WARNING: Do Not Open Unsolicited Messages on Markets, Do Not Enable Java Script, and NEVER Click Links You Don’t Trust.

Numerous users of the Agora Darknet Marketplace have reported receiving an unsolicited message today, containing a .onion link that when opened contains a malicious java script exploit that can at least attempt to drain the Bitcoins from your account.

DarknetMarkets.org has verified the authenticity of the malicious messages, but has not been able to confirm any losses of Bitcoins. Users who keep NoScript enabled and do not follow unknown links are almost certainly safe.

Always use DarketMarkets.org’s Market List or another trusted source for your market links. Never get links from Wikipedia, hidden wikis, reddit, or other link lists or message boards. These links are constantly being switched to harmful sites, usually phishing links.

Needless to say, never follow a link sent to you by a stranger on the darknet.

At least one vendor appears to have lost their account to the same scammer(s). mrfields, who had been vending on Agora for over a year, and had completed between 300-500 deals with a rating of 4.99/5, had his entire profile removed and replaced with a link to the same .onion site pushed in the malicious private messages. As of this publication, the link had been on his profile page for at least four hours. It is currently unclear how he lost his account, but it is assumed that he fell victim to the exploit while having Java Script enabled in his Tor browser.

Below is a screenshot of one of the malicious messages. If you see anything similar, do not open it. Please tell us if you have been affected by this attack.


I have copied the entire text of the exploit and posted it here. Hopefully some Java Script experts will be able to figure out exactly what we are dealing with.

DarknetMarkets.org will provide updates on this situation as they arise.

Short link to this page: https://drk.li/867