After two weeks of leeway, it seems the votes are in, and Tor2Door has exit scammed, escaping with an estimated 100K in escrow balances. Tor2Door was possibly the most popular darknet marketplace in 2023, alongside Bohemia. However, just over three years after its doors opened, the digital, counterfeit, and drug-based marketplace has vanished. Is it an Exit Scam or a law enforcement seizure? Most signs are pointing towards the exit scam, and only time will tell.
On September 14, 2023, rumours of Tor2Door’s exit scam sprang up across the Libre and Dread forums. Tor2Door had more than 19,000 listings and featured 900 unique vendors on its platform. But that meant nothing once all links to the darknet website went offline, and this quickly became a concern. We reported their possible exit scam about 24 hours later, but it’s complicated when it comes to darknet markets.
Onion links are notoriously bad and easy to DDoS. It’s been possibly one of the most popular talking points since the Tor Browser was released. So, a darknet website going down for just 24 hours isn’t as rare as it would be for your typical clean-net website. What made things concerning was the fact that its admin and staff were silent on the issue. Even this could have been dismissed, as one could easily point out that fixing the market required more attention than reporting to its users. But a week passed, and there was no update or word on the downtime of one of the best darknet markets out there.
The issue garnered enough attention for Dread Forum admin u/Solar to announce he was locking r/Tor2DoorMarket with the following brief message:
locking sub until (and if) admins come back
Until we receive word of exit scam, bust, or all is good, we will keep new posts on approval only
No moderation on sub leads to chaos
See megathread on /d/darknetmarkets
Additionally, all sub-mods were removed from the subDread to prevent any forum posts from getting deleted.
Naturally, competition is fierce and this is the time for competitors to capitalize. As Tor2Door’s future remains uncertain, rival darknet markets such as Cypher and Archetyp have stepped in to attract Tor2Door “refugees.” These competitors are offering incentives for both vendors and customers, including coupons and discounts, in a bid to capture the displaced user base. After all, 900 vendors will need to set up shop elsewhere, and their customers will generally follow.
Vendor And Customer Frustrations
Naturally, such a major issue would frustrate both customers and vendors. Rumours of the exit scam were quickly cementing the end of the marketplace. Even if the market were to return, its reputation seems to have been destroyed. A cycle that points further to the website’s demise.
Top-tier vendor CrystalCleer even made a bold claim regarding his losses from the exit.
so tired of this shit!!! Complete bullshit makes it pointless to even have bulk listings on markets. All our bulk listings have just gone up due to this, buyers need to go direct with trusted vendors at this point.
20k+ loss for us over here =(
Another user claimed that close to its demise, he had issues already.
“Yep. Pretty sure it’s an exit scam. I wasn’t able to extend escrow or dispute orders. Exit scam or not, I’m done with Tor2Door”
Other users expressed that it was a ticking time bomb anyway. Your average darknet market won’t make it past three years without a bust, retirement, or exit. So, judging by its age alone, Tor2Door was ready to burst at any point.
As one user put it, “Too bad… it made it longer than I would have guessed though.” That said, this isn’t the reaction of somebody who had lost funds due to the exit.
Exit Scam or Law Enforcement?
The real question behind Tor2Door’s disappearance is whether it’s an exit scam or whether its admin has been captured. Interestingly enough, the consensus on this is not as clear as it may sound. Some users have put together evidence to say the Tor2Door admin was arrested, and others have evidence to say it’s likely an exit scam. Let’s break it down.
Tor2Door Admin Arrested
The speculation regarding whether the admin of Tor2Door was arrested is based on several pieces of information and clues that have emerged in the aftermath of the marketplace’s exit scam. While these clues are not definitive proof of an arrest, they raise questions about the admin’s activities and possible law enforcement involvement.
The key pieces of evidence we’ll use come from u/CodeIsLaw, a previous law enforcement investigator. CodeIsLaw believes he traced the Darknet Market servers back to the Netherlands, and if he was able to do this, LE would have done a better job.
“I discovered they had leaked the webhost in historical records before changing to Cloudflare and then eventually to DDoS Guard (Russian Cloudflare Alternative) Looking at historical records of dnm.watch we can see that 168.100.9.36 Amsterdam – Netherlands BLNWX 2021-08-19
On 19th August 2021 dnm.watch was resolving directly to IP address 168.100.9.36, so diving deeper into that IP we can look at every site that has ever been hosted on that IP and we find
Dnmarkets.watch 168.100.9.36 Amsterdam – Netherlands BLNWX 2021-09-13.”
This is compelling evidence against the admin. And if LE weren’t aware of this before, they are now. But the evidence continues as it’s been determined that the Tor2Door admin was using an Apple device for his operations.
There are multiple reasons we can affirm this claim:
- The admin was using ChatSecure, which is an iOS-only Jabber client. This could imply that the admin was using an iPhone to run the marketplace.
- The admin accidentally leaked a tag in the HTML source, which is associated with an iOS-only HTML editor. These details collectively suggest a preference for Apple devices.
- Payment Methods: The admin’s preference for requesting QR codes for payments instead of traditional payment addresses raised further questions. This implies the use of a mobile device for cryptocurrency transactions.
- In post /post/0bd69e42ac89ebeb58f8/#c-23378411d4c94b2032, the admin’s Jabber client was identified as ChatSecure, which is specific to iOS. While this leak only occurred once, the admin’s response was to immediately log out and then back in on a new device, establishing a new Off-the-Record (OTR) session. This sudden change in behaviour may have been an attempt to conceal his device type.
Tor2Door Exit Scam Proof
While the above information is compelling, we aren’t fully convinced he was apprehended, and only a LE seizure notice or press release could convince us, especially when coupled with exit scam evidence.
Building a case that the admin of Tor2Door likely executed an exit scam wasn’t too difficult. Let’s identify several key factors:
- Cryptocurrency Movement: A transaction (TX hash: abbebf84c9d88ae173a3acc7181b1707c34bed8caed054370732a5be75a4cd90) involving Tor2Door’s funds is central to the case. It’s known that Tor2Door sent $1,000 to USNova.
The transaction’s output includes a smaller amount sent to the address bc1q6n7a5jwpjzflyv57u0dkftgq86a07evfkctmsz, which is typically considered a change address.
The resulting funds were then sent to the wallet address bc1q5mt7la95kknxhsuz925su7d8gwtynadd6wsd4u, which is associated with the KuCoin cryptocurrency exchange (as identified in the image below).
- Further Transactions: On October 14, 2021, at 13:29:33, a transaction occurred in which the change from the earlier transaction was merged into a combined transaction with other inputs.
The same address started several smaller movements over the past month, which is unusual activity for the wallet over the past few years.
- The mention of the Laravel framework, which is often used in web development, suggests that Tor2Door may not have prioritized coinjoin or mixing techniques for transaction privacy. The absence of such privacy-focused practices in a darknet marketplace dealing with sensitive transactions casts doubt on the admin’s intentions.
How does this tie to the exit scam? There is scepticism about the transaction management practices of Tor2Door. With hundreds of *selective scamming* accusations and a general distrust towards the marketplace’s operations, users claim they’d seen this coming for some time.
When called out, the admin responded, but this only damaged the market’s reputation. The uncertainty surrounding how transactions were handled raises questions about the legitimacy of the platform’s financial activities.
All this, coupled with the typical operation of an exit scam, doesn’t paint a pretty picture of who the admin is.
There is a major asterisk on this, as M00nkey (an alternative market admin) points out:
How can you be certain that some of those inputs haven’t just been taken from a marketplace user and combined in multiple transactions?
If you’re not sure about how their transaction management has been done, you can’t make such confident assumptions.
Though I have to admit, if the site was built using Laravel, it’s likely that the transaction handling wasn’t focused on any kind of coinjoin/mixing and/or privacy in general.
Conclusion: Avoid On-Site Wallets
It’s always sad to see such a popular darknet marketplace fall. However, it’s typical in the darknet business. So there’s one lesson to take away from this, as we’ve said before: avoid websites with on-site wallets. Any website that forces an on-site balance is likely to exit scam at some point. Tor2Door left with over $100K in their pocket, and more sites will do so in the future.