Alphabay was launched in November of 2014 and has grown rapidly to over 250,000 users. It is considered the largest darknet market by many, with thousands of transactions taking place monthly. Two extreme bugs were disclosed to the Alphabay team by a reddit user by the name of Cipher0007 in late January.
In an official statement by Alphabay, the attacker was able to obtain 218,000 user messages. If exploited, the bug could have allowed government agencies or nefarious hackers to access the sensitive information such as delivery addresses, tracking numbers, etc.
The attack has shown that no service is entirely immune to infiltration, therefore it is recommended to use encryption such as PGP for all sensitive communications on markets such as Alphabay. Alphabay administrators paid the attacker for the bug information, and the developers quickly sealed the loophole. As an apology, Alphabay offered a 20% discount on escrow fees the week following the attack.
It is important to note, this is not the first successful compromise of user data on the Darknet Market. In April of 2016, 13,000 messages were stolen through a hole in AlphaBay’s API. The attacker claimed “Only the minority of messages are encrypted with PGP. This is the reason you ALWAYS encrypt all comms with a vendor, because of stuff like this.”