Darknet Vendor Selling Bitcoin Forum Databases With 12m Entries

DoubleFlag, a vendor on TheRealDeal darknet marketplace, recently posted a listing that caught even darknetmarket regulars by surprise. For $400, anyone with the technical know-how can own databases from Bitcoin discussion forums with a grand goal of 12,000,000 user entries. Some of the most well known forums now have their user data listed on the darknet.

The entity, whether a hacker, a broker, or simply a vendor, is not unknown. For the sake of fluidity, DoubleFlag is a vending entity—as far as this article goes. Many of the massive database listings over the last year came from DoubleFlag. The vendor listed the infamous uTorrent database that sparkled controversy between uTorrent staff and users. The sale published close to 400,000 accounts for $600.

This listing—a set of 11 databases—blows the uTorrent listing of of the water. Not only will a buyer receive 12 million or more accounts instead of just 400,000, but they will come from 11 different data sources. So if one site encrypted passwords beyond a reasonably crackable manner, all hope is not lost. The buyer can simply move on to the next site. However, according to listing details provided by the vendor, the listing will not require much work, if any, to access the user information.

Here’s the listing details:

“536.727 MerlinsMagicBitcoin.com PHPBB Cryptocurrency 2017
514.409 BitcoinTalk.org Forum sha256crypt (469,540) SMS (44,869) Cryptocurrency 2015-05
568.357 BTE.com scrypt SHA-512 no passwords Cryptocurrency 2014-10
21.439 BTC4Free.com plaintext Cryptocurrency 2014-01
3.153 Bitcoin.Lixter.com plaintext Cryptocurrency 2014-09
1.780 BitLeak.Net MyBB Cryptocurrency 2014-03
28.298 Dogewallet.com MD5 plaintext Cryptocurrency 2014-01
61.011 MtGox.com md5crypt Cryptocurrency 2011-06
34.513 Bitscircle.com bcrypt Cryptocurrency-Bitcoin
10.855.376 Bitcoinsec forum Plaintext Cryptocurrency-Bitcoin2014
3.149 Thebitcoinshop.pixub.com Plaintext”

As the vendor made quite clear, many of the user data files are stored in plaintext. Sometimes, in a case such as this, plaintext passwords and usernames point towards another hacker beating the general public to the dump. Despite the controversy surrounding TheRealDeal marketplace—basically a US hacker’s paradise—the public can still access it. And buy the dump if they wanted.

Many database dumps of this caliber pass through numerous channels before they see the light of the darknet. Those with inside access or a closer working relationship with the original hacker may get permission to dig through and grab credentials for themselves. This benefits both parties as the vendor can advertise the lack of encryption and the entity who decrypted the data receives priority access to anything of value.

However, some of these database breaches date back to 2011. The fact that Mt.Gox is without encryption should not surprise anyone. As of the time I finished working on this article, the data remained untested, at least publicly. While DoubleFlag’s previous listings often tested positive for valid data, there is no proof that this dump would test similarly. Data brokers often lack a way to validate hacked data from hackers and the same applies to some darknet market vendors. DoubleFlag’s name carries some weight, but with any other darknet transaction, so your research first. And change your passwords – especially if you used the more recently breached forums.