Darknet News

Top 5 Darknet Market Exit Scams of All Time

It’s a well-known fact that no darknet market lasts forever. There are simply too many things that could go wrong with an unregistered, unregulated market selling illegal items on the dark web for such a business to have a lifespan longer than any “normal” business. As a matter of fact, a 2021 study estimated the average life of a darknet market to be just over eight months. There are three main ways in which markets come to an end: raided by law enforcement (seizure), a pre-announced closure which gives users an opportunity to withdrawal their funds (peaceful exit), or the market admins simply run away with everybody’s funds, unannounced (exit scam).

The act of exit scamming for a darknet market has few comparisons in the real world but has been likened to “ripping off 1000s of drug dealers at one time.” The level of paranoia and fear major market admins might have after absconding with hundreds of thousands – or even millions – of dollars entrusted with them cannot be overestimated. Not to mention the attention garnered from high-powered law enforcement agencies on an international level. Granted such admins have air-tight OpSec, however, there is little recourse for their victims, who cannot exactly go to the police and file a complaint. This makes the act such a lucrative crime.

It just so happens that exit scams are the most common way for a market to meet its end, and we cover five of the biggest such scams in this article. It should be noted that it’s not certain all the markets mentioned here actually exit scammed on purpose; most notably of which are Nucleus and AlphaBay. Regardless, the likelihood of law enforcement’s involvement with their closure is minimal, and the outcome is the same for its users regardless: funds trapped in the market at the time of closure are lost, with no way to get them back. We end the article with some tips on how to spot potential exit scams that may apply to current and future markets.

#5. Nucleus Marketplace

Operated From: Oct 2014 – Apr 2016

Total Loss: at least $2.1 million (approx. 5000 BTC + unknown amounts of LTC and DASH)

A lesser-known rival of the original AlphaBay, Nucleus is characterized by enduring one of the more mysterious closures of any darknet market of substantial size. It was one of the go-to markets after the exit of Evolution in Mar 2015, picking up hundreds of vendors and thousands of customers almost immediately thereafter. By July 2015, Nucleus was big enough to attract the attention of hackers, who managed to drain $50,000 in BTC from vendor wallets before admins shut off the market’s servers, taking it offline for a couple of weeks to patch up holes in security.

Nucleus endured several other controversies during its year and a half of operation, including sales of firearms, dramatic skirmishes with vendors, inconsistent order and resolution processing, and garnering the personal attention of EUROPOL. Its reputation was also tarnished by prolonged periods of downtime. Nevertheless, the market managed to transact around $88.3 million worth of BTC, LTC and DASH during its relatively limited course of existence.

According to some accounts, the demise of Nucleus began with a dispute between a disgruntled vendor and marketplace staff. This dispute led to the vendor being banned, who is said to have then hacked the market in retaliation a few days before it went offline altogether. On April 13, 2016 – the day the market disappeared – a transfer of 12 BTC went out from an address known to be associated with Nucleus escrow funds. This led many to conclude the market’s sudden closure was indeed an exit scam.

A transfer of 59 BTC a week later from a different associated wallet appears to have gone straight to LocalBitcoins to fund a trade, although the observing community was skeptical that a seasoned DNM admin would make such a careless maneuver. For whatever reason, however, not a single coin from the market’s main escrow wallet – which currently holds over 5,000 BTC – was ever moved again. This has prompted several different theories as to what happened, with the most popular one being the main admin – a suspected heroin addict – overdosed and died shortly after shutting the market down.

#4. Evolution

Operated From: Jan 2014 – Mar 2015

Total Loss: approx. $12 million

Now almost forgotten in the annals of dark web history, Evolution was another market that was the biggest of its era, opening just two months after the closure of Silk Road. It hosted around 34,000 listings at the time of its disappearance, which included not only drugs and stolen credit card data but weapons as well. Run by a highly competent pair of admins, the market was renowned for its tight security, excellent site design, and had phenomenal uptime in comparison to its contemporaries. It was also one of the first markets to offer the option for BTC multisig payments, however, its implementation was described as “fundamentally flawed” and very few users made use of it.

Evolution benefitted from free advertising on the now-banned r/DarkNetMarkets subreddit, which was home to over 50,000 subscribers; many of whom would post vendor and product reviews for all to see. The subreddit served as a gathering place for not only DNM buyers but vendors and support staff as well, who seemed to think their anonymity was as untouchable there as it was on the dark web. This was later proven to not be the case as the US feds ended up subpoenaing Reddit for user data pertaining to Evolution staff and vendors in the weeks following the market’s exit.

In early March 2015, Evolution admins made the announcement that withdrawals from the market would temporarily be disabled due to technical reasons, which wasn’t unusual at the time. Users didn’t think much of it until the above-pictured message was posted to Reddit on March 17th, triggering a wave of confusion, anger and sadness in the comments below. One of the most trusted DNMs yet to have existed just pulled the plug on its loyal users, leaving them hanging and without recourse.

Despite being so early in the timeline of darknet markets, there had already been around 20 exit scams prior to the exit of Evolution. The difference is most of these previous markets had only encountered a tiny fraction of Evolution’s success, with some lasting less than a month before closing shop. Evolution’s closure was therefore the first major DNM exit scam that resulted in a multi-million theft of user funds. Admins Verto and Kimbal were never heard from again. Meanwhile, r/DarkNetMarkets continued as a hub for buyers, sellers, and support staff until it was finally banned three years later, in March 2018.

#3. Wall Street Market

Operated From: Jul 2016 – Apr 2019

Total Loss: over $14.2 million

With over a million registered users and tens of thousands of listings, Wall Street Market was an extremely large DNM that incorporated a lot of elements that would later become standard for other markets. Such elements include support for Monero, BTC multisig payments, and availability in six languages. Wall Street Market’s ascent began after the takedown of the original AlphaBay, in July 2017, which saw a mass migration of buyers and vendors to the market, who found it to be an adequate substitute for their needs.

Everything went well for the market for over two years, until the first few months of 2019, when several buyers started reporting being scammed by vendors and having their disputes ruled in the favor of the vendor. In early Apr 2019, users started reporting the payment system being broken, unable to place orders after depositing funds to their account wallet. Two weeks later, abnormal outflows of BTC from the market raised concerns, which were temporary allayed after admins reported a problem with their Bitcoin node being out of synch and vendor payments needing to be processed manually.

Shortly thereafter, however, it became apparent something more sinister was at hand after Wall Street admins and moderators started deleting complaints from the market’s forum as well as Dread, all the while insisting everything was fine. The amount of backlash became too much for one such moderator named med3l1n, who, after having his pleas for respite ignored and accepting the realization that the market he worked for was indeed exit scamming, began using his moderator status to extort buyers who had sent their addresses for orders unencrypted, threatening to dox them to law enforcement.

On Apr 21st, things took a turn for the even worse when med3l1n posted his market support panel login credentials online, along with the admin panel IP address, which ultimately gave law enforcement access to all user details, including login times, orders, associated BTC addresses, disputes, and support tickets. The move ultimately led to the seizure of the market by German and US authorities two days later. The three suspected admins, all citizens of Germany, were arrested on Apr 23rd and 24th, seizing the market’s servers on May 2nd. Moderator med3l1n was also quickly identified as a resident of Brazil and charged with drug distribution and money laundering.

#2. Empire Market

Operated From: Jan 2018 – Aug 2020

Total Loss: over $30 million

Opening for business less than six months after the famous takedown of AlphaBay, Empire Market rose to prominence by outlasting the competition. It featured the same template of AlphaBay and was even launched “in the memory of Alexandre Cazes,” AlphaBay’s admin who is said to have committed suicide in a Thai jail cell while awaiting extradition to the US. In 2019, as many as eight major darknet markets exit scammed after the seizure of Wall Street Market that year.

By 2020, Empire was the world’s biggest darknet market, with around 1.3 million registered users at the time of its closure. As the big dog in town, the market soon faced a relentless DDOS attack — a problem compounded by hordes of phishing clones and the vengeance of a banned vendor who repeatedly attempted to dox the site’s admins. These factors may have led to overwhelming pressure that encouraged the site to close down without warning, trapping thousands of its users’ bitcoins in the process.

“It’s easy to have a firm ideology at the launch of a darknet cryptomarket,” wrote DNM researcher and authority DarkDotFail in a Twitter thread about the market’s sudden disappearance. “But once you’re holding thousands of Bitcoin greed can defeat all good intentions.” It is not known exactly what happened to Empire’s admins, but chances are they simply sailed off into the sunset with their ill-gotten BTC treasure, never to be seen or heard from again.

#1. AlphaBay v2

Operated From: Aug 2021 – Feb 2023

Total Loss: unknown

After Hydra, the former Russian language market, the second incarnation of AlphaBay was the biggest darknet market the world had ever seen. It only took seven months after launch for it to reclaim the title the first version held as most popular English-speaking darknet market. It’s success was due not only to its admin’s (DeSnake) association with the original AlphaBay, which operated from Dec 2014 to Jul 2017, but because it was a relatively solid market that had all the trappings of a sophisticated operation. One such element was a lockdown mode in case the market’s PGP canary expired, which is exactly what happened when DeSnake did not log into the market in time in early Feb 2023.

DeSnake, who was also the founder of AlphaBay v2 (which he insisted was “the original AlphaBay”), had been less and less active on the market and the Dread forum – for which he was the #1 donator – in the months leading up to his disappearance. After Dread went down in late Nov 2022, which was the primary hub of communication for all things DNM-related, communication from DeSnake reduced to almost nothing, even on AlphaBay itself. It wasn’t entirely unusual for the admin to take long, unannounced vacations, and the market’s lockdown system had been triggered at least twice prior in its year-and-a-half history.

After an entire week of the market’s PGP system being frozen, locking all vendors and 2-FA enabled users out of their accounts, it was apparent that something was definitely wrong this time around, however. On Feb 13, 2023, AlphaBay admin The Cypriot posted a warning on Dread for non-2-FA enabled users to stop placing orders on the market, suggesting something was surely amiss. DeSnake last logged into the market on Jan 25, and all seemed to be normal. He had made substantial progress with a first-of-its-kind harm reduction system which incentivized volunteers to test and report products, had big plans for a decentralized marketplace that could run without direct administration — yet had disappeared completely.

After Dread returned in early March, the deviousness of AlphaBay’s disappearance was compounded by several vendors complaining that they had been unfairly banned from AlphaBay in the days leading up to the lockdown, with their outstanding disputes all being resolved in favor of the market. Dread posters were quick to point fingers at The Cypriot, who continues to maintain his innocence, yet the idea that DeSnake simply vanished doesn’t sit well with all. The fact that AlphaBay was a Monero-only market makes the situation especially complicated because it is near impossible to follow the trail of funds.

Two and a half month’s after AlphaBay’s end, nobody really knows what happened. Dread founder and admin HugBunter seems convinced it was indeed an exit scam, which is the general consensus on the forum. Conspiracy theories include DeSnake never being whom he claimed, that he was arrested, that his PGP key was compromised by an impostor, that he had been killed in the Feb 6 earthquake that ravaged Turkey, or that he had been conscripted to fight in the Russia/Ukraine war. Others believe he simply had enough of the stresses involved with managing such a high-profile operation and decided to walk away, taking user funds with him. Whatever the case, its unlikely he will ever return.

How to Spot an Exit Scam

As an exit scam is still the most prevalent way in which a market will come to an end (and they all end at some point or another), it’s a good idea to be aware of some warning signs that may indicate a market is on the brink of an exit. Some of the more basic signs include:

  • A sudden restriction in withdrawals or deposits.
  • A sharp decrease in the number of active vendors and buyers.
  • A sharp increase in the number of negative reviews of the market.
  • An absence or delay in responding to support tickets.
  • Repeated postponement of scheduled maintenance or updates.
  • Sudden changes in the user-interface or functionality of the market.
  • Increasing reports of lost funds or payments not reflecting in accounts.

Other warning signs include changes to site design or policy that might entice users to make more deposits, disabling of direct pay or multisig payment options, and long periods of time without communication from market admins. The best ways to mitigate losses induced by an exit scam are to never place more than one order at a time, keep orders to amounts you can afford to lose, and don’t keep large amounts of funds in a market account wallet.

You can also mitigate potential OpSec disasters by never sending unencrypted information when placing an order. Always encrypt shipping information yourself with the vendor’s PGP key, and don’t use the market’s auto-encrypt option. Remember that the darknet is truly the wild west of the internet, and there’s very little recourse to be had if market admin or staff should run off with all its users’ funds, or heaven forbid, decide to publish their information online.

Leave a Reply

Your email address will not be published. Required fields are marked *