
DrugHub: How not to operate a Dark Net Marketplace

8 min read · Jan 18, 2025

If this is your first time reading my content, or if you’re a returning reader: my name is Pavel Kravchenko and I run Evil Rabbit Security, a group of 4 highly talented Dark Web & OSINT enthusiasts who have produced some rather lovely work over the past 5+ years under 1 or more aliases. One thing we all enjoy is “Big Scores”, and this is just one of 3 Dark Net Markets for which I have managed to identify infrastructure related to its services. However, I have of course identified anything from Child Abuse Websites to Scam Services all over the Tor Network, and I have written a guide called Peeling Onions which you can find by clicking on the link I’ve embedded.

DrugHub is one of a few marketplaces that operate on the Dark Web today; it originates from the staff of White House Market and would later merge with Supermarket. I checked DrugHub out a few months ago, when I began Project Dark Archives (of which only “Tor Scrape” would be released via GitHub; it’s nothing special right now and I’ve been too lazy to update it). During the earlier iterations, which were scrapped due to issues with Tor Scrape, I noticed some odd things I had never seen before. Usually I enjoy finding directories by looking at a page’s source, and there were images on DrugHub, but none of them appeared within the code as a directory. I later found out that Base64 can be used to store image, video and audio formats and display them in a web browser at the cost of 33% more size (this can be more secure and reduces the need for storage of content). Upon finding this I was like: “Ok, well that’s an odd choice”, and began to mess around with different types of common OPSEC mistakes one might make.

The first problem

A while ago I started looking more into EXIF data and its use in Open Source Intelligence gathering. I will say that I did not expect this to be the first telltale sign of failure with DrugHub, but of course, to my surprise, it very well was.


You might be wondering what exactly it is you’re looking at, so lemme break it down. You are looking at the EXIF data of a brand logo from DrugHub, which is the one below.

The “DrugHub” logo next to the login is the logo used here, but what’s so special about it? Well, we can tell the users of the software used Adobe Illustrator 24.0, which is outdated as of 2019; we’re currently on 29.x at the time of writing. Now we know that whoever created the image probably uses Mac OS, due to the image creation needed to produce the logo you’re seeing there, as Adobe Photoshop is one of the main reasons people buy MacBooks and other Apple products, but I digress. This failure is consistent throughout all brand logos but IS NOT, to the best of my knowledge, seen within the vendors’ product images. However, Adobe isn’t the only thing used. In fact the favicon.ico is the only thing that DOES NOT use Adobe, but rather something a little more “rare”.


Ho ho ho, IT’S MAGIK YOU KNOW? NEVER BELIEVE IT’S NOT SO! (Ok, enough of my singing.) But you get the point: none of this should be known. It couldn’t get any worse, could it?
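As an added illustration (not part of the original post, and not DrugHub’s or anyone else’s code), here is a minimal parser for the EXIF IFD0 fields that carry tooling details, the Software field among them, which is the kind of thing the screenshots above expose; build_sample_exif constructs a fixture for testing, and the software string it embeds is made up.

```python
import struct

# EXIF IFD0 tags that commonly leak tooling or workstation details (all ASCII, type 2).
LEAKY_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x013B: "Artist"}

def read_exif_ascii_tags(exif: bytes) -> dict:
    """Decode the LEAKY_TAGS entries from a raw EXIF payload.

    `exif` is the JPEG APP1 payload: an optional 'Exif\\0\\0' header followed by a
    TIFF structure. Only ASCII entries of IFD0 are decoded; everything else is skipped.
    """
    if exif.startswith(b"Exif\x00\x00"):
        exif = exif[6:]
    order = {b"II": "<", b"MM": ">"}.get(exif[:2])
    if order is None or len(exif) < 8 or struct.unpack(order + "H", exif[2:4])[0] != 42:
        return {}
    ifd0 = struct.unpack(order + "I", exif[4:8])[0]
    if ifd0 + 2 > len(exif):
        return {}
    count = struct.unpack(order + "H", exif[ifd0:ifd0 + 2])[0]
    found = {}
    for i in range(count):
        off = ifd0 + 2 + 12 * i
        if off + 12 > len(exif):
            break
        tag, typ, n = struct.unpack(order + "HHI", exif[off:off + 8])
        if tag not in LEAKY_TAGS or typ != 2:
            continue
        if n <= 4:  # values of 4 bytes or fewer live inline in the entry itself
            raw = exif[off + 8:off + 8 + n]
        else:       # longer values sit at an offset measured from the TIFF header
            ptr = struct.unpack(order + "I", exif[off + 8:off + 12])[0]
            raw = exif[ptr:ptr + n]
        found[LEAKY_TAGS[tag]] = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
    return found

def build_sample_exif(software: str) -> bytes:
    """Constructed little-endian EXIF blob holding only a Software tag (test fixture)."""
    value = software.encode("ascii") + b"\x00"
    header = b"II*\x00" + struct.pack("<I", 8)          # TIFF header, IFD0 at offset 8
    if len(value) <= 4:
        entry = struct.pack("<HHI", 0x0131, 2, len(value)) + value.ljust(4, b"\x00")
        tail = b""
    else:
        # header (8) + count (2) + one entry (12) + next-IFD pointer (4) = 26
        entry = struct.pack("<HHII", 0x0131, 2, len(value), 26)
        tail = value
    return b"Exif\x00\x00" + header + struct.pack("<H", 1) + entry + struct.pack("<I", 0) + tail
```

Run read_exif_ascii_tags over the APP1 segment of your own brand assets before publishing them; anything it returns is a fact about your workstation that a stranger can read.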

“Go Cry on dread about it” — DrugHub’s Administration

Well, unfortunately for DrugHub, I didn’t do that. Yes, I did DM HugBunter and haven’t gone back to check if he responded, as I didn’t care, but that’s the response I was given by the admins of DrugHub: to go cry about it…


So in the months to follow I did a variety of things, until that one fateful day when I decided to go looking on Fofa Search and found what I was told was a phishing page. I was like: Oh? Well, one second… and 5 minutes later I returned with what would become the dumbest F***ing thing imaginable (but we’re not at the point of the story as to why it’s really stupid yet).

The leak


It might look like a phishing page because “DrugHub.link” isn’t mentioned on DrugHub, Daunt or anywhere else, and I thought so too, but then I started poking around and it began to slowly sink in what the hell I had found.


I know you see phpMyAdmin, Admin, API and so on, but keep your pants on: most links do not work (probably due to whitelisting, or them being associated with drughub.su while some are drughub.link). However, I highlighted “Onion Enabled” for a reason… Now, if you’re phishing, you’d probably want to, I don’t know, remove the legitimate service from your code or whatever? In this case both DrugHub.link and DrugHub.su lead to the same Tor Hidden Service, and yes, that IPv4 address also does. DrugHub.su is registered via a Russian company and uses Google Trust certificates, whereas drughub.link uses Cloudflare, which will prove worth noting.

189.2.171.6

Hosts both drughub.link and drughub.su, but why Cloudflare for one and Google Trust for the other? Not 100% sure. Keep in mind .link uses Cloudflare as an SSL provider; HOWEVER, .su is being proxied through Cloudflare while .link is NOT. .link is wide open, and if you run

ping drughub.link

you will get the IP address from above. This proves that there may be some relation, but I know I’ll have some people doubting this. Well, thankfully we have

https://daunt.link (Tor Only)

You can use Daunt, which is made by the creators of Dread, and you’ll see that DrugHub lists its perm mirror and drughub.su. So now we have .su established as DrugHub’s clearnet mirror for anti-DDoS measures, ok, but what about the .link?

Well, simple: the IP below is drughub.link’s. Keep in mind it’s the same IP from ping and Censys.


As you can see, DrugHub.link and DrugHub.su use the same IP address, although it might seem suspicious that drughub.su would be seen using Cloudflare as of today while DrugHub.link would be seen using an IP that was never updated between November 25th 2024 and today.
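An added example, not from the original post: a small Python audit of a Censys-style dns.names dump, of the kind shown further down this page, that groups certificate names by registrable domain, separates names under hosting-provider domains from the operator’s own, and recovers IPv4 addresses written with dashes inside hostnames (which is how the page’s origin IP ends up visible in plesk.page and cprapid.com names). The sample lines are a handful of constructed entries in the shape of that dump, and the domain split takes the last two labels, an assumption that holds for the TLDs here.

```python
import re
from collections import defaultdict

# IPv4 written with dashes inside a hostname (e.g. "186-2-171-6.plesk.page"), as seen in
# the auto-generated hosting-panel names mixed into the page's certificate dump.
_DASHED_IP = re.compile(r"(?<![\d-])(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})(?![\d-])")

def parse_dns_names(dump: str) -> list:
    """Hostnames from Censys-style 'dns.names <host>' lines; anything else is ignored."""
    names = []
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "dns.names":
            names.append(parts[1].lower())
    return names

def registrable_domain(host: str) -> str:
    """Last two labels. Assumption: good enough for the TLDs here (no public-suffix list)."""
    return ".".join(host.split(".")[-2:])

def embedded_ips(names: list) -> set:
    """IPv4 addresses leaked through dashed-IP hostnames, returned in dotted form."""
    found = set()
    for host in names:
        for m in _DASHED_IP.finditer(host):
            octets = [int(o) for o in m.groups()]
            if all(o <= 255 for o in octets):
                found.add(".".join(map(str, octets)))
    return found

def audit_san_dump(dump: str, own_domains: set) -> dict:
    """Group names by registrable domain; report names outside own_domains and leaked IPs."""
    names = parse_dns_names(dump)
    by_domain = defaultdict(set)
    for host in names:
        by_domain[registrable_domain(host)].add(host)
    foreign = {d: sorted(h) for d, h in by_domain.items() if d not in own_domains}
    counts = {d: len(h) for d, h in by_domain.items()}
    return {"domains": counts, "foreign_names": foreign, "leaked_ips": sorted(embedded_ips(names))}

# Constructed sample in the shape of the dump on this page (a few lines, not the full list).
SAMPLE = """\
dns.names www.drughub.link
dns.names jabber.drughub.su
dns.names 186-2-171-6.cprapid.com
dns.names fervent-raman.186-2-171-6.plesk.page
dns.names drughub.link
"""
```

The same audit run against your own domains’ certificate history tells you whether a control-panel default name has ever tied a public certificate to the server’s real address.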

You’re probably wondering why this is a “Huge Deal”, and I’ll explain to you that the EXIF data and clearnet proxy IP leak are not the only problems DrugHub has… and it gets worse, way worse.

Chat: They’re cooked


As you may notice, this comes from DrugHub, specifically /info/jabber. You might notice there’s a “port 5222” listed in there. This seems rather dumb. Now you’re probably wondering: what exactly is wrong?

Well, here’s a fun joke: read the mid-section and you tell me, what’s wrong?
If you’re struggling, well: you can use the DrugHub main URL, a private mirror OR A CLEARNET MIRROR, and now this becomes rather critical. You see, if someone gained control over their server in Moscow, they’d potentially be able to see everything being sent. Now, I wouldn’t be surprised if the Jabber server (which we know there’s at least one of) is communicating with others. You see, we know that the Tor Hidden Service is also using port 5222, and this just makes it even dumber, because if I can use a private mirror, the main Hidden Service OR THE CLEARNET mirror, one must ask: could I “make an account using the hidden service, change service to the clearnet and figure out if they’re using a shared database”? The answer is: I honestly do not know. HOWEVER, what I do know is one could theoretically grab the OMEMO encryption key from the server’s memory and begin accessing users’ information.

The Russian Problem:

As you may know, the US will struggle to get a hold of the data by begging the FSB or Russian Government to take action. That is true, BUT in our case these administrators failed to do any fucking research before buying a server. The company that owns the infrastructure is based in Dubai, which itself is in the United Arab Emirates, which is just great: as of February 24th 2022 the U.S. and the U.A.E. signed a bilateral treaty for criminal extradition, which means that server is now within reach of the United Arab Emirates, who can, on behalf of the U.S. Department of Justice, force the business owner to hand over the data to the US Embassy in Moscow. Since the company owner is doing business remotely, the laws of Russia really don’t apply here, do they? The business owner is free to do as they like, but I don’t believe the Arabian Government likes people involved in drug-related offenses. So, it would be wise to turn over the data.

This said… at this point in time I would not be surprised if DrugHub has had its servers imaged by Law Enforcement, and investigations at this point are probably underway.

However as a treat:


Below is:

Drughub.link:5222
186.2.171.6:5222
186.2.171.6
drughub666py6fgnml5kmxa7fva5noppkf6wkai4fwwvzwt4rz645aqd.onion:5222

Written by Evil Rabbit

Happy Hacker and Dark Web Enthusiast.

Responses (8)


Very good article, but I don't understand why the fact that an image comes from Adobe and is created at https://imagemagick.org/ is relevant?

4

I can't believe how stupid this dude is lmao everyone is going to get arrested.

5

hey, that article is good, thank you for that

2