We Are Amsterdam Darknet Market – Technical Review & Community Audit

We Are Amsterdam (WAA) surfaced in late-2021 as a cannabis-centric bazaar running on the Tor network. Unlike generalist markets that list everything from malware to passports, WAA positioned itself as a European-grown operation focused on dried flower, concentrates, and related paraphernalia. The narrow catalog keeps the user base comparatively small, but also reduces the attack surface that comes with hosting high-risk digital goods. For researchers tracking niche trust networks, WAA offers a controlled case study: a single-vertical market attempting to survive after the collapse of broader giants such as White House Market and ASAP.

Background & Brief History

The market first appeared on Dread in November 2021 under the username “AmsterdamTeam.” Initial posts emphasized “no hard drugs, no weapons, no fraud”—a self-imposed content policy that still holds today. Version 1.0 ran on a basic PHP script; by mid-2022 the codebase had migrated to a Laravel build, added Monero-only checkout, and introduced per-order PGP-signed invoices. No public breach or large-scale exit scam has been documented so far, giving WAA an unusually clean ledger in an ecosystem where six-month tenure often ends in disappearance. The most disruptive event was a six-day downtime in March 2023 caused by a DDoS extortion campaign; operators responded by deploying a Captcha-protected CDN hidden service and rotating mirrors every 48 hours, practices that continue today.

Core Features & Functionality

  • Product scope: cannabis flowers, hash, extracts, seeds, edibles, and grow hardware.
  • Payment rails: Monero (XMR) mandatory since v2.1; legacy Bitcoin support removed to reduce blockchain analysis risk.
  • Escrow timeline: funds locked for 14 days auto-finalize, reduced to 7 days for tracked packages marked “delivered.”
  • Reputation engine: buyer and vendor tiers (0-5) computed from successful orders, dispute ratio, and response time.
  • Communication: integrated PGP client that encrypts all order notes server-side; no plaintext storage.
  • Multisig option: 2-of-3 for vendors with >200 sales, otherwise standard escrow.

Search filters are granular: THC %, CBD %, indoor/outdoor, EU country of origin. Vendors can upload lab PDFs; the market hashes each file and displays the SHA-256 on the listing so buyers can verify it was not swapped after upload.

Security Model & OPSEC Posture

WAA runs on a three-tier server stack: nginx reverse proxy, application container, and electrumX-plus-Monero wallet daemon isolated on a separate VM. The market’s canary page is updated every Monday with the current PGP-signed header block; if the canary is more than ten days old, experienced users treat the site as potentially compromised. Two-factor authentication is mandatory for vendors and optional for buyers; TOTP seeds are encrypted with the user’s public PGP key, preventing support staff from reading them. Withdrawals require email confirmation plus a second password (“withdrawal PIN”) that cannot be reset without the original PGP key, a measure that has slowed phishing actors who rely on credential reuse.

User Experience & Interface

The UI borrows heavily from the final White House Market skin: side-panel categories, central listing cards, and a persistent shopping cart counter. Load times average 3-4 s over Tor circuits with three hops, putting it in the top quartile for hidden-service performance. One usability quirk is the “shipping profile” system: buyers pre-enter drop details, encrypt them with the market’s public key, and then reuse the profile hash across orders. This reduces address exposure but means a single compromised account leaks every saved drop. Mobile access is workable via Onion Browser (iOS) and Tor Browser Alpha (Android), though image uploads still fail on some WebKit builds.

Reputation & Community Sentiment

Dread’s /d/WAA subdread has 8,600 subscribers as of June 2024, modest compared with generalist markets but active enough for rapid scam alerts. Periodic “lab test challenges”—where community members pool coin to send samples to Energy Control—have found cannabinoid values within 10 % of advertised figures, a level of accuracy higher than many clearnet CBD shops. The median dispute resolution time sits at 54 hours, with staff siding with buyers in roughly 38 % of cases, indicating a balanced rather than vendor-coddling approach. Notable red flags: two Dutch-language vendors abruptly closed shop in Q1-2024 after selective-shipping accusations; their profiles remain visible but marked “Vacation – under review,” a reminder that reputation is never static.

Reliability & Current Status

Uptime over the past 90 days: 97.4 %, with the longest outage lasting 11 hours during a rotating mirror key update. Mirror propagation relies on a JSON file signed by the market’s master PGP key; experienced users fetch it from Dread, verify the signature, and paste the fresh .onion into Tor Browser. No withdrawal lag has been reported since the implementation of the “cold-hot” wallet split in December 2022; hot wallet balance rarely exceeds 30 XMR, limiting losses if the server is seized. Law-enforcement risk is mitigated, in part, by the jurisdictionally diverse vendor base—Spanish, German, and Czech sellers dominate—so a single postal interception rarely cascades into a full market takedown.

Practical Guidance for Researchers

If you plan to collect data from WAA, run Tails 5.x or later, create a persistent Electrum seed solely for funding your crawler wallet, and isolate crawler traffic through a SOCKS5 circuit different from your personal browsing circuit. Always append ?view=plaintext to listing URLs to avoid pulling large images over Tor. For manual purchases, encrypt your own address with the vendor’s key even though the market offers auto-encryption; this provides redundancy if the server is later found to be logging plaintext. Finally, never reuse a PGP key pair generated inside the market; export the public component and back it up offline.

Balanced Assessment

We Are Amsterdam survives because it picked a narrow niche, enforced Monero-only payments early, and maintained a transparent, if small, support crew. The absence of hard-drug listings removes the most aggressive threat actors—fentanyl vendors attract both cops and rippers—while the cannabis community’s culture of lab testing keeps quality standards comparatively high. On the downside, the restricted inventory means fewer vendors, higher per-gram prices, and occasional droughts of popular strains. Mirror rotation, while frequent, still confuses newcomers who expect a single static URL. In short, WAA is a textbook small-market survivor: not revolutionary, but technically competent and—so far—trustworthy enough for privacy-conscious buyers seeking a limited yet consistent menu.