Daniel’s Hosting (HD), one of the most popular and largest web hosting providers on the dark web, has been hacked, compromising thousands of dark web websites which have since gone offline. According to the Daniel’s Hosting homepage, the sites were compromised on Thursday night, November 15, and the provider has been looking for entry points since then.

Dark web sites have recently grown in popularity and have caught most news headlines due to their anonymity that motivates most of the activities on the sites. The users are significantly challenging to track and hence make it favorable for journalists, political activists, and criminals. However, the dark web is more famous for illegal drugs, weapon trafficking, and cybercrimes among other criminal activities.

Daniel’s Hosting has been one of the largest and most popular dark web site hosting providers since a similar hacking of another provider occurred, which led its customers to move to DH. ‘Freedom Hosting II’ was a popular dark web site hosting provider until February last year when it was compromised by an anonymous hacker.

According to Daniel Winzen, the software developer and founder of Daniel’s Hosting services, he is still investigating what exactly happened as well as identifying the hacker’s entry point. “According to my analysis, somebody must have hacked and gained access to our database and deleted all our accounts compromising more than 6,500 dark web sites hosted on our platform,” Daniel admitted, “This includes the account I use to manage and monitor the database itself called the Server’s roots.”

In a message sent via the DH portal yesterday, as per the design of the servers, all the data was lost in the unfortunate incident and there is no backup. However, he has promised to bring back the hosting services better and safer after identifying the vulnerable spots and the hacker’s entry points.

“At the moment I haven’t yet finished with the full analysis of the server log files to tell exactly what happened, which I need to do first. However, with the part I have already analyzed, I have reasons to believe that the hacker behind the breach got access only to the administrative database and not the full system. Some files and accounts were left unaffected, most of which are not part of the hosting configuration,” said Winzen, “I have so far identified one vulnerable point, a PHP zero-day vulnerability, but I still don’t believe that it is the hacker’s entry point.”

PHP zero-day vulnerability appeared for the first time a month ago among Russians PHP programmers and gained significant popularity among the infosec communities and the programming circles.

The German software developer has promised his customers that he will keep them updated on his investigation and findings on DH portal. “This is an opportunity to update and improve our system after a long time, and I am sure we will be back online before the end of this year.”

There is a possibility that the breach might have been easier since the Daniel’s Hosting source code has been open-sourced on GitHub for a while, which could give prospective hackers an inside look at its services.