Black Pyramid Darknet Market: Technical Review of Mirror-3 Instance
Black Pyramid entered the darknet scene in late 2022 as a mid-sized, narcotics-focused bazaar. The “Mirror-3” instance discussed here is the market’s current stable onion endpoint, reachable since March 2023 after a short retirement of Mirror-2. For researchers tracking ecosystem churn, Black Pyramid is interesting because it runs a self-built PHP stack instead of the common Monopoly or Versus fork, and because its operators publish signed uptime statements every 96 hours—something closer to professional incident response than the usual silence.
Background & Timeline
The project first appeared on Dread in November 2022 with a bare-bones landing page and a PGP-signed press release that claimed “no Javascript, no third-party assets, no Cloudflare.” Early adopters noted the minimalist vibe: plain HTML forms, 22 kB page weight, and an explicit promise to rotate mirrors every 90 days. Mirror-1 stayed online for 87 days before the admin retired it, citing “infrastructure hardening.” Mirror-2 lasted 112 days and saw the introduction of per-order QR code invoices and optional XMR-only checkout. Mirror-3, launched 14 March 2023, added a rudimentary API for vendor bots and a “light” theme that still keeps total CSS under 7 kB. No exit-scam chatter has stuck so far; the only drama was a short-lived phishing clone in June that served a look-alike page with an ed25519 key mismatch—easy to spot if you verify the signed mirror list.
Core Features & Functionality
The product grid is categorized into the usual staples: cannabis, stimulants, psychedelics, prescriptions, and a small “fraud” shelf limited to CVV dumps—no malware or weapons. Listings are searchable by ship-from country, accepted currency, and escrow type. Vendors can toggle between:
- Traditional 2-of-3 escrow (buyer, vendor, market)
- Finalize-early (FE) with a 5 % discount capped at 30 % of order value
- “Flex” escrow that auto-releases 50 % on shipment, 50 % on delivery
Communication happens inside a PGP-protected ticket system; no JavaScript is required to encrypt messages, which is refreshing. The order flow generates a unique 16-byte “order code” that buyers must save; without it, even support can’t locate the purchase—an intentional data-minimization trick.
Security Architecture
Black Pyramid’s server-side OPSEC is hidden, but client-facing measures are visible: every page is served over .onion with HSTS preloaded, there is no inline CSS or JS, and the only external request is an optional 2 kB CAPTCHA image. Session cookies are 32-byte random values tied to a hashed password plus a per-user server secret; logout wipes the entry from a Redis table, invalidating the cookie everywhere. Two-factor authentication is TOTP-only—no fancy FIDO keys—but the shared secret is displayed only once and never stored in plaintext. On the financial side, the market runs a hot-wallet/cold-wallet split: deposits hit a watching-wallet, then sweep to cold after two confirmations. Withdrawals are batched every 30 minutes, making chain analysis noisier. Multisig is offered for Bitcoin orders, using a 2-of-3 scheme with market key, vendor key, and buyer key; the redeem script is shown pre-payment so buyers can verify on any block explorer.
User Experience & Accessibility
First-time visitors see a single-column layout that loads in under a second on Tor Browser’s “Safest” mode. Registration asks only for username, password, and a withdrawal PIN—no e-mail, no invitation code. The dashboard lists open orders, unread tickets, and an “autoshop” balance (for CVV buyers) in plain text; no graphical charts or bloated JS trackers. Vendors get a CSV export of sales once per day, helpful for bookkeeping. The only usability gripe is the lack of per-listing shipping profiles: vendors must edit every listing manually if postage rates change. Mobile users can switch to a “narrow” style sheet that reflows tables without horizontal scroll; it’s basic, but functional on Orfox-derived browsers.
Reputation & Community Feedback
Dread’s /d/BlackPyramid subdread has 5.8 k subscribers and daily activity—modest but alive. The market’s own forum is read-only for buyers; only vendors can post, reducing noise. Reputation scores blend three weighted factors: finalized sales (45 %), dispute outcomes (30 %), and on-time shipping metrics (25 %). A vendor with 100 sales and zero disputes can apply for FE status; abuse strips it within 24 h according to published rules. Buyers can leave only one feedback entry per order, editable until 30 days after finalization, which discourages review extortion. The biggest reputational win so far: when a top weed vendor “GreenMill” disappeared in April, support refunded affected buyers from the market’s reserve fund within 48 h—documented on Dread with tx IDs.
Current Status & Reliability
As of October 2023, Mirror-3 has 97 % uptime over 90 days as measured by a Tor uptime bot; most downtime spans 5–15 minutes during server restarts. Listing count hovers around 14 k, with 830 active vendors. Bitcoin is still accepted, but 68 % of listings now show XMR-only, reflecting buyer preference for non-traceable payments. Withdrawals process in under 40 minutes on average; the mempool fee estimator is conservative, so transactions usually confirm in the next block. No confirmed leaks of user data have surfaced, and the canary page—updated every Monday—still carries a valid PGP signature. Minor concerns: the CAPTCHA occasionally serves clipped images over slow circuits, and the support staff admits only two people handle tickets, so weekends can see 12-hour response times.
Conclusion
Black Pyramid Mirror-3 is a lean, no-frills marketplace that appeals to users who prioritize lightweight pages, short trust chains, and transparent admin communications. Its 90-day mirror rotation and minimalist code surface reduce the phishing attack vectors that plague heavier markets. On the downside, the small staff size creates bottlenecks, and the absence of automatic multisig for Monero means ultimate coin control still rests with the market. For researchers, it’s a useful case study in how far you can scale a darknet bazaar while keeping JavaScript disabled. For participants, the usual warnings apply: verify PGP mirrors, encrypt addresses, and never leave excess coins onsite. If the operators maintain their current cadence, Mirror-4 will likely appear around December 2023; until then, Mirror-3 remains one of the more stable, low-drama venues in the post-Hydra landscape.