$ last_check --date February 11, 2026

White House Market Mirrors: Operational Security on a Shutdown Site

White House Market (WHM) was one of the last large-scale drug-centric markets that enforced Monero-only payments and mandatory PGP for every interaction. When its administrators announced a controlled retirement in October 2021, many users expected the mirrors to vanish within days. Instead, the landing pages stayed online for months, redirecting to a single farewell message and, curiously, collecting login attempts. For researchers, these residual mirrors offer a rare case study: a market that shut itself down without an exit scam, yet whose infrastructure refuses to die cleanly.

Background and Controlled Exit

WHM launched in late 2019, riding the post-Empire exodus wave. It differentiated itself by refusing Bitcoin entirely—an annoyance at first, but a policy that later looked prescient as blockchain tracing tools matured. The market peaked at roughly 3 000 active vendors and 30 000 weekly orders before volume began to slide in mid-2021. Vendors complained that Monero’s thin liquidity made cashing out expensive, and buyers disliked the extra conversion step. Rather than risk an ignominious seizure or exit scam, the staff froze withdrawals, finalized all escrow, and posted a short retirement letter signed with the market’s long-term PGP key. No funds were lost, which immediately turned WHM into the unicorn of dark-net folklore: a place that actually closed without stealing.

Mirror Life-Cycle After Shutdown

Most markets disappear the moment the backend is pulled; Tor hidden services simply stop answering. WHM’s operators, however, left the nginx reverse proxies running. For several weeks the usual sixteen-character .onion addresses returned the same static HTML page: a brief thank-you note and the retirement PGP signature. No database, no JavaScript, no phishing redirects—just a ghost landing page. Observers initially assumed the servers had been forgotten, yet uptime monitoring showed patches and TLS certificate renewals continuing through December 2021, suggesting deliberate maintenance. By February 2022 half of the known mirrors finally returned “Unable to connect,” but at least three remain reachable today, still serving the farewell page. Whether the staff is paying for hosting out of nostalgia or law enforcement is preserving the infrastructure for telemetry is an open question.

Why Mirrors Matter for OPSEC

Active or not, mirrors teach harsh lessons about link verification. WHM published its rotation addresses only inside the market itself and via two trusted PGP-signed channels: Dread forum posts and a canary file deep-linked on the Tor Project’s bug tracker. After retirement, new mirror links appeared almost immediately on phishing directories. They used slight spelling distortions—whm4dot… instead of whm4to…—and copied the retirement page verbatim, but injected a JavaScript credential harvester. Because the genuine service no longer authenticated users, the fake mirrors never forwarded credentials anywhere; instead they recorded passwords and PGP private keys for reuse on other markets. Anyone who typed seed phrases “just to see if withdrawals still work” handed adversaries a tidy package. The lesson: a market that no longer trades can still leak secrets if users abandon proper link checking.

Technical Footprint of Residual Infrastructure

Scanning the remaining mirrors shows consistent software stacks: Debian 10, nginx 1.14.2, and a Tor 0.4.2 daemon. Headers return “X-Frame-Options: DENY” and “Referrer-Policy: same-origin,” identical to the live market, implying the configs were cloned rather than rebuilt. No new content has been uploaded; directory enumeration returns 403 across every known path except /, /static/css, and /images. The market’s canonical PGP key still sits in the footer, unchanged since 2019. Interestingly, Robtex shows no overlap with seized domains from Operation SpecTor, so the IPs—presumably rented bullet-proof boxes—have not been flagged to hosting providers. That longevity hints at prepaid terms running through late 2022, possibly bought with clean Monero months before the shutdown announcement.

Community Afterlife and Reputation Recycling

On Dread, retired WHM vendors retain their flair, and the market’s subdread remains unlocked. Newbies occasionally ask whether the mirrors might “come back,” hoping for a resurrection. Old hands reply with the retirement PGP signature and remind them that no staff member has posted anywhere since October 2021. Nonetheless, three vendors have reused their WHM PGP keys on smaller markets, piggy-backing on the old reputation. Because the original market keys were never revoked, this is technically valid, but buyers should treat those profiles as legacy references only—there is no escrow continuity, and disputes cannot be escalated to the absent WHM staff.

Practical Guidance for Researchers

If you are cataloguing historical dark-net data, the mirrors are safe to visit: no JavaScript, no on-site resources except CSS, and no active sessions. Fetch the pages with curl over a fresh Tor circuit and store the retirement signature; it is useful for verifying future claims of “WHM 2.0.” Do not log in, even with throw-away credentials—phishing versions still appear in fresh Tor2Web mirrors every month. For ordinary users, the correct action is to delete any WHM bookmarks and purge PGP keys that were shared exclusively with the market. There is no legitimate reason to interact with the service anymore, and every day a mirror stays online increases the chance of typo-squatting attacks.

Conclusion

White House Market’s mirrors are the digital equivalent of shuttered shop fronts whose lights someone forgot to switch off. They serve no commercial purpose, yet they remain a valuable artifact: proof that a market can close without exit-scam drama, and a reminder that infrastructure lingers longer than reputation. Treat the remaining .onion addresses as read-only museum pieces, not invitations to trade. And when the next marketplace waves the “we’re different” banner, remember how WHM ended—cleanly, but still leaving ghost servers in its wake. If even the good actors can’t fully erase their footprints, the rest of us had better encrypt twice and verify three times.