Cybersecurity Expert Tracks Down IP Addresses of Darknet Platforms
Last summer, law enforcement agencies shut down two of the largest darknet markets, AlphaBay and Hansa. Shortly after, the closure of the RAMP marketplace was also announced. As a result, sellers and buyers of illegal goods were left at a crossroads, needing to find new places to conduct their business, but with no clear direction. Some vendors moved to smaller marketplaces like Dream Market, Valhalla, or Wall Street Market. Others began operating through XMPP spam and Telegram channels. A third group decided to launch their own onion sites and conduct business independently.
This last category of sellers has attracted the most interest from an independent cybersecurity expert from Japan, known by the pseudonym Sh1ttyKids. Journalists from Bleeping Computer reported on the work of this so-called dark web hunter. Over the past two months, Sh1ttyKids has helped shut down several onion sites distributing drugs and other illegal goods. It turns out that uncovering the real IP addresses of these sites is not as difficult as one might think.
Sh1ttyKids told reporters that one of his latest “victims” was a site called ElHerbolario, which sold cannabis. The expert traced the site to two Dutch IP addresses, 188.209.52.177 and 185.61.138.73, both hosted by BlazingFast, a well-known “bulletproof” Ukrainian hosting provider. Since Sh1ttyKids shared all collected data with law enforcement and made it public, Dutch authorities can now physically seize the criminals’ server from the data center, analyze the site’s traffic, track buyers and site owners, and share this information with law enforcement agencies in other countries.
Two weeks earlier, at the end of October 2017, Sh1ttyKids also managed to discover the real IP address of the underground hacker forum Italian Darknet Community (IDC), which caters to Italian-speaking users. According to the analyst, the address 176.123.10.203 led him to a Moldovan hosting provider, and he has already reported this to the authorities as well.
Sh1ttyKids also found major security issues with the darknet market DrugStore by Stoned100, which offers a wide range of illegal goods, from drugs to ransomware. The site turned out to be running an out-of-the-box WordPress installation that gave away its real IP address, and the marketplace operators had failed to secure their database backups, which could be reached with just a few clicks.
Sh1ttyKids explains that in almost all cases he simply paid attention to small details. For example, he noticed traces left by exposed SSH services and used internet-scan search engines such as Shodan and Censys to identify the criminals’ servers. According to Sh1ttyKids, however, the main problem with all these sites was the human factor: many onion site operators lack proper administration skills and end up leaking their real IP addresses left and right.
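The two leaks described above (a WordPress install that writes its clearnet hostname into the pages it serves, and an SSH service whose host key is visible both through Tor and in Shodan/Censys scan data) can be checked for mechanically. The following is an added example written for this page and is not Sh1ttyKids' tooling or method: the onion address, the `.invalid` hostnames, the RFC 5737 IP addresses, the SSH keys and the scan records are all constructed, and the HTML snippet is a made-up page in the shape WordPress emits.

```python
import base64
import hashlib
import re
import struct
from urllib.parse import urlparse

# ---------- SSH host-key correlation (the "SSH traces" in the text) ----------

def ssh_fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded host-key blob."""
    blob = base64.b64decode(key_b64)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def find_ssh_matches(onion_key_b64: str, scan_records: list) -> list:
    """Return scan records whose SSH host key equals the key seen via the onion.

    A host key identifies one server, so a key observed on the hidden service's
    SSH port that also appears in a clearnet scan ties the onion to that IP.
    """
    target = ssh_fingerprint(onion_key_b64)
    return [r for r in scan_records if ssh_fingerprint(r["ssh_host_key"]) == target]

# ---------- Clearnet hostnames embedded in served HTML (the WordPress leak) ----------

_URL_ATTR = re.compile(r'\b(?:href|src)\s*=\s*["\']([^"\']+)["\']', re.I)

def clearnet_hosts(html: str, onion_host: str) -> list:
    """Hostnames of absolute http(s) URLs in the page that are not onion names.

    WordPress builds canonical, REST API (wp-json) and asset URLs from its
    configured site URL; if that is the clearnet name, every page leaks it.
    """
    hosts = set()
    for url in _URL_ATTR.findall(html):
        p = urlparse(url)
        if p.scheme not in ("http", "https") or not p.hostname:
            continue  # relative URLs carry no host information
        if p.hostname == onion_host or p.hostname.endswith(".onion"):
            continue
        hosts.add(p.hostname)
    return sorted(hosts)

# ---------- Constructed sample data (not real observations) ----------

def _ed25519_blob(raw32: bytes) -> bytes:
    # SSH wire format: string "ssh-ed25519" followed by the 32-byte key (RFC 4253 6.6)
    return b"".join(struct.pack(">I", len(x)) + x for x in (b"ssh-ed25519", raw32))

ONION_SSH_KEY = base64.b64encode(_ed25519_blob(b"\x11" * 32)).decode()
SCAN_RECORDS = [  # constructed stand-ins for Shodan/Censys results
    {"ip": "192.0.2.10", "ssh_host_key": base64.b64encode(_ed25519_blob(b"\x22" * 32)).decode()},
    {"ip": "192.0.2.77", "ssh_host_key": ONION_SSH_KEY},
    {"ip": "198.51.100.5", "ssh_host_key": base64.b64encode(_ed25519_blob(b"\x33" * 32)).decode()},
]

ONION_HOST = "exampleonionaddressxyz.onion"  # constructed, not a real service
SAMPLE_HTML = """<html><head>
<link rel="canonical" href="http://shop-example.invalid/product/1/">
<link rel="https://api.w.org/" href="http://shop-example.invalid/wp-json/">
<link rel="stylesheet" href="/wp-content/themes/x/style.css">
<link rel="alternate" href="http://exampleonionaddressxyz.onion/feed/">
<script src="http://cdn.shop-example.invalid/wp-includes/js/jquery.js"></script>
</head><body><a href="/wp-admin/">Admin</a></body></html>"""

if __name__ == "__main__":
    print("onion SSH fingerprint:", ssh_fingerprint(ONION_SSH_KEY))
    for rec in find_ssh_matches(ONION_SSH_KEY, SCAN_RECORDS):
        print("same host key seen in scan data at", rec["ip"])
    print("clearnet hosts leaked by HTML:", clearnet_hosts(SAMPLE_HTML, ONION_HOST))
```

In practice the onion-side key would come from an SSH banner exchange made through a Tor SOCKS proxy and the records from a Shodan or Censys query on the fingerprint; both sources are stubbed here so the logic runs offline. The HTML check is deliberately crude (attribute regex rather than a full parser) because the WordPress URLs it is looking for are in plain `href`/`src` attributes.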