Mirror-4 Technical Review (Updated June 2024)
Drughub Mirror-4 is the latest iteration of a long-running narcotics-focused marketplace that first appeared in late-2022. Over the past eighteen months the crew has cycled through three prior mirrors after routine takedowns and DDoS campaigns, so the launch of “-4” is less a marketing stunt than a forced reset. For researchers who track supply-chain resilience, the speed with which the market re-appears—usually within 48 h—has become a case study in how small teams can keep a Tor hidden service alive when every layer of the stack is under pressure.
Background and Evolution
The original Drughub onion was a bare-bones Bitcoin-only bazaar with ~300 listings. It distinguished itself early by refusing to support alt-coins, arguing that multi-coin wallets increase attack surface. After the first seizure notice (likely hosting-provider level, not law-enforcement) the operators introduced the numbered-mirror convention and added Monero as an optional privacy layer. Mirror-2 introduced per-order PGP-forced encryption and a “vendor bond” pegged to 250 USD to reduce fly-by-night sellers. Mirror-3 added a multisig escrow engine that supports both 2-of-2 and 2-of-3 schemes, although uptake has been modest because most buyers still prefer the convenience of traditional escrow. Mirror-4, launched in March 2024, ships under the same code-base but moves the back-end to a new hidden-service vanity prefix and rotates the administrative keys—standard OPSEC hygiene after any public incident.
Features and Functionality
The market runs on a customized fork of the old AlphaBay template, stripped of the heavier JavaScript that tripped up Tor Browser’s Safest mode. Key modules include:
- Traditional, 2-of-2, and 2-of-3 multisig escrow
- Per-message, per-address PGP encryption enforced server-side
- Optional PIN-based 2FA plus a TOTP generator that works with any RFC-6238 client
- Internal XMR <-> BTC swap provided by a third-party onion swap service (0.75 % fee baked into exchange rate)
- “Instant” purchases for trusted vendors who have <1 % dispute ratio and 90-day tenure
- Integrated forum reachable via the same auth cookie, reducing session management headaches
Listings are categorized by region (Domestic USA, EU, AU, etc.) and by stealth rating—an informal tag vendors self-select, but buyers can down-vote if packaging is sloppy. Search filters cover price range, accepted currency, and shipping origin; there is no “finalise early” filter because FE is no longer allowed site-wide, a policy change introduced after a spate of exit-scam rumours during Mirror-3.
Security Model and Escrow Flow
Drughub’s threat model assumes the server may be imaged at any time, so the codebase keeps no plaintext addresses or message content. When a buyer submits shipping info, the input field is encrypted in-browser with the vendor’s public PGP key and the ciphertext is stored; even root-level compromise would only reveal encrypted blobs. For payment, the market generates a unique sub-address for every order, shielding the hot-wallet main address from blockchain observers. Vendors can withdraw once daily; the hot wallet is topped up manually, limiting exposure to the balance needed for 24 h of refunds. Disputes are handled by a three-person staff panel; all three must sign any forced refund, creating a minor bottleneck but reducing insider theft. Multisig implementations use the standard Bitcoin Core RPC, so vendors can co-sign from Electrum or Sparrow without uploading private keys—a real improvement over markets that force web-based key management.
Security Note
The mandatory PGP encryption and unique payment sub-addresses significantly raise the bar for adversaries attempting to deanonymize users through server compromise or blockchain analysis.
User Experience and Accessibility
Mirror-4’s landing page is still recognizably AlphaBay-style: left-column category tree, centre-panel featured listings, right-panel wallet summary. Load times average 4-6 s over a vanilla Tor circuit, competitive with other mid-size markets. A “light” CSS skin can be toggled for users who run Tor Browser on Tails with unsafe browser disabled, shaving off roughly 250 kB per page. Onboarding is straightforward: solve a captcha, create username/password, optionally add PGP public key, deposit coins, browse. The market does not enforce JavaScript-free operation, but all critical actions—placing orders, releasing escrow, updating PGP—have HTML-only fallbacks, so the NoScript crowd isn’t locked out. Mobile access through Onion Browser works, though the captcha sometimes fails on iOS because of WebGL quirks; staff recommend desktop for any multisig workflow.
Reputation and Community Perception
Dread’s /d/Drughub subdread counts 8.2 k subscribers, modest compared with heavy-weights like ASAP or Archetyp, but the signal-to-noise ratio is high. Vendors with >300 completed sales and <2 % dispute ratio receive a green “Trusted” badge that is displayed site-wide; the badge disappears instantly if the ratio deteriorates, so buyers treat it as a live metric rather than lifetime status. Independent scrapers show that since Mirror-4 went live, the median delivery time for domestic US packs is 4.5 days, slightly faster than Mirror-3’s 5.1 days, probably because the vendor bond increase weeded out slower reshippers. No large-scale scam reports have been confirmed, although the usual forum chatter complains about slow support during weekends—two staff members appear to cover EU time zones, leaving US nighttime thinly moderated.
Current Status and Reliability
As of June 2024, Drughub Mirror-4 hosts ~5 400 listings, down from a peak of 7 100 in late-2023, reflecting both voluntary vendor departures and the general post-Hydra fragmentation. Uptime over the last 90 days hovers around 96 %, measured by a hidden-service monitor that polls every 15 min; outages rarely exceed three hours and usually coincide with announced server maintenance. The market’s Bitcoin hot wallet clusters have been tagged by Crystal Blockchain, but the adoption of sub-addresses and automatic churn for XMR means that cross-currency tracing is still impractical. Law-enforcement risk is impossible to quantify, yet the consistent 48-hour resurrection window suggests the operators maintain encrypted off-site snapshots and possibly jurisdiction-hop hosting—standard practice but no guarantee against future infiltration.
Conclusion
Drughub Mirror-4 is a competent, if unspectacular, continuation of a market that has learned from each shutdown cycle. Its security stack—mandatory PGP, optional multisig, XMR integration, and conservative hot-wallet policy—ticks the boxes that privacy-conscious buyers expect. The smaller catalogue and thinner staff depth mean it will never rival the giants of the mid-2020s, but that leanness also reduces the attack surface that comes with sprawling bureaucracy. For researchers, the site offers a living example of how mirror-numbering, cryptographic escrow, and community-driven reputation can keep a Tor marketplace on life support long after bigger competitors disappear. Users who decide to interact should still follow baseline OPSEC: Tails or Whonix, fresh PGP keys, no reused usernames, and wallet isolation. Mirror-4 may survive Mirror-5, or it may not; either way, its iterative approach provides more signal about darknet resilience than most academic papers manage to capture.