Shadow Ornithology: The Secret Signals Behind the RuTor Forum Sale

Shadow Ornithology: What Really Happened Behind the Scenes of the RuTor Forum Sale

Chronos — May 15, 2022

Telegram has been buzzing with countless messages about the sale of RuTor, the largest darknet forum in the post-Soviet space. Chronos explains what’s really happening on the other side of the internet.

The Little Animal with an Encrypted Message

On the evening of May 11, RuTor forum users received an unusual promotional mailing from the Solaris marketplace. Alongside the ad text, there was a mysterious message: “Terrible changes are coming, known only to a few. An encrypted message will be left by a little animal who asked to pass [this] information to everyone within the set time.”

This mailing didn’t spark much discussion, which isn’t surprising since the message was hidden behind an ad, and many didn’t even open it fully. However, just an hour later, at 4:55 PM (Moscow time), the “little animal” appeared. White Dante, the forum’s deputy administrator, better known as WD, created a new topic in the news section titled “Canary” and posted the following message:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This is my canary. If it is not updated within 3 days, consider me dead. Yours, WD

11.05.2022

-----BEGIN PGP SIGNATURE-----
[signature body not reproduced]
=xMzZ
-----END PGP SIGNATURE-----

The message translates to: “This is my canary. If it is not updated within 3 days, consider me dead. Yours, WD. 11.05.2022.” The PGP signature was checked and confirmed that the message had been posted by the admin himself.

Comparing the Solaris mailing and the admin’s post, it’s clear that WD used Solaris to warn all RuTor users about some changes already decided by a small group, which would be significant for many users. The hour gap between the messages suggests this was a pre-planned move.

It’s unclear why WD didn’t just post a direct warning. However, his choice of a “canary” is telling. Some American tech companies have an unwritten rule about publishing a “warrant canary.” The term comes from miners who took canaries into mines to detect dangerous gases—the bird’s death was an early warning. In the US, authorities can require companies to monitor users but prohibit them from disclosing it. One legal workaround is to publish a “canary” stating there’s no surveillance, and remove it if surveillance begins. This suggests RuTor’s admins were forbidden from directly warning users, but WD found an elegant, technically compliant way to do so.

Four hours after posting his modified “canary,” WD joined a thread discussing the Hydra collapse and, in his usual joking manner, suggested “slapping” a user who claimed to have forced WD out of some game. After that, the admin only communicated in the general chat, which doesn’t save message history.

The Poacher in the Mask

On May 14 at 12:42 PM, when WD was already offline, a moderator edited the message in the “canary” thread. The time was set to Liberia’s time zone (-3 Moscow time). The message’s meaning was completely changed:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This is my canary. If it is not updated within 5 days, consider me happy. Yours, WD

11.05.2022

-----BEGIN PGP SIGNATURE-----
[signature body not reproduced]
=xMzZ
-----END PGP SIGNATURE-----

The translation: “This is my canary. If it is not updated within 5 days, consider me happy. Yours, WD. 11.05.2022.” Verification of the PGP signature failed: the signed text no longer matched what the signature covered, which means the message had been tampered with.

It’s impossible to determine which moderator did this or why, but the significance of the change became clearer later.

Supernova Explosion

While WD was posting his message and someone else was editing it, the darknet community was returning to rumors about RuTor’s sale, which had circulated in closed circles since late April. Just a few hours after WD’s message was updated, the founder of the xNova marketplace published a blog post confirming these rumors.

On the forum, he also wrote that the deal had taken place two weeks earlier (around the time the rumors started spreading) and vouched for the information with his reputation. xNova used this news to promote itself, not just with a blog post. The main admin also started a group chat on RuTor, added several vendors, and called the forum’s sale an act of disrespect toward them, while criticizing the technical skills of the OMG marketplace team.

However, if the news about RuTor’s sale is true, xNova’s competitive advantage shrinks and vendors have less reason to switch to it, since its competitors now own the largest drug forum in the CIS, which will affect their market position. It’s unclear whether this ad campaign interfered with the deal or helped xNova, whose admin claimed activity on his site jumped from “a third of RuTor’s online” to “1 to 1” within just 10 hours.

Shadow Castling

Almost three hours after xNova’s founder published the insider info, a forum moderator named Rotar, who had joined the team about a month earlier, announced his resignation without explanation, further fueling speculation about RuTor’s sale.

Other team changes included the appointment of user Potapych, registered about a month earlier, as the new admin for finance and advertising. He received the red, highest-level nickname color—previously held only by John, the main admin, and WD, his deputy. The community was not pleased, as a user with the same nickname had previously been a moderator on the Hydra-linked LegalRC forum.

At 6:45 PM, after xNova’s post, WD’s message was updated a second time:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This is my canary. If it is not updated within 3 days, consider me dead. Yours, WD

-----BEGIN PGP SIGNATURE-----
[signature body not reproduced]
-----END PGP SIGNATURE-----

The text inside the signed block was identical to the original, except that the date line was missing. Since WD was still offline, it seemed likely the message was fake, but PGP verification surprisingly confirmed its authenticity.

How the moderators managed to sign the message correctly, whether WD did it himself, or if someone else used his key, remains unclear. Another curious detail: the HTML block showing the last edit date was removed from the thread, apparently to hide third-party involvement in editing WD’s posts while he was offline. Regardless, the “canary” condition—to update it within three days—was not met, as the properly signed update came slightly late. Not meeting this condition meant WD should be considered “dead.” According to some users, White Dante had said in RuTor’s chat that any change to the “canary” would mean its conditions weren’t met (we couldn’t confirm this).
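The checks that the story turns on can be automated. The following Python canary monitor is an added example, not code from the article or from the forum: it recovers the text a cleartext signature covers (undoing dash-escaping and trailing whitespace), then applies the canary's own conditions at day granularity: unchanged wording, a date line present, and the stated window not exceeded. It assumes the signature itself is verified separately with `gpg --verify` against the signer's known key, and the `EXPECTED` wording and the `ORIGINAL` sample are constructed from the article's English rendering of the post.

```python
# Canary monitor for a PGP clear-signed post (added example, not the article's code).
# The signature itself is assumed to be verified separately with `gpg --verify`
# against the signer's known key; this code only recovers the signed text and
# applies the canary's own conditions (wording, date line, update window).
import re
from datetime import date, timedelta

EXPECTED = "This is my canary. If it is not updated within 3 days, consider me dead. Yours, WD"
WINDOW_RE = re.compile(r"within (\d+) days")
DATE_RE = re.compile(r"^\s*(\d{2})\.(\d{2})\.(\d{4})\s*$", re.M)

def signed_text(armored: str) -> str:
    """Recover the text a cleartext signature covers (RFC 4880, section 7)."""
    lines = armored.splitlines()
    body = lines[lines.index("-----BEGIN PGP SIGNED MESSAGE-----") + 1:
                 lines.index("-----BEGIN PGP SIGNATURE-----")]
    body = body[body.index("") + 1:]  # drop armor headers ('Hash: SHA512') and their blank line
    body = [l[2:] if l.startswith("- ") else l for l in body]  # undo dash-escaping
    return "\n".join(l.rstrip() for l in body).strip("\n")

def parse_canary(armored: str):
    """Return (statement, date or None, window in days or None) from the signed text."""
    text = signed_text(armored)
    statement = text.split("\n", 1)[0]
    d = DATE_RE.search(text)
    stamp = date(int(d[3]), int(d[2]), int(d[1])) if d else None
    w = WINDOW_RE.search(statement)
    return statement, stamp, (int(w[1]) if w else None)

def canary_status(armored: str, seen_on: str) -> str:
    """As of seen_on (ISO date): OK, ALTERED (wording changed), INVALID (no date/window) or EXPIRED."""
    statement, stamp, days = parse_canary(armored)
    if statement != EXPECTED:
        return "ALTERED"
    if stamp is None or days is None:
        return "INVALID"
    return "EXPIRED" if date.fromisoformat(seen_on) > stamp + timedelta(days=days) else "OK"

# Constructed sample in the format of the original post; signature body omitted.
ORIGINAL = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This is my canary. If it is not updated within 3 days, consider me dead. Yours, WD

11.05.2022

-----BEGIN PGP SIGNATURE-----
[omitted]
-----END PGP SIGNATURE-----
"""
```

Run against the three versions from the story, the edited "5 days / happy" text reports ALTERED, the re-signed text without a date line reports INVALID, and the original reports EXPIRED from 15 May onward.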

Nevertheless, on the morning of May 15, he logged in again:

But can we now be sure that it’s really WD behind the account? Or could the third “canary” update and White Dante’s return online mean the RuTor sale was interrupted after the deal’s details became public? It’s logical to assume that deals of this size might not happen instantly and could be paid in installments during a transition period. And was there even a deal at all, or was WD trying to tell us something else in his signed message and the Solaris mailing?

The darknet community still has to find the answers to these questions.

Subscribe to our Telegram channel: @chronos_media
