts used by the growing number of phishers.

Hi,

Due to the recent DDOS attacks, our technical team has been working hard to provide some alternative ways to deal with it. Right now we mainly control it but we want to explore new ways to avoid any downtime in the future; for that we are creating some new onion links with higher uptime rotating our onion links internally in a proper way with a custom onion balancer that will distribute our traffic better between remote servers. Also we recommend special caution with dark.fail as some users reported that they got phishing links from that source.

You can use any of the following links to access Empire Market, please bookmark them to avoid any phishing attack:

http://[redacted.onion

http://[redacted].onion

http://[redacted].onion

http://[redacted].onion

http://[redacted].onion

http://[redacted].onion

Empire won’t ask for your pin or mnemonic, bitcoin deposit address

always starts with 3 and please check the login phrase on the homepage to ensure that you are using a legit site

Stay safe,

Empire’s Team

Empire Market directly tells users to use dark.fail exclusively for valid mirrors. The first step is to get mirrors from dark.fail. Not darkfail.com, darkfail.org, not some stranger’s message on Reddit. Dark.fail.

Use Dark.fail for Empire Links

If, for example, you visited one of the links from the message above, you would see a very convincing Empire Market frontpage. Unless you have memorized the extensive list of Empire Market mirrors, appearance alone would not be enough to verify the legitimacy of most phishing sites (those serving the real market through a reverse proxy at a minimum).

Empire Market Real vs Fake

Verifying the Mirror

In the menu bar there is a link titled “Verify Mirror.” That link presents you with another captcha. Once past the captcha, users will find a message signed with the market’s private key that validates the mirror. The phishing page will have a similarly signed message and appear valid as well.

Empire Market Signed Mirror

Copy that entire message and create a text file containing only the contents of your clipboard. Run gpg --verify /path/to/file

The valid link will check out:

The invalid one will not:

The market’s PGP key is available here and at the bottom of this post.

The obvious solution is to get mirrors provided only by dark.fail, the Empire Market login screen, the Empire Market subdread sidebar/ sticky message from /u/Se7en or another Empire Market staff member.

Below is a message from /u/Se7en on the topic of Empire Market phishing links:

Empire Market will never ask for your PIN or mnemonic to log in
If you are asked for your PIN or mnemonic to log in you are on a phishing site.

Account verification
We will never PM you asking you to verify your account. Watch out for staff impersonators.

Phishing proxies
There are phishing sites that act just like Empire, to make sure you’re not using a phishing proxy always verify mirrors at /safe and only get links from dark.fail

How to obtain a legitimate link
Mirrors are available on DarkFail
dark.fail or darkfailllnkf4vf.onion

How to verify if a link is legit

  • Make sure the onion link included in the login captcha matches the domain you are using, if they don’t match or the login captcha has no link included in it then you’re using a phishing proxy
  • Verify the signature at /safe

How do i secure my account?

  • Enable 2FA
  • Don’t use the same password for everything and keep your passwords strong using a password manager like KeePassX
  • Use common sense

Empire Market PGP Key

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFoTKj4BEADF8SRTYfFg17I5cYMbIGYBg2nLb8kCOL47vE6k38yUme0Lp42f
FKyoaSCaERFAjFwRKFpS1pRFZRDCFzC4dNGhSGusHpUcdw2WOE2wt+cKcuMjW1JU
asB6jOBw5UsKuHCMcPe6zur/rWvW80ZoijXHABsoiLjagmDRqNxLCGf06vrEfViD
uJchyusaM5WBzcDASBUPc65m0MecaB479kinxYjQWf0btadnuJVhHsv8hRosuC3z
FsHfDEsCB1A6nr0ivHa8gECEI/5mAYdB7fVWin6sig1aganAJmmqqbaveT/s7LvQ
JqQ2HAHLvUkqndQSPtuDboB+8FY2XDLPy+V7zP7McQJVHeUyiycVhsrZJnclZh/Y
/NAF9IcfiOcDYYoHntrU0inWjw6u+72UTtxMLZ4zIYxYVFiijyR855XmEfLz007E
Sk0h4FHojoJCl7wQVuSmxHXB/gLsGb+znDd/z4NMWFUJOVdKtdW76fINvkq4c5lE
7ql8Cq1HkhYaUBvqovBrKvIII+cyFlu87WLGpCm0nQFNi+M5nuZ8U3sH2NJ4Nr9h
Bt4TdW/Qou9FmLFoWiqCXiUvlFMqhxBckaJtxqRV0KV/X7jVfaQpJCcWgJf2jhCy
6HR+8lB8uj9hCykpfLOTlZ61ETSjVJC5t6vHyEQDO/+r4LXhF9Io/ybqrQARAQAB
tCRFbXBpcmVNYXJrZXQgPGVtcGlyZW1hcmtldEBub25lLmNvbT6JAjkEEwECACMF
AloTKj4CGwMHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRCRYCb1bquDHnba
EADDNlgnN1wSBgXXiD4Ju8z9ddab9lBdkspWSxdTUbqnN+uGNZhTgaIMosv6d11X
osqPBiDmaa9+afigf8KsqmqC6f3JzqaLkRug2JaEcHCH/hGBes36skxCF7zxk/Ju
Mmnu/I1mwt4fP/4ebdG2ygWU+MEVFhiy8GYGUQ7X2KOJcDQGP+8Sp4Zl6U/TL/9f
wg+ThXisiHEpOTDAbPDmf6ZJQO0Dl5tQMogpn156+xwlCon3Fhr0ycwkix2EJCzz
sHJaugCdVP8ssUobwsPB4QpEkubsOcfOKig2bxnM4CMYzMfSn7eXVvOM4qg3CGR5
kxha8LVC1ib/O7XJbvKbwxwjrO0/+PWeoLNwgYV40SJeI4jm/xi6hWqPGMObn/xx
+M13WUQA5LwfhUpmbLbplm8rt38BAld++tFTdNneQIPM74LXNUUuEWiKJPcAnx0L
GjWCMwsOOe/2D9178L5BXsLh0Ext9xNU3krp7VeHRtOFlRDOdg6YZbZ3nonLswLG
V9xrcMAYmEKwWNaLZAr/tPq6k8glo9rCfCCN50kG9h77kZi5zdUgHtxZFHUKs/Vs
0HhrdqXK6qGjQ/AijhA0IgPuWbCy9bUtU5iaUeA6z51+vxbda0bMmQwO1dv0JUXI
TeTDcleRszfXwsuiCwviiUloKKa27JuBChQ3vy6iVwBUB7kCDQRaEyo+ARAAsyNM
mlYo8a1qI8qOF2LEq8NoGTHBe8u1N4Q1rlOfIw6mEUgDD9G+QAUPPVcpwjTDdTC0
zzoRkpUbqOMpNJqpCA1xTUJBnuBdyRtq/vEyuVSxc8niji9sbkxj2psn5tu//dfy
2MxNbFP1JnBRQ5dEIj6d5kcZt0+EhwXqmKvKPPhMeVEz4E4fDOZeMqrbmcY4iiTT
qFdN8aJ3E+tJ6pS6HUWwgMOwcQhCzah5q6eMaqtZA7PnuIpeudeVok0i5pvyfDmJ
sB4nqeeJFyzgNsGy5GkN4vI2zX7luYrxzrDIkmTIwCFmPk9PQHiAY0I+OqeUoPiL
HUizvschbKV3TqSYNwlyi5GTymysCKbHvyqGdNgRJxAzV6htDymEBkB5egj98DhM
UxCP9P1lhjEkf6GSJK0Y6cppL1NkjD2VG/BT++SqznQCbey1kuZ1UGFaDOpN1vQv
F5zSG2t7WLmoZU3k7X3ljpZpSBD2EFcac/wQ+6uE9UMiFU1y9AImC/AqC3oIWE8S
gPmG7FULN2pjfQ7wPNqovChtxB3lAqzzzFTX+7UDMiGf8oakxkvwIjQkUL5zEOXn
rTvKLaSy4ehxpcyLvU5GXgMyWMaugp04ff3UeJ680eM+P/zJAt81hggOJNqqMVm5
aiEuY1yBV9TcZF8qRNwX53UtjGg6YQ0wRgqAp2kAEQEAAYkCHwQYAQIACQUCWhMq
PgIbDAAKCRCRYCb1bquDHrKOEACtjY0GUx3wkoDXqLKErhsIwou1MBtQgSZnkrU0
2MLrRgOa2zABIsFSSLRVJez4oNEYpq6s3dt7zZTBR4Xuc1MGQHbfW5LRnwi+oD+X
MqKLYwLPVUlxLdFvF5sl6I+LKRhQTm3CZ56RC2XEyhsBBDSFG6eJGkiV1WHqBBDW
OI6M/hCs05bpyCpMixXzagGv97j7JITNZdS8NbiYU44jbqdTSa6sDvQ/gnPAB9p0
JAZCDmN0uLZ6zr2S7ovDl7O+1YUj8oKNkcnynlzl4CmQ539Js5SzdGaQ98fPIDgU
zDfP6m77+MlmgzDkOxsWfzK87Rw2AsWQTZILc7pZvLoTFHsMsp4nKUOTWj5Aj2PA
zngdH5wkYBTAb3aaVxfdw3HoJ6eKmAnK7fdmP9XBVCZFlJCppw9lc6Jh6/SPcNbr
33rkvO88YTCq5nCwYEGlZ90PwHGGJqzNBW/v+MJf89eithynE74QRReVNuJDwmdd
qg0/+/nuFsfglbRHCAMGpFnYART42aHILnJAd86+9t6m9q3f3fUqR7e93Zl7R8I9
Ol3Mtrgn8/IyiqUvFxHM91BdWMkWRv4jirytBe8+JC49GNEf0hMuBw3IqukiQpC9
2J0mCuRoJwqtH10lk226lRN7RVwTJFnZHXotewzMmmkEc+M8EHofjLLAw9p2VA8C
Y+2Rlg==
=eO6H
-----END PGP PUBLIC KEY BLOCK-----