The steady increase in the popularity of darknet marketplaces in recent years has attracted the attention of two perfectly contrasting sides—criminals and law enforcement authorities.
The anonymous nature of these platforms provides considerable safety to online criminals. At the same time, law enforcement agencies have revamped their efforts to combat these criminal activities facilitated over the dark web.
Now it is not only darknet platforms that have to worry about law enforcement; hackers, who ironically operate on the very same platforms, also have to be cautious about their behavior.
There have been increasing cases of hackers targeting dark web marketplaces for financial gain and other motives.
This is the case for a darknet marketplace called The Sanctuary Market, which recently became the latest victim of a cyber attack.
The Sanctuary Market was hacked by a notorious hacker going by the pseudonym “Cipher0007.” Before the attack, The Sanctuary Market was a growing dark web platform best known for dealing in illegally acquired digital information and malicious tools such as malware.
Although the site also hosts drug and gun sales, digital information makes up the largest fraction of the sales volume.
The hacker carried out the attack through a SQL injection flaw, which allowed him to take over The Sanctuary Market completely. SQL injection is a technique used mostly to attack data-driven applications, which store their data in databases.
The attacker typically inserts malicious SQL statements into entry fields so that the application executes them, for example to dump the contents of the database to the attacker. It appears that this is what The Sanctuary Market hacker did.
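The flaw class described above, shown as an added example (not code from The Sanctuary Market or from the original article): a lookup that pastes an entry-field value into the SQL text, next to the parameterized form that closes the hole. The `accounts` table, its rows and all function names are constructed for illustration.

```python
import sqlite3

# Constructed sample data; table and column names are hypothetical.
ROWS = [("alice", "alice@example.test"),
        ("bob", "bob@example.test"),
        ("carol", "carol@example.test")]

def make_db():
    """Return a fresh in-memory database holding the sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, email TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)", ROWS)
    return db

def lookup_vulnerable(db, username):
    # Flawed: the entry-field value becomes part of the SQL text, so any
    # quote character in it is parsed as SQL syntax instead of data.
    query = "SELECT username, email FROM accounts WHERE username = '%s'" % username
    return db.execute(query).fetchall()

def lookup_hardened(db, username):
    # Fixed: the value is bound as a parameter and is never parsed as SQL.
    query = "SELECT username, email FROM accounts WHERE username = ?"
    return db.execute(query, (username,)).fetchall()

def compare(value):
    """Run both lookups on fresh databases; a SQL error is returned as text."""
    results = []
    for lookup in (lookup_vulnerable, lookup_hardened):
        try:
            results.append(lookup(make_db(), value))
        except sqlite3.Error as exc:
            results.append("SQL error: %s" % exc)
    return tuple(results)

if __name__ == "__main__":
    # Constructed inputs: a normal name, a name containing an apostrophe,
    # and a value whose quotes change the meaning of the WHERE clause.
    for value in ("bob", "o'brien", "x' OR '1'='1"):
        vulnerable, hardened = compare(value)
        print(repr(value), "| vulnerable:", vulnerable, "| hardened:", hardened)
```

A SQL syntax error triggered by an ordinary apostrophe, as in the second input, is a common sign in application logs that a query is being assembled by string concatenation.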
Cipher0007 exploited the SQL injection flaw to introduce a shell on The Sanctuary Market’s server. Having created this backdoor, the hacker was able to gain access to certain sections of the backend.
Cipher0007 then proceeded to dump the private key used for The Sanctuary Market’s .onion URL.
The hacker also claimed that he was able to dump the data configuration details and other unspecified login information by using the platform’s phpMyAdmin installation.
This action left The Sanctuary Market’s login page open to external connections long after Cipher0007 executed the hack.
The hacker was quick to provide proof of his dark web exploit, posting online a screen grab taken while he entered the shell on the market’s server. Cipher0007 also posted The Sanctuary Market’s 1024-bit RSA private key and its root account login information.
As of writing, news outlets and users on the dark web have generally come to assume that The Sanctuary Market is dead until further notice.
This is a fairly common occurrence in the case of dark web platforms that have experienced major hacks. The criminals who use these platforms are wary of the attention generated by such news, and fewer users trust the sites after cyber attacks.
Most dark web markets operate through escrow services, meaning that they have control over considerable amounts of users’ funds. In the past few years, several marketplaces have had these funds stolen following hacks.
Cipher0007 has built up a reputation for hacking dark web platforms in the past. Earlier this year, he earned a Bitcoin reward after he reported two high-risk bugs to AlphaBay staff and to the public.
AlphaBay is currently the top trading dark web marketplace in terms of size and traffic. The bugs discovered by the hacker could have been used by an attacker to gain access to more than 218,000 private messages on the platform. Cipher0007 chose not to sell the bugs, for which he was duly compensated by AlphaBay.
At the moment, the motive behind The Sanctuary Market hack has not been conclusively established—that is, aside from the conjecture that Cipher0007 seems to have performed the hack to point out the market’s security flaws.