TradeRoute Market Issues Security Fix After $100k Theft

On August 8, a user created a thread on the TradeRoute marketplace forums. The user requested that the TradeRoute administration examine a “strange” listing. The listing was for a “small house for children.” It was strange for several reasons. The first was the number of vendor accounts that someone had created in order to do something “sketchy.” One user noticed that many of these vendor accounts shared PGP keys. All of the accounts had multi-thousand dollar transactions and reviews.

And second, several days before the listings popped up (or someone noticed them), another user posted on Reddit about accidentally receiving two withdrawals instead of one. The poster had only been debited for the first one. Other users commented on the post, and some mentioned being able to exploit that vulnerability at will. The post creator or administrators removed that post, according to another recent post questioning the ordeal. (I too came up empty-handed after a brief search.)

TradeRoute forum user KnockTurnal had recently seen the “strange” listing and also found it “odd.” The user said that the situation would not be so odd if the listing and account existed in a singular quantity. “BUT there’s a lot of them,” KnockTurnal wrote. “Each one has a purchase with feedback of like $7,500 each one.” The user continued, “I also want to see how or why this happened as […] the amount of money needed for a troll to do this doesn’t seem real.”

On the TradeRoute forums, an admin commented with answers to the community’s questions.

“Administrator” wrote:

Hello,

Yes, that was a vulnerability, a user found an intricate way to steal funds from us and he used multiple vendor accounts and those listings to steal. He went away with around 100k$, we’ll take this as a loss. We already released the patch and moved on.

The damage that can be done by robberies in TR is very limited as our hot wallet is very small, rest assured that 95% of the funds are always safely stored in cold wallets. Also multisignature or security escrow transactions are totally safe, this only could affect the normal escrow balance.

It’s sad to see this happening but there’s a lot of hackers and thieves focused on darknet markets. We are doing our best to keep the market updated and bug-free.

Best regards!

TradeRoute had apparently announced a bug bounty akin to the bug bounty of the former Hansa market or current Dream market. The unofficial TradeRoute account later deleted the post. No current mention of the bug bounty is available. In fact, Reddit users indicated that pentesters treated the market’s hot wallet as the rewards for the bug bounty. The new TradeRoute Reddit account chimed in and announced that the bug bounty post was unaffiliated with the actual marketplace. Soon after, the unofficial marketplace account deleted the post.

The majority of vocal users seemed content with the TradeRoute response regarding the theft/hack. Some thanked the admin for honesty in a situation where other marketplace admins would not have been so honest. Others were content that they received a response from someone at TradeRoute altogether. Hacks either push admins to harden their market or push admins to disappear in the night. TradeRoute is yet to disappear.

The post TradeRoute Market Issues Security Fix After $100k Theft appeared first on Deep Dot Web.