
Is it back? 📮 A proposal for service downtime transparency (PGP)

So. With all the chaos lately I've been watching the following scenario unfold a couple of times. A market goes offline. An hour passes. Two. A couple of posts start popping up. No update from the admin. FUD grows on Dread. Rumors. Morons start to act like they were behind an "attack". More posts. Speculation of exit scam or LE seizure. Panic attacks in https://torhoo.cc/go.php?u=TDJRdlEyRm1aVVJ5WldGaw==#. Law enforcement larping. Phishing links. Death threats. All kinds of nasty stuff.
And then suddenly the service comes back online. Followed most of the time by a boring message from the admin about a planned update. PGP-signed if we're lucky enough. Everything goes back to normal. Well. Most of the time, anyway. "Touch grass", they said.


🤨 What's the deal here?
/u/int21h 🍼
1 points
1 week ago
You could use one of the blockchains to post arbitrary data, like with BTC's OP_RETURN. Publish the SHA256 hash of the message in the blockchain and that timestamps the message. Then when you're ready to release the message, add the transaction hash, sign it, publish it.

To verify it:

1. Verify the PGP signature of the message.
2. Look up the transaction to prove it was mined in a block that pre-dates the event.
3. Calculate the SHA256 of the message (minus the transaction hash). For example, open a terminal and run "shasum -a 256", paste just the message, Ctrl-D to finish.
4. Verify the message hashes match.
/u/pgpfreak 📢 P Moderator
1 points
1 week ago
Absolutely. BTC hash is a great choice for timestamps. But. I like when people speak about world news or events instead. Call me eccentric.
/u/Beelzebub
1 points
2 weeks ago
"The obvious question is: why wouldn't they communicate sooner?"

This is the problem. As soon as possible, a PGP signed message about what is happening should be issued in the Market sub.

That's in the Market's best interest. Most of them do that.
/u/pgpfreak 📢 P Moderator
1 points
2 weeks ago
I agree it's in their best interest. But. I read multiple comments about the risks of announcing a server update before proceeding with it. Sounds logical, too. I can imagine several kinds of attacks taking advantage of such an event... Like sniffing information not usually exposed, timetable attacks, or network monitoring. And if the market waits until the last minute to publish a message, one could assert they're improvising, as in a recent example I gave in another comment /post/066b422c5242f6d10fe1/#c-244c173a506d057f03. Maybe I'm overthinking it though.
/u/Beelzebub
1 points
2 weeks ago
In the normal world, best practices involve doing server updates on a backup server. When it's working, you switch it to be the live server.

I don't know if this is the case on the Darknet. The server shouldn't be offline for more than a couple of minutes.
/u/pgpfreak 📢 P Moderator
1 points
1 week ago
This is what I expect too on the clearnet. I don't believe that happens this way often on the darknet. Just look at the number of "Market down" threads we have each day. My suggestion doesn't make a lot of sense for short service downtime periods. It's more about the long ones.
/u/soul_m
1 points
1 week ago
Information available in advance is always published, the rest is at the discretion of the market. The market must monitor security - this is a rule of good manners: post an ad (maintenance, for example), and people will read it. First, the market must protect itself at all costs. Because it is responsible. And if something is not planned, the main thing is to always be safe. And be in touch. Any actions related to downtime are a consequence of either improving or creating a higher level of security.

Requirements. 99% of work in the darknet is perceived with a smile. This is a dark world, dear friends, you need to act without rules. And if the market does something - and is idle, it means it is working, and not standing still.
/u/pgpfreak 📢 P Moderator
1 points
1 week ago
"Information available in advance is always published"

Not always. I'd assert it is quite rare even. I agree with the rest of your comment though. 99% of darknet public relations is throwing a smile in the right direction. The idea of signing a message before going on with downtime is mainly to make sure it looks like a genuine, relaxed smile; not a painful one.
/u/BlackCell P
1 points
2 weeks ago
Can you elaborate on this:

"The day of the update, the admin has control over when they release the passphrase to the public. It may be as soon as the critical phase is done, because the FUD grows too much, or even after the service is back up again. In any case, by doing so, they provide hard proof the downtime was expected and not the result of an attack, seizure, DDoS, meth addiction, tripping cat, whatever."
/u/pgpfreak 📢 P Moderator
1 points
2 weeks ago*
Well, what hurts the market the most during downtime is speculation about what's happening, or has happened. Some users will use this to assert all kind of stuff: that they took the market down, that they have insider information about a seizure, that they know about an exit-scam, whatever. Totally random example /post/06919242459a034e7fb1/#c-05b159b8dfef9d5b36.
So with appropriate preparation, you could have responded something like:

This is an update we've been planning for two weeks. Check this PGP message from 15 days ago here (xxx) with passphrase (yyy).

By doing so, you would have offered your customers hard proof there was nothing to be alarmed about. That, without having to disclose an incoming period of server vulnerability before it actually happens. Which is why most market admins won't make anticipated announcements in the first place.
/u/BlackCell P
1 points
2 weeks ago
Might be easier to make a subdread, get a few vetted mods from Dread and encrypt the signed message with their public keys, post it in the sub, so they can verify it if needed. However, each time a market posts, someone will know an update etc. is coming, and this also gives preparation even if it's fully encrypted.
/u/pgpfreak 📢 P Moderator
1 points
2 weeks ago*
Sure! The main idea is signing a message before engaging with the downtime. I'm sure this can be done several ways. The advantage of using a passphrase is you remove the need for an intermediary. But it implies sending the password to users during the event, which I guess can be a bit harder. Having a trusted party take care of relaying the info makes things easier for the market, obviously.

"However each time a market posts someone will know an update etc is coming and this also gives preparation even if its fully encrypted."

Thought the same thing at first. But I think you can get rid of it by using throwaway accounts (for publishing the message) and keys (for signing it). So there's no way an external observer can know about something cooking up before it actually happens. Makes things a bit more difficult for the market though.
/u/lemonDragon
2 points
2 weeks ago
I like the idea. Maybe instead of using Dread as a trusted timestamp, use something like the last mined hash. Because what if Dread and the service go down at the same time. Great idea.
/u/BlackCell P
1 points
2 weeks ago
Dread is a more reliable timestamp than a hash in this case.
/u/pgpfreak 📢 P Moderator
1 points
2 weeks ago*
Thanks man!
Unfortunately the BTC hash can't cut it in this case... It's perfectly fine for a canary, when the issuer needs to prove the message was written after a given time. But here it's the opposite. The admin has to prove they wrote the message before a given time. They could take a hash from 10 days before and sign it at the last minute. That wouldn't be proof it was 10 days ago. Hope I'm not missing something, but I don't see how it could work.
That's why I believe you need a third-party service to achieve this. But. It's PGP. As long as the passphrase isn't disclosed yet, nobody can read it. And it is short-lived once it is. So I guess you could use any service for that, including clearnet. And to avoid simultaneous Dread downtime, one could publish the same message in several places. Sounds unlikely, but it is definitely something to consider.
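The two timestamping directions the thread compares, as an added Python example that is not part of the original thread: committing a message hash to the chain (int21h's OP_RETURN steps 2-4, with the PGP signature check of step 1 left to gpg) versus quoting a block hash inside the message, which only bounds the writing time from below. The block-explorer lookup is a constructed in-memory table with hypothetical txid, block hash and block time values.

```python
import hashlib
from datetime import datetime, timezone


def commitment(body: str) -> str:
    """SHA-256 of the message body: the 32 bytes to publish in an OP_RETURN output."""
    return hashlib.sha256(body.encode()).hexdigest()


def op_return_script(body: str) -> str:
    """Hex of the OP_RETURN script carrying the commitment (6a = OP_RETURN, 20 = push 32 bytes)."""
    return "6a20" + commitment(body)


def split_txid(message: str):
    """Split a released message into the committed body and the txid line appended on release."""
    body, sep, tail = message.rpartition("\ntxid: ")
    return (body, tail.strip()) if sep else (message, None)


# Constructed stand-in for a block-explorer lookup (hypothetical values, not real chain data).
TXID = "11" * 32
BLOCK_HASH = "22" * 32
BODY = "Planned maintenance on 2025-07-01, expect several hours of downtime."
CHAIN = {TXID: {"block_hash": BLOCK_HASH,
                "block_time": datetime(2025, 6, 16, tzinfo=timezone.utc),
                "op_return": op_return_script(BODY)}}


def verify_before(message: str, event_iso: str) -> bool:
    """Commit direction: the tx must sit in a block mined before the event, and the
    body (minus the txid line) must hash to the committed digest in that tx."""
    body, txid = split_txid(message)
    if txid is None or txid not in CHAIN:
        return False
    tx = CHAIN[txid]
    if tx["block_time"] >= datetime.fromisoformat(event_iso):
        return False
    return tx["op_return"] == op_return_script(body)


def earliest_possible_time(message: str):
    """Canary direction: a block hash quoted inside the message proves only that the
    text was written AFTER that block, so it gives a lower bound and never an upper one."""
    for line in message.splitlines():
        if line.startswith("blockhash: "):
            quoted = line[len("blockhash: "):].strip()
            for tx in CHAIN.values():
                if tx["block_hash"] == quoted:
                    return tx["block_time"].isoformat()
    return None
```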