DNL

Several People Have Hacked “Alien Market”

Alien Market, which is a very serious darkweb marketplace, has been hacked.

Someone has hacked Alien Market and dumped the database containing the usernames and passwords of registered users.

Listings on Alien Market

The darknet market link distribution site Dark Eye has changed the status of Alien Market to “the market has been hacked and the database leaked.”

Dark Eye believes the market has been hacked.

From a guy in the comments:

“Not allegedly. And not someone, multiple people have over the past months. The credentials obviously work, nearly every parameter was vulnerable to SQL injections and the passwords were saved in cleartext. The server also holds a git repository with material, which could possibly lead to the market admin’s identity. It was an absolute shit hole. I posted about the vulnerability months ago on Dread, took long enough for someone to leak it. Looking at the market, this shouldn’t be the most shocking part. Trying the same credentials from both customers and vendors on Dread and other markets is scary though. You can also tell by looking at the passwords, that they are all being reused.”

The login information for Alien Market “vendors” appears in the text file containing dumped usernames, passwords, and withdrawal pins. Someone has tested many of the logins, and they purportedly work.

Usernames, passwords, and pins
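
The two flaws reported above (request parameters open to SQL injection, passwords stored in cleartext) are shown here next to their fixes. This is an added example, not code from the market or from this site; the schema, account name, password, and test input are all constructed, and the PBKDF2 iteration count is an assumption.

```python
import hashlib, hmac, os, sqlite3

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor
CONSTRUCTED_INPUT = "0 UNION SELECT name, password FROM users"  # constructed test value

def kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def build_db(hashed: bool) -> sqlite3.Connection:
    """In-memory database with constructed rows (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE listings (id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password)")
    db.execute("INSERT INTO listings VALUES (1, 'sample listing')")
    password = "correct-horse-example"
    if hashed:  # store salt || derived key instead of the password itself
        salt = os.urandom(16)
        password = salt + kdf(password, salt)
    db.execute("INSERT INTO users VALUES (?, ?)", ("example_vendor", password))
    return db

def listing_vulnerable(db, listing_id: str):
    # Flaw: the request parameter becomes part of the SQL text.
    return db.execute(
        "SELECT id, title FROM listings WHERE id = " + listing_id).fetchall()

def listing_safe(db, listing_id: str):
    # Fix: accept only a short run of ASCII digits, then bind the value as data.
    if not (listing_id.isascii() and listing_id.isdigit() and len(listing_id) <= 18):
        return []
    return db.execute(
        "SELECT id, title FROM listings WHERE id = ?", (int(listing_id),)).fetchall()

def verify(db, name: str, password: str) -> bool:
    row = db.execute("SELECT password FROM users WHERE name = ?", (name,)).fetchone()
    if row is None or not isinstance(row[0], bytes):
        return False
    salt, stored = row[0][:16], row[0][16:]
    return hmac.compare_digest(stored, kdf(password, salt))

if __name__ == "__main__":
    print(listing_vulnerable(build_db(False), CONSTRUCTED_INPUT))  # cleartext row leaks
    print(listing_safe(build_db(False), CONSTRUCTED_INPUT))        # nothing returned
    print(verify(build_db(True), "example_vendor", "correct-horse-example"))
```

A six-digit withdrawal pin has only a million possible values, so hashing alone does not protect it once the table leaks; it also needs attempt limiting on the server side.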

Some believe this market is a scam!

Alien Market reviews on Dark Eye

The market’s FAQ is a goldmine:


How to open an account with alien market?

Opening an account is fast and easy.

All you need is a simple user name like “niman541” or any other suggestion that you would like as a password or any of the numerical numbers or pin like “542178” or “3215478” of any of your choosing.

Click on creates account and then login using the username and password you just created.

How to deposit and withdraw BitcCoin?

One will be able to deposit a the created/ registered account. After depositing, the transaction will take about 15-20 minutes to show the new balance of the account. If in the wallet, the current amount is lower than 17 dollars the balance will not be able to be displayed. The withdrawal fees will charge $27. Any amount lower than 27 dollars, will warrant no amount to be credited.

Why is the market sometimes offline?

We are working uninterruptedly on fixing the the mentioned problem hence the reason why the market will be offline as the fixing is carried out. Your patience is highly appreciated. The wallet and your account transactions are safe, no need to worry. The market will soon be back online!

I cannot login I forgot my login username/password?

Please take note, save or take a screen-grab of your login details to avoid losing or forgetting them. One will not be able to recover the login credentials because there is no option to contact admin. The admin is only able to be contacted on special cases like when settling and resolving disputes.

How long does it take to solve a dispute?

It can take about 24- 48hours. Sometimes its faster than the mentioned period depending on the severity of the dispute.

Why was my account suspended?

In order to identify if your account has been suspended. Below are reasons for  the suspension:

Sharing of personal contact information

A request from our abuse department in regards to violating our acceptable Usage Policy. This may involve human trafficking, hit-man service, child porn or even in negatively affecting other(s) characters or well being(s).

The asking of free tests in this site is prohibited hence will lead to ones account being suspended.

Direct deals on this site are prohibited and will make your account viable for suspension.

Scamming is prohibited on this site hence will cause your account to be viable for suspension.

What is a PGP message?

A PGP message cannot be read or seen by anyone until the message has been encrypted with a PGP key which is more secure. An alien market has the PGP encrypted system that is used in messaging from one account to another securely.

Wallet: Market main wallet is an offline wallet, your coin is safe and don’t worry about any exit scam, withdrew fee 27% and order commission 3%, dispute and refund no commission balance will add to your account automatically.

Freedom: Dark web market means you can have anything, we have no rules. You can buy and sell any product, but only, we do not allow child porn, hitman service, kidnap human trifling, because it does not look nice, plus, not a human minable work.

Disput: click my profile then click my purchase click Invoice id number what you have paid then CLICK Please to see your order then click Raise Dispute Request!

Edited on September 13 to reflect the fact that multiple people have hacked the market.

23 Comments
It's Called We Engage In A Mild Amount of Tomfoolery
9bddc5c4
e71f7da0 Tue, Sep 13, 2022

oh my god

ccf38a55
18172050 Tue, Sep 13, 2022

Not allegedly. And not someone, multiple people have over the past months. The credentials obviously work, nearly every parameter was vulnerable to SQL injections and the passwords were saved in cleartext. The server also holds a git repository with material, which could possibly lead to the market admin’s identity. It was an absolute shit hole. I posted about the vulnerability months ago on Dread, took long enough for someone to leak it. Looking at the market, this shouldn’t be the most shocking part. Trying the same credentials from both customers and vendors on Dread and other markets is scary though. You can also tell by looking at the passwords, that they are all being reused.

0b985116
ebf5cdc0 Tue, Sep 13, 2022

Yeah there are certainly some reused usernames and passwords in there, I hear.

9153cda2
65f0f2f0 Tue, Sep 13, 2022

“You can also tell by looking at the passwords, that they are all being reused.”
Why can you / one tell that?

44459bee
7573e8a0 Tue, Sep 13, 2022

Why can you / one tell that?

It is more of a guess, confirmed by trying it out. If people use password managers, they usually generate the password and it is obviously in most cases not hard to differ between a password that has been randomly generated and a password someone came up with on their own, both by length and the content. If they have passwords like supergod123 for example, you can be damn sure they don’t create a password like that for every single market or site. Imagine having to remember them all. And if you use a password manager, why use shitty passwords like that and even take the time to create them?

102059c6
224a8320 Tue, Sep 13, 2022

Thanks, right. Does LE actually look for known passwords if reused on other sites, apps (also clearnet,…)? (I do not want to question using individual and good passwords on websites with prohibited activity and of course there are also non-LE hackers)

df77f3dc
514c5d60 Tue, Sep 13, 2022

yes, they have done it during darkweb investigations in the past. See the Hansa/Alphabay investigation where LE signed into Dream accounts with shared creds.

de8f6b73
051d2550 Tue, Sep 13, 2022

I would guess they do + see df77f3dc.

I think there is something more interesting they can do though than logging into other accounts. If I was an investigator in a dark web case, I would pick passwords that stick out (as in looking like they are being reused, not having a dark web reference in it or alike and be unique enough to not be used by thousands of people) and run them through a breach database. Much more powerful to suddenly have a breached login with the mail john.bellington@gmail.com than accessing another dark web account with the same pseudonym.

2a0c7e3a
04f3cf60 Fri, Sep 16, 2022

true, but they don’t ask lets say facebook, if someone uses this password / user name there

a3e06d76
0c8a8590 Tue, Sep 13, 2022

text files, not even once

125d7428
3a20f7e0 Tue, Sep 13, 2022

ayo dnl u trust dark eye?

alien sound lame as hell imo

if me was finna makin a site would u list it dnl?????

🥺
👉👈

ce86b3fd
4e9b9870 Tue, Sep 13, 2022

You launching DonkeyBay now huh

75e2b778
9c972a10 Tue, Sep 13, 2022

ayo donkeybay sound dumb as hell i was gonna call it assbay dawg?

so is u gon research it so future generations can know how great assbay was an how they got hot dumps from it?

a3dbf1bb
0bd7a1f0 Tue, Sep 13, 2022

But their website is very vulnerable, the ID parameter is a vulnerable entry point. It smells like federal.

f7306805
7e9a9bc0 Wed, Sep 14, 2022

I saw this being skilled for the first time this week. Coincidence or failed exit scam after they realised?

d68d60b4
32e8c9e0 Wed, Sep 14, 2022

it looks like some rookie has made the site
1 min silence for the admin

28fec8de
68be1840 Wed, Sep 14, 2022

Fed honeypot

8716da31
39ad2cb0 Thu, Sep 15, 2022

by the way only me not several people

75c44aa6
d3a3be00 Fri, Sep 16, 2022

give me ur contact info lol

9830b321
a9e365e0 Fri, Sep 16, 2022

sure dude take my info
