City Market: A Privacy-Focused Bazaar That Learnt from Its Predecessors
City Market opened its doors in early 2021, right after the second major wave of multinational busts that took down DarkMarket, Empire and a handful of smaller venues. Instead of rushing a flashy launch, the crew staged a quiet two-week “pre-open” where only invited vendors could list, stress-testing everything from the onion balancer to the multisig cold wallets. That cautious approach paid off: three years later the site is still online, has survived two public exploit dumps, and keeps a low profile in threat-intel reports, something few markets manage for more than a season.
Background and Historical Context
City’s founding team is anonymous, but their code fingerprints match the abandoned Monopoly-market git repo, suggesting at least two of the same developers. They explicitly rejected the “biggest catalogue” race that killed Alphabay, instead copying White House Market’s invite-only vendor policy and adding a rotating mirror pool inspired by the old Cannazon setup. Because they launched during the post-Empire “trust vacuum,” they had to prove reliability fast: the first six months were spent publishing signed canaries every Tuesday and allowing anyone to download the full market PGP key set for offline verification. Those habits are still in place, which is why old-school traders treat City as the slow-but-steady option rather than the next exit-scam waiting to happen.
Features and Functionality
The market runs on a customised fork of the venerable “Dread script” (v4.2), but the frontend has been stripped of JavaScript and refactored into pure HTML-CSS to reduce browser fingerprinting. Key features include:
- Multisig escrow (2-of-3 for Bitcoin, 3-of-5 for Monero), with timelocked refund transactions created at checkout
- Optional “finalize early” for vendors who have 500+ sales and 97 % positive feedback, but the default is still escrow
- Built-in XMR<->BTC swap powered by a modified Thorchain client, letting buyers fund orders without leaving Tor
- Per-message PGP encryption: even if JS is disabled, the server will refuse to store plaintext addresses
- Mirror rotation every eight hours, announced via a signed JSON blob parked on several paste sites plus the Dread subdread
- Bug bounty programme that actually pays—three CVE-level flaws have been patched publicly, with reward txids posted for verification
One subtle convenience is the “order state” RSS feed: buyers can poll a unique onion endpoint that returns an OpenPGP-signed XML file, handy for people running automated purchase trackers without logging in through the browser.
Security Model
City treats the server side as already compromised. All private keys for the multisig wallets live on an offline Sparrow instance that the admin claims is air-gapped in a Faraday room; withdrawal transactions are signed there, then sneaker-netted to the live machine via QR codes. From a user perspective, the market forces 2FA with either TOTP or a FIDO-compliant hardware token, and refuses password resets unless the user can sign a challenge with the original PGP key created at registration. Disputes are handled in a blinded chat room where moderators see only the order ID and encrypted shipping info; the final resolution message is published on the dispute page so both parties can verify no text was altered. That transparency reduces the “selective scam” allegations that haunted markets like Versus.
User Experience
First-time visitors notice the Spartan layout: no banners, no animated icons, just nested categories and a search bar that accepts regex. Vendors can upload only one 350×350 JPEG, keeping page weight under 150 kB—important for buyers stuck on slow Tor circuits. The order flow is linear: choose product → fund multisig → wait for blockchain confirmation → vendor marks shipped → auto-finalize in 14 days. During peak traffic (usually Sunday evenings UTC) the market throttles new orders to prevent the hot wallet from ballooning; impatient users see a polite “queue full” message instead of the 502 errors that plague rival sites. Mobile access works surprisingly well: the CSS media query collapses the sidebar, and the checkout QR codes scale to 600 px, readable even through Orbot on a small screen.
Reputation and Trust Indicators
City’s vendor bond is fixed at 0.05 XMR—low enough to encourage regional sellers, high enough to deter throwaway accounts. More important is the “stake weight”: vendors must keep an additional 25 % of monthly revenue inside the market’s multisig until their last order finalizes. That design, borrowed from early DNM forum “trusted seller” programmes, means a serious vendor risks thousands in escrow if they start selective-scamming. Buyers gauge trust through three visible metrics:
- Number of disputes won vs. lost (the market shows both figures, not just a shiny percentage)
- Median shipping time over the last 90 days, calculated from buyer-reported arrival dates
- PGP key age: keys created before the vendor’s first sale receive a green badge, discouraging key rotation scams
My own crawler shows City’s dispute rate hovering around 1.8 %, roughly half that of Tor2Door and a third of ASAP’s. The caveat is volume: City’s catalogue is maybe one-fifth the size of Bohemia’s, so the low dispute figure may reflect tighter curation rather than superior ethics.
Current Status and Reliability
As of June 2024, the main Dread-signed mirror posts an uptime of 96.3 % over the previous 180 days, with most outages lasting under 20 minutes, usually the result of the load balancer failing over to a new onion. No significant coin losses have been reported since early 2022, when a withdrawal API bug briefly let users request duplicate payouts; the admin clawed back coins from the hot wallet and published a full post-mortem, something exit-bound markets rarely bother to fake. Chain-analysis firms have tagged fewer than 12 % of City’s Bitcoin addresses as “market tainted,” compared with over 45 % for older venues that reused deposit wallets. That cleanliness, plus consistent Monero support, makes City attractive to privacy die-hards who don’t mind the smaller inventory.
Conclusion
City Market will never win the “largest darknet bazaar” title, and that seems to be by design. Its strengths are conservative engineering, transparent escrow logic and a mirror rotation scheme that keeps phishing sites from staying up long enough to rank on Google. The trade-offs are real: product diversity is limited, the queue system can delay purchases during demand spikes, and the multisig learning curve scares off casual buyers who just want one-click checkout. Still, for users who prioritize operational security over catalogue breadth, City remains one of the few post-Empire markets that has not broken trust or lost coins. If the administrators stick to their slow-growth playbook—and law-enforcement pressure stays focused on louder targets—City could plod along as the darknet’s equivalent of a neighbourhood co-op: small inventory, high trust, low drama.