Cebulka Darknet Mirror-5: A Technical Field Report

Cebulka Mirror-5 is the latest iteration of the Polish-language market that has quietly served Central-Eastern Europe since 2018. While it never reached the volume of Empire or White House, it has outlasted both by keeping a low profile and sticking to a single language niche. Mirror-5 went live in late March 2024 after its predecessor was knocked offline by a sustained DDoS campaign that lasted almost three weeks. For researchers tracking regional ecosystems, Cebulka is a useful case study in how smaller markets survive when giants fall.

Background and Evolution

Cebulka started as a Tor-only forum for exchanging PGP keys and local vendor contacts. The first real market module appeared in 2020, grafted onto the original forum database so existing user reputations carried over. That continuity is still visible today: vendor profiles display both “forum age” and “market age,” giving buyers a quick sanity check against fly-by-night accounts. Mirror-3 (2022) introduced bulletproof hosting in Moldova and switched from Bitcoin-only to Monero-first checkout, a move that now looks prescient. Mirror-4 added per-order 2FA tokens and a rudimentary dispute timelock; Mirror-5 refactored the entire frontend into a lightweight Single-Page Application that loads in under three seconds over a 1 Mbps Tor circuit.

Features and Functionality

The market is intentionally spartan. There are no flashy banners, no coin mixers integrated into the checkout flow, and no “autoshop” for digital goods. What it does offer is:

  • Monero multisig escrow with optional finalize-early for vendors above 250 trades
  • PGP-encrypted checkout notes that are automatically wiped after 30 days
  • Per-listing stealth shipping templates that buyers can favorite and reuse
  • A “regional only” filter that hides offers from vendors who refuse to ship within the EU
  • An API endpoint that returns PGP-signed mirror links every six hours, making link rot less painful

One subtle improvement in Mirror-5 is the “vendor signal” metric: a color-coded dot derived from median response time, dispute rate, and the age of the most recent PGP key rotation. Green dots correlate strongly with successful deliveries, while red ones almost always precede exit-scam chatter.

Security Model

Cebulka’s threat model assumes the server itself is compromised eventually, so everything short of order metadata is encrypted client-side. Vendors upload public GPG keys at signup; the market never stores private keys. When a buyer places an order, the shipping address is encrypted in-browser with the vendor’s key before the plaintext ever touches the wire. The server only sees a blob it can’t decrypt. Disputes work similarly: both parties upload evidence encrypted to the arbitrator’s key; the arbitrator downloads, decrypts offline, and posts a verdict hash that the market publishes. That hash is later used to prove the verdict wasn’t tampered with if the loser cries foul.

Withdrawals require two signatures: one from the market hot wallet and one from a cold key held on an air-gapped machine that is booted once every 24 h. The timelock means even a fully coerced admin can’t empty the pot in less than a day, giving users a narrow but real window to notice and panic-exit.

User Experience

First-time visitors are greeted by a plain-text captcha that asks for the fifth word of the market’s signed canary—an elegant way to force new users to verify the signature before they can even register. Once inside, the layout borrows heavily from old-school Libertas: left-hand category tree, center listings, right-hand vendor panel. Search is Boolean and supports “ships from,” “FE allowed,” and “max price” filters. Order flow is three clicks: select listing → encrypt address → fund multisig. The entire process feels like using a 2014 market, but that familiarity reduces support tickets.

Mobile access is possible via Onion Browser on iOS or Orbot on Android, though the UI is still desktop-first. A handy “mirror token” (a short random string) is displayed on the footer; if the string changes across page reloads you’re probably on a phishing clone.

Reputation and Trust

Cebulka has had one publicly confirmed exit-scam attempt: in mid-2021 a sub-admin tried to disable withdrawals for 36 h while still allowing deposits. The cold-wallet timelock kicked in, users noticed on Dread, and the rogue staffer was booted. Since then, the market has kept a remarkably clean rap sheet. On the Polish Tor forum “Kryptoszczurzy” (literally “crypto rats”), a running poll shows 78 % “would deposit again,” the highest score among active regional markets. Vendors like “Chemik_” and “DHL_PL” have five-year tenure and <1 % dispute rates, numbers that are hard to fake without sustained operation.

Current Status

Mirror-5 has been online for 42 days at the time of writing, with one brief 7-hour outage attributed to a MikroTik vulnerability that affected a third of Moldovan hosting providers. Deposit confirmation times average 22 minutes for Monero, largely because the market waits for two additional confirmations beyond the default to avoid chain-reorg drama. Listing count hovers around 1,850, down from Mirror-4’s peak of 2,400, but vendors say the drop is seasonal—post-Easter slump combined with Polish border controls that slow postal routes. The biggest operational risk right now is the market’s dependence on a single arbitrator handle “@mod_kalina”; if that key is lost, disputes stall indefinitely.

Conclusion

Cebulka Mirror-5 is not revolutionary; it is deliberately evolutionary. It survives by limiting its attack surface: one language, one region, no gimmicks, and a codebase small enough to audit over a weekend. For researchers, it is a living reminder that longevity on the darknet often comes from subtraction, not addition. For users, it offers a functional, low-drama environment as long as they remember that “low-risk” is not “no-risk”: always verify the mirror token, always encrypt sensitive data client-side, and never leave coins sitting in a market wallet longer than necessary. In the current landscape of constant exit scams and law-enforcement takedowns, that level of predictability is itself a rare feature.