Agora Comments on Recent Bitcoin-Stealing Private Message JavaScript Attack

On Thursday we published a warning to users of Agora and other darknet markets, reporting that many others were receiving private messages linking to a malicious .onion site, that when accessed with JavaScript enabled attempted to drain the user’s open Agora accounts of their Bitcoins.

Today, Agora admins have posted one of their “blue box” warnings on the front page of their marketplace regarding the incident:

“We have received reports of users receiving private messages containing a link to an exploit which can be used to hack accounts. We are working on a solution, but in the mean time please turn off JavaScript when you browse the market.”

Screenshot of Agora’s warning about the malware attack:Agora-Market-Warning-13-June-2015

Reports of users receiving the messages and being affected by the attack started to appear on June 11th, with several describing being hit with multiple popup windows, attempts at removing Bitcoins from their open Agora accounts, as well as their password/pin/PGP details being altered. Some claimed to have lost access to their accounts for this reason. was able to verify that the messages were indeed sent out to a large number of Agora’s users, and were affecting those who clicked on the .onion link in the message while having JavaScript enabled in their Tor browser (ALWAYS enable NoScript BEFORE using Tor to browse darknet markets). We immediately posted a warning along with a .txt copy of the malicious javascript code for review. Several people reported that small amounts of Bitcoins were successfully stolen from their accounts by the attack, although we were not able to independently confirm any of these losses.

At least one established vendor was affected by the attackers, with users noticing (and confirming) that his entire profile page was replaced with the same malware link from the messages. Today his account seems to have been restored, although we have not yet been able to confirm that his account has been restored to its original owner. The profile includes a message about being on vacation mode from June 8th to June 15th, but it is unclear if this notice had been there before the incident. I would still be extremely cautious if dealing with this vendor, and until it is proven otherwise, I would strongly consider the possibility that his account could still be compromised.

The darknet is a fascinating, revolutionary thing that can be almost unbelievable to some first time users. Unfortunately many rush in to using hidden services before learning how to do so properly. This attack is another reminder to be smart, and focus on staying safe before rushing in. Experienced users are able to navigate the deep web in relative safety and anonymity, which is what makes it so unique and useful. However, newer or less technically inclined people have often run into trouble by not following good OpSec and general darknet security measures, which are fairly simple if you take the time to learn them. Most importantly, they will potentially save you major headaches, time, money, and even your freedom.

For example, there is no reason to ever enable JavaScript while browsing markets. Certainly, never follow an .onion link that you aren’t 100% sure about. Never copy links from Wikipedia, hidden wikis, reddit, forums, or any other location where fraudulent sites are often disguised as legitimate market links, but instead trick unsuspecting victims into installing malicious software or revealing their account details. We suggest getting your links from our darknet marketplace list, or memorizing our easy-to-remember secure short links (also found on the market page).

I have not been able to access Agora’s forums (the only other place official AGO representatives have been known to communicate publicly) today to see if they have posted any more details and/or PGP signed this message. However these blue box warnings have become their primary means of communication, and in the past we have not seen any indication that similarly posted warnings have proven to be valid and official. They occasionally post related updates on the forum, but have rarely provided much more information there.

UPDATE: The Agora forum has return online, but does not contain any further official announcements from the staff. will continue to post updates if there are further developments.

Short link to this page: