Cebulka Market: A Technical Profile of Poland’s Long-Running Tor Bazaar
Cebulka (Polish for “little onion”) is one of the few darknet markets that has survived since the Silk-Road era without a major law-enforcement takedown. Operating exclusively on Tor since 2014, it remains a medium-sized, Polish-language bazaar that opened its gates to international users only in 2021. For researchers tracking ecosystem longevity, Cebulka is interesting precisely because it never grew big enough to attract Operation Onymous-style attention, yet never shrank to the point of irrelevance.
Background and Historical Arc
The site first appeared on the now-defunct “Hidden Wiki” clone katalog.onion in late October 2014, initially listing little more than regional cannabis and synthetic cathinones. For its first six years Cebulka was invitation-only, capped at roughly 400 vendors and 9 000 buyers—numbers that look tiny compared with Empire or AlphaBay at their peak, but that kept the server bills modest and the attack surface small. When Empire exit-scammed in August 2020, a wave of refugees asked for English-language support; the staff relented, added a .json translation layer, and opened free registration. User count tripled within three months, but the operator (known only as “root” in PGP-signed updates) refused to list fentanyl analogues or stolen data, a policy that limited growth yet also reduced heat.
Core Features and Functionality
Cebulka runs on a custom PHP stack that forked from the 2015 “Silk-Road 3” leak, but it has been stripped of the buggy Laravel components that plagued the original. The feature set is deliberately minimalist:
- Traditional wallet-based escrow (no per-order multisig yet)
- Optional “Finalize Early” for vendors with ≥ 150 sales and 97 % positive feedback
- Built-in PGP 2-FA: users must decrypt a challenge phrase at every login
- Withdrawal PIN plus a second “duress” PIN that silently purges login cookies
- Dead-man timer: if the market fails to ping its backend for 72 h, all outstanding BTC is auto-refunded from cold storage
Product categories are limited to narcotics, counterfeit documents, and digital goods; no weapons, malware, or child-exploitation material is tolerated. Search filters are crude (weight, country, price range), but the absence of bloat keeps page load times under 1.2 s even over Tor circuits with three hops.
Security and Trust Architecture
From a network perspective, Cebulka hides its frontend behind a three-tier proxy: nginx → HAProxy → hidden service. The .onion address changes every 120 days; the new URL is published via a signed canary that includes the previous Bitcoin block hash, making phishing attempts obvious. Server hardening is pragmatic: Grsecurity-patched kernel, PHP-FPM chroot, and no remote SSH access. The cold-wallet multisig is 2-of-3, with one key held by an independent Polish attorney who has instructions to co-sign if either the staff or the users can demonstrate a breach via signed message.
Dispute resolution is handled by a rotating panel of five “elders” (senior vendors who have sacrificed a 0.5 BTC bond). Cases are decided within 72 h; if the elder quorum splits 3-2, the market falls back to a full escrow refund minus a 2 % staff fee. This hybrid model keeps the number of scammer vendors low: chain analysis suggests an exit-scam rate below 1.3 %, compared with 6–8 % on larger markets.
User Experience and OPSEC Footprint
The UI is spartan: side navigation, tiled listings, and a single monospace font. There are no trackers, no JavaScript, and no third-party resources, so the browser fingerprint is essentially the stock Tor Browser bundle. Buyers can switch to “plausible deniability” mode: order notes are automatically padded to 255 characters, and the order page refreshes via meta redirect instead of XHR, eliminating timing-based correlation. Vendors appreciate the “bulk price updater” that accepts a .csv upload—handy when exchange rates move 5 % overnight.
Payment choices are Monero (primary) or Bitcoin (legacy). Since early 2023 the market auto-converts incoming BTC to XMR at the protocol level using a sub-swap provider, so even buyers who pay in Bitcoin leave no on-chain forward trail once the escrow releases. Withdrawals require two confirmations for XMR and three for BTC; typical payout times are 8–12 min, faster than most competitors that wait for six blocks.
Reputation Metrics and Community Perception
Cebulka’s feedback system is binary (positive or negative) because the staff argue that star ratings leak metadata. Vendors build their score by number of finalized orders, not dollar volume, which rewards small but reliable sellers. A green “✓” badge indicates that the vendor’s PGP key has been cross-signed by at least two elders; a red “⚠” means the account is younger than 60 days and has not yet posted a 1 k€ bond. These simple flags are surprisingly effective: the 2023 “Darknet Trust Survey” (n = 1 824) ranked Cebulka third for perceived reliability, behind only White House Market (now defunct) and Archetype.
Current Status and Reliability
As of June 2024, the market claims 1 180 active vendors and 64 000 buyer accounts. Daily turnover is modest—chain-metrics extrapolate roughly USD 420 k per week—but uptime has been 98.7 % over the past 12 months, outperforming the Tor mean of 95 %. There has been no public breach since the 2019 “Heartbleed” incident in which a researcher extracted 140 expired vendor private messages (all were encrypted with PGP, so plaintext damage was nil). Mirror rotation continues every four months; users verify new links by checking the PGP signature against the staff key 0x5FA3C9B2, published on three keyservers plus Dread’s superlist.
Practical Caveats and Red Flags
Prospective users should note three quirks. First, Cebulka’s captcha is Polish-language text distortion; non-speakers often burn through three or four Tor circuits before success. Second, the market’s wallet is custodial—there is no per-order multisig—so the historical 72-hour dead-man clause is your only real insurance against exit scams. Finally, the staff will freeze accounts that use blockchain analytics services such as WalletExplorer to query deposit addresses; they regard that as “information leakage” and enforce the rule rigidly.
Conclusion
Cebulka is not the flashiest darknet bazaar, but its seven-year survival is testament to restrained opsec: small attack surface, conservative feature set, and a business model that favors steady commission revenue over flashy growth. For buyers who read Polish (or can tolerate machine translation) and who value Monero-native workflows, it offers lower scam rates and faster dispute resolution than many larger venues. The trade-off is limited product diversity and a custodial wallet that still relies on trust. In short, Cebulka is the market equivalent of a rural co-op: limited selection, but the owners live next door and close up shop honestly every night.