Versus, a notorious English-language cybercrime darknet market, shut down after a hacker disclosed a high-severity Proof-of-Concept (PoC) exploit last week. The vulnerability could’ve been used to access the market’s database and expose its servers’ IP addresses.
The hacker leaked a PoC showing how an attacker could access the website server’s file system on Dread, a social media platform on the darknet. Versus administrators then took the website offline and conducted a security audit to assess damage to the service, which offered a combination of hacking services, drugs, stolen payment cards, coin mixing and leaked databases.
This isn’t the first security audit of the three-year-old darknet marketplace. Versus’ operators announced at least two more security audits in the past after suspicions of hacks or critical flaws arose.
After discovering the vulnerabilities described in the PoC, the market’s administrators decided to take the website offline for good. The decision sparked confusion and worries among the market’s community members. Some of them theorized that owners were carrying out an exit scam, while others believed it was an FBI takeover, and a few of them felt the service was on the verge of becoming a liability.
After the website was shut down, a leading operator of the Versus marketplace posted a PGP-encrypted message to shed light on the situation. The message can be found in its entirety below:
“There is no doubt that there has been a lot of concern and uncertainty regarding Versus in the last few days. Most of you that have come to know us have rightfully assumed that our silence has been spent working behind the scenes to evaluate the reality of the proposed vulnerability.
After an in-depth assessment, we did identify a vulnerability which allowed read-only access to a 6+ month old copy of the database as well as a potential IP leak of a single server we used for less than 30 days.
We take any and every vulnerability extremely seriously but we do think that its important to contend a number of the claims that were made about us. Specifically of importance: there was no server pwn and users/vendors have nothing to worry about as long as standard and basic opsec practices have been utilized (for example, PGP encryption)
Once we identified the vulnerability, we were posed with a fork in the road, to rebuild and come back stronger (as we had done before) or to gracefully retire. After much consideration, we have decided on the latter. We built Versus from scratch and ran for 3 years.”
The staff member also promised to give Versus customers a link to perform transactions unhampered by time limits, letting them retrieve escrow balances.