Identification of Public IP Address of Illegal Drug Sales Website TreFratelli Drug Shop
By Threat Intelligence Unit
Executive Summary
- A public IP address associated with the TreFratelli Drug Shop dark web site was identified.
- Multiple onion domains were observed redirecting to a primary domain.
Site Analysis
TreFratelli Drug Shop operates as a dark web marketplace engaged in the sale of various illegal drugs. The platform is accessible via the Tor network and utilizes multiple onion domains as entry points.
Identified Onion Domains
- Primary Domain: trefram7xawu7ghegagzb65q6rumoo6rhrmjp3m3y6s6g6cokem75bad.onion
- Redirect Domain: pvgm7wj3nxps2muzl74yp5jemrzj6aiznrkl7dyexzs5cyaoqq7v2lad.onion
- Redirect Domain: gmaopeprtpwf76tic44gvzxwxi5dyltpzdkfrw3n2vzq4dkc64golxid.onion
- Redirect Domain: h4dkbzvrmndsqplkoeabtb4wnpf32r5nc2m2aa2v3j42sh72vl3ug7ad.onion
- Redirect Domain: dxqjos4mhj3zethuinq6h5npo7tl3i7xoan33tsbcdcdkq5czo7y2cqd.onion
All identified redirect domains consistently redirect to the primary onion domain, indicating a centralized service architecture.
Figure 1. TreFratelli Drug Shop primary onion domain interface (1)
Figure 2. TreFratelli Drug Shop primary onion domain interface (2)
Figure 3. TreFratelli Drug Shop primary onion domain interface (3)
Infrastructure Analysis and Public IP Discovery
Public IP Exposure
Using Oasis Security’s dark web intelligence service Arthur, the backend infrastructure supporting TreFratelli Drug Shop was identified.
- Public IP Address: 193.5.***.***
- Country: United States
- Hosting Provider: HOST-INDUSTRY
- ASN: AS207461
The site was first detected on November 30, 2025, and has been continuously monitored to assess its operational status.
Clearnet Accessibility
Direct access to the identified public IP revealed that the service is not fully isolated within the Tor network.
- Port 80/TCP on 193.5.***.*** serves the same web content as the Tor hidden service, once CAPTCHA protections are bypassed.
Figure 4. TreFratelli Drug Shop main page accessible via clearnet infrastructure
Historical Service Exposure
An additional service was previously observed on an alternative port.
- Port 8080/TCP hosted a site: “Counterfeit banknotes, Passports, Carding, Buy Clone Cards, Driver’s licenses, Work Permits”
At the time of analysis, this service was confirmed to be inactive.
Conclusion
TreFratelli Drug Shop represents a dark web–based illicit service that exhibits insufficient separation between Tor-based infrastructure and publicly accessible network components. The identification of a publicly routable IP address serving identical content demonstrates an operational security weakness among such platforms.
The continued accessibility of the service via clearnet infrastructure indicates ongoing activity and potential exposure risks. Continuous monitoring of the associated infrastructure is recommended to track operational changes, potential expansion of illicit services, and related cybercrime activities.