Cebulka Darknet Market: A Technical Look at Mirror Rotation and Operational Continuity
Cebulka—Polish for “little onion”—has become a recurring name in darknet threat-intelligence feeds over the past two years. The market is best known for two things: a weed-only inventory policy that keeps it under the radar of larger multi-category busts, and an aggressive mirror-rotation scheme (currently on its third public iteration, “Mirror-3”) that lets it survive DDoS campaigns and takedown pressure better than most mid-sized venues. For researchers tracing how smaller specialty bazaars stay alive, Cebulka is a useful living case study.
Background and Brief History
Cebulka first appeared in late-2021 forum spam, advertising itself as a “Polish growers’ club” running on a minimalist fork of the 2015-style AlphaBay source. Version numbers were never published, but archive timestamps show the original captcha URL changed roughly every ten days—an early sign that the admins already favored short-lived .onion identities. By mid-2022 the site had standardized its rotation into branded “mirrors,” announcing each new address with a signed PGP message posted to Dread’s /d/Cebulka sub. Mirror-3 went live in February 2023 after its predecessor vanished during a widely reported law-enforcement sweep that seized a cluster of hosting nodes in Moldova. The speed of the relaunch (under six hours) convinced many observers that the crew keeps a hot-standby environment ready, a practice more common with ransomware blogs than with drug markets.
Features and Functionality
The codebase is intentionally light: no JavaScript, no third-party trackers, and a single 38 kB CSS file. Product pages are limited to cannabis flowers, hash, concentrates, and seeds; the rule against anything harder is enforced by automatic keyword filters (vendor listings containing “coke,” “meth,” or “pills” are rejected at submission). Payments are accepted in Monero only—Bitcoin support was dropped with Mirror-2 after the admins cited “unnecessary chain analytics exposure.”
- Traditional escrow (full or 50 % FE for senior vendors)
- Multisig option using 2-of-3 scripts (market key, buyer key, arbiter key)
- Internal PGP tool for encrypting addresses; plaintext is auto-purged after 72 h
- Two-factor authentication via TOTP or FIDO-compatible U2F—rare at this market tier
- Vendor bond: 0.12 XMR, waived for sellers with > 200 verified sales on other major DNMs
- Reputation algorithm that weights “resolution speed” more heavily than total volume, discouraging selective scamming
Security Model
Cebulka’s operational security mirrors what you would expect from a paranoid carding crew rather than a pot shop. Servers are rented through a chain of three resellers, each paid in XMR converted from privacy coins via decentralized exchanges. The market encrypts its entire MariaDB at rest using dm-crypt with a key that lives in tmpfs—pull the plug and the data disappears. On the user side, login cookies are tied to the exit-node IP hash and the first 16 characters of the user-agent string, making cookie replay across circuits worthless. Disputes are handled by a single staff account (“Gnome”) who signs every decision with a known PGP key; researchers have verified that the same key has been in use since 2022, giving the process a modicum of continuity.
User Experience
First-time visitors notice the retro HTML: no icons, no infinite scroll, just categorized plaintext links. Search is keyword-only and case-sensitive, which actually speeds up bulk browsing if you know the chemotype you want. Order flow is three steps: add to cart → encrypt address with vendor key → fund escrow. Mirror-3 introduces a “quick-lock” feature that pre-generates a PGP message for the ten best-selling vendors, shaving about 30 seconds off checkout for repeat customers. Page load times hover around 2.3 s over a standard Tor circuit, competitive with larger markets that rely on heavier frameworks.
Reputation and Trust Indicators
Because inventory is narrow, vendor reputation is easy to track. The top 20 sellers account for 68 % of volume, and their public PGP keys have remained consistent across all three mirrors—something researchers watch closely for exit-scam warnings. Independent seed testers on Dread have posted germination-rate photos for six of those vendors, adding a rare real-world verification layer. The market itself has no recorded large-scale exit: when Mirror-2 disappeared, all pending escrow funds were refunded within 36 h, a move that bought considerable goodwill.
Mirror Verification and Phishing Defense
Mirror links are distributed only through two channels: the signed PGP message on Dread and an XMPP broadcast list. The admin key fingerprint is 5F65 A4C1 8B92 … (abbreviated here), and the message always contains the current UTC date plus a random nonce. Users are urged to verify the signature locally; the market even hosts a stripped-down copy of OpenPGP.js so you can check the sig without leaving Tor Browser. Fake clones pop up within hours of each rotation, usually identified by a malformed nonce or a misspelled “Cebulka” in the footer—simple but effective tells.
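A valid signature alone does not stop an old, genuinely signed announcement from being re-posted, which is what the date and nonce are for. The Python below is an added example, not code from the market or the original article: it applies freshness and replay checks to a message body whose signature has already been verified against the pinned key. The field layout, the 32-hex-character nonce format, the three-day window and the sample message are all assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed body layout (constructed; the article does not give the real format).
FIELD_RE = re.compile(r"^(Date|Nonce|Mirror):[ \t]*(\S+)[ \t]*$", re.MULTILINE)
NONCE_RE = re.compile(r"^[0-9a-f]{32}$")   # assumed nonce format
MAX_AGE = timedelta(days=3)                 # assumed freshness window

# Constructed sample announcement body (signature armor already stripped).
SAMPLE = """Date: 2023-02-14
Nonce: 0123456789abcdef0123456789abcdef
Mirror: placeholder-address.invalid
"""


def check_announcement(body, now, seen_nonces):
    """Return a list of problems; an empty list means the body passes.

    `body` must come from a message whose signature was ALREADY verified.
    `seen_nonces` is a set of nonces accepted earlier; it is updated only
    when the announcement passes every check.
    """
    fields = dict(FIELD_RE.findall(body))
    missing = [f"missing {n}" for n in ("Date", "Nonce", "Mirror") if n not in fields]
    if missing:
        return missing
    try:
        signed_on = datetime.strptime(fields["Date"], "%Y-%m-%d")
    except ValueError:
        return ["unparseable date"]
    age = now - signed_on.replace(tzinfo=timezone.utc)

    problems = []
    if age > MAX_AGE:
        problems.append("stale")                 # old announcement re-posted
    elif age < -timedelta(days=1):
        problems.append("dated in the future")
    nonce = fields["Nonce"]
    if not NONCE_RE.match(nonce):
        problems.append("malformed nonce")
    elif nonce in seen_nonces:
        problems.append("replayed nonce")        # same signed text seen before
    if not problems:
        seen_nonces.add(nonce)
    return problems
```
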
Current Status and Reliability
Mirror-3 has maintained 96 % uptime over the past 90 days according to onion-scan probes, outperforming heavyweight multipurpose markets during the same window. The only prolonged outage (14 h) occurred after a sustained 18 Gbps UDP flood in May 2023; the crew shifted to a new guard-node set and came back online with no data loss. Withdrawals process in under 30 minutes, and blockchain analysis shows the hot wallet rarely holds more than 250 XMR—another hedge against seizure or exit temptation. The main operational risk today is concentration: only four people appear to handle code, support, and dispute resolution, so a single bust could still sink the platform.
Practical Security Notes for Observers
If you are studying Cebulka rather than shopping, spin up a fresh Tails instance and restrict outbound traffic to port 9050. Archive each mirror with wget --mirror --convert-links --page-requisites while staying on the same circuit; this preserves the static files without triggering the anti-scraping captcha. Keep in mind that the market’s no-JS policy also means no client-side mitigations—if the server is compromised, a malicious HTML payload could still phish your credentials. Finally, never trust “updated” links from Reddit pastes or Telegram channels; the PGP-signed Dread post is the only source that matters.
Conclusion
Cebulka Mirror-3 demonstrates how a niche, single-class market can stay resilient by minimizing attack surface, rotating infrastructure fast, and keeping escrow exposure low. Its stripped-down feature set will not appeal to power users looking for bulk cocaine listings, but for cannabis-focused trade it offers a level of stability that many larger venues struggle to match. The heavy reliance on a tiny admin circle remains the weak link; if that bottleneck survives the next wave of enforcement, expect the mirror counter to keep ticking upward.