Infrastructure Traces Identified Behind the THIEF Dark Web Marketplace
By Threat Intelligence Unit
Executive Summary
- The dark web marketplace THIEF advertises a wide range of illegal goods and services.
- Infrastructure analysis identified a domain and multiple IP addresses historically associated with the site.
- Historical IP mapping records indicate that the service infrastructure relied on Cloudflare-based network ranges.
Site Analysis
The THIEF marketplace operates on the dark web and advertises a broad spectrum of illicit goods and services.
Items listed on the platform include:
- Fake currency
- Counterfeit identification documents
- Hacking tools and services
- Weapons
- Drugs
- Stolen credit cards
- Cryptocurrency exchange services
- Western Union transfers
- Electronics and ready-made businesses
- Dump+PIN services
The diversity of product categories indicates that the platform functions as a multi-purpose criminal marketplace rather than a single-commodity vendor.
The marketplace content can be viewed without requiring account authentication, enabling casual visitors to browse listings before registration.
Identified Onion Domains
The service operates through two Tor hidden service domains:
- Primary Domain: darkn5g756epq6t6fkqdo3mvkxlvwjtgabsbh3x47yhqg3uguiy5z5yd.onion
- Mirror Domain: qsw7iurcrdwyml5kg4oxbmtqrcnpxiag3iumdarefzeunnyc2dnyljad.onion
The use of multiple onion domains suggests redundancy or migration capability, allowing the operators to maintain service availability if one entry point becomes unavailable.
Figure 1. THIEF dark web marketplace site (1)
Figure 2. THIEF dark web marketplace site (2)
Figure 3. THIEF dark web marketplace site (3)
Infrastructure Analysis
Associated Domain
Using Oasis Security’s dark web infrastructure analysis service Arthur, a domain associated with the THIEF marketplace was identified.
- Domain: thief.*********.shop
The domain's registration period runs from September 12, 2024 to September 12, 2025.
At the time of analysis, no active IP address was directly resolving from the domain. However, historical mapping records provided valuable insight into the infrastructure previously used by the service.
Figure 4. Domain registration details for the THIEF marketplace
Historical IP Mapping
Between September 21, 2024 and March 8, 2025, three IP addresses were identified as being associated with the domain.
Figure 5. IP history mapping records
All addresses fall within Cloudflare's infrastructure range, indicating that the service might have operated behind a reverse proxy or protection layer.
- 172.67.***.*** — United States — Cloudflare
- 104.21.***.*** — United States — Cloudflare
- 188.114.***.*** — United States — Cloudflare
The repeated appearance of Cloudflare-range addresses suggests consistent reliance on the same CDN-based infrastructure layer rather than frequent hosting migration.
Although the domain did not resolve to a visible IP address, log artifacts suggested that the service infrastructure might have been reachable through previously associated IP addresses.
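A check of the masked addresses listed above against Cloudflare's published IPv4 ranges, as an added example that is not part of the original report or the Arthur service. The range list is a snapshot of cloudflare.com/ips-v4 assumed to be current, and the function names are hypothetical; the code reports whether the visible octets alone place an address inside a Cloudflare range or only overlap one.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 ranges (cloudflare.com/ips-v4).
# Assumption: refresh from the published list before relying on a verdict.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def masked_to_network(masked):
    """Convert a redacted address such as '172.67.***.***' into the network
    spanned by its visible leading octets (here 172.67.0.0/16)."""
    octets = masked.strip().split(".")
    if len(octets) != 4:
        raise ValueError("expected four dot-separated octets: %r" % masked)
    visible = []
    for octet in octets:
        if set(octet) == {"*"}:
            break
        visible.append(int(octet))
    # Redaction must be trailing only; '172.***.5.1' is not a prefix.
    if any(set(o) != {"*"} for o in octets[len(visible):]):
        raise ValueError("masked octets must be trailing: %r" % masked)
    padded = visible + [0] * (4 - len(visible))
    return ipaddress.ip_network("%d.%d.%d.%d/%d" % (*padded, 8 * len(visible)))


def classify(masked):
    """Return (verdict, matching_ranges) for a redacted address.
    'inside'  : every address behind the mask is in a Cloudflare range
    'partial' : only some addresses behind the mask are Cloudflare
    'outside' : no overlap with the snapshot at all"""
    net = masked_to_network(masked)
    containing = [str(cf) for cf in CLOUDFLARE_V4 if net.subnet_of(cf)]
    if containing:
        return ("inside", containing)
    overlapping = [str(cf) for cf in CLOUDFLARE_V4 if cf.overlaps(net)]
    return ("partial", overlapping) if overlapping else ("outside", [])


if __name__ == "__main__":
    # The three redacted addresses exactly as listed in the report.
    for addr in ("172.67.***.***", "104.21.***.***", "188.114.***.***"):
        print(addr, *classify(addr))
```

For the 188.114 entry the visible octets only partly overlap a Cloudflare range, so confirming attribution for that record depends on the unmasked address.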
Conclusion
The THIEF marketplace represents a multi-category dark web platform offering numerous illicit goods and services. Infrastructure analysis identified an associated domain and multiple historical IP addresses, all within Cloudflare-managed ranges.
Despite the absence of an active DNS resolution at the time of analysis, log evidence referencing domain activity suggests the service might have been operational on related infrastructure.
Given the historical variation in IP addresses associated with the domain, continued monitoring of the domain registration status and related network indicators is recommended to track potential infrastructure reuse or migration.