A 12-step guide to darknet markets

Read time 4min 40sec
ITWeb Security Summit 2015

For more on this and related topics, do not miss the summit, at which Roger Dingledine, president, director and co-founder of The Tor Project, will discuss attacks on Tor. 26 to 28 May, Vodacom World, Midrand to book click here.

Someone anonymous (naturally), asked me how a newbie might go about buying something from a darknet market like Agora, Evolution, the Middle Earth Market, or the now-defunct Silk Road.

I strongly advocate using the dark Web only for legal purposes, like buying My Little Pony collectors' items. I might believe government surveillance is ipso facto dangerous, that encryption is good for you, or drugs ought to be legal, but I cannot in good conscience advise you to violate the laws of your country. I hereby formally disclaim any responsibility for your actions. If you get caught, even if only with pony merchandise, you're on your own.

With that out of the way, here is a guide to darknet markets:

1. Download and install the Tor browser bundle. This will allow you to visit Web sites via the onion routing network, which makes it hard to trace you. Its use is good security practice anyway, since it will stop commercial tracking too. Follow the Tor guide to online security and anonymity. Just running the browser is not enough.

2. A good start point is The Uncensored Hidden Wiki: The addresses can change without notice as sites are compromised by hackers or law enforcement, so keep an ear on the chatter in forums to help you decide which sites you can trust. A particularly useful forum is the DarkNetMarkets subreddit.

3. Go out onto the dark Web and learn. Operational security takes work, and the darknet can be bewildering at first. It will remind you of the clearnet Internet in the mid-1990s. Make sure you're comfortable with your knowledge before you proceed with anything that might be considered risky, like investing in Hasbro's MLP line of toys. Read pages like 'How To Exit the Matrix' and 'Security Basics' on the Hidden Wiki.

4. Install PGP or GPG and learn about creating and using public-private key pairs. Then, never divulge or lose your private key. Keep it on an offline USB stick, to be safe.

5. Find a darknet market. They need to be accessible, but they do get hacked or shut down, so addresses change all the time. Always double- and triple-check addresses on various forums. Click here for a fairly recent list of markets.

6. Register an account, never using any personal details, of course. Browse around. Reputable markets have measures to protect buyers and sellers. An escrow system is a must. This ensures buyers commit funds upon order, but sellers only get paid upon delivery. Never accept a special offer to bypass an escrow system, or to enter into private negotiations. That is how many scams are perpetrated. On some sites, sellers pay a deposit or bond to the market, which they forfeit if too many customers complain. An eBay-style reputation system is also necessary. Learn how your chosen market works, and how it protects its traders.

7. Acquire some bitcoin. Once you're ready to buy your favourite pony, you'll have to pay, and credit cards are not acceptable in crypto circles (because transactions can be repudiated). Start at, or find a local exchange in your country that will accept your currency. I use The bitcoin blockchain (ledger) is public, so learn about the limits of bitcoin anonymity:

8. Create a bootable USB with Tails, for use while conducting actual transactions. This will ensure there is no trace left on your computer.

9. Set up a secure e-mail account with a service such as ProtonMail or Hushmail. You may need it. At least use throwaway addresses dedicated to each transaction. Likewise, find a secure chat client like Off-The-Record or XChat, for communication with anonymous strangers, if your chosen market does not provide a secure comms facility itself (most do).

10. Optionally, use one or more VPN or proxy services. Tor is usually enough if you practice good operational security, but the more proxies you're behind, the harder it becomes to trace you. VPN endpoints or proxies should be in fairly liberal countries, outside your own and the US.

11. Do the deal. Contact the seller, informing him or her of your intention to aquire a new Rainbow Dash plush toy for your private pleasure. You'll be asked to pay into the market's escrow account, and the goods will be dispatched. In most cases, sellers use regular airmail. It is surprising how many My Little Ponies make it through airports and post offices unmolested. Obviously, importing them by the crate is more likely to raise suspicions than one or two for personal use. It is hard to gauge actual risk, but I'd wager that buying MLP merchandise face to face is more likely to get you exposed.

12. Don't trust anyone, including me or this guide. Go as far with this as you wish, but do your own homework. Enjoy your plush ponies, you freak.

Login with