Kingdom Market Has Issues

~4 min read | Published on 2020-03-05, tagged Darkweb-Market, General-News using 824 words.

Kingdom Market, a new marketplace with very few users, provided the community with a perfect example of a dangerously misconfigured onion service as well as yet another reason to be skeptical about new markets. Short story: their IP leaked. Dread users noticed.
The market is insignificant as far as markets go. Very few people knew about it until now. Those who knew about the market before this incident likely watched the market’s spectacularly bad announcement unfold on Dread. Markets like Kingdom Market come and go constantly and nobody really cares. What sets this case apart is the way the market permanently marred its own reputation.

[Image: Kingdom Market prides itself on its 24-hour customer service]
“It’s my opinion all publicity is good publicity, however Shodan is not what I had in mind.” - /u/mr_white
Yesterday, /u/bugkiller posted a thread titled “Kingdom Market IP.” After verifying that the IP address in the post actually belonged to Kingdom Market, HugBunter posted a warning about the market:
Found by /u/bugkiller via Shodan.

IP is accessible over clearnet and I’ve verified as much as possible to rule out it being a phishing proxy.

Get your coin out now if you, for some strange reason shopped/vended there.

Edit: It is now leaking tonnes due to coinmarketcap seemingly blocking their crypto rate requests, they have errors enabled, oh lord!

ErrorException (E_ERROR)

file_get_contents( failed to open stream: HTTP request failed! HTTP/1.1 429 Too Many Requests (View: /var/www/html/resources/views/master/navbar.blade.php) (View: /var/www/html/resources/views/master/navbar.blade.php) (View: /var/www/html/resources/views/master/navbar.blade.php)

Also, this explains why it was so slow to load each page, he’s running a rate update via file_get_contents on every page load.

It is incredibly likely that the Kingdom Market administrators followed a basic “how to” guide when configuring their marketplace. One of the guides provided by Eckmar directs users to use a default nginx configuration.
From one of the pages in the installation guide:

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name IP OR DOMAIN HERE;
        root /var/www/laravel/public;
        index index.php index.html index.htm;
        [...]
    }
A configuration such as the one above leads directly to the market’s current situation. If a server is reachable from the clearnet, someone will eventually find its IP address, and services like Shodan make the search trivial. At a minimum, nginx’s listen directive should bind to localhost (127.0.0.1) or to a unix socket, so that only the local tor daemon can reach the web server and nothing answers on the public interface. The “IP OR DOMAIN HERE” line reads like a joke. Securing a marketplace is a complex task that is far outside the scope of this post. But in short, this should never have happened.
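As an added example (not code from the article or from Eckmar’s guide), a small Python check that flags any listen directive binding something other than loopback or a unix socket, run against a copy of the guide’s server block and against a hardened counterpart. Both config strings are constructed here, and the torrc line mentioned in the comments is an assumption about how the onion service would be wired to nginx.

```python
import re
from typing import List

# Constructed copy of the server block quoted from the guide (not the market's live config).
GUIDE_CONFIG = """
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name IP OR DOMAIN HERE;
    root /var/www/laravel/public;
    index index.php index.html index.htm;
}
"""

# Constructed hardened counterpart: nginx binds to loopback only; the tor daemon reaches it
# through a torrc line such as "HiddenServicePort 80 127.0.0.1:80" (assumed wiring).
HARDENED_CONFIG = """
server {
    listen 127.0.0.1:80;
    server_name localhost;
    root /var/www/laravel/public;
    index index.php index.html index.htm;
}
"""

LISTEN_RE = re.compile(r"^\s*listen\s+([^;]+);", re.MULTILINE)
LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}

def listen_is_exposed(args: str) -> bool:
    """True when a listen directive's arguments bind a non-loopback, non-socket address."""
    addr = args.split()[0]
    if addr.startswith("unix:"):
        return False                          # unix socket: unreachable from the network
    if addr.isdigit():
        return True                           # bare port such as "80" binds every interface
    if addr.startswith("["):
        host = addr[: addr.index("]") + 1]    # "[::]:80" -> "[::]"
    else:
        host = addr.rsplit(":", 1)[0]         # "127.0.0.1:80" -> "127.0.0.1", "*:80" -> "*"
    return host not in LOOPBACK

def exposed_listens(config: str) -> List[str]:
    """Return every listen directive in an nginx config that would accept clearnet traffic."""
    return [m.group(0).strip() for m in LISTEN_RE.finditer(config)
            if listen_is_exposed(m.group(1))]

if __name__ == "__main__":
    print("guide config:", exposed_listens(GUIDE_CONFIG))        # two directives flagged
    print("hardened config:", exposed_listens(HARDENED_CONFIG))  # []
```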
And, as HugBunter pointed out, the market runs file_get_contents on every page load to fetch current Bitcoin rates. It appears that Kingdom Market was requesting updated prices directly from the server hosting the marketplace, not through Tor; with one request per page view, the market’s own users pushed it past coinmarketcap’s rate limit, and coinmarketcap began blocking its requests. With error display enabled, every page then rendered the resulting exception, filesystem paths included.

Also, Kingdom Market seemingly ignores EXIF data in pictures uploaded by vendors. The presence of identifying EXIF data in vendors’ pictures is not the market’s fault; vendors are responsible for removing their own EXIF data. But modern markets are expected to sanitize pictures and other content uploaded by users, and EXIF removal is an absolute requirement for any marketplace. I downloaded as many listing pictures as possible to examine before Kingdom Market dropped offline. The amount of data is concerning.
According to the EXIF data, this vendor took pictures of their products with a Samsung Note 8:

And this vendor used a Samsung Galaxy S10:
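As an added example (not code from the article or from the market), a dependency-free Python routine that drops the metadata-bearing segments of a JPEG (Exif and XMP in APP1, IPTC in APP13, free-text comments) before an upload is stored, leaving the image data untouched. The sample stream, whose Exif payload names a Samsung Note 8, is constructed here, and all function names are mine.

```python
from typing import List

SOS, EOI = 0xDA, 0xD9
# Segments that carry metadata, not pixels: APP1 (Exif/XMP), APP13 (Photoshop/IPTC), COM.
METADATA_MARKERS = {0xE1, 0xED, 0xFE}

def segment_markers(data: bytes) -> List[int]:
    """List the marker bytes of the header segments that precede the scan data."""
    markers, pos = [], 2
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] not in (SOS, EOI):
        markers.append(data[pos + 1])
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
    return markers

def strip_jpeg_metadata(data: bytes) -> bytes:
    """Return the JPEG with APP1/APP13/COM segments removed; image data is untouched."""
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG stream")
    out, pos = bytearray(data[:2]), 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (SOS, EOI):
            out += data[pos:]      # entropy-coded scan data through EOI: copy as-is
            return bytes(out)
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        if marker not in METADATA_MARKERS:
            out += data[pos:end]   # keep JFIF, tables, frame header and other image segments
        pos = end
    raise ValueError("truncated JPEG: no scan data found")

def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed sample upload (not a real listing image): SOI, JFIF APP0, an Exif APP1 naming
# the camera, a COM segment, one quantisation table, SOS with fake scan bytes, EOI.
SAMPLE_UPLOAD = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00MM\x00*\x00\x00\x00\x08Samsung Note 8")
    + _segment(0xFE, b"shot on my phone")
    + _segment(0xDB, b"\x00" + bytes(64))
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56\xff\xd9"
)
```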

Ugu, the creator of Kilos, warned about the market two weeks ago:
The admins of Kingdom Market emailed me about getting added to Kilos and the email came from an address. In the quoted text from our responses back and forth, it became clear that their computer was set up in French. These two points of information leakage are significant and became obvious within minutes of talking to them. I wish the staff at Kingdom Market the best of luck, and I do not want to damage their business, but I feel obligated to warn people about these safety concerns I have. Personally, I would stay away.

I can confirm their use of a Gmail address as they used one in an email to Darknetlive as well.

Oh, Kingdom Market did respond to the post about the IP address leak.
I am here, I left with no money yet in escrow I have more than 28,000 dollars my users are safe,

bug …… and a liar he says take my database except that it is not possible he speaks to noob, certainly I screw up in the configuration of my DNS but it is under repair no user and no seller has his security of compromise.

after with your forum “Kilos” frankly it and more crappy than crappy ^^

why don’t you make a market you talk a lot, people like you are brainless disabled

A noob lol

know one thing we will never pay we and not it is bitch who pays us we pay nothing on the contrary we are paid but good little spotty long hide the back hide are hiding lol

Best Regards,

Comments (17)


Not allegedly. And not someone, multiple people have over the past months. The credentials obviously work, nearly every parameter was vulnerable to SQL injections and the passwords were saved in cleartext. The server also holds a git repository with material, which could possibly lead to the market admins' identity. It was an absolute shit hole. I posted about the vulnerability months ago on Dread, took long enough for someone to leak it. Looking at the market, this shouldn't be the most shocking part. Trying the same credentials from both customers and vendors on Dread and other markets is scary though. You can also tell by looking at the passwords, that they are all being reused.


Yeah there are certainly some reused usernames and passwords in there, I hear.


"You can also tell by looking at the passwords, that they are all being reused." Why can you / one tell that?


> Why can you / one tell that?

It is more of a guess, confirmed by trying it out. If people use password managers, they usually generate the password and it is obviously in most cases not hard to differ between a password that has been randomly generated and a password someone came up with on their own, both by length and the content. If they have passwords like supergod123 for example, you can be damn sure they don't create a password like that for every single market or site. Imagine having to remember them all. And if you use a password manager, why use shitty passwords like that and even take the time to create them?


Thanks, right. Does LE actually look for known passwords if reused on other sites, apps (also clearnet,...)? (I do not want to question using individual and good passwords on websites with prohibited activity and of course there are also non-LE hackers)


yes, they have done it during darkweb investigations in the past. See the Hansa/Alphabay investigation where LE signed into Dream accounts with shared creds.


I would guess they do + see df77f3dc. I think there is something more interesting they can do though than logging into other accounts. If I was an investigator in a dark web case, I would pick passwords that stick out (as in looking like they are being reused, not having a dark web reference in it or alike and be unique enough to not be used by thousands of people) and run them through a breach database. Much more powerful to suddenly have a breached login with the mail [email protected] than accessing another dark web account with the same pseudonym.


true, but they don't ask let's say Facebook, if someone uses this password / user name there


text files, not even once


ayo dnl u trust dark eye? alien sound lame as hell imo if me was finna makin a site would u list it dnl????? 🥺 👉👈


You launching DonkeyBay now huh


ayo donkeybay sound dumb as hell i was gonna call it assbay dawg? so is u gon research it so future generations can know how great assbay was an how they got hot dumps from it?


But their website is very vulnerable, the ID parameter is a vulnerable entry point. It smells like federal.

Carl Mark Force, 2022-09-14

I saw this being shilled for the first time this week. Coincidence or failed exit scam after they realised?


it looks like some rookie has made the site. 1 min silence for the admin


Fed honeypot


by the way only me not several people