Agora Dark Web market discovers suspicious activity on servers, pauses operations

The Agora Dark Web market cited Tor Hidden Services security vulnerabilities that could allow de-anonymization attacks and temporarily shut down operations after detecting suspicious activity on its servers.

Agora, the largest online black market on the Dark Web, is temporarily shutting down in response to “vulnerabilities in the Tor Hidden Services protocol which could help to deanonymize server locations.”

MIT and Qatar Computing Research Institute published research in July, showing how to launch successful de-anonymization attacks as well as how to prevent them. The research showed that resources to pull off such attacks are “much lower than expected.” Agora added, “In our case, we do believe we have interested parties who possess such resources.”

After “discovering suspicious activity around our servers which led us to believe that some of the attacks described in the research could be going on,” Agora has chosen to “pause operations.”

“We have a solution in the works which will require big changes into our software stack which we believe will mitigate such problems, but unfortunately it will take time to implement,” Agora said via a statement on Reddit as well as Pastebin, announcing the temporary shutdown of its marketplace. “We decided to move servers once again, however this is only a temporary solution.”

“At this point, while we don't have a solution ready it would be unsafe to keep our users using the service, since they would be in jeopardy. Thus, and to our great sadness, we have to take the market offline for a while until we can develop a better solution. This is the best course of action for everyone involved.”

The research referenced by Agora involves a circuit fingerprinting technique that could determine with 99% accuracy whether a Tor circuit was being used as “an ordinary Web-browsing circuit, an introduction-point circuit, or a rendezvous-point circuit. Breaking Tor’s encryption wasn’t necessary.”

The researchers were able to passively pull off circuit fingerprinting. MIT reported:

“Furthermore, by using a Tor-enabled computer to connect to a range of different hidden services, they showed that a similar analysis of traffic patterns could identify those services with 88% accuracy. That means that an adversary who lucked into the position of guard for a computer hosting a hidden service, could, with 88% certainty, identify it as the service’s host.”

The Tor Project blog said the research was “a well-written paper.” A Tor spokesman called the researchers’ proposed countermeasures to neutralize the attack “interesting” and added, “We need more concrete proof that these measures actually fix the issue.”

Agora apparently is done waiting and intends to take action to mitigate the problem. “We shall do our best to clear all outstanding orders and we ask all of you users who have money on their accounts, withdraw them as soon as possible, because we don't want to be responsible for it during the time when the market will be offline.” There “might be some delays in payouts, since many people are expected to withdraw money at the same time, but we intend to resolve any such issues in the end.”

“We advise you to use only destination bitcoin addresses that do not expire when you send money out from Agora, as the payments to them might get delayed,” continued Agora’s statement.

“While the market is offline, do not send any bitcoin to any of your deposit addresses on Agora. We do not guarantee the safety of any funds sent there.

“Vendors, we strongly advise you to abort any orders that haven't been sent out or processed yet, as we cannot guarantee what will happen with the orders in resolution. We shall try to resolve it on a case-by-case basis, but there might not be time to wait for orders that require long shipping times.

“We are going to handle the situation with the vendor bonds soon, we need some time to make sure that no one uses this as an opportunity to start scamming wildly.

“All of the market data will be kept intact and be available upon return, including all of the user history and profile data.”

Agora included its new PGP key which can be used to check the authenticity of its future messages.

After the Evolution Market exit scam, when Evo went poof along with million in bitcoins, Agora was credited with selling more products than any other online black market and was dubbed king of the Dark Net by Wired. Instead of seeming sketchy, the fact that Agora issued a statement before temporarily shutting down seems to ring of professionalism…something that is not often associated with the Dark Web portion of the Deep Web.

But not everyone is impressed or as optimistic about shoring up security. Matthew Green, a cryptography expert from Johns Hopkins University, tweeted, “I wouldn't trust a Tor hidden service farther than I could throw the server. Not in 2015.”

IBM researchers warn businesses to block Tor

Elsewhere regarding Tor, the IBM Security X-Force research team released its quarterly threat intelligence report (pdf); the researchers advised businesses to block Tor as the service is increasingly used by malicious actors.
