In January 2017, a hacker—known on Reddit as /u/Cipher0007—found two Alphabay bugs that gave him access to over 200,000 messages between vendors and buyers. He handled the disclosure well and received community praise for doing so. Come late May, the hacker posted that he hacked the Sanctuary marketplace and, in the process, indirectly extinguished the site.

Instead of contacting the admins of the darknet marketplace, he took the details (redacted details, but exposed the flaws nonetheless) to Reddit. He found an SQL injection bug in the marketplace’s database. He dumped the private key associated with the .onion creation after he uploaded an SQLi shell with sqlmap. Cipher0007 further dumped data from the marketplace’s phpMyAdmin install.

He wrote, “this is proof of [the] uploaded shell and dumped private key of [the onion URL] of [Sanctuary] market and info of [the login database config] using /phpmyadmin.” He added three proofs but ultimately only one was required, if that. “[I] uploaded a shell with sqli using sqlmap on vmware,” he added.

Instead of the praise he received from the Alphabay incident, he saw a significant number of irritated comments. The very title of the post, “The Sanctuary Market Pwn3d By Cipher0007,” made him sound as if he just sought attention, several users vocalized. One, for instance, wrote, “Your title reeks of ‘GIVE ME ATTENTION.’ a cool blackhat just says ‘lol owned. here’s their passwords.’”

Another felt irritated that the hacker never reached out to the market’s admins. He had attempted this several times with Alphabay, yet received a response only once he posted about the bug on Reddit. (He then won an unknown sum from an Alphabay bug bounty.) “Also shouldn’t you have notified admins 24-48hrs ahead before publicly boastingwarning? I mean just to be polite. Any way there could be more, just saying stuff about what I see so far,” another user wrote.

Cipher said the market was too far gone with too few users to justify a fix. He believed that a market with this many issues would always be a major security risk to users.

And /u/wombat2combat, the subreddit’s first responder in these situations, agreed that Cipher acted in the correct manner:

He has shown in the past that he is interested in the future of the dnm community and I strongly think that this is still the case here. While vulnerabilities should in most cases be reported to market admins (so they can get fixed, little or no users harmed and nobody else can exploit them) there is a point where a market fucks up so badly that there is simply no future for it. Given that this market has barely any users and the graveness of the admins mistakes…

Even if he reported the many bugs to the admin and made a post about it later, the situation would be the same: no sane user would use such a market. Hopefully the admin closes the market soon.

I reached out to the marketplace administrator, Darkmarket. He told me that he appreciated what Cipher0007 accomplished—to a degree. “What I am not satisfied with is that he did not contact me to let me know [that he found and exploited vulnerabilities in the server],” the admin wrote in an email. He continued to say that following the Reddit post, he “received several attacks on the server.” Some attacks were from hackers attempting to clone his sites, he explained. Others were just causing damage.

After DeepDotWeb moved the marketplace into the Dead/Scam category, he commented on the page and thanked the community. “This is a jungle. You are all sharks but we are the same.”
