I always keep this information confidential, but it is no longer relevant. As /u/OhLongJohnson said, this fail might be a good example to make future markets safer.
I warned Kingdom staff about half a year ago, market URL rotator leaked server IP address behind cloudflare.
Leak was caused by not properly configured nginx and iptables. /u/OhLongJohnson immediately forwarded my message to their developer. The bug was fixed very quickly.
This does not cause any immediate problems, as the URL Rotators are always on a different server than the actual market.
But, LE probably knew this and it was a good starting point to look, scanning for market server IP. Maybe URL rotator compromised, LE sniffed for connections?
What are your thoughts /u/Paris /u/CodeIsLaw ?
footnote: M00nkey market faced same issue, admin was warned on time.
/u/Paris · N/A votes · 21st December, 2023 - 15:28 · Link
A market URL rotator is something that should be secured but that is only to prevent compromised links from being spread from it. Protecting the origin IP using cloudflare is only to counter people who would DDOS the site. When it comes to protecting it from LEA cloudflare does nothing. Daunt is protected by cloudflare but we know the server was imaged just a bit of time after it was announced. Not that they could find anything. We designed it so even if it's imaged or monitored there is basically nothing they can get from it. Replacing links would be possible if they have cloudflare secretly route to another server they control. But we have yet to detect things like that. Still people verify the URLs with PGP keys. In other words, when it comes to leaking IPs of your clearnet link rotator it's a matter of protecting it from DDOSERs not LEA. For obvious reasons, there are no privacy protections in the clear. You should assume if the site is accessible in the clear LEA probably has already imaged the server. Still it's very important to protect it against IP leaks so attackers can't easily gain access.
/u/NoJSDev1 · N/A votes · 21st December, 2023 - 18:22 · Link
Out of curiosity how did you know that LEA imaged your server? What way do you have to detect that
/u/Paris · N/A votes · 21st December, 2023 - 20:04 · Link
We have our ways :D
/u/lexxi · N/A votes · 6th January, 2024 - 19:46 · Link
Technical details of how you detect these types of events would be super interesting. If running on a dedicated server with drives using RAID, ZFS etc... then one way could be checking for disks being removed (to be imaged without server going down). Cloud / VPS servers running containers or VM's get a bit more tricky in that regard.
/u/newyork81 · N/A votes · 21st December, 2023 - 18:11 · Link
Ip leak my ass this was a exit scam. How the fuck you in jail but you have access to the internet i was just talking to the nigga 20mins before the shit went down
/u/Ohnoerman · N/A votes · 21st December, 2023 - 19:21 · Link
This absolutely could have been what lead to their downfall, if not the sole reason. Just remember that Ross of Silk Road was compromised because a fed discovered a StackExchange post submitted before SR really started to take off, which seemed particularly linked to the DNM scene. The account he posted this under was linked to his real email.
/u/Heinous · N/A votes · 31st December, 2023 - 00:47 · Link
It wasnt an ip leak lol. Dude sent his coins directly from the market to an exchange. Low ass hanging fruit, thats it...
/u/tordotwatch · N/A votes · 8th January, 2024 - 21:22 · Link
Read description more carefully.