We Start Now

[Faradey]

Rome… what do we know about Rome? Rome was founded in 753 BC and grew from a city into an empire stretching from the shores of the Atlantic Ocean in the west to the Mediterranean Sea in the east. Rome is not a geographical location or a nation; Rome is an idea. By conquering countries, Rome brought culture, prosperity, stability, and well-being to others, albeit by force, but thanks to Rome, the conquered nations developed. Yes, Rome fell, but it is not 476 AD now; it is 2025, and Rome fell due to communication difficulties. In today’s era of digital technology, it doesn’t matter where you are—data exchange happens instantly. We have carefully studied the mistakes of all our predecessors and thoroughly prepared. We will never fall! We are building a new Rome, and we will bring prosperity, stability, and security to our users worldwide!

We have created a mechanism that is not just well-protected or complex. At its core, we have eliminated the very idea of being attacked or found. It simply yields nothing; we have no vulnerabilities, neither for hacking nor for DDoS. We guarantee the security and stability of our service, thanks to the constant work of our team of the best specialists—developers, defenders, and our attackers. Our team’s expertise includes cutting-edge IT technologies, time-tested proprietary synthesis methods, unique stealth techniques, knowledge of logistics, and international law. We can influence markets in various and all available ways, from destroying competitors to building a new market for legal drugs.

We are beginning to build our empire, and others will either join us or disappear, with only their memory left on Wikipedia pages. We paralyzed Archetyp operations for nearly a month and a half and will achieve its complete destruction. We will clear the entire drug market in the darknet, but other markets have the opportunity to join us. Users should not react with hostility to our expansion. This is just business, and in business, the strongest and best prevail. And that is us.

If the supermarket you’re used to shopping at burns down, you’ll simply go to another, more reliable one. The same thing is happening now. All markets will simply burn down, and no one will remain except us. The only question is how quickly you realize this and start building your reputation with us, which is the main factor in resolving disputes.

We offer shops free 6-month listings for any number of products, provided they verify themselves on any other market. Archetyp vendors didn’t get to take advantage of this offer since we’ve kept Archetyp paralyzed, and we won’t chase private mirrors. Everyone else still has a chance to seize this opportunity before we start targeting other markets.

Bazaar, this is the new Rome, this is a new empire.

 

[pshcrmth]

Such a MANIFESTO!

 

[The-Hive]

 

[Yugong]

Научный прорыв: Когда обезьяны открывают для себя Интернет и учатся говорить, они начинают DDoS-ить Archetyp.

Один из пользователей, работающий под прикрытием на маркет Bazar, с ником HarrierDoBois, выложил пост, в котором рассказал, как админы Bazaar'а выложили сообщение на своём форуме BreakingBad. В этом сообщении они, якобы, хвастались DDoS-атакой на Archetyp и страдали манией величия. Копия поста доступна для вашего развлечения: Dread/post/64166ad1aca18c13b9c9.

Откуда я знаю, что HarrierDoBois работает на них?
Всё просто. Посмотрите на скриншот, который он приложил через dumpli. Обратите внимание на надпись a moment ago внизу — это стандартный вывод для их форумного софта и означает буквально "несколько секунд назад". Это значит, что HarrierDoBois сделал скриншот практически мгновенно после публикации. Кто бы смог так быстро его увидеть и заскринить? Только тот, кто заранее знал о посте. Они так торопились, чтобы "слив" выглядел внезапным, что спалились. А теперь всем понятно, кто его крышует. Раз уж зашла речь, добавлю: palecafe и deepweb — тоже проекты Bazaar/BreakingBad. Их уже не раз пытались пропихнуть на Dread. Будьте осторожны.

Клоуны с цирка под названием Bazaar/BreakingBad Forum после моего ответа Dread/post/64166ad1aca18c13b9c9/#c-e08aad2504911956ae поспешили отключить свою JavaScript-капчу. Теперь у них сломана регистрация и взломать их Laravel-приложение не получится. Но и не надо — их маркет не дотягивает даже до самого дна, на уровне новоявленных рынков из /d/newmarkets, которые живут по паре недель. Сейчас объясню почему.


Когда заходишь на их маркет первое, что нужно проверить? Исходный код. Сразу видно, что информация утекает:

stat bazaar **

<script>
(function(){
  var loader = document.currentScript;
  var domain = window.location.hostname;
  // var statHost = 'stat.' + domain;
  // var statOrigin = window.location.protocol + '//' + statHost;
  var statOrigin = '*****stat.bazaar.**';
  var url = statOrigin + '/js/script.js';

  fetch(url)
    .then(function(response) {
      return response.blob();
    })
    .then(function(blob) {
      var blobUrl = URL.createObjectURL(blob);
      var s = document.createElement('script');
      s.defer = true;
      s.src = blobUrl;
      s.setAttribute('data-domain', domain);
      s.setAttribute('data-api', statOrigin + '/api/event?rid=*****-***-**-****-******');
      document.head.appendChild(s);
    })
    .catch(function(err) {
      console.error('Error loading stat script:', err);
    });
})();
</script>

или их онион-эквиваленты:

r2e7xc6s6fnmn5jblnmedwtrljzfzgwp34qw45bmri5ljl3kc********onion

  var statHost = 'r2e7xc6s6fnmn5jblnmedwtrljzfzgwp34qw45bmri5ljl3kc********onion';
  if (!isOnion) {
    statHost = 'stat.bazaar.bz';
  }

  var statOrigin = window.location.protocol + '//' + statHost;
  var url = statOrigin + '/js/script.js';

где они хостят свою систему аналитики Plausible. Поскольку своих мозгов не хватило — тупо взяли готовое решение. Если вам по кайфу, когда за вами следит Google и вся остальная сеть, то может это покажется нормальным. Но вообще это тупой ход и демонстрирует полный технический ноль.

Но это ещё цветочки. Держитесь крепче. Трекается не только заход на сайт, но каждая страница, каждое действие, всё, что вы делаете на платформе. А если вы заходите на их клирнет-домен (да-да, вся функциональность доступна там — просто геианльно):

curl --include "r2e7xc6s6fnmn5jblnmedwtrljzfzgwp34qw45bmri5ljl3kc********onion/api/event?rid=%27"
HTTP/1.1 404 Not Found
Date: Thu, 29 May 2025 **:**:** GMT
Content-Type: text/html; charset=utf-8
Content-Length: ****
Connection: keep-alive
access-control-allow-credentials: true
access-control-allow-origin: *
access-control-expose-headers: 
cache-control: max-age=0, private, must-revalidate
referrer-policy: strict-origin-when-cross-origin
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-request-id: *******-********
x-robots-tag: noindex, nofollow
[color=red][b]Server: awselb/2.0[/b][/color]

Это уровень идиотизма, которого в даркнете ещё не было. Логируются и отслеживаются все движения пользователей, все запросы. И, чтобы было ещё легче полиции, всё это хостится на AWS. Если бы я не знал, насколько они тупы, я бы решил, что это honeypot.

Ходы ещё умнее? Да, пожалуйста! Хранить изображения через Minio:

storage.bazaar.**/media/

и эквивалент:

storage.bazaarboom567hsuxjspmwurpl7lyx23p7r2byg22vwfhv5yu********onion/media/

Улик у меня нет, но с учётом их полной технобезграмотности, вполне возможно, что этот Minio-бакет тоже на AWS.

Хочешь попробовать дефолтные креды Minio (minioadmin:minioadmin) или другие эксплойты?Вперед.

Интересно, как у них устроен auth cookie? Да легко декодируй base64.

{"iv":"oVE09nuOgS45kRgYGZY33g==","value":"NTWPR3agRofCyJn/yju5vx26ew5cHF0UBzgu6hu4W4Zffcd0T1LZQ5b3ENEpcnZt","mac":"220f6b87e732ac927f18964c95f6ba8c091fd5cee9400bf4187c10704a09bf83","tag":""}

А Bazaar щедро предлагает ещё больше! Вместо PGP-подписей или шифрования, у них прямо в форме заказа поля адрес, имя и прочая инфа. Но не переживайте они "обещают" использовать SHA256 для шифрования записок и хранить данные "недолго". Слово пацана.

Лично я не стал долго копаться на их сайте и инфраструктуре. Хватило часа — и чем больше я находил, тем больше приходил в ужас. Уровень безопасности и заботы о пользователях: минус сто.

Какой пост без IP-слива? Чтобы не нарушать правила по доксингу — дам лёгкий тизер:

77.110.10*.***

Один из их IP. Сервер на Ubuntu (да, подтверждено по уникальным TCP-пакетам не просто). Может, это и есть сервер с их аналитикой? Оставлю это читателям поройтесь, повеселитесь.

curl --include "r2e7xc6s6fnmn5jblnmedwtrljzfzgwp34qw45bmri5ljl3kc********onion" 
HTTP/1.1 403 Forbidden
Date: Thu, 29 May 2025 **:**:** GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
[color=red][b]Server: awselb/2.0[/b][/color]

<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>[color=red][b]nginx/1.24.0 (Ubuntu)[/b][/color]</center>
</body>
</html>

Открытый nginx, уязвимый OpenSSH (удалённый доступ), куча дырявых сервисов. Как вам Fastpanel, ребята? Нравится? Или это всё же difficulthorse, хинт-хинт?

Обсудим другие ваши IP и сервисы от Aeza? Надеюсь, вы им хорошо платите — потому что ваша тупость будет им дорого стоить.

Итак, подведём итоги провалов Bazaar Market / BreakingBad

1) Используют Cloudflare и запускают полноценное зеркало в клирнете. Давайте отправим все свои данные через Cloudflare без PGP — ну просто гении!
2) Требуют решить JavaScript-капчу для доступа к сайту.
3) JavaScript обязателен для работы основного функционала.
4) Логируют и отслеживают каждое действие/запрос пользователя в систему аналитики.
5) Логируют и отслеживают и отправляют это всё в AWS-бакет. Да, вы не ослышались.
6) Рекламируют серверное шифрование (AES-256) вместо стандартного PGP, проверенного годами.
7) Светят IP-адреса своих серверов в клирнете.
8) Запускают уязвимые сервисы, через которые можно дальше эксплуатировать и идентифицировать другие их сервера в пределах хостинга (Aeza).

Они не просто забили на безопасность пользователей у них её даже в планах нет. Это стало очевидно, когда я увидел, что у них JavaScript везде. Команда Bazaar, учите историю: вы не в Древнем Риме. Но они-то искренне считают, что строят новый Рим. Те же люди считают, что dead drop'ы это инновации, а доставка с такси «гениальная идея» (ага, отличный способ устроить массовые аресты). Почитайте их посты посмеётесь от души, как новички строят империи.

Bazaar неуязвимы? Их невозможно DDoS-нуть? Зал в смехе. Даже англоязычные маркеты, которые заявляют, что это был последний DDoS или у нас антифишинг, выглядят поувереннее. Хотя и это часто враньё но их уровень на порядок выше, чем у Bazaar.

Теперь Archetyp admin может взять всю эту инфу и разнести её по сети, чтобы при поиске Bazaar Market все видели одно «Обезьяны с манией величия, решившие админить рынок»

Этот пост напоминание НЕ используйте Bazaar Market, если вам важна приватность и безопасность. Всё весело, пока кто-то не получает срок в 20 лет. Не становитесь этим кем-то. Не доверяйте свою жизнь админам-неучам.

Но если вам по кайфу рынок, где PGP не обязателен, все запросы летят в Amazon S3, адрес, имя и прочие данные сохраняются тупыми админами...тогда да, ваш выбор Bazaaar Market oни точно не Придууурки.

Теперь давайте посмотрим, как быстро этот пост удалят, потому что администрация Bazaar была разоблачена и показала свой настоящий уровень некомпетентности. Я мог бы копнуть ещё глубже но не стал, так что скажите спасибо.

 

[Yugong]

Scientific breakthrough: When monkeys discover the Internet and learn to speak, they DDoS Archetyp.

Another user who is working as undercover for Bazar market HarrierDoBois posted a topic where the Bazaar admins made a post on their own forum BreakingBad. In the post they outlined how they were allegedly DDoSing Archetyp and delusions of grandeur, a copy available for your entertainment /post/64166ad1aca18c13b9c9.

How do I know HarrierDoBois is working for them? Easy. Look at the image he linked on dumpli in his post. Notice the a moment ago text at the bottom? Standard for the forum software they'ew using means literally some seconds ago. HarrierDoBois was told to quickly screenshot it and in their rush to expose their stupidity they added another stupidity. Physically no way to have screenshotted it without waiting and refreshing every second on the forum. Now everyone knows who he works for. Since we're talking about this let me also add palecafe and deepweb as owned by Bazaar/Breakingbad and they have been pushed on Dread a couple of times. Be aware.

The jesters at circus Bazaar/BreakingBad Forum were quick to disable their javascript captcha shortly after reading my response /post/64166ad1aca18c13b9c9/#c-e08aad2504911956ae to their funny Rome delusions. Now their registration is broken and you can't hack their Laravel application. But you don't need to hack or bothering with hacking them because they aren't on the level of the lowest tier markets which appear for few weeks in /d/newmarkets. Let me explain.

When you enter their market what is the first thing we should check? The source code. Immediately you see information is sent to
or the onion equivalent
hosting their Plausible analytics platform. Because they don't have the skills their own one they have used a ready product. If you like tracking like Google and the rest of the Internet track you, you would say yeah the move to use another product for analytics is tasteless and shows lack of skill but what the hell, right?

But hold on for a ride. Not only the entry is tracked but every page you go and everything you do, all actions on the platform. If you're visiting their clearnet domain (full site on there, genius)
A level of stupidity we haven't seen in the darknet yet. Logging and tracking all of your user movements and requests and for extra easy steps for police to get the data, they are hosting it on AWS. If I didn't know they were this stupid I would say this market is a honeypot.

More smart moves? Yes please! Using Minio to store your pictures.
and equivalent
I don't have any proof for this one here but given how technically inept they are, I wouldn't be surprised if the Minion bucket itself is hosted on AWS too.

Want to try Minio default creds (minioadmin:minioadmin) or other exploits? Be my guest.

Want to know how they make up their authentication cookie? No problem decode the base64.
Bazaar offers more! Instead of PGP recommendation or PGP enforcement, Bazaar has fields for orders directly to put your address, name and other details. But don't worry and think of extortionists like Incognito admin who put everyone on the line, Bazaar promises to use SHA256 encryption on your notes and store them only for short period of time. Pinky promise.

I didn't personally bother to look at their website and infrastructure for more than an hour as the more I found the more I was in disbelief. The level of security and care for the users is minus, minus 100.

A post like this isn't good without an IP leak. Not to be within doxxing rules I'll tease a small part of it
This is one of their IPs. Ubuntu server (yes unique TCP packets confirmed not only). Could it be the Ubuntu server where their analytics is hosted? I'll let the readers do their own homework/have fun.

Vulnerable nginx, OpenSSH (remote) and so many other vulnerable services on that IP. How is Fastpanel fellas? Is it good or is it a difficulthorse hint hint?

Should we discuss other IPs and services you have from Aeza? I do hope you are paying them well because your stupidity will come out of their nose unfortunately.

Let's do a recap of Bazaar Market/BreakingBad fails.

1) Using Cloudflare and running directly full clearnet mirror. Let's send our data to Cloudflare without PGP... what a bunch of geniuses!
2) Requiring to solve javascript captcha for accessing the website.
3) Requiring javascript for main site functionality.
4) Tracking and logging every user request/event to analytics platform.
5) Tracking and logging every user request/event to analytics platform and sending it to AWS bucket.
6) Promoting server side encryption on the server (AES 256) instead of the age old market standard of PGP.
7) Exposing network IPs to clearnet.
8) Vulnerable services running on servers allowing further exploitation and identifiction of other servers within their hosting provider (Aeza).

They have no interest in keeping users safe at any level. That was most clear to me when I saw javascript everywhere. Bazaar team, learn your history, you aren't in ancient Rome. But these people think they are building Rome. The same people who think dead drops are innovation or putting everyone at risk with taxi service (get your drugs fast delivery, nice way for police to catch everyone). You should read their posts you will have a good laugh how beginners build empires.

Bazaar don't have vulnerabilities, they don't have DDoSable services? Laughs in the audience. In all honesty English markets also claim this is the last DDoS they will ever receive or have unphishable markets both of whom are bullshit and speaks of degree of lack of understanding/skill. However the security standard is much higher than what is displayed by Bazaar.

Now /u/BigBossChefOfArchetyp can take this information and blast it over the Internet so when someone searches Bazaar Market they will be redirected to Monkeys with Delusion of Grandeur Running Servers.

The post should serve as a reminder don't use Bazaar market if you value security and privacy and trust the superlist process of Dread created by /u/HugBunter and /u/Paris It exists for a reason to remove security risks to user who truly care about their security. It's all fun and games until people are facing 20 years in prison. Don't trust your life to ignorant admins.

However if you would like to use a market where PGP isn't recommended, you get your requests logged to Amazon buckets and your personal details saved by these morons, visit Bazaar Market they are definitely not Retaards.

 

[pshcrmth]

...haters gonna hate... ..the dogs may bark but the caravan passes...
..god bless U!...

 

[Yugong]

It's common sense which you clearly don't have. Either that or you are a fed.

 

[pshcrmth]

Yours attitude looks more like fed wanna be tbh. So dont judge if You dont want be judged...

 

[pshcrmth]

As well its Yours opinion only...

 

[pshcrmth]

Все твое и ваше — всегда было мое и наше ‍

 

[Yugong]

It seems someone else had posted before 1 week ago and exposed your infrastructure too Dread/post/41586f78a2e32484e207

As I said laughter in the audience. Embarrassing.

 

[Faradey]

I want to thank the author for such a detailed investigation, as by responding to people like him, we only prove our competence. I initially wanted to write a detailed response to each point, but they are so fundamentally foolish that I’m at a loss as to which specific errors in his reasoning to highlight. Nevertheless:

We use the clearnet for the convenience of our users, and if you access the clearnet domain, there’s a warning recommending the use of Tor.

Regarding the danger of JS, instead of baseless and amateurish claims, it would be worth providing specific examples of JS vulnerabilities. On the contrary, JS is a good defense against phishing and DDoS—not absolute, of course, but very effective. The author would do well to familiarize himself with the Tor Browser, where all JS vulnerabilities have long been addressed.

Like EVERYONE IN THE WORLD, we log user actions—this is what EVERY SINGLE WEBSITE OWNER does, ABSOLUTELY EVERYONE. We use Plausible to measure the effectiveness of advertising campaigns; it’s an open-source solution vetted by hundreds of users on a voluntary basis.

We have never had any connection to Amazon; this is an empty and baseless accusation.

The CAPTCHA was never disabled; it works as intended and activates automatically when needed, not like on a certain well-known market where you have to pass four CAPTCHAs in a row to access a site with a design and archaic mechanisms that could make your eyes bleed.

PGP is also used by us, but we’re against forcing it—we prioritize user convenience, as with clearnet addresses. Users can choose to use it or not.

The IP? That’s just laughable. You can take that IP, the host’s name, and run to Europol—it has nothing to do with us.

Nobody will delete your post; you’ve already humiliated and ridiculed yourself, and you don’t even need help with that. We are tolerant of the mentally challenged. This post isn’t for you but for our users. We have the strongest team at the moment, the best chemists in the world, the most extensive knowledge in logistics and stealth packaging for both personal use and wholesale transport, and the best IT team. We prove all of this in practice every day.

Nobody will engage in pointless bickering with you; we won’t stoop to your level. If you want to humiliate yourself further, go ahead and keep embarrassing yourself—our help isn’t needed. We have better things to do.

We are also open to discussing real issues, not fantasies, and for that, we have a bug bounty program.

 

[Yugong]

> we only prove our competence.
Do you though? You have no technical competence. Everyone on Dread laughed at you and not only there. You will gain some users but you are putting them at risk with your poor practices this is what it's about. Any idiot can run any forum we have seen it many times how it ends with hurting assholes.

> We use the clearnet for the convenience of our users
But you claim you are secure. Convenience is the enemy of security. You are asking all customers to put their data without PGP and through Cloudflare all logged to Amazon buckets. Very well done. If your users don't see anything wrong with it they should use your site. Only reason such measures would be tolerated by admins or users would be if the whole thing is a honeypot by police.

> Regarding the danger of JS, instead of baseless and amateurish claims, it would be worth providing specific examples of JS vulnerabilities.
You want free education? Use search engines and find for yourself. Find how many times police used javascript to deliver exploits to users, learn how much information can be collected through javascript OS, your screen size, your CPU and much much more.

> Like EVERYONE IN THE WORLD, we log user actions—this is what EVERY SINGLE WEBSITE OWNER does,
You are (supposedly) a darknet market not everyone in the world. No other top market does this. If they did, they would do it in the backend not send requests every time. Lack of skill.

> We have never had any connection to Amazon
Explain to your users why doing the command I showed with curl results in you showing Amazon headers. You must be the PR person for the market because you offered no counter to the technical proof I provided.

> PGP is also used by us, but we’re against forcing it
Nobody said to force it. It was said to not promote SHA256 server side encryption. At very least ask your monkey coders to auto encrypt to vendor PGP which isn't best but offers a balance. You want some free education why? Read the story of Incognito admin how he extorted. Your team is so unprepared it is laughable in a jerk circle liking each others extremely smart posts.

> The IP? That’s just laughable. You can take that IP, the host’s name, and run to Europol—it has nothing to do with us.
You were shown mercy by me not posting all of your other IPs and servers. You can try to damage control and try to deny this but your reputation is in the toilet.

> Nobody will delete your post; you’ve already humiliated and ridiculed yourself
I'm almost certain Bazaar is a troll market. Nobody is this stupid I'm actually concerned about the real people around you and spreading this aura of stupidity. When you are shown proof and specific examples you say this is false but they exist anyone can check.

> We have the strongest team at the moment
Strongest in smoking meth and receiving anal penetrations of your site by random users. You take it very well, the strongest taking.

> the best IT team
That's why you got exposed twice and you were banned from Dread. Because you couldn't do basic requirements like have no javascript. Very elite coders.

> Nobody will engage in pointless bickering with you; we won’t stoop to your level.
It is good to know now your users know their security is pointless for you. You are either police or true retards in the medical sense.

> We are also open to discussing real issues, not fantasies, and for that, we have a bug bounty program.
You were shown issues but instead of accepting and reviewing it like men you decide to deflect it like a bitch and take zero responsibility. Speaks a lot about your character or lack thereof.

The people who choose your market and services they have been warned by me and others. Everything which happens after is their own responsibility.

I don't have anything else to say everything was explained very clear if you can't or refuse to understand and accept it, your users both buyers and vendors will suffer from your ignorance and carelessness.

 

[Faradey]

I’m not a doctor, but you clearly have some issues if you think anyone will fall for your ridiculous provocations. I strongly recommend you buy something from this section:
http://bazaarboom567hsuxjspmwurpl7lyx23p7r2byg22vwfhv5yubvvezid.onion/catalog/pharmacy

I can give you a free $100 coupon, do u want?

 

[mewnmewamine]

"Like all other marketplaces"

Bro seriously stop

 

[Faradey]

 

[marekzmarek]

@Yugong what is the reason for U to register on that forum??

 

[pshcrmth]

A: looking for attention / B: Black PR

 

[marekzmarek]

looks like that

 

[pshcrmth]

ayyy!

 

[pshcrmth]

 

[pshcrmth]

Bb and Bazaar are so bad like drugs itself. Or even damn, worse