Tor Market is a simple darkweb market that was created to make trading on the darkweb less risky than using other well known darknet markets.
2 Factor Authentication: YES
Overview of Tor market
Tor Market is a simple darknet market created to make trading less risky than using the large well known darknet markets. History has shown that the larger a market website grows, the more headwinds it faces to continue operation. When they eventually fail, users often lose a lot of money. The goal of this site is to maintain stability and uptime for the long term.
Many past darknet markets have implemented their wallets live, accessible to the web server so once hacked it is impossible for them to recover. This site implements the wallet and payment systems in a separate location isolated over the TOR network. This is a direct pay market, which means there is no balance of funds maintained on the market.
Tor Market is free for anyone to create a buyer account. To become a vendor a bond payment is required on Tor Market. Bond can be waived for established vendors on Tor Market.
Some features of the market are: 2FA login, no-escrow, single payment for multiple orders, product cloning, stock quantity management, vendor order queue to reduce rate of new orders, custom products for a single buyer, automatic payments to vendors using unique addresses for enhanced privacy, export order list, private URLs, very simple and quick order process, feedback system.
The website operator provides an escrow service and dispute resolution so vendors receive funds after buyers have finalized their orders.
The security of funds is top priority and is achieved by separating the wallet from the web server. The web server has no way to contact the wallet or even know its location. The code is custom written by authors with experience in web application security. PHP is not used.
The market provides a solution for vendors to advertise products and manage the order process, while minimising costs by using a shared platform. Most of the features have been added to simplify order management by vendors, while the buyer feature set is minimal.
Cryptocurrencies supported on Tor Market
Bitcoin, Litecoin, Monero, Zcash are the only payment methods. Vendors set the payment methods they accept on each product. Payments by the market to users are always made in the same currency that the order was paid with.
Read more about the technical differences on Tor Market.
An order becomes paid after payment has sufficient blockchain confirmations. These are the confirmations required for each payment method: BTC: 3, LTC: 10, XMR: 12, ZEC: 18.
Bitcoin transaction basics on Tor Market
Bitcoin is the world’s slowest database and performs only one update approximately every 10 minutes. Each update is a collection of payment transactions and updates are only done by miners. When your bitcoin wallet makes a spending transaction, it will show a reduced balance but the spend has not actually occurred until a miner adds your transaction to the database, usually within the next 10 minutes. Your wallet is broadcasting a request to spend and offering a fee to miners to perform the database update with your transaction. Although your wallet balance is reduced, this is a wallet interface anomaly and you still own/control the funds. After some time, when your transaction is added to the bitcoin database by a miner, this is described as being confirmed or receiving a confirmation. The receiver of the funds cannot spend them before a confirmation has occurred. If your request to spend did not offer a sufficient fee it could take much longer than 10 minutes because miners will ignore your request. It could take days or weeks for your spend to confirm. Many wallet software programs have features to increase the fee to help it confirm faster. More info about this here.
If you have made a bitcoin payment to this market and the payment has no confirmations, the market cannot provide any assistance because the market does not yet own the funds. We can’t return the funds to you because we don’t have them yet. This is confusing for new users of bitcoin because most wallet software shows the funds as being spent when in reality the sender still owns/controls the funds using their wallet, i.e. it is possible to resend the funds to a different address during the time before it confirms. You will need to investigate the features of your wallet to see if the fee incentive to miners can be increased on an unconfirmed transaction to allow altering the spend.
How to avoid your account being hacked or phished
- Bookmark this website and always use the bookmark for future access. Official URLs will always be announced with a PGP signature. If you use links provided by someone else, such as on a forum or wiki, they may be links to a fake (phishing) site which looks identical to the real site.
- Turn on 2FA (two factor authentication). This will require you to decrypt a random string of characters every time you log in and when you change account settings. When 2FA is turned on, the encrypted message shows the legitimate URL. If you compare this to your browser’s URL and it differs, you are logging into a phishing site. This is a very effective way to identify phishing because it is very difficult for the phisher to combat this protection. 2FA also minimizes the impact of a phisher stealing your login details: they can’t change some settings, and it enforces a time limit on how long they can control the account.
The phisher first makes informational clearnet websites about Darknet Market news and links and markets the site to top of Google search results. The links point to their own fake markets.
A fake market phishing site steals your login credentials and presents payment addresses that they own within a real-time fake construction of the market. A more technical name for this would be an “active attack MITM proxy”. The phisher will use your login details to connect their server to the real market and obtain a real-time feed to make you think you are visiting the real site and make you believe nothing is wrong. It is nearly impossible to tell if you are logged into the real site or a phishing site by looking at the content. You must check the URL, especially the characters at the end, just before the “.onion”, to verify a match to the real URL.
If you don’t have a Tor Market bookmark saved, use two or three well known sources for the URL. If all sources show the same URL then it is very probably legitimate.
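The URL comparison described above, as an added example that is not the market's own code: it compares the whole v3 onion label of the URL you see against a bookmarked (pinned) one and reports where they diverge, and uses the v3 address checksum to catch typos in a copied address. The function names and both sample addresses are constructed for this illustration.

```python
import base64
import hashlib
from urllib.parse import urlsplit

ONION_SUFFIX = ".onion"


def make_onion(pubkey: bytes) -> str:
    """Build a v3 onion hostname from 32 key bytes (only used to construct samples)."""
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    label = base64.b32encode(pubkey + checksum + version).decode("ascii").lower()
    return label + ONION_SUFFIX


def onion_label(url_or_host: str) -> str:
    """Extract the 56-character label in front of '.onion' from a URL or bare host."""
    text = url_or_host.strip()
    if "://" not in text:
        text = "http://" + text
    host = (urlsplit(text).hostname or "").rstrip(".")  # hostname is lower-cased
    if not host.endswith(ONION_SUFFIX):
        raise ValueError("not a .onion host")
    # Subdomains do not change which onion service is reached, so ignore them.
    return host[: -len(ONION_SUFFIX)].split(".")[-1]


def validate_v3_label(label: str) -> None:
    """Check length, base32 encoding, version byte and checksum of a v3 label."""
    if len(label) != 56:
        raise ValueError("v3 onion labels are 56 characters long")
    try:
        raw = base64.b32decode(label.upper())
    except ValueError as exc:
        raise ValueError("label is not valid base32") from exc
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != b"\x03":
        raise ValueError("unexpected version byte")
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    if checksum != expected:
        raise ValueError("checksum mismatch (typo or corrupted copy)")


def first_difference(a: str, b: str) -> int:
    """Index of the first differing character, or -1 if the strings are equal."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


def verify_login_url(seen: str, pinned: str):
    """Return (ok, reason). ok is True only if every character matches the pin."""
    try:
        seen_label = onion_label(seen)
        validate_v3_label(seen_label)
        pinned_label = onion_label(pinned)
        validate_v3_label(pinned_label)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    pos = first_difference(seen_label, pinned_label)
    if pos == -1:
        return True, "matches pinned address"
    return False, f"differs from pinned address at character {pos + 1} of 56"


def with_typo(host: str) -> str:
    """Change one character inside the checksum part of the label (sample data)."""
    label = host[:56]
    swap = "a" if label[52] != "a" else "b"
    return label[:52] + swap + label[53:] + ONION_SUFFIX


# Constructed sample addresses; none of them is a real service.
PINNED = make_onion(bytes(range(32)))
# Shares its first 8 characters with PINNED, so a glance at the start is not enough.
LOOKALIKE = make_onion(bytes(range(5)) + b"\xff" * 27)

if __name__ == "__main__":
    for url in (
        "http://" + PINNED + "/login",
        "http://" + LOOKALIKE + "/login",
        "http://" + with_typo(PINNED) + "/login",
        "http://example.com/login",
    ):
        print(verify_login_url(url, PINNED))
```

A valid checksum only shows the address was copied without errors; a phishing address has a valid checksum too, so the decision rests on the full comparison against the pin.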
Record this market’s PGP key details in your password manager. If you do this and verify that every order you make has a correctly signed payment address, you will never lose money. It is very quick and simple but few buyers take the 10 seconds to check before they send their money away.
This is the message displayed when your account is created on Tor Market.
There are many fake copies of this market that regularly steal bitcoin from new users that have not verified the URL. Ensure you obtain a valid URL from the forums (link in left sidebar) or a reliable source such as DarknetLive or Dark.fail.
When instructed to pay for an order, the Bitcoin address always begins with a 3. If the Bitcoin address does not begin with a 3 then you have logged into a fake site and will lose your Bitcoin.
Important – Save the Tor Market public key (link /publickey) because it will give you a way to authenticate information in future to avoid being scammed. All orders will show a PGP proof of ownership of the Bitcoin address. If you always verify this proof on every order, you will not lose money to scammers.
Read the help page (/help) and ensure you understand the terms auto-finalize, no-escrow order, finalized order. The meaning is the same across all markets. This market does not provide you with a wallet. You must make a Bitcoin transaction for every order, or set of orders. This is to maximize security so no Bitcoin is stored on the market.
Create your own PGP key and save it in Account Settings. This is needed if you ever forget your Tor Market password.
Explanation of PGP for authentication purposes
PGP solves the problem of proving you are seeing data that was created by the market and not by someone else who is trying to impersonate the market or modify the market. In most cases if you have the correct URL then you can be 99% sure that what you are seeing is real. But suppose the market was hacked, or had a type of bug (XSS) that allowed parts of the site to be altered, or the TOR keys were stolen. These are ways an attacker can change the content of the website you see even when using the correct URL.
Most likely the attacker’s objective is to steal funds, and by market design the only way they can achieve this is to provide buyers with different bitcoin addresses that the attacker owns when ordering. The solution to prevent this: the market provides PGP signatures of the payment addresses on every order. Even if the market is completely taken over by an attacker, if you know how to use PGP to verify data then you can detect that the market is compromised and avoid paying the attacker’s bitcoin address.
The attacker will probably remove the section of the page that shows the PGP signature, so if you don’t see a signature on the order view then you know the market was hacked. Or they will make their own signature with their own key, which will fail validation if you know how to check it.
The verification process: first you need to have saved the market key. The best time to do this is when signing up. But what if the market was already hacked when you signed up? Therefore you need to verify with another source that the key you saved is correct. Visit DarknetLive and Dark.fail to ensure the Tor Market key they store is the same as the key here. Now that you are sure you have the correct key saved, going forward any PGP signature data on this market that you verify will always show it was signed by the key you have saved in your PGP software.
Order states change based on events like payment being received. Some states change automatically such as paid or expired states. Other states such as shipped, finalized are manually set by the vendor, customer or administrator.
This diagram shows all possible state transitions of an order.
When an order is in one of the finalized states, there is no way to reverse the process or make any changes. Funds will have been paid out already and the market is no longer involved. So if problems with the trade remain, the buyer and seller must resolve them themselves.
All orders have an attribute named delivered which should be updated by the customer when their package arrives. For escrow orders it can be updated at the same time as finalizing. For no-escrow orders, click the Delivered button to update it. The delivered attribute has no effect on payments. It is only for informational purposes and helping detect problems with vendors.
When viewing an order or a list of orders, the status field may have a solid border, a dashed border, or no border. Before an order has status paid, it will be either payment pending or expired. In these two states, the border style indicates zero payment, payment less than required, or sufficient payment. The dashed border means payment has been received but is less than required. The solid border means sufficient payment was received and the order state will soon change to paid when it has enough confirmations. No border means no payment seen.
You will need to create a new account to send a support message. Create a PGP clear signed message using the key belonging to the account that needs password reset. By providing a clear signed message, support is able to perform the reset faster on Tor Market.
For buyer accounts PGP is the only acceptable proof of identity. Phishers know everything about their victims so no information you provide can prove your identity other than signed messages.
Note, if you have logged into a phishing proxy website in the past then the phishers will know your password.
It is safe to leave feedback because the system hides the identity of who left the feedback and also what other products that customer purchased. Only the vendor knows which customer left the feedback.
The buyer usernames displayed in feedback are hashes, but additional data (salt) is added to the hash input which differs for each vendor. So the buyer’s hashed username is different for every different product they leave feedback on. This means that a vendor who has received feedback from a customer cannot determine all the other vendors that the customer purchased from by looking at the feedback of other vendors.
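The per-vendor salting described above, as an added example that is not the market's code: it contrasts a plain hash of the username, which links the same buyer across vendors, with a salted pseudonym that does not. Using HMAC-SHA256 keyed with a secret per-vendor salt is this example's assumption, and the usernames and salts are constructed sample data.

```python
import hashlib
import hmac

# Constructed per-vendor salts. Assumption: 32 random bytes per vendor, stored
# server-side only; fixed values are used here so the output is reproducible.
SALT_VENDOR_A = bytes.fromhex("11" * 32)
SALT_VENDOR_B = bytes.fromhex("22" * 32)

# Constructed sample data: buyers who left feedback for each vendor.
BUYERS_VENDOR_A = ["alice_k", "bob77", "carol.x"]
BUYERS_VENDOR_B = ["bob77", "carol.x", "dave_9"]


def unsalted_pseudonym(username: str, length: int = 12) -> str:
    """Plain truncated hash: identical for the same buyer on every vendor page."""
    return hashlib.sha256(username.encode("utf-8")).hexdigest()[:length]


def feedback_pseudonym(username: str, vendor_salt: bytes, length: int = 12) -> str:
    """Pseudonym that is stable for one vendor but unrelated across vendors.

    HMAC is used instead of hash(salt + username) so the salt acts as a key.
    The salt must stay secret: usernames are low-entropy, so anyone holding
    the salt could recompute pseudonyms for a list of candidate names.
    """
    mac = hmac.new(vendor_salt, username.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:length]


def public_feed(buyers, vendor_salt=None):
    """Pseudonyms as they would appear next to feedback on one vendor's page."""
    if vendor_salt is None:
        return [unsalted_pseudonym(b) for b in buyers]
    return [feedback_pseudonym(b, vendor_salt) for b in buyers]


def shared_pseudonyms(feed_a, feed_b):
    """Pseudonyms visible on both pages, i.e. buyers an observer can link."""
    return set(feed_a) & set(feed_b)


if __name__ == "__main__":
    plain = shared_pseudonyms(public_feed(BUYERS_VENDOR_A), public_feed(BUYERS_VENDOR_B))
    salted = shared_pseudonyms(
        public_feed(BUYERS_VENDOR_A, SALT_VENDOR_A),
        public_feed(BUYERS_VENDOR_B, SALT_VENDOR_B),
    )
    print("linkable buyers without salt:", len(plain))
    print("linkable buyers with per-vendor salt:", len(salted))
```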
Market rules and policies
Product listings must be medications, drugs and drug paraphernalia.
No fentanyl or its analogs.
No fake drugs or inaccurate descriptions.
No USA vendors on Tor Market.
No impersonating other vendors. Avoid similar vendor names.
Do not deceive other users of the system on Tor Market.
Do not program automated requests without asking permission first.
Personal information in messages, orders, and support tickets must be encrypted with PGP. This includes tracking numbers, and address details.
If a vendor does not visit this site for 7 days and is not in vacation mode, their product listings may be automatically disabled.
The administrator may remove product listings and disable accounts to enforce these rules.
Payments owing to buyers from refunds, expired, or declined orders will be held for 21 days waiting for buyer to enter the wallet address. After 21 days the funds may be removed from the system.
Russian vendors can request a lower commission rate of 3.5% on Tor Market.
Do not create orders that are left deliberately unpaid.
When you receive your package, promptly Finalize to expedite vendor receiving their payment.
Do not send spam messages to vendors. Messages should be product related.
Feedback left on an order should be specific to that order. Therefore you should not alter historical feedback from good to bad based on a newer order.
New vendors go through a trial period to assess their suitability on this market and if there are multiple customer complaints their ability to sell and the bond can be revoked. This rule applies even when the vendor is not deliberately scamming, ie they could be ignoring orders and causing problems in other ways. New vendor accounts that appear to have characteristics of scams may be frozen before any orders received and their bond held for six months.
No doxxing customer information.
Vendors must not ask buyers to finalize early unless their account has been given permission to create no-escrow products. Result is immediate account closure with no warnings.
Shipping information such as time between order being placed and expected shipping date must be clearly described in the product listing or vendor profile.
Vendors must not set status to shipped prior to day of shipping.
When accepting an order, the vendor is confirming that they can fulfil the order and delivery details could be decrypted, and shipping options are correct.
When you have products available for sale, you need to login every 4 days to avoid orders being withdrawn by the customer.
Only make products available for sale if you have the product ready to ship. Occasionally you may sell out elsewhere so can’t fulfill an order. Vendors who decline orders are reviewed and may lose vendor status if it happens without good reason.
The vendor must respond to a customer’s refund request through Tor Market messaging and maintain consistent communication until the issue is resolved, otherwise escrow funds will be paid to the buyer.
When vendors are out of stock for an extended time they should hide the product listing to keep the site uncluttered. Please try to minimize products showing that are not purchasable.
Only one product listing per product is necessary. Clones and duplicates should be made hidden or configured with a custom buyer.
Avoid use of all-caps when listing products and make it descriptive of the product. ie “MDMA” is acceptable but not “MOLLY ON SALE NOW SHIPPING NEXT WEEK”.
No advertising for direct deals or listing products that are advertisements for another website.
Asking users to communicate directly with you (ie wickr) is deemed suspicious because scammers typically use this technique. Keep communication on the market because if any disputes occur they will be resolved easier.
You are advised not to run multiple accounts selling the same product. Operating multiple vendor accounts is permitted but if they sell the same product, it can appear suspicious and it wastes the customers time. The market may decide to close down your accounts to avoid wasting customers time.
Buyer help on Tor Market
There are no fees for buyer accounts. Vendors pay a commission on their sales.
Each product purchase results in a separate order and each order has a unique bitcoin (or litecoin) address. The usual method of payment is to pay each order’s bitcoin address. There is no shopping cart but orders can be aggregated into a group for payment; this is described next. When bitcoin transaction fees are high, paying for multiple orders can be expensive. If you have multiple orders to pay, it can be more efficient to use a wallet that supports paying multiple bitcoin addresses in one transaction. This is called payment batching and will allow you to pay less in bitcoin transaction fees.
There is also a Tor Market feature called multipay. The market allows you to pay for two or more orders by paying a single bitcoin address. This is even cheaper than payment batching. To use multipay, first create two or more unpaid orders. Now at the top of the order list, a button will show ‘Multipay using bitcoin’. Clicking this will show instructions on how to pay all your unpaid orders with one payment. Basically, it sums the total owing of selected payment pending orders. If this total is paid to the bitcoin address of the oldest payment pending order the server will change all those orders to paid.
There are some differences to be aware of when using multipay compared to standard order payments. Although the market accepts over-payments both for standard orders and multipay, any over payment with multipay is absorbed by the market. Vendor payouts from multipay orders are always set using the order price. Therefore, if you pay extra thinking the vendor will receive extra, they will not. The vendor will always receive the same payout amount no matter what you pay. Same with refunds – the maximum refund amount is the order price.
Using multipay can help buyer privacy on the public blockchain. The benefit occurs when ordering from different vendors and paying them using multipay. The vendor will have difficulty discovering your transaction details like your source wallet address because they do not know how much you paid in the multipay transaction.
Signed payment addresses
The payment address you see on an order is unique and will not exist yet on the blockchain. The order shows you a PGP signature of the order address. Buyers should verify that the PGP signature is valid and signed by the Tor Market key. Provided the signature is valid you can be sure your funds are being sent to the correct wallet and not an address belonging to a hacker or scammer on Tor Market.
Expired, under-paid and over-paid orders
When the order is created you lock in a price, then have 24 hours to ensure payment confirms on blockchain. If payment is received after the payment window expires, your order will be set to state expired.
If payment arrives within the 24 hour period, the vendor is obligated to process your order. Past 24 hours, the exchange rate may have changed too much from when the order is created and the vendor should have the option on whether to process the order or not. When the order expires the vendor has another fixed time delay where they can choose to process the expired order. During this time the buyer cannot configure a refund. If the vendor chooses not to process the order, then the buyer can enter a refund address after the fixed time delay.
When orders are under-paid they will also become expired. If you have under-paid, then make additional payments to the same order address to cover the order price. There is no problem if you over-pay an order, but once status is paid you cannot be refunded any overpayment unless the vendor declines the order.
Vendors have the ability to convert expired orders into paid. They can also make payment pending and expired orders change to paid when an order is slightly under-paid.
Ensure your payment transaction has a sufficient fee to allow it to confirm on the blockchain before the order expires. Some wallets have RBF (BIP125) support which allows the payment to be sent again with a higher fee to speed up confirmation.
If you are manually choosing the fee to use on your bitcoin transactions then this site is helpful http://core.jochen-hoenicke.de/queue.
Sometimes the blockchain can become congested and orders may expire due to having zero confirmations in the 24 hours after order creation. In this case the market cannot do anything until the payment receives a confirmation. Once funds confirmed, vendors have the chance to process the expired order and after that, the market can return funds to buyer if vendor doesn’t process the order. The bitcoin protocol allows you to reverse the transaction if it has zero confirmations and return the funds to your wallet (double spend to replace the prior transaction). But if your wallet does not support this action, the funds are stuck in limbo until they eventually receive a confirmation.
Expired orders are generally refunded to the buyer unless the vendor or admin makes it become paid. The buyer enters their refund address on the order view page.
Tor Market Payments to already paid orders
Once a vendor accepts an order, the market will not register any further payments to the order address. Vendor receives the amount of money that was shown as being received at time of accepting.
So if you keep paying old order addresses of finalized orders (or shipped, accepted orders) then the money is lost. The market system will not be aware of more payments made. Any transaction that does not have the required number of confirmations at the time vendor accepts, is ignored and will never register receiving the funds.
With crypto-currencies you must be very careful about paying the correct address because transactions are irreversible, and the blockchain has no safety for mistakes.
Encrypted postal addresses
It is strongly recommended to use PGP to send postal address details on Tor Market. Other darknet markets have been compromised and customer postal details exposed because the customer did not encrypt their address. If you don’t want to install PGP then there are web based alternatives for encrypting messages but those sites may record what you encrypt. ie https://sela.io/pgp/
The address field can be left empty when ordering products such as ebooks or when you have already given the vendor your address.
Old orders and deleted orders will have the address field deleted from the database to further increase privacy.
Auto-finalized orders on Tor Market
Orders autofinalize one week after they are shipped to ensure vendors receive payment when the buyer forgets to finalize the order. The Extend autofinalize button will delay autofinalizing when you are still waiting to receive the product. This option appears in the three days leading up to the autofinalize date.
Finalizing before receiving the product bypasses escrow and there is no way to be refunded.
No escrow orders
A single product listing may have both escrow and no-escrow price options. “Escrow: no” or “Escrow: optional” will show on the product listing. When a no-escrow order is chosen, after being paid the funds are immediately allocated to the vendor instead of being held until you finalize. Therefore no dispute resolution is possible – the market cannot assist you with no-escrow orders after the vendor has accepted the order.
If you don’t want the added risk of buying no-escrow, choose a different vendor or ask the vendor if they will create an option to buy with escrow.
When you choose to purchase a no-escrow product you will be warned – This order will automatically finalize upon vendor acceptance. Any shipping problems or disputes will have to be resolved directly with the vendor and the market cannot mediate conditions of sale.
When you receive a no-escrow order, click Delivered button so the vendor and market can keep track of undelivered packages, and provide an early warning of problems to other buyers.
When the order status is changed to “refund requested”, then the vendor must approve the amount and a payment will be scheduled.
To specify a refund address once order is “admin finalized”, “refund finalized”, “withdrawn” or “expired”, view the order details and look for a button that allows entering the refund address. Refunds will be paid out same day or on the day after you specify the address. Payments occur at a random time. You can expect a confirmation on the blockchain within 24 hours after payment broadcast.
Withdrawing and cancelling orders
During the first hour after order creation, the order may be cancelled provided no payment is seen. Use this feature if you made a mistake choosing options for the order. Cancelled orders do not allow refunds so it is important to never pay funds to a cancelled order. After the first hour the order cannot be cancelled and it can only be removed by waiting until it expires. Once expired it can be deleted.
Sometimes a vendor will go missing and you may decide to be refunded instead of waiting for the vendor to return. After 72 hours (3 days) you will have the option to withdraw the order. Click the Withdraw button and you will be able to enter a refund address. They are given three days because during weekends the vendor may not login to accept new orders.
Vendor accounts cannot make purchases. This is to prevent de-anonymisation of vendors.
Vendor account creation and bonds
Register a new account with no purchase history – there is a reason markets keep buyer and vendor accounts separate. With the new account, purchase the bond. Once the bond is paid, your account will change to vendor type within ten minutes. The bond is refundable (the exact amount paid is returned) after six months from the purchase date if a good sales history is established. To be eligible for the refund, the account must have generated some sales. The bond is to dissuade the vendor from trying to scam customers and the bond may be forfeited for breaking the rules.
Also the bond will be held and not released for six months if any products appear to be deceptive. Basically if it looks like a possible scam, your account is locked preemptively before you can sell anything. You will receive the bond back after six months because the market could have made a mistake in assessment.
Record the details of the bond payment because when the account is changed to vendor type the bond purchase order will no longer be visible.
Waiving bond for established vendors
13th June 2022 time expectation for processing waiver applications – after you complete the application form it may take one week before it is verified. Usually done during weekends.
Bond waiver is possible when you have a vendor account already on another market. It needs to be recently active with sufficient sales volume and feedback to gauge reliability. To prove identity, load the PGP key into account settings and then either turn on 2FA or else use the verify procedure. Your account displayname and PGP key must match other markets. Complete the application form, then send a support ticket asking for the account to be changed to vendor type.
If you have not been active selling in the last three months on any market, we do not give a vendor account. In that case first establish some recent sales on another market before applying here. Each verification can take over 15 minutes of work due to finding a working URL, CAPTCHAs, creating account, searching for the PGP key and profile, reviewing sales and feedback. There is often a queue of vendors requesting verification. Therefore it could take a week before the verification is done. You need to keep visiting this market while waiting for the verification. If we see you stopped visiting we assume you lost interest and won’t proceed with verification.
Commission is 5% of the funds paid to an order. The only other fee is the withdrawal fee. This changes each week and is displayed to vendors in nav bar. Each time you receive a payment from the market, the withdrawal fee is deducted to cover miner fees.
Stock available must be specified on each product. When orders become paid then the product stock value is reduced automatically until the product listing changes to sold out.
Disabling sales can be done in different ways.
- Vacation mode will disable sales of all products.
- A product stock value can be changed to 0.
- A product can be set to disabled. It will still show in product lists but customers cannot purchase it.
- Using the vendor order queue settings to limit the number of new orders.
Hidden products are only accessible to someone that knows their URL and do not show in product listings. Hidden products can also be located by entering their ID (uuid) into the search box.
Custom buyer products – a product can be configured so only one buyer can see it and purchase it. This option was added to ensure custom products are private and do not show to everyone. The vendor doesn’t need to send the buyer any info about locating a custom product. It appears to the buyer in their product list.
When taking photos for product listings, do not use your everyday phone. Use a dedicated phone/camera. This protects against correlating sets of images taken by the same camera that are publicly accessible on sites such as Facebook.
Examples of how the form fields affect the purchase options the buyer sees.
No escrow products are those which have the no escrow setting enabled. On the product form, each unit price will have a no-escrow checkbox on the right. Without permission, the no escrow checkbox is absent. Historically once a vendor reached 200 orders they could apply for no-escrow permission but this policy was dropped after exit scams kept causing too much trouble. This market will rarely give no-escrow permission now. The vendor would need to have it elsewhere as a requirement, or have exceptional trade volume / revenue. If the vendor meets the criteria and asks for no-escrow, a review of order processing is done (check following rules), and must not have history of disappearing letting orders withdraw, or a lot of declined orders, or complaint tickets.
When the order is finalized by the customer, you need to click Set address on the order view to specify your wallet address for receiving payment. To automate this, you can specify your wallet address in account settings, then you will be paid automatically.
Payments from finalized orders will be processed at least once per day at a random time. If multiple orders have been finalized the amounts owing are summed and you will receive a single payment.
A network fee will be deducted from your payment. The network fee will show in the navigation bar for vendor accounts (if the fee is not zero). The network fee only changes on Monday (UTC time), then remains constant for the week. In most cases, the fee is deducted once per bitcoin transaction. When you have multiple orders being paid out to the same receiving btc address, one bitcoin transaction is used and the fee deducted once. However, if you configure a different bitcoin address on each order and they are paid at the same time in one transaction, you will pay more in fees because the fee is charged for each unique bitcoin address.
When the withdrawal fee is cheap you may want payments sent to you as soon as possible after the order finalizes. But when the withdrawal fee is expensive you can save money by configuring payment settings to send your payments less frequently.
An advantage of receiving your payments less frequently is that your wallet will be cleaner and have fewer UTXOs. This means when you eventually spend from your wallet, the transaction sizes will be smaller (fewer inputs used) so your future spends from your wallet will cost less in miner fees. It also helps with privacy, making it much harder for the buyer to follow the trail of funds to your Tor Market wallet.
After the payments are broadcast by Tor Market, you can expect a confirmation on the blockchain within 24 hours. You can see the transaction id of your payment by viewing the order. To ensure a confirmation in that time frame, payments may be re-broadcast by the market wallet with a higher fee. Most wallets allow spending unconfirmed payments and that could be an option for you if the blockchain is congested and you want to spend the funds without waiting for a confirmation. If you do try to spend your unconfirmed funds, you must set a high fee to ensure a quick confirmation.
When customers over-pay an order, the vendor will receive the over-payment, less commission calculated on the paid amount.
All order payments for every vendor go into the escrow wallet and payments are generally paid out from this same wallet. The source bitcoin addresses of your payment are selected by the wallet algorithm and will be addresses from other orders placed on the system.
Automatic payment settings on Tor Market
Each payment method (Bitcoin, Litecoin, etc) has a settings page allowing vendors to set up automatic payments from finalized orders. You save one or more addresses and your payouts from orders will be paid to these addresses.
The objective of the payment settings is to give vendors control of when they get paid to help minimize withdrawal fees, and to improve privacy by minimizing address re-use. The automatic settings promote the use of fresh addresses being used each day or week. This makes wallet analysis more difficult. It is recommended to uncheck the checkbox option ‘Re-use address’. This option was added to replicate old behaviour when it was not possible to save multiple payout addresses. For Bitcoin and Litecoin automatic payments, you should save multiple payout addresses and keep replenishing the set with new addresses as they get used.
The automatic system does not assign a different address to every finalized order. It uses the same address over a 24 hour day UTC time. The reason is that a separate address for every order would reduce privacy by making amounts easier to spot. It would also cost more in withdrawal fees. Therefore over the period of one day UTC time, it assigns the same address to orders as they finalize.
Every finalized order on Tor Market has a schedule setting (daily, weekly, etc) that determines when the payment will be made. The automatic system sets the schedule onto the order at finalization time, using your current payment settings. It can be changed later by viewing the order and clicking the ‘Set address’ button. Delayed payments such as daily or weekly will be paid just after midnight UTC time.
The Immediate schedule on Tor Market means it will be immediately queued waiting for the remote payment server to synchronize the data set. The payment server runs batches of payments, usually ten or more batch runs daily. Blockchain congestion affects the frequency of payments. More detail is in the receiving payments section.
Disputes and refunds on Tor Market
When the customer wants a refund, the vendor and the customer try to resolve the issue, e.g. by a re-ship, return of goods, or a partial or full refund. The customer can change the refund amount they request. When it is something both parties agree on, the vendor can accept the refund amount and funds are paid out. Or the buyer can cancel the refund request and finalize.
If no agreement is reached, the market decides how to distribute the money in escrow. In the case that the vendor has ignored a refund request, the market may approve the customer's refund after 7 days. The vendor must respond to the customer's refund request in the form of Tor Market messaging and maintain consistent communication until the issue is resolved.
The archive button simply removes the order from the order list and you need to click the Show Archived button to see it. An archived order can be moved back again to the main order list page by Unarchiving it. This can be helpful to keep track of which orders need attention, e.g. shipped orders can be archived so the order list only shows orders that need processing.
Should vendors mix their payments from Bitcoin and Litecoin orders? If you need to spend the funds and that process reveals your true identity, you may want to mix the funds first. Monero and Zcash have privacy features built in to the protocol. The following describes Bitcoin and Litecoin mixing.
Buyers can see funds being paid out to vendors by watching the blockchain. Mixing is the process of making it too difficult to use blockchain analysis alone to follow the funds.
In the first step of being paid by Tor Market, you can avoid the buyer following the funds by choosing to be paid in batches instead of one payment at a time. When paid once a week for example it will be harder for the buyer to see which payment out of the Tor Market wallet was to you.
The cheapest and least risky way is to self mix (rather than using an anonymous service) but the process is time consuming. This is done by holding accounts on several websites that allow bitcoin transfer into a pool of funds and out again as different coins. For example, crypto exchanges. Using TOR or a proxy when using the websites means no site will know the user identity. Funds are sent through a chain of these exchanges.
PC wallet => online wallet 1 => online wallet 2 => online wallet 3 => PC wallet 2
This is analogous to having multiple bank accounts with anonymous identities. As the funds flow through the chain of accounts it becomes very hard to trace without co-operation from all the companies to provide their log files of transactions in and out. The more wallets in the chain the harder it is for someone to get all the logs. Using geographically diverse websites will help more (ie China, Russia, Venezuela) because no jurisdiction has authority everywhere. You would need to vary the amounts throughout the process.
Other methods can be used such as the coinjoin algorithm, which is implemented in at least two wallets – Wasabi is one. A wallet with coinjoin ability will allow you to participate in building a large transaction with other users of the same wallet software. The outputs of the transaction all look identical and there should be no way to know who owns each output. Since bitcoin lacks sufficient privacy, use of coinjoin wallets is needed for many general use cases such as an employer running payroll to prevent the employees knowing the salaries of all the other staff. Or to prevent each person you have transacted with from knowing how much bitcoin you own so they can assess whether it would be cost effective to kidnap or forcibly take your keys.
Avoid using mixing services (aka tumblers) like Helix because it is not known how effective they are, or what is their motivation for running the service. Some of these services have failed to adequately mix coins.
The majority of the order processing code has been in use since Sept 2015 and is well tested. As a multi-vendor market it has been running since early 2018.
What do the Tupolev Tu-95, AK47 rifle, and Tor Market have in common? An engineering philosophy.
The architecture consists basically of two separate systems.
- The public system running the market web server and TOR has no bitcoin private keys stored. It only holds a list of payment address strings in the database. The market server provides an API for retrieving data about payments owing.
- An isolated payment server running the private bitcoin wallet(s), locked down with minimal software installed. It only runs a wallet process, TOR and an application to process payments from data retrieved via the market API. It connects out to the market web server API over the TOR network. This helps to conceal the location of the bitcoin wallet so even the market webserver can never access the payment server.
There is a tradeoff engineering decision in the design of a market between ease of use with fast withdrawals, and security of the wallet. On most markets since Silk Road the web server process interacts directly with the bitcoin daemon process. With these markets, account balances and functions like withdraw are handled by the bitcoin process – the webserver has a direct connection to issue instructions without delay. The web server has full control of the bitcoin process, so if the web server is hacked through an error in the developers' website code, it leads to full control of the wallet. The advantage of this setup is that functions like withdraw and account balance happen without any delay. Refunds and reallocating funds from a cancelled order to a new order do not involve the blockchain, which is cheap, convenient and fast. However, this design has the disadvantage that it becomes a huge lucrative target for hackers to steal the funds off the market. The Tor Market design puts security of the wallet ahead of other requirements by moving the wallet off the market, and therefore loses the features of fast, cheap payments and simple refund procedures.
There is no support for bitcoin multi-signature addresses because it is difficult and time consuming for most buyers to use.
With Tor .onion addresses, https is not necessary because Tor ensures you are connected with the real authentic website and not a fake one. Tor also handles end to end encryption between this website and your Tor Browser to keep communication private. Traffic never leaves the encrypted Tor network. Provided you enter the .onion URL correctly Tor will take care of network security and privacy for you.
Theft of escrow funds would be extremely difficult because the public server doesn’t store bitcoin. A hacker would need to modify the database to have their own bitcoin addresses so payments go to the wrong recipient. Any database tampering to affect payments made by the market would likely be detected by the scripts on the payment server that process payments. Security checks use the blockchain database as an immutable record of payments received to ensure payments out are based on trustworthy data that hasn’t been compromised. Buyers paying into the market can use PGP to ensure wallet addresses are authentic and not served up by a phishing proxy.
Periodically the escrow funds are replaced with fresh coins from Chaumian CoinJoin. This means that anyone who has paid into the wallet so they can analyse it will have a limited window in time between their payment and when all the funds are replaced, to follow transactions. Then the trail stops and it’s like a new wallet was started. This is a work-in-progress because it means all users must cease using their old wallet addresses too.
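A minimal sketch of the kind of check the architecture above implies, as an added example (not the market's code): the isolated payment server treats every row pulled from the web tier as untrusted and approves a payout only when it is covered by receipts it has itself seen confirmed on chain. The record layout, function name and sample values are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PayoutRequest:
    """One row pulled from the web tier's API; every field is untrusted."""
    order_id: str
    deposit_address: str   # address the buyer was told to pay
    payout_address: str    # where the web tier says the funds should go
    amount_sat: int

def validate_payouts(requests, wallet_addresses, confirmed_received, already_paid):
    """Split requests into (approved, rejected) using only data the payment
    server controls: its own address set, confirmed chain receipts, and its
    local ledger of earlier payouts."""
    approved, rejected = [], []
    spent = dict(already_paid)      # copy: deposit_address -> satoshis paid out
    for req in requests:
        received = confirmed_received.get(req.deposit_address, 0)
        paid_so_far = spent.get(req.deposit_address, 0)
        if req.deposit_address not in wallet_addresses:
            reason = "deposit address not issued by this wallet"
        elif req.amount_sat <= 0:
            reason = "non-positive amount"
        elif paid_so_far + req.amount_sat > received:
            reason = "payout exceeds confirmed receipts for this order"
        else:
            spent[req.deposit_address] = paid_so_far + req.amount_sat
            approved.append(req)
            continue
        rejected.append((req, reason))
    return approved, rejected

# Constructed sample data (placeholder strings, not real addresses).
WALLET = {"addr-A", "addr-B"}
CHAIN = {"addr-A": 50_000, "addr-B": 20_000}   # confirmed satoshis received
PAID = {"addr-B": 20_000}                      # this order was already paid out

REQUESTS = [
    PayoutRequest("order-1", "addr-A", "payee-1", 45_000),   # covered by receipts
    PayoutRequest("order-1", "addr-A", "payee-1", 45_000),   # replayed row
    PayoutRequest("order-2", "addr-B", "payee-2", 20_000),   # already paid
    PayoutRequest("order-9", "addr-Z", "payee-9", 10_000),   # no such deposit
]

if __name__ == "__main__":
    ok, bad = validate_payouts(REQUESTS, WALLET, CHAIN, PAID)
    for req, reason in bad:
        print(f"REJECT {req.order_id}: {reason}")
```

These checks bound how much a tampered database can extract, but a changed payout address on a genuine order still passes them, so that case needs a separate control.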
The web server does not hold any PGP private keys. This means PGP encrypted messages in the database can’t be decrypted, even if a full copy of the Tor Market server is obtained.
The web server (and all systems used in maintaining and administering Tor Market) have full disk encryption and use the most secure open source operating systems (not Windows, or Apple).
All network access to the web server is through TOR and includes additional hops through other networks in addition to TOR. This means that network traces of the server do not reveal any users or operators of the server. All servers that process traffic from Tor (ie market HTTP traffic) have DNS resolver set to lookup via TOR. General outbound traffic to the internet is restricted with firewall rules. These precautions are to avoid any inadvertent outbound traffic that would reveal IP addresses.
Session data (cookies) are all stored client side, signed and encrypted. No session data is stored on the server. This gives speed improvements and additional security because database leaks cannot reveal session tokens.
Crypto currencies technical
Litecoin, Monero and Zcash were added because their network transaction fees are cheaper than Bitcoin. At times the Bitcoin network can be too slow and expensive so alternatives are needed. Compared to Bitcoin, the other payment methods are riskier to hold funds in and their main advantages are as fast, cheap transactional currencies, not long term stores of value.
Zcash has very good privacy. No other crypto-currency has better privacy than Zcash, hiding both transaction amounts and addresses. With Bitcoin, to make some details of a transaction private requires building a special type of transaction called a Coinjoin. This requires specialized software that coordinates with other users contributing to the transaction. Using Zcash is a much better alternative to Bitcoin coinjoins in terms of privacy.
There is only one software implementation of Zcash that supports shielded transactions, called zcashd. zcashd is a full node and stores the entire blockchain. Desktop wallets ZECwallet and Zepio are graphical frontends to zcashd.
Monero has better privacy than Litecoin and Bitcoin. It obscures inputs to transactions by adding additional dummy inputs, and hides the amounts transferred. The addresses used in a transaction are visible on the blockchain for analysis but the blockchain overwhelms the analyst with too much data, much of it fake. This has the effect of bloating the blockchain and causing transaction fees to be relatively high because transaction byte sizes are bigger than other blockchains. The Monero blockchain has been de-anonymized before when its privacy features were weaker. Many of the old transactions prior to 2017 were revealed by researchers.
Although Litecoin, Monero and Zcash offer many advantages over Bitcoin, they are not decentralized in the same way Bitcoin is. Decentralization is what protects against censorship and theft of funds by government.
In summary, Bitcoin is the best way to safely store value long term. Other crypto-currencies can offer cheaper transaction fees and privacy features but it is advisable to exchange them for Bitcoin instead of holding them, in all cases other than short term holding.
How Tor Market generates payments
This section applies to crypto-currencies that support transaction replacement and where tx fees are expensive. Currently this only applies to Bitcoin. If the bitcoin transactions for buyer refunds and vendor payouts are broadcast but awaiting confirmation, more payouts may arrive for the payment server to pay. Instead of making new separate transactions, the old transactions are replaced. This process keeps repeating and the transaction gets bigger as more payments get rolled in. Each replacement is broadcast with a higher fee on Tor Market.
You can try to spend any payout funds before they are confirmed, but ensure you set the fee high enough to confirm quickly. If you set a high fee on your spend but it is still not confirming then during this time the market will stop making any more payments to you. Your payouts will start being paid to you again only after your spend transaction confirms, or is discarded from mempool. Suppose your spend transaction (of unconfirmed funds) uses a low fee. Then your spend is in the mempool waiting for confirmation along with the market’s transaction that paid you. In this case where it has a low fee, when the market replaces its transaction (as above) then your spend in the mempool is orphaned and discarded from mempool. Your spend is effectively reversed and your wallet should return the balance to pre-spend. A problem occurs when you spend with a high fee, but not high enough to confirm. This prevents the market’s automated payment system from making further payments to you.
To prevent your wallet spending unconfirmed funds, look at wallet settings. Some wallets consolidate inputs in the background, making transactions that pay itself.
In summary, if Tor Market pays you and it hasn’t confirmed yet, avoid spending these unconfirmed funds. Wait for a confirmation before spending. If you try to spend unconfirmed funds, ensure you provide a very good fee so it confirms quickly. Because once you spend unconfirmed payout funds, it stops the payment server algorithm from making further payments to you.