Agora: A True Survivor in a Brave New World

Posted by: c3lt1c

September 24, 2015

Agora hasn’t ‘fallen’ per se but has been intentionally taken down by the admins as a proactive attempt to protect themselves and their users after discovering some suspicious activity around their servers which correlates to the recent TOR vulnerabilities – Of course they would not go in to specifics, as this has always been the ever-cautious demeanor of the Agora admins. Many have spent hour after frustrating hour griping about the Agora crew not being communicative enough with the community, but this secrecy is probably what has kept them in the shadows for so long. To see what I mean you can observe the extent of their detail in the communication released days before bringing servers down. Take a look at the blurbs released and reposted on Agora Market To Pause Operations.  Finish Your Orders And Withdraw Money. The communique was of course verified with their unique PGP key. You can find these words on numerous security and DarkNet sites, but you want find much more detail directly from the Agora crew. This is just one more example of the honest, yet secretive and security-driven identity of the site’s admins. Dark Net Markets have had a rocky history and usually end one of only a few ways: Law Enforcement doxing key players; dishonest administrators pulling ‘exit scams’; or else site admins finally giving up and taking servers down following weeks of DoS attacks (or sometimes combinations of the 3). Successful hacking and/or infiltration (of any kind) is usually made possible, at least in part, with social engineering. Take Silk Road and Ross Ulbricht for example: social engineering wedged a foot in the door followed by LE collecting incriminating conversations. Online conversations will only hold up so well in a court of law – a good case would need to be backed up with hard evidence; this has proven difficult given the very nature of Onion Routing and anonymity. So it’s not surprising the governments and 3 letter agencies spend day after day seeking vulnerabilities, holes and opportunities of any kind to cease DNM (DarkNet Market) operations.

Although the ‘War on Drugs’ is shifting from the street to the fiber optic and copper cable it’s still important to remember that LE cost is adding up, yet not necessarily yielding high success rates. There are likely those 3-letter agents who spend their days pondering and think they’re going to crack TOR wide open; but the real results trickle in from the small advancements. Previously TOR reconnaissance attacks have been often focused on sniffing session packets on entry and exit nodes to correlate time stamps as ‘proof’ an individual is using TOR. Although it’s been proven this is possible as a primary source of proof it’s stretching to reasonable doubt. Is it worth spending tens of thousands of dollars to catch a casual drug user buying amounts that don’t even qualify for intent to distribute; just a measly possession? That’s the beauty/challenge of DNM drug transactions (depending who you are). In traditional busts, LE might raid a small-time distributor and will often immediately offer the arrested perp a deal in exchange for their supplier. It’s probably safe to say that this was one of the most successful methods of arresting all the way to the top of a drug hierarchy. You can see why this doesn’t work with DNMs – you only know your supplier by their online moniker. Just as you’ve been anonymized from others below you, so is your superior. The only knowledge available: the seller knows the buyers name and address (or at least the PO Box or drop they use). It would be rare for the buyer to know the sellers address for any reason at all, so this idea of arresting up the chain is defunct. This is why the newest attack is aimed at de-anonymizing the hidden service itself.

It seems that the best option for LE then is to shoot right to the top. It’s been suggested that plenty of LE agents have created accounts (any likely every market) for buying and selling; and if they play their cards right, they might even end up I the inner circle of the organization’s upper tier (such as the example with Ross Ulbricht). Please refer to the eye opening story of Ross’ demise entitled “The Untold Story of Silk Road”, available on Wired: The Untold Story of Silk Road. This story most definitely uncovered a still largely unknown online drug market culture to the masses; but also served as a very sobering lesson to those heavily involved in the DNMs (buyer, seller and admin alike). I’m willing to bet money that the Agora admins have taken many lessons from the story of Silk Road.

First, they rarely (if ever) engage in open conversation on the subreddit page Agora Subreddit. Or Following the Evolution exit scam a mass exodus of vendors and buyers alike crowded their way on to Agora crippling their servers on and off for months. By following posts on the above subreddit and analyzing historical uptime data on dnstats.net, even non DNM users (such as journalists, writers, observers, etc.) could work out just how impacting this time was to the community. Through this whole ordeal, not once did the Agora admins directly post anything on reddit. This was actually a great source of frustration for many who were often wondering when bitcoin deposits and withdrawals would be fixed. For a long time it was not unusual for community members to have small to large amounts of money stuck on Agora or else in blockchain limbo.

Up until a few months ago (from September 2015) Agora was in a constant state of instability for one reason or another. Following Evolution’s end the influx of emigres to Agora overloaded the servers on numerous occasions, eventually requiring that new registrations be suspended. This eventually stabilized only to be interrupted by several occasions of the site being brought down for hours to days to deal with either proactive or reactive security fixing and patching. Users always had to speculate which it was as the admins would never share detailed information – this was actually very smart to keep any attackers guessing what had been dealt with and what had not. In many instances a short concise communication from the Agora Admins would trickle onto forums and eventually to the Agora subreddit. Ironically the Agora forum saw more downtime than the market itself, so it really didn’t play the same role as Evolution’s forum – the unofficial ‘official’ squawking ground was and still is Agora Subreddit. Then came the long drawn out DoS/DDoS (Denial of Service/Distributed Denial of Service attacks) exploiting a TCP wrapper connection flaw in TOR itself. One of the more disrupted came from a large team that called themselves ‘DDoS Mafia’. At one point a supposed member posted on reddit that the attacks would continue until the money ran out and they could no longer pay for Socks Proxy server use (sorry for the life of me I cannot find this link).

Suspicions arose on forums and subreddits suggesting that the attacks were being paid for by one (or more) new emerging markets trying to take down the ‘big guys’. At one point it was suggested that new kid on the block Blackbank was responsible, until Blackbank eventually fell like the rest. Black bank would never really recover from these attacks and took the hit as an opportunity to exit scam. A lot of talk was going around that Nucleus might be responsible. Nucleus did see down time, but it was nothing like the other markets, so community members were going as far as suggesting that they were intentionally bringing Nucleus down as well to create the illusion that they were victims as well. A true shocker that came from all this was the involvement of one small shady market which had been around for much longer than many of its competitors: Mr. Nice Guy. In May 2015 Mr. Nice Guy admitted to being responsible for at least some of the damage. According to the revealing article on Deep Dot Web Meet The Market Admin Who Was Responsible For the DDoS Attacks , he was victim of a shakedown by the DDoS Mafia (like many other markets). Instead of just paying to be left alone, he saw this as an opportunity to pay the attackers to keep his market up and others down.

Agora was not immune to these attacks, although they claim that much of their downtime was intentional to configure mitigation techniques against the attacks. TOR Ticket #15463 indicates that “Tor deals poorly with a very large number of incoming connection requests”. We get more details from TOR ticket #8902 which indicates “Rumors that hidden services have trouble scaling to 100 concurrent connections”. For a market as large as Agora (I believe it had close to, if not more than, 10,000 drug listings alone), 100 concurrent connections is not a lot. The quick fix would be to limit the number of concurrent connections and ensure that server resources could no longer be brought to their knees. Rather than letting everyone storm the site like a Black Friday crown through 6 sets of doors, close all but 1 or 2 sets of doors and bring people in through a line up a few at a time in a controlled fashion. I lost track of the issues and any permanent fix included in the most recent release, but the point is that legitimate users were accidentally (and unknowingly) DDoSing the site. When the login page, captcha letters weren’t loading or if the page was failing to load at all, you would have hundreds of people hitting the F5 key to refresh their connection every few seconds. People were actually posting about doing this on the subreddit page that numerous announcements had to be made telling people NOT to do this. This would likely be the crowd with little to no understanding of networks, servers, etc. In fact it’s astonishing that some of these people figure out how to use TOR at all.

Eventually the DDoS Mafia laid down their arms as they were being sent off to Fat Camp, summer school or for gender re-assignment; the Agora admins had the servers and software suites in a secure stable fashion and the flow of ex-Evo emigrant users settled down and was brought under control. Perhaps the EU could send an appeal to the Agora Admins for suggestions on what to do with the Syrian refugees. Too soon? Anyway, things were looking good, VERY good for Agora. It’s hard to say how long this lasted…it felt like six months but was probably only half that. Then in August 2015 a bombshell was dropped:

This had been posted on Deep Dot Web August 26 2015 but the first place that I read it was on the Agora subreddit page apparently hours after its release.

Not surprisingly there was an overwhelming sense of shock and awe, although the overall consensus on reddit was understanding and appreciation for the Agora crew’s honestly and willingness to protect all parties involved with the site. Many admins would have seen this as THE opportunity to exit scam and these circumstances would do doubt make it easy to justify their actions to themselves when their conscience spoke up. A quick browser through Agora’s subreddit will probably reveal people still struggling to receive withdrawals despite Agora now being semi-permanently down for 327 hours; but the admins gave fair warning using the usual green banner on the site. The banner warned to finalize any outstanding transactions and get your money the hell out of there. And to protect people from themselves they almost immediately disabled new orders; but of course that didn’t matter as desperation kicked in and some people began depositing new bitcoins to their account – There’s always a few. As demonstrated above Agora were not afraid to bring the market down for hours or days in the interest of security, but this is the first time I have encountered them closing up shop (even if temporarily). One has to wonder if the threat is so imminent and precise; or perhaps the admins are executing a long overdue plan to overhaul the site and servers and bring things back on a new solution – maybe it’s a bit of both. Maybe we can quickly examine the threat and work out for ourselves what might be going on.

I mentioned above that a great deal of resources would be needed to assist in doxing a DNM user or operator, so the first thing to note is that the Agora admins indicated the vulnerability concerning them would potentially require much less resources. The PGP message from Agora referenced on Deep Dot Web and other sites are suggesting that it’s probably the discussion going on involving folks at MIT and The Qatar Computing Research Institute. The vulnerability (or so they say) has to do with being able to control a TOR entry node and working with a predetermined site or list of sites. Without getting too technical we can see the overall theory described in the article New attack on Tor can deanonymize hidden services with surprising accuracy. This attack goes beyond correlating matching session data on exit and entry nodes and this can apparently be used to ‘strip away onion layers’ and collect a fingerprint, which is then used to identify a specific site. Even if you’re not catching someone connecting to the service red-handed, obtaining information to reveal severs’ real IPs will almost always ultimately lead down a trail pack to a real person. Since government agencies are almost certainly setting up their own TOR entry and exit nodes, there is some cause for alarm. MIT’s Roger Dingledine in an email indicates that much of the success relies on luck, the same as other recent ‘groundbreaking’ vulnerabilities.

We don’t know for certain if this is what has the Agora admins spooked but it’s fair to say that it’s a top contender and for the admins to take the site down for an indeterminate amount of time they must have some serious concerns. Perhaps this kind of mentality is solely responsible or at least largely contributes to why Agora has been around so long. They are not cocky, nor do they shoot their mouths off about their libertarian ideals on drugs and freedom. We know so little about the Agora Admins that it’s not silly to assume they are Stoic robots serving operational instructions. So the community has lost perhaps the best free marketplace that has ever existed (if even for a few months); but if I was a member with a lot of lose I would be quite glad. The fact that the admins seem to constantly sacrifice money and site uptime for security and proactive mitigation only, combined with their honest demeanor up until this point, seems to easily answer ;why has Agora survived for so long’? Regardless of whether you’re a citizen dead against free online drug markets; a law enforcement agent chasing down the next Ross Ulbricht; or a pro-market buyer or vendor; credit is due where credit is due. The Agora Admins might be one example of honest legitimate businessmen in an otherwise shady crooked underworld overrun by thieves and scammers. Kudos to you Agora! You possess more honesty and integrity than many ‘legitimate’ people out there.

Updated: 2015-09-24