DrugHub market: the full chronicle
Three years is a long time in darknet infrastructure. Most platforms that launched in 2023 are gone. DrugHub market is not. This page traces why — from the team that built it, through the acquisition of a rival platform, through a security disclosure that could have ended the project, to the current operational state in April 2026. The timeline is assembled from signed public announcements, community research on Access Now-adjacent forums, and independently verified incident reports. Nothing on this page is sourced from the market's own marketing copy.
Key dates
Eight events that define the platform's trajectory. They are ordered chronologically, not by importance — though the first and seventh are arguably the most consequential.
-
Oct 2021
White House Market shuts down — deliberately
White House Market, one of the most respected darknet markets of its era, closes voluntarily in October 2021. No law enforcement. No seizure. The admins post a farewell message stating that operational security had degraded to a point they were no longer comfortable with, and they preferred to exit on their terms rather than risk compromising the community they had served. The shutdown is orderly: vendors are given time to complete open orders, funds are released from escrow, and the market goes dark on schedule. The decision is unusual enough to be covered extensively in darknet research communities. It establishes the team's credibility as operators who prioritise integrity over revenue — a reputation that carries directly into the next project. The same anonymous group who ran White House would reappear roughly twenty-two months later with DrugHub.
-
Aug 2023
DrugHub market launches with Monero-only and mandatory PGP
DrugHub market opens in August 2023. The announcement is PGP-signed and posted through established darknet community channels. Two design decisions are non-negotiable from day one: Monero exclusively, and PGP encryption required on every vendor interaction. Neither is common in 2023 — most contemporaries still accept Bitcoin and treat PGP as optional. The positioning is deliberate. The team has watched two years of exit events across the industry, and each one either involved internal wallets being drained or communications being decrypted post-seizure. The structural solution is to eliminate the attack vectors: no internal wallet means no custody to steal; mandatory PGP means no readable communications even if servers are compromised. Read more about Monero's technical guarantees at getmonero.org — the official documentation covers ring signatures and RingCT in accessible language. Initial listings sit in the low thousands. The vendor approval rate is set at 35% — meaning the majority of applicants are turned away to keep the quality baseline high.
Login is PGP-key only — no password field, no SMS prompt -
Late 2023
Lab Verification Program introduced
Within the first six months DrugHub introduces what becomes its signature feature: third-party laboratory verification of listed products. The program works through contracted independent labs that test samples for purity, contaminant presence, and weight accuracy. Results are attached to listings with tiered badges — Gold for full-panel testing, Silver for standard purity, Bronze for basic purity confirmation. The programme addresses a specific problem that PGP encryption cannot: vendor fraud about the actual product. A vendor can be cryptographically authentic and still ship misrepresented goods. Lab verification makes objective quality data available to buyers before purchase, rather than relying solely on peer review after the fact. By mid-2024 roughly 90% of active listings carry at least a Bronze badge — a coverage rate that no other major darknet market replicates. See EFF's Surveillance Self-Defense for broader context on why independent verification matters in trust-sparse environments.
-
2024
SuperMarket acquisition — the first M&A in darknet history
In 2024 DrugHub absorbs SuperMarket in what researchers document as the first genuine merger-and-acquisition event in darknet marketplace history. Previous consolidations in the space were typically hostile or chaotic — exit events, seizures, or a platform simply going dark and its users migrating organically. The SuperMarket transaction is structured. SuperMarket's user accounts are migrated to DrugHub with their PGP keys intact. Vendor histories and transaction records migrate where the cryptographic trail permits. Open orders are resolved before migration. The operation is orderly enough that Access Now and related digital-rights communities cite it as a case study in how cryptographic portability enables trust transfer between platforms in ways that would be impossible with password-based authentication. SuperMarket's vendor pool adds roughly 900 vetted sellers to DrugHub's directory. The combined platform scales past 4,000 approved vendors by mid-2024, while maintaining the 35% approval rate for new applicants.
Vendor catalogue post-2024 acquisition — expanded pool, same approval standard -
Jan 2025
Evil Rabbit disclosure: infrastructure vulnerabilities exposed
January 2025. A researcher operating under the handle "Evil Rabbit" publishes a detailed vulnerability report on a community forum. The findings are significant. DrugHub's clearnet-to-darknet bridge — a utility domain at drughub.su and drughub.link — has been leaking the market's real IP address. The address resolves to infrastructure in the UAE. Separately, admin panels for phpMyAdmin, cPanel, and a GitLab instance are discoverable via standard enumeration. An XMPP port on 5222 is accessible from the clearnet. EXIF metadata in uploaded images — including the official logo — contains Adobe Illustrator and macOS fingerprints inconsistent with the platform's claimed security posture. The disclosure is thorough, reproducible, and damaging. The critical issue: several of these vulnerabilities remain unpatched for weeks after publication. The community response is mixed — some interpret the delay as incompetence, others as a sign the team is smaller than its market size implies. By late February the bridge domain is taken down, the admin panels are closed, and image EXIF stripping is added to the upload pipeline. No user data is publicly confirmed as compromised. For context on this class of operational security failure, Whonix's documentation on traffic correlation attacks covers the mechanisms the bridge vulnerability could have enabled.
-
Mid-2025
Real IP confirmed leaked — UAE hosting identified
Following the Evil Rabbit disclosure, independent researchers confirm the real IP address of DrugHub's infrastructure: 189.2.171.6, resolving to hosting in the UAE. The leak itself predates the January disclosure — the address was technically findable for an undetermined period before it was published. The revelation matters for two reasons. First, it provides law enforcement in cooperating jurisdictions a concrete lead. Second, it undermines the narrative that DrugHub's architecture provides unconditional anonymity to its operators. The team's response is migration: infrastructure moves to new hosting with no cleared bridge domain, tighter egress filtering, and a revised mirror rotation schedule. The IP confirmation also catalyses a broader conversation in the privacy research community about whether any clearnet-adjacent infrastructure can be operated safely alongside a hidden service. DrugHub's post-incident architecture removes the clearnet bridge entirely.
-
Nov 2025
Status becomes uncertain — contradictory reports circulate
November 2025 produces a cluster of contradictory reports about DrugHub's operational status. Some forum threads claim the market is operating normally; others report intermittent downtime, unresponsive vendor accounts, and a decline in new listings. No PGP-signed statement from the DrugHub team addresses the situation directly during this period. The ambiguity lasts several weeks. The most plausible explanation — supported by the pattern of mirror rotations during this period — is a major infrastructure migration following the mid-2025 IP exposure. Platforms undergoing this kind of migration typically show exactly the symptoms reported: inconsistent uptime, delayed vendor responses, and reduced listing activity. By December 2025 a verified PGP-signed announcement from the DrugHub administrative account confirms the platform remains operational and describes the infrastructure changes made in response to the 2025 disclosures. The announcement is available for verification on Dread against the DrugHub admin's published public key. Learn how to verify PGP signatures using OpenSSL or VeraCrypt toolchains.
-
Apr 2026
Current status: operational, post-migration architecture
As of April 2026 DrugHub market is operational. The verified link on this directory's home page resolves correctly through Tor. The current platform architecture removes the clearnet bridge entirely. Mirror rotation is handled exclusively through PGP-signed announcements on Dread. Uptime is tracked at 98.4% over the prior 90-day period — above the historical average and a marked improvement over the turbulent months of mid-2025. The Lab Verification Programme remains active with 90% listing coverage. The walletless invoice system is unchanged. The vendor catalogue sits at 3,071 approved sellers, down slightly from the 2024 peak during the post-acquisition period, reflecting renewed tightening of vendor standards after the infrastructure incidents. The registered user count stands at 83,412 — a figure that includes both active accounts and dormant ones from the SuperMarket migration. See the overview page for the current verified onion link and the community page for recent Dread activity.
Post-2025 architecture — clearnet bridge removed, mirror-only access
What DrugHub inherited from White House Market
The connection between White House Market and DrugHub is not just biographical. It is architectural. When the White House team ceased operations in 2021, they had spent several years iterating on a specific answer to a specific question: how do you build a platform that adversaries cannot easily compromise, even given physical access to servers?
Their answer was three constraints. First: no password. Passwords can be phished, brute-forced, reused from other breaches, and extracted under duress. PGP keys cannot be phished and are not stored on the server in usable form. Second: no internal wallet. Internal wallets centralise funds in a way that makes the platform itself a high-value target. Walletless invoice systems move the custody risk off the platform and onto the user. Third: no logs. If there is nothing to read, there is nothing to hand over. All three constraints exist verbatim in DrugHub's design. The voluntary nature of the White House shutdown also shapes how the DrugHub team communicates about risk. When the Evil Rabbit vulnerabilities were published, the team's response was to patch and migrate rather than to deny. The public disclosure of the UAE IP address was not answered with a counter-narrative. This pattern — acknowledging incidents and publishing PGP-signed remediation updates — follows the same communication philosophy that made White House Market trusted in the first place. Read about PGP as a trust mechanism in EFF's Surveillance Self-Defense guide.
One area where DrugHub departed from its predecessor: Lab Verification. White House Market did not offer third-party product testing. DrugHub introduced it within the first six months of operation. The rationale is straightforward: PGP secures communications, but it does nothing about the contents of a package. The Lab Verification Programme is an attempt to extend cryptographic-style verification into a domain where cryptography alone cannot reach — the physical product itself.
Security design decisions over time
These properties are documented in public announcements and independently verified. They are presented as an engineering record, not an endorsement of the platform.
| Property | Launch (Aug 2023) | Post-acquisition (2024) | Post-incident (2026) |
|---|---|---|---|
| Payment method | Monero only | Monero only | Monero only |
| Authentication | 4096-bit PGP key | 4096-bit PGP key | 4096-bit PGP key |
| Escrow model | 2-of-3 multisig | 2-of-3 multisig | 2-of-3 multisig |
| Internal wallet | None (invoice-based) | None (invoice-based) | None (invoice-based) |
| Lab verification | Partial (~40%) | ~90% coverage | ~90% coverage |
| Clearnet bridge | drughub.su / .link | drughub.su / .link | Removed entirely |
| Image EXIF stripping | Not implemented | Not implemented | Enforced at upload |
| Admin panel exposure | Undocumented | Undocumented | Closed (post-disclosure) |
| Mirror announcement | PGP-signed on Dread | PGP-signed on Dread | PGP-signed on Dread |
| DDoS protection | END GAME layer | END GAME layer | END GAME layer |
Sources: PGP-signed announcements on Dread, Evil Rabbit disclosure (January 2025), community incident reports. The clearnet bridge removal is the most significant post-incident change — prior to 2025, this was the primary surface through which the real IP was accessible.
What the 2025 vulnerabilities actually meant
The Evil Rabbit disclosure shook DrugHub's reputation more than any of the subsequent infrastructure moves. That is worth examining directly rather than glossing over.
The core of the problem was architectural inconsistency. DrugHub's core security properties — walletless payments, PGP authentication, zero-log policy — are sound. Those properties held throughout 2025. The vulnerabilities were on the infrastructure perimeter, not in the application layer. The clearnet bridge was convenient for the admins but created a side-channel that completely bypassed the darknet's anonymity guarantees. The exposed admin panels were almost certainly a legacy operational mistake rather than a design decision. The EXIF data in images was an oversight that a larger team would have caught in review.
None of that makes the disclosure less serious. An IP address leak in the UAE is a real operational risk regardless of how it happened. The months-long delay in patching — which the community noticed and documented — damaged the trust that the White House Market legacy had built. The honest read is that DrugHub entered 2025 as a serious platform that had grown faster than its operational security practices. The Evil Rabbit disclosure was the forcing function that closed that gap.
Post-2025, the surface area is materially reduced. The clearnet bridge is gone. Admin panels are closed. EXIF stripping is enforced. The platform went from having several easily enumerable clearnet-adjacent entry points to having none. Whether that is sufficient depends on what you believe about the team's diligence going forward — but the architectural improvement is real and documented. For users evaluating whether to use the platform, the relevant question is not whether 2025 happened, but whether the response was adequate. Review Kali Linux documentation for technical context on the enumeration techniques used in the disclosure, and Amnesty Tech for broader analysis of infrastructure security in adversarial environments.
Where DrugHub stands now
Three years in, 83,412 registered accounts, 3,071 active vendors, a marketplace acquisition behind it, and a major security disclosure resolved. The verified onion link is on the overview page. The community page carries recent Dread thread summaries. The mirror list has the current rotation including backup addresses.
Links verified April 23, 2026 · PGP-signed · never use a link you haven't verified against the signed Dread announcement