The Versus Market, one of the most prominent English-speaking criminal darknet marketplaces, is shutting down after a severe vulnerability was discovered that might have given access to its database and disclosed the IP addresses of its servers. 

Dark web markets must keep their physical assets secret when performing illicit operations online; otherwise, their operators risk being identified and arrested. The same is true for users and vendors who must stay anonymous while utilising these unlawful sites. Anything that undermines their faith in the platform to secure their information makes it exceedingly dangerous. Apparently, after discovering these flaws, the Versus operators opted to pull the plug themselves, considering it too unsafe to continue. Versus debuted three years ago and quickly gained traction in the hacking world, offering drugs, coin mixing, hacking services, stolen payment cards, and exfiltrated databases. 

Versus went offline to undertake a security assessment, as the website claims it has done twice previously, in response to concerns of serious problems or possibly real hacking. Users were concerned that the Versus was executing an exit scam, that the FBI had taken over the site and other common assumptions that follow these sudden moves. However, the platform's operators soon reappeared, announcing the closure of the marketplace. 

The following PGP-signed message was uploaded by a Versus staff member who is one of the major operators: "There is no doubt that there has been a lot of concern and uncertainty regarding Versus in the last few days. Most of you that have come to know us have rightfully assumed that our silence has been spent working behind the scenes to evaluate the reality of the proposed vulnerability. After an in-depth assessment, we did identify a vulnerability which allowed read-only access to a 6+-month-old copy of the database as well as a potential IP leak of a single server we used for less than 30 days. We take any and every vulnerability extremely seriously but we do think that it's important to contend with a number of the claims that were made about us."

"Specifically of importance: there was no server pwn and users/vendors have nothing to worry about as long as standard and basic opsec practices have been utilized (for example, PGP encryption) Once we identified the vulnerability, we were posed with a fork in the road, to rebuild and come back stronger (as we had done before) or to gracefully retire. After much consideration, we have decided on the latter. We built Versus from scratch and ran for 3 years." 

The letter concludes with a note to platform providers, pledging to post a link allowing them to make transactions without time constraints, permitting the return of escrow amounts. 

Versus was revealed for IP breaches in March 2020, and then in July 2020, a large Bitcoin theft from user wallets occurred. In all situations, the platform accepted responsibility for the errors and was extremely open about what occurred. Versus was able to grow and become a significant marketplace in terms of user numbers and transaction volumes as a result of this. 

However, the operators most likely recognised that the risk of exposure was too considerable to continue. It remains to be known if or not personnel of law enforcement has already exploited the current vulnerability in the next weeks/months.