Why does the bible recommend not signing messages? : DNMBible | Torhoo darknet markets

The bible explicitly says to 'uncheck the sign checkbox', in other words it recommends against signing messages. Why is this?
Couldn't this be abused by markets, or worse, by LE, in various ways?

For example: let's say a market gets taken over by LE and run by them for a little while, like Hansa was. What's to stop them from sending a bunch of unsigned encrypted messages to vendors, pretending to be the buyers they have orders from and asking for a new tracking link, maybe because the buyer "accidentally deleted the first message containing the tracking link"? Then claiming they lost their key passphrase and asking the vendor to send it encrypted to their new key.
I could imagine that plenty of vendors would be willing to resend that information when asked, with the idea of providing good customer service, because they would have no reason to suspect it's coming from anyone other than the customer. After all, customers as a general rule never sign their messages.
And for all new buyer accounts while they're running things, they could just play man-in-the-middle from the first communication onwards by forwarding their own public keys to the vendor instead of the customer's.
If LE did this in such a scenario, it would probably give them a trove of extra customer names and addresses to go with their later seizure of the market.


Or another example: let's say a market wants to make even more money during an exit scam. They set up an anonymous drop to have drugs delivered. Then, for every large order that comes in (one per vendor), they intercept the unsigned user message with the user's address data and send an unsigned message with their own drop address to the vendor instead.
Aside from just making a bunch of money from the user funds during their exit scam, they could easily net a few extra $100k in stolen product from the vendors.
/u/Shakybeats M
4 points
2 years ago
A few reasons it is not recommended to sign your message. The first and simplest reason: it's annoying to vendors. A lot of high-volume vendors want to just get the details they need and go. They are not going to verify your message, and most people don't even have a PGP key on their market profile for them to import. A vendor is not going to take the time to import 100 keys every day just to verify signatures. A good vendor, when you ask them for tracking, should request basic information so they don't send you the wrong tracking information by mistake. They should require you to send them, in an encrypted message, the name or address used for the order and the order number before they will send you the tracking information.

The other reason it's not recommended is for your own opsec. Anyone can send an encrypted message; LE has no way to prove it was you who placed an order. If LE has your keys and you signed the message, it shows you were in control of the keys that an order was placed with. Here is a good discussion where /u/heavyweaponsguy and /u/redbox expand more on the topic: /post/1fcba18c71b1f0912bbe
/u/EightTails 📢
9 points
2 years ago*
I would disagree with almost every one of those points.

- What do you mean it would be annoying to vendors because they just want the details?
If you sign and encrypt it, the signature verification happens automatically at decryption. There are no extra steps involved, so why would they be annoyed?

- Most people don't even have a pgp key on their market profile.
If that's true, isn't that something that should be added to the bible, that for opsec reasons they SHOULD add their keys to the market, and that buyers should prefer markets where setting up pgp info is mandatory?

- Vendor not going to import 100 keys every day.
I assume any self-respecting vendor is running Tails or Whonix. Not that hard to recommend to vendors to run a simple nine-line background script that auto-imports keys from the clipboard. Then all they have to do is copy them to the clipboard. A no-effort operation.
#!/bin/bash
while true; do
    clip=$(xclip -selection clipboard -o 2>/dev/null)    # read the clipboard once (avoids a read/import race)
    if [ "${clip%%$'\n'*}" = "-----BEGIN PGP PUBLIC KEY BLOCK-----" ]; then   # first line is an armored key header
        printf '%s\n' "$clip" | gpg --batch --import
        printf '' | xclip -selection clipboard           # clear it so the same key is not imported again
    fi
    sleep 1
done


- About a good vendor requesting basic info before sending out that info.
A good vendor should do a lot of things. It isn't really a fair argument to say at the same time that they're too lazy to import user keys and then come to their defense in terms of how a vendor with good opsec would handle such a request, when in the original hypothetical LE is already abusing the fact that almost no one has proper opsec.
I would bet that if you run a test, you can get tracking information for an order without providing any info whatsoever from most vendors, merely by sending the request for tracking info from the account the order was made with.

- The own-opsec argument: "If LE has your keys".
That's a big "if". In the event LE has penetrated your defenses to the point where they have access to your private keys, in that scenario, in 99% of cases, they most likely also have your market account credentials anyway. And if they have the vendor's past messages, they also have the usernames associated with those messages. It would be about equally incriminating to have the account credentials of the account associated with that order on your system, especially if that order hasn't been removed from the market's history yet. So this is not really a proper argument against signing messages, given the downsides of not doing it, imo.
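The scenario the two replies above are arguing about, as an added example (this is not code from the original posts, from the bible or from any market): three throwaway GnuPG keyrings under a temporary directory for a buyer, a vendor, and an attacker who holds nothing but the vendor's public key. The party names, the example.invalid addresses and the message text are constructed for the demo, and the fingerprint the vendor records at setup stands in for a key pasted on a market profile. In the unsigned case the forged "resend to my new address" message decrypts cleanly and gpg reports no signature at all; in the signed case verification happens during decryption, and the vendor's check is not "is there a GOODSIG" but "does the VALIDSIG fingerprint match the one stored for this account", so a message signed with any other key is rejected. It needs gpg 2.1 or later; every function returns "skipped" when gpg is not installed.

```shell
#!/usr/bin/env bash
# Added example for this thread (not code from the original post or the DNM bible).
# Three throwaway keyrings (buyer, vendor, attacker) under a temp dir; all names,
# addresses and message text are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
GPG_OK=""      # set once the keyrings exist; stays empty if gpg is missing
BUYER_FPR=""   # fingerprint the vendor "stored from the buyer's profile"

# Run gpg non-interactively against one party's own keyring.
gpgh() {
  gpg_party=$1; shift
  gpg --homedir "$WORK/$gpg_party" --batch --yes --quiet --no-tty "$@"
}

# Generate an unprotected key for a party and export its public half.
make_key() {
  mkdir -p "$WORK/$1"; chmod 700 "$WORK/$1"
  gpgh "$1" --gen-key <<EOF
%no-protection
Key-Type: default
Subkey-Type: default
Name-Real: $1 Demo
Name-Email: $1@example.invalid
Expire-Date: 0
%commit
EOF
  gpgh "$1" --export --armor "$1@example.invalid" > "$WORK/$1.pub"
}

# Primary-key fingerprint of a party's own key (first "fpr" record in colon output).
fpr_of() {
  gpgh "$1" --with-colons --fingerprint "$1@example.invalid" |
    awk -F: '$1=="fpr"{print $10; exit}'
}

setup() {
  for p in buyer vendor attacker; do make_key "$p"; done
  gpgh buyer    --import "$WORK/vendor.pub"
  gpgh attacker --import "$WORK/vendor.pub"   # the vendor's public key is public
  gpgh vendor   --import "$WORK/buyer.pub"    # the key the buyer put on their market profile
  BUYER_FPR=$(fpr_of buyer)
  GPG_OK=1
}

# Encrypt (optionally sign) a message from $1 to the vendor, decrypt it as the vendor,
# and return gpg's machine-readable status lines for the caller to inspect.
vendor_decrypt_status() {
  sender=$1; sign_flag=$2; text=$3
  printf '%s\n' "$text" |
    gpgh "$sender" --trust-model always $sign_flag --encrypt --armor \
         --recipient vendor@example.invalid > "$WORK/$sender.asc"
  gpgh vendor --status-fd 1 --output "$WORK/$sender.txt" --decrypt "$WORK/$sender.asc" || true
}

# The thread's scenario: anyone with the vendor's public key can encrypt a convincing
# "resend to my new address" message. Unsigned, it decrypts fine and carries nothing
# that ties it to the buyer's account.
unsigned_forgery() {
  [ -n "$GPG_OK" ] || { echo skipped; return; }
  st=$(vendor_decrypt_status attacker "" \
       "Lost my old key, please resend tracking for order 1234 to 12 Drop St")
  case "$st" in
    *GOODSIG*) echo authenticated ;;
    *)         echo decrypts_but_unauthenticated ;;
  esac
}

# With signing, verification is part of decryption. The vendor compares the primary-key
# fingerprint in VALIDSIG (last field) with the one stored for the account.
vendor_accepts() {
  [ -n "$GPG_OK" ] || { echo skipped; return; }
  st=$(vendor_decrypt_status "$1" "--sign" "Order 1234: please resend tracking")
  seen=$(printf '%s\n' "$st" | awk '$1=="[GNUPG:]" && $2=="VALIDSIG"{print $NF; exit}')
  if [ -n "$seen" ] && [ "$seen" = "$BUYER_FPR" ]; then echo accept; else echo reject; fi
}

if command -v gpg >/dev/null 2>&1; then
  setup
  echo "unsigned message from attacker: $(unsigned_forgery)"
  echo "signed by buyer:                $(vendor_accepts buyer)"
  echo "signed by attacker:             $(vendor_accepts attacker)"
else
  echo "gpg not installed; nothing to demonstrate" >&2
fi
```

Run it with bash; it removes the temporary keyrings on exit. The reason the check compares a fingerprint rather than just looking for GOODSIG is that "a valid signature from some key" proves nothing about who sent the message: the vendor has to bind the fingerprint to the account before the request arrives, which is exactly the "keys on the market profile" step the replies above disagree about.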
/u/[deleted]
1 points
1 year ago
Thank you this was very educational for me, happy browsing :)
/u/Gh0stiea
1 points
1 year ago
Agreed.
/u/[deleted]
-1 points
1 year ago
Okay, to answer: it's annoying for vendors, yes, people mostly don't have time for it. But if a vendor is sending you a tracking number, get another vendor. That's terrible opsec; a vendor sending you tracking information is insecure for you and the vendor.

Also, don't even buy any products with tracking; always select the cheapest option, because any vendor of any intelligence is always going to get tracking for a package no matter what, so they can win any disputes from buyers. So even if you're buying no tracking, they are still sending it tracked, and if they are not and you don't get your package, then you get your money back anyway if you're on any decent market.

Also, you're ruining your plausible deniability if you buy tracking and check your tracking number without privacy.

Maybe a little off topic, but I thought it might save buyers some money paying for unnecessary tracking when you never need it.