Darknet market link provider reveals new details of attack
The anonymous admin of dark.fail provided an update this week as to what happened recently with the website that caused the owner to lose control. A staple reference among the darknet market community, dark.fail usually hosts a collection of verifiable links to darknet markets and has been seen as a trusted host for these types of URLs for years.
Now it simply contains a message explaining the series of events that ultimately put it under the control of an attacker.
“We are infuriated that our trusted name was used for harm,” the admin states on the dark.fail front page. “Devastated, motivated. Big changes are on their way.”
The backstory behind the event is complicated – even described as “unprecedented” by the admin – and requires some explanation:
Employees of Tucows, the domain provider responsible for .fail registrations, fell victim to a social engineering attack around April 28th, in which the attacker managed to convince Tucows to transfer ownership of dark.fail to their control. Tucows had received an email containing what appeared to be a court order, sent from what appeared to be an official German government email address.
Ultimately, neither the court order nor the email address was legitimate, and the attacker proceeded to replace the usual darknet market links hosted on dark.fail with phishing links pointing to credential-stealing imitations of popular markets.
While it is impossible to know how much cryptocurrency the attackers made off with from accounts of their phished victims, their potential haul was limited thanks to pressure put on hosting services provider Namecheap by the social media community.
The original message from the dark.fail admin contained the following signed message, and continues to apply to those reading it for the first time:
“If you visited sites listed on the clearnet domain “dark.fail” between April 29th and May 5th, 2021, you were phished and should rotate all credentials immediately! DarkDotFail has regained control of the domain “dark.fail”, the Twitter account “@DarkDotFail”, the Reddit account “/u/DarkDotFail”, and the email address “[email protected]”.
Thank you Njalla for your tireless work in getting our hijacked domain back. The attacker was unable to get past 2FA on our Twitter, Reddit, and Email. They did not access any existing messages nor servers. Emails sent to any address @dark.fail during the attack were received by the attacker.
Our .onion site was not compromised. Our OPSEC is fully intact.”
The admin stresses that darknet market links will only be hosted on the .onion version of the site for now, until better clearnet solutions become available.
The attacker also managed to gain control of the domains “darknetlive.com” and “onion.live” for a few days.