The underlying infrastructure and clearnet IP address of popular dark web drug marketplace DrugHub was exposed following a major OSINT (open source intelligence) blunder by the site’s developers. An unofficial clearnet domain and a Jabber server running on the exposed IP address were also discovered.
The discovery was made by EvilRabbit, who first examined the EXIF metadata of the images on the DrugHub website, starting with the logo. This is already an OSINT blunder, as it allows anyone with access to the images to track down their source, or at least to learn how and where the images were produced. In their writeup, EvilRabbit explains that every image except the website’s favicon was either created or edited with Adobe software.
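As an added example (not code from the article or from EvilRabbit's writeup), the following stdlib-only Python check reads the EXIF Software tag that names the editing application, and pairs it with a scrub that removes the EXIF segment before an image is published. The sample JPEG is constructed inline so the check runs offline.

```python
import struct

SOFTWARE_TAG = 0x0131  # TIFF/EXIF "Software" tag (ASCII): names the application that produced the file

def _segments(jpeg):  # yield (start, end, marker, payload) for each segment before the scan data
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI / SOS: no metadata segments follow
            return
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # length includes its own 2 bytes
        yield pos, pos + 2 + seg_len, marker, jpeg[pos + 4:pos + 2 + seg_len]
        pos += 2 + seg_len

def _software_from_tiff(tiff):
    endian = ">" if tiff[:2] == b"MM" else "<"  # byte order from the TIFF header
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):
        e = ifd0 + 2 + 12 * i
        tag, typ, n, val = struct.unpack(endian + "HHI4s", tiff[e:e + 12])
        if tag == SOFTWARE_TAG and typ == 2:  # values longer than 4 bytes are stored at an offset
            data = val[:n] if n <= 4 else tiff[(o := struct.unpack(endian + "I", val)[0]):o + n]
            return data.rstrip(b"\x00").decode("ascii", "replace")
    return None

def exif_software(jpeg):
    """Return the EXIF Software string of a JPEG, or None if the file carries none."""
    if jpeg[:2] != b"\xff\xd8":
        return None
    for _, _, marker, payload in _segments(jpeg):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return _software_from_tiff(payload[6:])
    return None

def strip_exif(jpeg):
    """Return a copy of the JPEG with every EXIF APP1 segment removed; publish this copy."""
    out, keep_from = bytearray(), 0
    for start, end, marker, payload in _segments(jpeg):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            out += jpeg[keep_from:start]
            keep_from = end
    out += jpeg[keep_from:]
    return bytes(out)

def build_sample(software):  # constructed minimal JPEG with one EXIF Software entry (string > 4 bytes)
    sw = software.encode() + b"\x00"
    entry = struct.pack(">HHII", SOFTWARE_TAG, 2, len(sw), 26)  # value lives at TIFF offset 26
    app1 = b"Exif\x00\x00MM\x00\x2a" + struct.pack(">IH", 8, 1) + entry + b"\0\0\0\0" + sw
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Running `exif_software` over every image in a site's static assets before deployment catches this class of leak; `strip_exif` only drops the EXIF APP1 segment, so XMP or IPTC blocks in other segments still need their own check.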
Additionally, on its website, DrugHub lists a primary .onion address, a clearnet link, and a permanent mirror. The site’s clearnet mirror is currently secure behind Cloudflare, but in November 2024 it was hosted at the IP address 186.2.171.6. Investigating the domains associated with that IP address turns up a Jabber server running on the same host.
Jabber is a popular XMPP-based service cybercriminals use for secure and anonymous communication. While the website explains how to connect to the Jabber server on port 5222, the same server is also reachable on port 5222 at the aforementioned clearnet IP address. To make matters worse, searching Fofa for the site’s exact Onion-Location header turns up another previously undisclosed clearnet mirror.
Finally, the server at 186.2.171.6 is located in Dubai. The UAE and the US signed a bilateral treaty for criminal extradition in February 2024. Given the UAE’s dislike for drug use in the country, there is little standing in the way of the US Department of Justice forcing the Dubai-based server owner to hand over the data to the US Embassy in Moscow.
This means there’s a good chance an investigation into DrugHub is underway, and law enforcement has already found its way inside its servers. A laundry list of URLs related to the website, including both clearnet and onion links, has also been exposed in the process.
However, the clearnet platform the IP address reveals redirects to servers and websites the service publicly advertises. Only time will tell whether this exposure will cost DrugHub.