Darknet Reddit makes search engine for Darknet Markets

There is a new darknet Reddit search engine for cybercriminals to search illegal merchandise in darknet markets - top UX for online fraud.

Michał Barbaś

Intelligence Specialist

12 March 2020


12 min read

Administrators of the biggest English speaking forum in TOR1 started a new project for Darknet criminals. On the 2nd of March they launched a new R. search engine (something like Google) that allows users to look for illegal merchandise from many Darknet Markets at once. As a result, illicit information will be much easier to find for any cybercriminal.

A brief explanation for Darknet beginners: The Darknet doesn’t resemble the clear web. You don’t have a main page like Google or Bing that allows you to search the whole darknet space. In order to reach any website, you need to know the exact link or address. There are forums that can guide you through the darknet, but to enter them you need to know they exist in the first place. That’s why there have been attempts to create a proper search engine to facilitate the research of illegal activities. Of course, comparing Google to R. search engines is a big simplification. With Google, we can search almost the whole Clearnet while with R. search we can explore only darknet markets (DNM) in TOR and not even all of them.

Almost like Google

The idea of a Darknet Market (DNM) search engine wheere one can browse offers from various stores is not new. What’s unique this time are the people behind it. It is a team of administrators and moderators of “D. forum” - the biggest discussion forum in the English language sphere of TOR, launched in February 2018 as a response to the further banning of Darknet related topics on Reddit. D. became one of the main informational hubs on TOR. So whenever you look for opinions about DNM, specific DNM vendors, new fraud methods or you just don’t know where to purchase something, that forum is the first place many Darknet users go. It also applies to those who chase after tutorials on how to commit fraud, new services in DNM, latest events on the Darknet or anything connected to it, frauds, drugs or any other illicit activity. On this forum, there are many sections, which are clearly about an illegal activity like Fraud, Carding, Fraud Resources, Counterfeiting, Dark Markets, Fake ID, Fake Money, LSD, Drug Manufacture, Malware, Hacking, etc.

Each big DNM and every popular type of fraud and drug has its own section. Also, there are sections for particular countries, cryptocurrencies and popular TOR websites. Only pedophilia, pro-terrorism, poisons, weaponry and assassinations related topics are prohibited. Apart from that, it’s full freedom of speech.


Examples of the most popular subforums on D. forum. Fraud, carding, hacking are among the most popular. Dream Market, Cryptonia and NightMare Market are already dead DNMs.

Creators of the D. Forum are already one of the most influential vendors in English speaking part of TOR and have the reputation. That’s why opening R. search might give them a new role. To underline the connection between the well-respected forum, R. search requires login from D. forum to sign up on R. search. This is even obligatory if you are a DNM vendor and you want to update information about you in R. search. There is no given information whether the R. search engine collects information about users searches and their preferences. As we all know Google uses search history to profile web surfers. What if the D. team can make the same feature, and profile which of its users are interested in which type of illegal stuff? There could be many tools for getting more information about Darknet users who wish to stay anonymous.

The look of R. search

R. search looks really nice (in comparison to other Darknet websites) and is user-friendly. It has basic filter features, including: minimum and maximum price, shipping country, Darknet Markets. At the time of writing this article, R. search engine indexed 23,7 thousand vendors, 61 thousand listings (that’s what we call offers on DNM) and 1,3 million reviews from DNM users. Currently, R. search contains only 6 active DNM plus archive data about DNM that are already gone. The crucial thing is how new DNMs are added and who decides about it. D. forum team wants to create a database with only reliable DNM vendors, without scammers. Of course, it’s their decision which DNM are trustworthy enough to be added to the database and which are not. Thanks to that, the group's role in the Darknet infosphere is becoming more significant.


Main site of new R. search engine.

An important feature: R. search has in its database also archived data from already closed DNMs. Markets on the Darknet rise and fall, and vendors often have to migrate from one place to another. Their market statistics usually do not appear in the new place and buyers have to trust vendors’ words that they are trustworthy, reliable etc. Thanks to R. search buyers can check the reputation of vendors in the old DNMs. R. search has a very interesting type of search engine where you can find vendors by their PGP fingerprint or Public PGP Key2. Thanks to that, when somebody claims he is Mr. X and he had great scores on DNM's that are already dead, one can check if Mr. X on these dead DNM had the same PGP Key. PGP Key is the main way for Darknet users to authenticate themselves.

*List of dead DNM that was added to R. search database. *


Other search engines in the Darknet

As I wrote in the beginning, R. search is not the first search engine in TOR. First well recognizable one was Grams. It operated from 2014 until the end of 2017. Grams was well-known and valued by the TOR community. The website was linked to the cryptocurrency mixer Helix, and because of that its creator was charged with money laundering conspiracy by a US court in the last month.


That’s how Grams looked like. Looks familiar?

In November 2019, a new TOR search engine called K. started its carrier. Its name and filter features are similar to Grams. Its owners also started their own cryptocurrency mixer, that even more so reminds one of the Grams modus operandi. The main advantage K. has over R. search is that K. indexes not only DNM, but also forums (556 thousand forum posts from 6 forums) in TOR. K. has also indexed more listings then R. (66,5 thousand), but much fewer vendors (2,9 thousand) and reviews (257 thousand). K. indexed 7 DNM – 1 more then R. search.

*Statistics, search filters and news on K. search engine website. Insightful observers will find messages to group of “people” which Darknet crooks hate the most. It’s not cops. *


What if Law Enforcement is behind it all?

It may look like a conspiracy theory, but since September 2019 many TOR users have limited their trust in the D. forum and its main administrator – HugBunter. Since beginning of 2019 D. forum is under DDoS attacks3 and because of that, D. forum at times was not available. During September, D. forum was down due to maintenance for more than a week, when HugBunter’s deadman switch was activated. A deadman switch is a type of security system set up by each individual to notify chosen people after an unusually long absence. For example, in the past, Edward Snowden and Wikileaks’ stuff used it to ensure that certain files will be sent to certain emails if, for some reason, they won't be able to do something (like login to some portal)4. In HugBunter's case he didn’t communicate with anyone for 3 days, while in the past he stayed silent for 1 day, maximum. A crucial detail here is the fact that he disappeared at the same time as when D. forum was down and many alarming things occurred in TOR (more about it below). According to other administrators and moderators, that was the very first case of such a situation. Some crooks and Internet portals announced D. forum’s death.

HugBunter came back and launched D. forum on the 1st of October and said that he had some problems, but everything is ok now and the forum came back with new features. He clearly ignored the fuss that his Deadman switch had caused. We have to emphasize that all of that happened during the harsh time for the Darknet society and there was a lot of reasons for every crook to stay alert. At the beginning of September the main admin of another TOR forum disappeared, when he came back he didn’t have access to his own PGP Key and he couldn’t authorize himself. On September 22nd, Berlusconi Market, one of the oldest English language DNM at that time, was seized by Italy Law Enforcement. In November the administrator of Samsara Market, a DNM that appeared a few months before and claimed to be a Dream Market successor, has gone missing. Dream Market was the biggest DNM until March 2019 and almost nobody believed that Samsara is connected to them. Also, in November 2019 Cryptonia Market, DNM considered to be the safest to use because of its security features, stopped working for unknown reasons.


At the end of November, the administrator of the widely respected portal stated he didn’t trust the D. forum team anymore. As he wrote on the next message: “Many people around here are Law Enforcement (LE) targets. But it is highly unusual to continue trusting a known LE target after a prolonged, unplanned disappearance. One that triggered a previously-unannounced "deadman's switch", handing server control to a Paris that nobody knows or has sane reason to trust. Then at least three markets disappear, all at the end of the year: Cryptomarket Hunting Season.” Later discussion in TOR calmed down. Many crooks are still not sure of the D. forum team. The future will show on which side of "the Force” they are on.

Target no.1 to intercept

From a law enforcement point of view, D. forum should be target number 1 to intercept. At the moment, its role as main information hub is far more important for Darknet users than the role of any DNM, notably for low and mid experience users. Every DNM lifetime is limited and because of this business character every one of them will eventually make an exit scam or will be seized by law enforcement. Especially in the last year the rotation of DNM's increased. Contrary to this background, D. forum looks more stable, reliable and secure. Moreover, D. forum’s staff officially don’t sell any illicit goods, so they can be viewed as less attractive targets for any law enforcement. But they do sell advertisements to Darknet vendors and this can be the ground for a money laundering charge. In fact, a similar case occurred in deepdotweb.com case, where portal owners were charged with money laundering conspiracy for such advertisements.


Rules for advertisements on D. forum. Payment only in Bitcoins.

For law enforcement to intercept and run such an information hub connected with a DNM search engine would have many advantages: deciding who is reliable, which fraud method works, surveillance of users and their communication, finding the most active crooks, false creation of trends, dissemination of disinformation and many more. There is no hard evidence that such an interception occurred, but for sure, D. forum and R. search engine are on law enforcement target’s top list. Until such evidence will appear or law enforcement seizes them, more and more TOR users will use these services and will be guided by it.

To see my latest article on the state of the darknet, please check out my article on "Will Instability in English Language Darknet Markets Open the Door for Hydra?" on about-fraud.com.

  1. The Onion Router (TOR) is a secure, encrypted protocol to ensure the privacy of data and communications on the web. It uses a series of layered nodes to hide IP address, online data, and browsing history. Originally developed by the U.S. government, it is now seen as a dangerous system that often is used for illegal or unethical purposes. There are other encrypted networks similar to TOR and they all together form Darknet.

  2. Pretty Good Privacy (PGP) is a popular program used to encrypt and decrypt email over the Internet, as well as to authenticate messages with digital signatures and encrypted stored files.

  3. Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. Source: www.digitalattackmap.com/understanding-ddos/

  4. More detailed description of HugBunter deadman switch: “HugBunter purchased a cheap server, a script was put in place to send an email to every D. forum moderator if no login was made on that server within X amount of days. Hug instructed (during a time where he was not compromised) his staff to publish this message without fail if they ever received this email/alert, that was their duty and Paris (another D. forum administrator) fulfilled it. Multiple of these types of systems could have been put into place, but the simple process is; if a step is not taken within a certain period of time the switch would go off. There is no way to activate a deadman switch. It is all predefined with whatever variables there are, the only way to prevent said switch from going off would be to delete the system or fulfill the requirement set to delay or prevent it from going off.”

Ready to detect fraud just like Azul?

Ready to detect fraud just like Azul?

Start measuring fraud attacks today and find out if there are bots attacking your site. Arrange a call to discuss a tailored solution or explore our platform for free.

Go to pricing