DarkForums Jabber Server Exposes Its Real IP Address

DarkForums Jabber server exposing its real public IP address through Censys and DNS records

Even services built for private conversation sometimes betray themselves. The giveaway is not the content of the messages. Instead, it is the ordinary network infrastructure behind them. Analysts at Covert Security found that the DarkForums Jabber server does not run as a hidden Tor service. Rather, it sits on a normal public IP address. As a result, standard internet-infrastructure search tools can find it with ease.

Two Domains, One Address

DarkForums promotes its own XMPP service as a private channel for forum members. At sign-up, users see two domains: darked.im and darkforums.im. The forum says nothing about whether the two run on separate infrastructure. A check through Censys answered that question: both domains point to the same address, 172.234.115.5.

Where the Server Lives

The server runs on Linode infrastructure, part of Akamai Connected Cloud. Its geolocation points to Stockholm. On the same address, several services are visible: SSH, HTTP, HTTPS, and a few XMPP ports. The HTTPS web response even names the Darked.IM service for the DarkForums community. So anyone can link the address to the Jabber server. No hacking or active probing is required.

Encryption Hides Content, Not Infrastructure

XMPP encryption can protect the contents of messages. However, it does not hide the infrastructure itself. A network-level observer can still see plenty. That view includes the fact of a connection, the frequency of requests, the length of sessions, and other metadata. For a service that promises protection from surveillance, this gap matters. The distance between the claimed anonymity and the real hosting setup creates serious risk for users.

Stray DNS Records Tell More

A DNS check revealed another service on the same IP. The public XMPP service xmpp.sg shares the address, yet it shows no outward link to DarkForums. In addition, an old subdomain still points there: jdrtyipau.er18.mobi. The main domain, er18.mobi, has already expired. A Chinese registrar, west.cn, now lists it for sale. The subdomain record appears to be a leftover from an older configuration. Covert Security draws no conclusion about the connection. Still, it flags the record as worth watching.

A Lesson in Operational Security

The researchers stress an important point. This is not a flaw in XMPP or a failure of encryption. They found the address through public DNS data and Censys, without any attempt to break in. So how can operators reduce this kind of risk? Encrypting messages helps, but it is not enough. Hiding the infrastructure matters just as much. Operators should also separate public services, control their DNS records, and avoid placing private communication nodes on cloud addresses that scanners can see.
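As an added example, not part of Covert Security's report, the following is the kind of self-audit a service operator could run over their own DNS records to catch exactly the exposures described above: hostnames from unrelated domains landing on one address, records pointing at a scanner-visible public IP, and leftover records under a lapsed domain. The resolved records are constructed from the values the article quotes (no live lookups), and the registrable-domain helper is a simplified assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: hostnames and the A records they resolve to, taken
# from the values quoted in the article. A real audit would fill this from
# the operator's own zone files or resolver output.
RESOLVED = {
    "darked.im": ["172.234.115.5"],
    "darkforums.im": ["172.234.115.5"],
    "xmpp.sg": ["172.234.115.5"],
    "jdrtyipau.er18.mobi": ["172.234.115.5"],
}

# Domains the operator knows have lapsed (constructed from the article).
EXPIRED_DOMAINS = {"er18.mobi"}


def registrable_domain(host: str) -> str:
    """Simplified assumption: the registrable domain is the last two labels."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def audit_dns(resolved, expired):
    """Return (severity, message) findings for colocation, public exposure
    and stale records, one pass per distinct IP address."""
    by_ip = defaultdict(set)
    for host, addrs in resolved.items():
        for addr in addrs:
            by_ip[str(ipaddress.ip_address(addr))].add(host)

    findings = []
    for ip, hosts in sorted(by_ip.items()):
        if ipaddress.ip_address(ip).is_global:
            findings.append(("info", f"{ip} is a public address reachable by internet-wide scanners"))
        # Colocation: more than one registrable domain sharing the address
        domains = {registrable_domain(h) for h in hosts}
        if len(domains) > 1:
            findings.append(("high", f"{ip} colocates {len(domains)} unrelated domains: "
                                     + ", ".join(sorted(domains))))
        # Stale records: hostnames whose parent domain is no longer held
        for h in sorted(h for h in hosts if registrable_domain(h) in expired):
            findings.append(("medium", f"stale record {h} still points at {ip} "
                                       f"although {registrable_domain(h)} has expired"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_dns(RESOLVED, EXPIRED_DOMAINS):
        print(f"[{severity}] {message}")
```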
