Potential 'Exit Scam' Imminent After Nightmare Market Breach

~10 min read | Published on 2019-07-23, tagged Darkweb-Market, Exit-Scammed using 2390 words.

A little more than a week ago, bitcoin transactions stopped working on Nightmare Market. The market staff reassured users that everything would be fixed within 24 hours. And shortly after the announcement, everything started working again. Behind the scenes, though, a hacker had almost emptied the marketplace’s bitcoin wallets, forcing the market to use recent deposits to pay for older withdrawals. The market plummeted towards bankruptcy.
Updates and Nightmare Market statement below.
“I Think You Got Hacked”

On July 23, a user on the darkweb forum Dread posted a thread titled “I think you got hacked.” Throughout the day, darkweb vendors started reporting that they had lost access to their accounts. Threads titled “We got hacked. DO NOT ORDER” and “HACKED DO NOT ORDER OFF NIGHTMARE” littered the frontpage of the Nightmare Market subdread.

The person claiming to have hacked vendor accounts–aptly named ithinkyougothacked–posted lists of the first and last words of a vendor’s mnemonic. Some vendors confirmed a match between the words posted by the alleged hacker and the 14 words they had saved during creation of their account.
Below is an exchange between two vendors and the hacker, ithinkyougothacked. The first comment disputed the claim that the market had categorically locked vendors out of their accounts.

/u/ithinkyougothacked (to meth4dead)
not anymore
/u/Vendy_McVendface (to ithinkyougothacked)
Hey I quit Nightmare a month or so ago. Put my profile into vacation mode and walked off. Assuming they haven't deleted my account, want to hack it and deface it to prove you're able to do so? Vendor account I believe is "VendyMcVendface"
/u/ithinkyougothacked (to Vendy_McVendface)
why do you even bother to ask for proof
login name
repress berry separations unstrapped paedophiles canada combatants analyser longings logician sedentary whee sterilised declaim
/u/Vendy_McVendface (to ithinkyougothacked)
And yes I can confirm that is my mnemonic
This is hilarious

Verifying the Hack

Darkweb markets are regularly targeted by disinformation campaigns, allegedly sponsored by rival marketplaces. (The existence of sponsored disinformation campaigns is disputed.) Users frequently claim that a market is exit scamming when the market is actually working as well as can be expected. So the claims from ithinkyougothacked were met with a healthy amount of skepticism.
Witchman05, a moderator of the darknetmarkets subdread, added his thoughts in a comment on Dread:
There are several theories that I’m currently entertaining, myself.

  • Rogue Nightmare staff. Not exactly impossible.
  • A real phisher/hacker.
  • These vendors are collaborating to drive business away from Nightmare to other markets by pretending to have been phished.

    Several vendors have since confirmed that the entity behind the hacks had locked them out of the accounts as well. Darknetlive also independently verified a claim from a trusted vendor. The vendors had nothing in common and no reason to conspire against Nightmare Market. One vendor who posted about the hack on Dread had questionable motives, according to other users of the forum. Those motives had nothing to do with an anti-Nightmare Market conspiracy.
    The following vendors, among others, confirmed the hacker had identified their mnemonic and/or locked their accounts:

  • /u/MrPBateman
  • /u/muttz
  • /u/DoktorSommer
  • /u/PleasureIsland-UK
  • /u/Vendy_McVendface
  • /u/OZDrugs
  • /u/NamasteLSD
  • /u/Gfellas

    Darknetlive reached out to ithinkyougothacked to receive proof that they had compromised Nightmare Market. In an encrypted email conversation, this author provided the hacker with the username of a fresh Nightmare Market account. Within minutes the hacker responded with proof that they had access to—at the very minimum—a support panel. The hacker had upgraded the unused account from a buyer account to a vendor account. The upgrade required no bond. The hacker had either access to the Nightmare Market database or access to the support (or admin) panel and a staff member’s credentials. This fits the hacker’s claim that he had reset a mod’s mnemonic to access the support panel.
    Notice the difference between the two screenshots. The top picture is before. The second is after.

    Marketplace staff members often take care of market issues such as low level disputes, issuing refunds, and ticket escalation through an interface (hopefully) unavailable to the general public. The most recent example of support panel misuse occurred during the Wallstreet Market takedown. A Wallstreet Market (WSM) staff member shared his credentials with Hugbunter after the admins had exit scammed. Then, in an unexpected move, a different member of WSM’s staff publicly shared his account credentials and the I.P. address of the WSM backend on Dread.

    The Backend

    Since support staff function as arbitrators for disputes and help with transaction issues, they often have access to incredibly private information associated with vendor accounts and buyer accounts. In an ideal world for market users, the market would automatically destroy history after a certain amount of time had passed. Many markets have offered self-destructing messages. Based on information the hacker shared with darknetlive, this author can definitively say that Nightmare Market offers no such expiration date for private information.

    Transaction history is kept forever, the hacker said. He provided screenshots of early transactions between vendors and their customers. “Admins can spy all vendors and messages and also view all orders [and] buyer notes back to the first ever made order,” ithinkyougothacked explained. “Messages are deleted but they are saved by backups forever.” So even when the user sees a message disappear from the frontend, the admins, hackers, and law enforcement can potentially access those records forever.

    Messages between staff members also stuck around for longer than expected, screenshots from internal conversations revealed. The hacker had access to the messages Nightmare Market staff members had been sending to each other about the very incident covered in this article.

    The hacker also provided screenshots of the marketplace’s earnings and total balances.
    The Market Total Sales and Total Escrow

    And the Withdrawals and Daily Sales

    SQL Injection

    In a conversation between different staff members, one staffer wrote the following:
    Any admins able to go on Dread and deal with these threads about Nightmare apparently being ‘hacked’.
    Some guy is posting vendor mnemonics and locking vendors out of their account on Dread. .onion/ufithinkyougothacked <- user responsible It appears he has access to a staff account because he is banning vendors so he is probably reading these messages. Either way, his point of access was probably the SQL injection I reported months ago to the admin who ignored me and told me it was not exploitable. Also this is probably the result of having errors enabled on a live market which I also advised the admins to disable multiple times…. Since he has clearly hacked a staff account you guys can contact me on Jabber, I will be logging out for my own safety until then.

    Users on Dread claim that Nightmare Market has ignored their security concerns (DarknetLive has received prompt responses from Nightmare Market in the past and has not had recent contact with the market). In one case, according to a user who reported an I.P. leak, the staff banned him instead of dealing with the issue. Others have reported that the market responded to their tickets about issues quickly but never actually implemented fixes of any sort.

    Bitcoin Issues

    On July 11, users found themselves unable to withdraw bitcoin from the market. After significant backlash from the community about the unexpected downtime, a staff member finally responded to users on Dread about maintenance of some sort.

    Darknetlive spoke with an admin from the marketplace who claimed they were “currently fixing some old issues with the [bitcoin] payment system.” In reality, according to the hacker, someone had emptied the market’s wallets. The hacker would not disclose the date of the initial breach but the messages between staff members indicate that a serious incident had occurred months ago involving the market’s database.

    The immediate question is how did the market continue to function with empty wallets? The answer is simple: they accepted deposits and used those deposits to fund withdrawals. Staff manually approved withdrawals past a certain threshold (a possible reason some people had the ability to withdraw and others had to wait weeks). The market managed to maintain this scam by leveraging the 14 day escrow system and counting on users to forget to finalize their orders.
    Although ithinkyougothacked only admitted stealing funds during this incident, the hacker was possibly behind the market theft that occurred prior to the July 11 “maintenance.” The “maintenance” was nothing more than the creation of a new bitcoin wallet to store funds. Nightmare Market had already planned an exit scam once they had refilled the marketplace wallet with enough bitcoin to make the heist worth their time.
    During the conversation with ithinkyougothacked, a new alert showed up on the frontpage of the marketplace. The alert notified users that the bitcoin payment system was undergoing maintenance.

    The hacker wrote that only administrator accounts could access and modify the banners and alerts. Since the admins are aware of the theft and empty bitcoin wallet, the message indicates that they might yet again try to raise funds for their inevitable exit scam.

    July 24: Maintenance Mode

    On July 24, Nightmare Market entered maintenance mode “to improve market.” We will see how this plays out.

    Some unrelated maintenance pictures of Wallstreet Market after the exit scam but before the seizure and Hansa after the Dutch National Police had taken the market over.

    Hugbunter commented on the potential exit scam here: Nightmare Market is potentially exiting.

    Nightmare Market Responses

    A Nightmare Market staff member posted on Dread that the market would be returning.
    “Within 24h we are doing an small upgrade as part of a larger one which will include 14 days AF and FE orders will not be shipped automatically as per request from many users,” /u/Sandman_NM wrote. “We will prove to you and everyone that we are not going anywhere.”
    Credit is due to the users mentioned in the article and users who opted to remain anonymous.
    At 9:30 PM UTC, someone claiming to be Sandman emailed and claimed no hack had ever occurred and that the market would return. (The person has since identified themselves as the OP of the official announcement on the Nightmare Market subdread.)
    He later posted on Dread:
    [A] trusted member of the team turned on us when we decided the market was much bigger than 1 person.
    Everything was already stored on a new server so the hack was a scam and we can prove this with solid logs. Mnemonics were not even accessible by admins as we make it clear that only the users gets these. As such we also can’t help someone who loses it to recover certain things, all for security reasons.
    Please don’t think we play with your info like this because we do not!

    Sandman, one of the market’s support staff, explained that a former market admin had stolen money from vendor accounts.
    The admin; Creative, tried to steal from us…period. He was not part of the team anymore because of private reasons. But for the safety and continuation of the market we had to move on without him.
    This resulted in him trying to steal money from the market through fake vendor accounts and eventually gaining access to a support member account (with partial info he saved from that account when he was still admin). He then followed to lock vendors and take over their account, which an admin can do and subsequently empty their wallets. This has resulted in him literally stealing funds.

    And he highlighted that no hack had occurred:

    To recap, the Nightmare Market staffer is saying that:

  • Mnemonics are inaccessible to support members and to admins;
  • A rogue admin used a support login to steal funds from the market;
  • The admin, using a support account, locked vendor accounts and drained their wallets (“which an admin can do”);
  • The rogue admin then spread information about the market and claimed he had hacked the market.

    Sandman wrote in an email to darknetlive that “not even close to all wallets were emptied and we will not take anything for us for the time being to cover the loss.” To account for any potential losses, the staffer said the market’s goal is “to keep improving, keep growing, retrieve everything for every user or some other means of compensation if a user wants that and we can supply it.”

    The Full Nightmare Market Statement

    Here we go..
    Oke so, there have been many speculations and many articles about hacks and such.
    Sorry guys, it’s not true, we were never hacked, and we can prove this solid, with the logs.
    Here is the real story, that we do not like to share but in the light of everything, you deserve to know:
    The admin; Creative, tried to steal from us…period. He was not part of the team anymore because of private reasons. But for the safety and continuation of the market we had to move on without him.
    This resulted in him trying to steal money from the market through fake vendor accounts and eventually gaining access to a support member account (with partial info he saved from that account when he was still admin). He then followed to lock vendors and take over their account, which an admin can do and subsequently empty their wallets. This has resulted in him literally stealing funds.
    As if this was not enough he then made screenshots of market specific data to post it under the motto! I HACKED THEM.
    ‘They were planning an exit strategy’
    Now, let me make something very clear. We are NOT and NEVER HAVE planned an exit. And we WILL pay every cent that the affected accounts have lost from our own pockets.
    And this my friends, is what really happened.

    We apologize for all the things that have taken place in the last 24h and unfortunately our attempt to keep the team safe has resulted in funds being stolen and hacks being claimed. It is literally impossible because after Creative was off the team we immediately moved every single byte of the market to a new server of which he had no data nor access.
    To those who believe in us, please understand that we never meant for this to happen and we will do whatever is in our power to rectify this, even as I said before, paying back what was lost from our own pockets.

    We have been reading things like:
    ‘Inevitable exit scam’ or ‘waiting until there is enough and then make our move’ I dare every single person who claims this to prove that any single one of our team-members has ever said this. Except for creative maybe ;)
    Either way, you will all see…we will still be here tomorrow…the day after, and the days after that.

    Available here: dreadditevelidot.onion/post/d03f8f18ae08c1eb132f
