Phishing Site Mimics The AlphaBay Market Login Page

downloadAlphaBay Market begun its operation towards the end of 2014 and came it to fill in the gap that was left after Silk Road and Silk Road 2.0 went down. The site has gained popularity in the recent past as one of the largest darknet markets after it was used to sell compromised Uber accounts together with data that was stolen from the 2015 TalkTalk breach. The site was attacked by criminals who used phishing attacks to gain access of other criminals’ credentials.

The Attack


AlphaBay Market was launched by members of Russian carding forums and has been facilitating illegal goods that are commonly sold in anonymous marketplaces. Goods sold on the site include weapons and drugs and has become a very reliable source of these goods for those in need of them. The site utilizes an .onion address that allows it to run on the Tor network as a hidden service. Paul Mutton, security experts at Netcraft, discovered the attack.

In this attack, a phishing site was created in a way that it mimics the address of one of the darknet markets, AlphaBay Market. The address that was used by the phishing site was created to look very familiar to what regular customers on AlphaBay Market are used to ensure that they will not suspect anything. The address then points to a phishing site by AttractSoft GmbH host from Germany. The phishing site mimics AlphaBay Market login page hence unsuspecting users are prompted to enter their usernames and passwords. The user is further forced by a client-side check to complete a security code CAPTCHA field that does not have to be correct because any code entered is accepted, whether right or wrong.

For one to be able to replicate the original website, replication of .onion address associated with hidden services has to be reproduced. To make the connection authentic, one must use this address. This address can be derived from public key making it difficult to impersonate a site without raising curiosity without the owner’s key pair access. These fraudsters have created similar addresses by computing a partial match by utilizing tools such as scallion. A partial match that can be created this way is pwoah7f5ivq74fmp.onion. In this case, however, the fraudsters just created a domain using as their address. The HTML source utilized by the phishing site looks like it had been stolen from a lookalike site and used the domain name. This domain name has been repossessed by GoDaddy who is its registrar. This domain name is very typical of those whose funding have been attributed to fraudulent deals or those that have been subjected to chargebacks.


This particular attack utilized domain that was most probably preferred since it is free to register addresses using it and that is also has a string that is similar to the .onion TLD address based on their length. The two cannot be distinguished easily by a person not keen to check. The fraudsters must have used the understanding that most site users do not stop to check the address hence will log in without verifying if they are on the right face or not.

Possible transactions that can be carried out on AlphaBay Market include buying and selling of spam sending services, the receiving and sending of fraudulent bank transfer service details of user accounts together with other services that are important to those engages in the phishing business.

Mutton indicates the AlphaBay Market phishing attack is a perfect example of criminals stealing from other criminals, he further urges that the veteran users of AlphaBay Market are not likely to fall into this trap as they are normally very keen and will never fall for replicas. According to him, it is only new users on the site that may fall victim to this fraud. It is a clear indication that thieves do not honor each other and will go ahead and steal from themselves. The attack raises the question about how safe our online activities are with all the fraudsters out there.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.