Darknet News

AlphaBay Admin Leaks Archetyp Market IP

Another day and another drama in the darknet markets community, this time it's not World Market and Dark0de Market, but AlphaBay Market and Archetyp Market.

AlphaBay Market admin (DeSnake) has published a post on Dread claiming to have found the Archetyp Market clearnet site IP.

Under the title “UI does not equal good security or capable admins. Short case study: Archetyp IP leak”, DeSnake published:

An object lesson of why you should attend your own flock first before looking at others. A short guide for the inexperienced darknet marketplace admin.

In the last few months you might have noticed lots of shilling and whatnot on the part of people from, directly connected to or loosely affiliated with the marketplace Archetyp and the admin running it. I will skip the clownish character of that admin (who also got his start selling ‘guides’ at AlphaBay originally); we have had our front and back conversation on Dread so I am not getting into that.

We get it, well, apart from the shilling part, as that is something for us, AlphaBay, is condoned and we prefer organic traffic and building our loyal customer (including vendors) base without such lame tactics. Now that mr_white has retired, Archetyp have decided to poke their heads out without fear of getting DDoS’ed to death and attempt to gain market share. We all know why that is. Because admins do not know how to protect against different types of DDoS attacks and although I do not agree with the DDoS method as a way of competition, it seems it has kept less technically capable admins in check before we arrived in August 2021.

That is the only reason Archetyp and other places are making themselves more known now because they rely on not having other DDoSers attack their infrastructure. In the past months or even years for some markets, you can clearly see who handles DDoS poorly and who can put up a fight.

To begin with, AlphaBay did get DDoSed a lot, since day 1 relentless attacks. I used that as an opportunity to fine tune the firewall we already had in place. While it was not perfect initially, it was able to withstand a lot of the attacks even though you needed several identity changes to access us, so I knew I was on the right track. Within 2 months I fine tuned it to a point which gave us not only a high level of protection but kept our costs extremely low compared to what attackers were spending. This gave us a huge advantage. It allowed us to focus on market upgrades, more time on the decentralized project and generally run everything smoother without worrying about the firewall or accessibility.

On the other side, less technically capable admins had other solutions to the DDoS. Some were offering rotating onion addresses that they manually posted etc. but ultimately that only delayed the DDoS. Masking the problem is not the same as solving it or at least countering it to a level where its impact is minimal. But most notably the pinnacle of human intelligence was Archetyp. Instead of dealing with the DDoS, putting in the countless hours of research and testing like we did, they had the big brain move to offload/outsource the problem to companies in the clearnet. Specifically Cloudflare.

I do not blame them, it is not easy to craft a solution with little technical skills even when you have plug and play solutions like Endgame, but there are a multitude of issues:

Vendors and customers put themselves at risk before even accessing the marketplace. Tor can be observed as I have said many times especially for targets of high interest like big vendors/buyers or admins/Staff, however the clearnet makes it even easier to do that. From LE perspective it is perfect. All IPs that make DNS requests to archetyp.cc are users of the site (very high probability).
Cloudflare is a US company that complies with US laws. It takes nothing for any agency to subpoena their domain from cloudflare and redirect it to ones that they control. Case proof: recent takeover of Raid forums by the FBI.
Cloudflare is not a magic protection. It can be bypassed. They have just not met someone who can effectively bypass their protections and there are many people that specialize in that. So someone targeting both their onion and clearnet will negate their defenses to a point where users will not be able to access the marketplace at all.

Apart from those obvious issues, here lies one of the core reasons for the post. When you start something, finish it to the end and do not cut corners. Little yosi already cut corners by outsourcing his DDoS defense (if you can even call it that) but on top of that he failed to secure his server which is hosting https://archetyp.cc. I have given a demo to /u/Paris with the real IP and gave him undeniable proof that it is indeed that server hosting archetyp.cc that is leaking the IP.

Since Archetyp were attempting to ‘take shots at us’ with their UI angle through the friends circle they have built in the last years, clowning and whatnot, I decided to give this object lesson why security is the #1 priority; no amount of UI/dress up is going to change that. Another thing is there is a reason why their market has not taken off for more than one and a half years+. I believe some of it has to do with their admin, I mean which serious vendor wants to entrust their money to a person with such a personality, but most importantly, if your end product is not good, people are just not going to use it in the long term regardless of how much marketing or shilling you do (‘our UI is superior’). That being the only talking point shows more than enough.

Also in that regard people want simplicity; redesigning everything just to make it pretty does not mean it will be usable. Case in point: our old UI that lots of markets copied, including World Market. Before it was chaotic but it became the de facto standard even till today regardless. Now we have the same principles but it is more streamlined and easy to understand. I believe with our expertise and track record, unmatched by no other marketplace, we know what we are doing. Of course that does not mean we are not taking feedback, on the contrary we have made quite a few changes to the UI/UX because we listen to our users.

Some other noticeable tips for admins/service operators:

Test out all edge cases of your functions
Security is a priority not a second thought. Layer multiple protections/methods of defense for each function. Lock down your servers.
If you are doing something do it well. You might not get as much functionality but if you do something well in a stable and secure manner you will be recognized for that
Put a secure system to generate private onion addresses for customers/vendors. That goes a long way even if you have little idea how to protect against the DDoS
Use I2P. I2P is a low-cost for defenders and high-cost for attackers solution as even Paris noted in the current Dread v3 post. Educate your community how to use it. Go to /d/i2p to learn more

Now I know this post will trigger an admin or two especially the parts directly mentioning certain parties and they will attempt to wiggle their way out or give an excuse and that is fine, PR is PR. But what I would like to remind all admins in the scene is take care of your own shit before you advertise it or attempt to undermine others.

Thank you.

The Dread admin quickly confirmed DeSnake's claim of finding the IP address of the Archetyp Market clearnet site:

/u/DeSnake has verified this with me and I can confirm the public https://archetyp.cc Cloudflare-protected server’s IP has been found. The ending digits of the IP are 206 and when attacked (without a lot of power, to be said) the whole site goes offline. It’s not a core server to a market but it is the link portal and entrance. It’s important to remember to protect all items of your infrastructure and consistently check if your servers have been accessed from outside.

Having an official clearnet site of a darknet market is a major security issue; in fact, the last darknet market that had a clearnet site was Wall Street Market, which, once it exit scammed, was quickly seized and its 2 admins arrested in Germany.

Not only does Archetyp Market have a clearnet site, its IP was leaked, meaning any law enforcement agency can seize control of the server and change the links on the site to any link they want.

However, a few hours after the post was published, DeSnake deleted it after a lot of backlash against him and AlphaBay from many users who claimed that he was using the IP leak as a way to continue shilling his own darknet market.

The Archetyp Market admin quickly made a comment and a post announcing that he will delete his account and leave Dread for good:

tldr: The Alphabay admin is dead, you are a three letter agent, alphabay is a honeypot.

I never sold anything on Alphabay and for sure not ‘guides’, you are a manipulative liar, I pointed that out before when we had our “front and back” conversation.

You are known for hardcore shilling on Dread, inserting yourself in every conversation but yet you failed to build a great market.

The way you talk about DDoS is funny, as what is “fine tune the firewall” supposed to be? Blocking 127.0.0.1 when DDoS via Tor hits, you are retarded and it shows.

“Archetyp and other places are making themselves more known now” – we fucked off from Dread semi since WHM went down, mostly because we spend most of our time on the market nowadays, this can be proven by simply checking our post history on Dread you clown. /u/Paris comments cemented our way to make it final to leave Dread today.

Within 2 months I fine tuned it to a point which gave us not only high level of protection but kept our costs extremely low compared to what attackers where spending.

This is basically not possible, as you have to outspend the attacker, that is simple math you retard. Even though you got the IP of archetyp.cc and I will not deny this, archetyp.cc is the smartest thing to do against DDoS.

more time on the decentralized project and generally run everything smoother without worrying about the firewall or accessibility

I call exit-scam of Alphabay end of 2022 / start of 2023, because this “decentralized project” will never launch, this project does not exist at all. It’s another of your retarded ways to shill your market using buzzwords.

Vendors and customers put themselves at risk before even accessing the marketplace. Tor can be observed as I have said many times especially for targets of high interest like big vendors/buyers or admins/Staff, however the clearnet makes it even easier to do that.

Tor was created to hide users who access the clearnet. Accessing archetyp.cc to obtain a mirror which you can verify using PGP is not at all risky.

From LE perspective it is perfect. All IPs that make DNS requests to archetyp.cc are users of the site (very high probability).

Using Tor browser to access archetyp.cc does not leak the IP. This is another of your retarded attempts to manipulate users.

Cloudflare is a US company that complies with US laws. It takes nothing for any agency to subpoena their domain from cloudflare and redirect it to ones that they control. Case proof: recent takeover of Raid forums by the FBI.

I promise that I had an iptables setup similar to this on https://archetyp.cc:

# Allow-list of Cloudflare's published IPv4 ranges on a custom "nginx" chain
# (the chain must exist and be reached from INPUT for these rules to apply).
iptables -A nginx -i eth0 -s 173.245.48.0/20 -j ACCEPT
iptables -A nginx -i eth0 -s 103.21.244.0/22 -j ACCEPT
iptables -A nginx -i eth0 -s 103.22.200.0/22 -j ACCEPT
iptables -A nginx -i eth0 -s 103.31.4.0/22 -j ACCEPT
iptables -A nginx -i eth0 -s 141.101.64.0/18 -j ACCEPT
iptables -A nginx -i eth0 -s 108.162.192.0/18 -j ACCEPT
iptables -A nginx -i eth0 -s 190.93.240.0/20 -j ACCEPT
iptables -A nginx -i eth0 -s 188.114.96.0/20 -j ACCEPT
iptables -A nginx -i eth0 -s 197.234.240.0/22 -j ACCEPT
iptables -A nginx -i eth0 -s 198.41.128.0/17 -j ACCEPT
iptables -A nginx -i eth0 -s 162.158.0.0/15 -j ACCEPT
iptables -A nginx -i eth0 -s 104.16.0.0/13 -j ACCEPT
iptables -A nginx -i eth0 -s 104.24.0.0/14 -j ACCEPT
iptables -A nginx -i eth0 -s 172.64.0.0/13 -j ACCEPT
iptables -A nginx -i eth0 -s 131.0.72.0/22 -j ACCEPT
# Anything that did not match a Cloudflare range above is dropped, so the
# origin only answers requests relayed through Cloudflare.
iptables -A nginx -i eth0 -j DROP

Weird that the entries were deleted, on a server whose IP could have only been known to CloudFlare. Weird that Alphabay, which was rumored to be a honeypot, is the one who finds our clearnet IP. Weird that if I recollect it: US Agents busted Alphabay, weird that Alphabay pushes for I2P which is proven to be worse than Tor in hiding user IPs, so many weird coincidences.

And really weird that /u/DeSnake manages to use book-examples of manipulative behavior, only to be seen by sociopaths and agents who are trained to use all sorts of these rhetoric tools to persuade people.

And yes, Archetyp has the best UI and the best UX, alphabay comes not even close to it.

I believe with our expertise and track record, unmatched by no other marketplace, we know what we are doing.

What is this supposed to mean? “I believe that we know what we are doing.” That sentence does not even make sense.

Also “unmatched by no other marketplace” does this refer to suicide-rate or which aspect of alphabay is unmatched besides that?
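The one technical artefact in this exchange is the posted "nginx" chain, which only does its job if every Cloudflare range is accepted and everything else is dropped. As an added example (not code from either admin or from Cloudflare), the Python below evaluates the chain as netfilter would, first match wins, and shows that a source in 131.0.72.0/22 is neither accepted nor dropped by the posted rules; the two replacement rules in FIXED_CHAIN are this example's assumption about what was intended.

```python
import ipaddress

# The chain as posted in the thread, one "iptables -A nginx ..." line per rule.
POSTED_CHAIN = """
iptables -A nginx -i eth0 -s 173.245.48.0/20 -j ACCEPT
iptables -A nginx -i eth0 -s 103.21.244.0/22 -j ACCEPT
iptables -A nginx -i eth0 -s 103.22.200.0/22 -j ACCEPT
iptables -A nginx -i eth0 -s 103.31.4.0/22 -j ACCEPT
iptables -A nginx -i eth0 -s 141.101.64.0/18 -j ACCEPT
iptables -A nginx -i eth0 -s 108.162.192.0/18 -j ACCEPT
iptables -A nginx -i eth0 -s 190.93.240.0/20 -j ACCEPT
iptables -A nginx -i eth0 -s 188.114.96.0/20 -j ACCEPT
iptables -A nginx -i eth0 -s 197.234.240.0/22 -j ACCEPT
iptables -A nginx -i eth0 -s 198.41.128.0/17 -j ACCEPT
iptables -A nginx -i eth0 -s 162.158.0.0/15 -j ACCEPT
iptables -A nginx -i eth0 -s 104.16.0.0/13 -j ACCEPT
iptables -A nginx -i eth0 -s 104.24.0.0/14 -j ACCEPT
iptables -A nginx -i eth0 -s 172.64.0.0/13 -j ACCEPT
iptables -A nginx -i eth0 ! -s 131.0.72.0/22 -j DROP
""".strip().splitlines()

# Assumed correction: accept the fifteenth range, then drop everything else.
FIXED_CHAIN = POSTED_CHAIN[:-1] + [
    "iptables -A nginx -i eth0 -s 131.0.72.0/22 -j ACCEPT",
    "iptables -A nginx -i eth0 -j DROP",
]


def parse_rule(line):
    """Return (negated, source network or None, target) for one -A line."""
    tok = line.split()
    negated = "!" in tok
    net = ipaddress.ip_network(tok[tok.index("-s") + 1]) if "-s" in tok else None
    return negated, net, tok[tok.index("-j") + 1]


def verdict(chain, src):
    """Walk the chain first-match-wins.  Returns the target of the first
    matching rule, or 'FALLTHROUGH' when nothing matched and the packet is
    left to the calling chain's policy."""
    addr = ipaddress.ip_address(src)
    for line in chain:
        negated, net, target = parse_rule(line)
        hit = True if net is None else addr in net
        if hit != negated:          # "!" inverts the source match
            return target
    return "FALLTHROUGH"


if __name__ == "__main__":
    for ip in ("104.16.1.1", "131.0.72.5", "198.51.100.7"):
        print(ip, verdict(POSTED_CHAIN, ip), verdict(FIXED_CHAIN, ip))
```

The same walk can be run against a live ruleset exported with `iptables -S nginx`, which is the "consistently check" step the Dread admin recommends.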

A few hours later the market's admin deleted his account, but the market's sub is still active.

In conclusion, it seems that even after Dark0de Market's recent exit scam the darknet market scene is still full of drama, fueled this time by DeSnake, who seems to have a lot of free time on his hands and, instead of improving AlphaBay, is more focused on hurting his competition.

We can only hope that darknet market admins will focus more on securing their markets from attacks and fixing bugs, and not spend hours on end finding vulnerabilities in other markets and hours on Dread making accusations against fellow market admins.

4 thoughts on “AlphaBay Admin Leaks Archetyp Market IP”

  1. alphabay is a honeypot, very easy to spot. everything he says (desnake) makes zero sense.

    the dnm scene is really fucked huh

  2. haters gonna hate on alphabay best DNM on the scene :)) had zero issue with it

    FYI desnake never deleted that post, paris did, and desnake never leaked the actual IP, he sent it to paris to verify. get your facts right!

  3. alpha bay is trash … why are people using it they already robbed people of millions why are u gonna let them rob again ? they obviously will exit scam again at some point…
