Tesseract
The easy to use online drug supermarket
A Royal Mail postman approaches the front door of a modest house in a suburban town with a small package in hand. The sender has used Track24, Royal Mail’s premier next day delivery parcel postal service. He knocks on the door and, faster than usual, an excited-looking recipient eagerly takes the package out of his outstretched hand. “Thank you,” he says. “No, thank you!” the customer replies, clutching their parcel.
He does not know it, and probably never will, but for this delivery, this postman was an unwitting drug runner. He walks away, none the wiser, and continues on his usual Thursday round. On the other side of the door, a first-time user of an online service called Tesseract is hurriedly tearing open a beige parcel to reveal a vacuum-sealed bag with three and a half grams of high quality cocaine inside. It is just before midday, but he is too excited to resist and racks up a line on his phone and snorts it. He paid far less than he usually would to his in-person dealer, didn’t have to take any risks meeting up with dangerous criminals and is surprised by the high quality of the product.
This was a typical Tesseract order, over 300,000 of which have been successfully completed. Whilst ordering drugs from dark corners of the internet to be delivered via post is nothing new, Tesseract dramatically lowers the technical barrier to entry that exists on traditional dark web markets. No specialist software is required, no knowledge of cryptographic techniques is needed, and most importantly, the whole process can be done on a single app on a smartphone with no sluggish Tor connection speeds to frustrate the process. The experience is slick and streamlined, and uses an eBay-style cart and checkout system. Tesseract operates on the clearnet, not the dark web, meaning a simple Google search will return it as the top result. Tesseract’s URL is short and easily memorable, unlike the mammoth 30+ character URLs that traditional dark web drug markets use.
Dark Web Markets
The first modern online drug marketplace was Silk Road. Launched in 2011, it was hosted on the dark web, as were and are the vast majority of its successors. The dark web is a corner of the internet that is not accessible when using normal web browsers (Chrome, Firefox, Safari) and search engines (Google, Bing, DuckDuckGo). As a result of this, the online drug trade has remained a growing, but niche, avenue for illicit dealing. The vast majority of users still pick up their drugs in person. Tesseract is different. None of the listings can be purchased on the website; it operates only as an index for vendors, with links to Telegram shop bots (more on that later). This insulates the owners of Tesseract from the drug vendors, although many of the senior figures in the Tesseract team are associated with vendor teams. This may go some way towards explaining why the site has been online for so long, despite operating on the clearnet.
Telegram
The actual sale of drugs all happens on Telegram, an instant messenger and social media platform. Telegram’s legal domicile is in the British Virgin Islands, its operational headquarters is in Dubai, and it was founded by Nikolai and Pavel Durov, two Russian-born brothers with citizenship in St Kitts and Nevis, France, and the United Arab Emirates. A few days ago, at the time of writing, Pavel was arrested in France, accused of turning a blind eye to fraud, drug trafficking and other criminality on Telegram. He was arrested on the tarmac of Paris–Le Bourget Airport as soon as he stepped out of his private jet, which had flown into France from Azerbaijan. There, he is speculated to have met with Vladimir Putin. It should be noted that a Russian security source has said that Putin declined the meeting and that it never took place. In 2014 Durov refused to hand over the user data of Ukrainian protestors to the FSB, and later refused to delete the opposition leader Alexei Navalny's page on VK, a Russia-centric social media platform Pavel also founded.
Telegram’s moderation policy is among the most lax of any social media platform. Criminals operate group chats for networking, and run broadcast channels for the sale of drugs, stolen information and arms with impunity. Although in theory Telegram users cannot use the platform to break the law, there is very little platform-wide moderation, so these rules are rarely enforced (Telegram has just 30 employees, making effective moderation impossible). In addition to Telegram’s instant messaging functions, the developers have recently added a crypto wallet to the app, enabling users to send and receive money anonymously outside of the international banking system. Shop bots are a feature that enables users to purchase items in a chat by interacting with a bot, and to pay with a variety of mainstream methods as well as with practically any cryptocurrency.
Tesseract shop bots feature reviews, discount codes, wish lists and order tracking. Tesseract approaches vendors from traditional dark web markets, and gives them the opportunity to use its bot system in exchange for a cut of profits from sales made through the system. The vendors, as far as I can see, enter into an exclusivity arrangement with Tesseract, and no longer sell products manually on their own Telegram channels; however, they do continue to sell on traditional dark web sites. A Tesseract partnership will drive a huge number of extra sales to a supplier as soon as their name appears in Tesseract’s index. Dealers are queuing up for a Tesseract partnership.
Other than its greater usability, Tesseract’s major advantage over traditional dark web drug markets is its reliability. In recent years dark web markets and forums have been under increased pressure from DDoS attacks, a cost-effective way of slowing down a site by overloading its servers with more requests than they are able to handle. Crucially, DDoS attacks do not require a breach in website security to execute; all that is required is a web address and the capacity to direct huge numbers of requests towards it. The US government is widely suspected of being behind these dark web DDoS attacks, as it is a cheap way of diminishing a website’s user experience without having to do additional work in order to breach a hardened and hidden website’s security. Tesseract does not face the same issues. The index website is vulnerable to DDoS; however, as the bots run on Telegram servers that are extremely resilient to these attacks, the bots are (usually) up and running 24/7.
So, Tesseract is more reliable, more convenient, easier to use and can be used with a normal web browser and the Telegram app. However, it is less secure, a fact which few seem to care about, mention or think about.
Security?
Telegram chats, contrary to popular belief, are not encrypted by default. The public and private group chats that Tesseract runs are unencrypted. In these chats, customers discuss the price and quality of the drugs on offer and exchange reviews on different vendors, most of them probably not realising how vulnerable they are to prying eyes. To add insult to injury, Telegram shop bots are not encrypted either. This means that the product, quantity, price and in some cases shipping address on a purchase are sent to the bot unencrypted by the user. Whilst the data is encrypted by the bot before it is forwarded to the drug vendor, crucially, the address is still sent to Telegram servers unencrypted and can be viewed by anyone capturing network traffic in the right place and at the right time [1]. Secret chats, on the other hand, are encrypted. Telegram’s secret chat feature is not enabled by default, does not support encrypted backups, and uses an encryption algorithm that is extremely opaque. The industry standard Signal protocol combines several high quality encryption algorithms and is used by WhatsApp and Signal messenger. It is open source, meaning security vulnerabilities are quickly identified, and has received security audits by independent organisations and passed every one. Most other respected security focussed messenger apps are similar. Threema, another encrypted messenger platform, last had a 3rd party security audit in 2023. Element and Wire, two other similar platforms, last had security audits in 2022. Even Facebook’s WhatsApp and Facebook Messenger, as well as the open source Signal messenger, were all audited in 2021 by a 3rd party. Telegram, however, does not even publicly disclose the locations of its data centres, and has never had an independent security audit. On top of this, it uses a closed source encryption algorithm for its “secret” chats.
This means Telegram is asking its users to take its word for it when it comes to the security of their highly sensitive data, and has refused to have its own claims verified. Telegram says its own proprietary algorithm is needed for “reliability on weak mobile connections as well as speed when dealing with large files”. Sceptics doubt this claim. It is entirely possible that Telegram’s in-house algorithm is great, and that it compares to Signal, Threema, and Element when it comes to its security. But, at least for now, we simply do not know what is under the hood of Telegram’s encryption beyond the unverified claims that Telegram makes.
Telegram has cultivated the image of an app so secure that even criminals can use it with impunity. This is only half true. The reason that criminals can use Telegram with impunity is not its security; it is the almost total lack of moderation that exists on the platform. However, this image is enough to attract a rapidly increasing number of criminals and drug users to the platform with the false belief that their illegal activity is safe from prying eyes.
The Future
Tesseract will continue to rapidly grow in popularity and profitability. From the perspective of ambitious online drug dealers and tech-savvy drug users, it is a convenient and effective way of buying and selling drugs without needing an intermediate knowledge of encryption, Tor browser and how to shop safely on dark web markets. For law enforcement agencies it will most likely not be their main focus of attention, as traditional drug dealing and criminality will lead to more violence and visible harm to communities. Mr Durov, however, has not been so lucky. At the time of writing his fate is uncertain, and Tesseract group chats are littered with images and messages calling for him to be freed. His defence lawyers will no doubt make the reasonable point that despite the strict moderation that, for example, Meta or Discord claim to do, misinformation and CSAM are still commonplace on their platforms. Yet the CEOs of these companies get a slap on the wrist in the form of a congressional hearing or fine and are not made personally liable for moderation failures on their platforms. Tesseract’s customers and vendors will continue to enjoy the ease of use that Tesseract offers, most of them unaware of the risk they are taking for this convenience. And some postmen will continue to unwittingly be the final link in a vast global supply chain that enriches criminals and fuels the addictions of users.
[1] There is an option to encrypt your address using the vendor’s public key with a process called PGP encryption. This would ensure the shipping address is only known by the vendor; however, most users do not use this option. Instead they send their address unencrypted to the shop bot, then it is encrypted by the bot and forwarded to the vendor with PGP encryption. This is only slightly more secure, and increases attack surface dramatically for law enforcement agencies when compared to end-to-end encryption.




