Security-conscious darkweb crime marketplaces institute world-leading authentication practices

If you are a seller on Alphabay — a darkweb site that sells "drugs, stolen data and hacking tools," you'll have to use two-factor authentication (based on PGP/GPG) for all your logins.

What's more, Alphabay requires you to use a unique seven-word phrase to recover passwords (as opposed to easily researched questions like high-school football team, mother's maiden name, etc), and says there is no way to recover a lost password without this phrase. Finally, Alphabay requires a four-digit PIN to transfer bitcoin to your personal wallet.

Alphabay has deployed these measures to prevent phishing, which plagues darkweb markets in the same way that stick-ups plague drug dealers — without access to police investigations and without the threat of legal repercussions, crime sites are themselves prey for other criminals. While other sites have deployed some of these procedures as options for sellers, Alphabay leads the darkweb marketplaces in requiring them.


In this regard, Alphabay has better authentication procedures than Gmail or most US banks (my own US bank only recently dropped its 7-character maximum for its passwords, which were also case-insensitive and couldn't contain punctuation!). As Joseph Cox points out, this doesn't mean that the sites itself are more secure than, say, Google — the latter having an army of security experts, tripwires and IDSes, and the full power of many nations' legal apparatus with which to fight hacking attempts.


The thing is, for all of these companies, two-factor authentication is optional. For AlphaBay vendors, however, irrespective of whether they're selling heroin, rifles, or a piece of malware, they all have to use two-factor authentication. Arguably, that's an improvement over many everyday sites.

Of course, this is not to claim that, say, Google, as a company has worse security overall than an illegal marketplace. Plenty of dark web sites have been hacked over the years, resulting in millions of dollars worth of bitcoin being stolen. But enforcing two-factor authentication when plenty of companies are only just introducing it at all displays an interesting disconnect between the security of illicit and legal sites.

Some Dark Web Markets Have Better User Security than Gmail, Instagram
[Joseph Cox/Motherboard]