Illegal malware marketplace and hacker forum Darkode is back online, weeks after a US-European sting operation claimed to have arrested those behind it.

At the time of the takedown, announced 15 July, Europol estimated that between 250-300 members were using "the most prolific English-speaking cybercriminal forum to date… to trade and barter their hacking expertise, malware and botnets, and to find partners for their next spam runs or malware attacks". 28 people were arrested at the finale of the 18-month operation, including a 26-year-old from Coventry.

But already a holding site, darkcode.cc, is live and advertising its new and improved services, showing you can't keep a dedicated hacker down. A post on the homepage not only reveals that the ringleaders are still operational and not behind bars, but offers up instructions to the marketplace to ensure customers don't get itchy feet.

The first of two posts says: "Most of the staff is intact, along with senior members. It appears the raids focused on newly added individuals or people that have been retired from the scene for years."

It goes on to confirm the forum will be "back in onion land" -- referring to secure, anonymous router Tor -- in an invite-only format. A "generate onion" button sits on the page, but is currently not operational. Knowing the eyes of the law are squarely on it, the forum claims it will only accept known members it can confirm - authentication will be made using the Blockchain API. Like Silk Road 2.0 before it, all this is designed to attract users back and assure them their details will be secure after the raid, with the post continuing: "We will not store any form of user information except a hash of the BTC Guid, a BTC Wallet, and an alias if the user chooses to create one." It warns members to avoid anyone publicly claiming to be a member, and anyone who joined Darkode in the last six to eight months (they'll likely be an informant).

"We believe full disclosure on how the new forum will function is necessary to allow members to have confidence in its security. Our mission is to cast out any doubts in the setup as well as allow the world to critique the new system."

As spotted by the Register, 21-year-old UK programmer and malware analyst MalwareTech seems to have the inside track on the site operators, and has backed up suggestions that the main admin at Darkode was not arrested in the July raid made by the FBI and European Cybercrime Centre.

"Originally the main admin known as 'Sp3cial1st' had posted a statement on pastebin declaring that he wanted to wait and see who all of the 70 users arrested were before bringing the forums back online," writes MalwareTech. Sp3cial1st launched darkcode.cc as a holding page a few hours after that statement, though. The new format, with all members having their own onion address, "would allow the darkode admins greater control over who gets access, preventing people from accessing a hacked account without the owner's onion url," writes MalwareTech. "It would also allow them to better monitor who views what by creating an individual log file for each onion, meaning they could quickly weed out leakers."

"Even more interesting it states that bitcoin wallets would be tied to accounts and used for users to authenticate on the forums, this would mean that hackers could not use a hacked account to scam with unless they know the user's private key."