Searchlight Cyber Analysts

Tor2(Run Out The Back)Door: Exit Scam or Seizure?

We take a closer look at Tor2Door as the illicit market, one of the biggest on the dark web, goes quiet.

What is Tor2Door?

Tor2Door was a very popular dark web market. It mostly specialized in the sale of drugs but was also an active hub for fraud and other cybercriminal activity. Launched in January 2020, it was notable for being one of the longest-standing marketplaces of its type, especially after the closure of fellow veteran ASAP earlier this year. According to our telemetry, there were more than 19k marketplace listings on Tor2Door last year, advertised by more than 900 vendors.


Why do people think Tor2Door is closed?

The first alarm bells about Tor2Door began ringing on the dark web forum Dread as early as September 14, 2023, when a user on the Tor2Door subdread highlighted that the market’s “mirrors don’t work”. “Mirror” refers to versions of the site hosted on different onion addresses (and sometimes entirely different networks, such as I2P), a technique used to mitigate the impact of DDoS attacks as well as distribute traffic coming from legitimate users. A Tor2Door vendor confirmed that they were also unable to access any links.

The next few days saw users pleading with Tor2Door administrators and staff to respond, expressing frustration at the inability to make withdrawals, and speculating that the market’s operators had “exit scammed”. An “exit scam” refers to the admins withdrawing funds from a marketplace – held in on-site wallets or in escrow pending order completion – and disappearing. The anonymizing nature of Tor and other privacy networks makes exit scams an occupational hazard of buying and selling on dark web marketplaces. High-profile markets such as Empire, Yellow Brick and the second iteration of AlphaBay are all believed to have closed in similar fashion.

Buyers aren’t the only ones unsettled by Tor2Door’s downtime. We have also observed “official” Tor2Door vendors on Dread questioning the downtime, asking for advice, and discussing the possibility that the admins have exit scammed.

Exit scam, bug, or seizure?

An exit scam isn’t the only potential explanation for Tor2Door’s sudden departure being circulated in the dark web underground. Initially, market staff members and optimistic users were promoting the claim that the admins had found a “mega-bug” in the site’s code and the downtime was only temporary while maintenance took place.


Other, more skeptical netizens hypothesized that the market leadership had been arrested and seizure was imminent, primarily evidenced by past examples of poor OPSEC on their behalf. If this is the case, it likely won’t be confirmed for several weeks or months due to the nature of law enforcement investigations.

What happens next?

While there is a possibility that Tor2Door will return, that scenario is looking increasingly unlikely. Unfortunately, there are plenty of criminal marketplaces on the dark web ready and waiting to capitalize on Tor2Door’s market share.

Indeed, rival markets such as Cypher and Dark Matter have been posting on Dread to attract Tor2Door “refugees” – i.e. vendors and customers who are now looking for a new outlet to buy illegal goods and services.

One competitor is even offering $150 worth of coupons as an offer to “help offset losses”, encouraging Tor2Door users to sign up.

The ever-shifting makeup of the cybercriminal ecosystem means that other markets will quickly come forward to fill the void left by Tor2Door, just as Tor2Door took advantage of previous markets disappearing. The lifetime of dark web marketplaces is short. Tor2Door’s three-year run is seen on the dark web as a long tenure.

This fast pace of change makes it imperative for law enforcement and cybersecurity professionals to continuously monitor the dark web for market developments. Early knowledge of Tor2Door’s downtime can help law enforcement continue to track vendors as they migrate to new marketplaces and restart their criminal operations.
