By WeTheNorth (WTN) is a Canadian-focused Darknet Marketplace (DNM) that emerged in 2021 following the shutdown of CanadianHeadquarters (CanadaHQ). WTN facilitates the sale of illicit goods and services, with drugs and chemicals topping its listings—totaling 5,191 as of May 17. Other prominent categories include fraud-related products such as stolen credit card data (CVVs), counterfeit documents, and similar illicit items.
According to a profile by SOCRadar, WeTheNorth is estimated to be worth over ~$3 million USD, with transactions primarily conducted in cryptocurrencies like Bitcoin (BTC) and Monero (XMR).
This article aims to investigate WTN’s presence on the surface web by mapping associated domains and examining historical cryptocurrency transactions linked to its bulletproof infrastructure providers.
Surface Infrastructure Discovery Using SilentPush
We used SilentPush to analyze the primary onion address of WeTheNorth (WTN), hn2paw7[…].onion. The scan identified 217 unique html_body_ssdeep hashes—indicators of page-level content similarity. To refine the results, we included a targeted search for the htmltitle value “WeTheNorth Market”, which significantly narrowed the dataset.
This approach uncovered a total of four surface web domains, six backend servers (excluding those protected by Cloudflare), and two associated onion domains. A detailed breakdown of these findings is provided in the table below.
| Domain Name / IP Address | IP Server / Geolocation / ISP |
| Wtnmarket[.]net | 193.3.19.91, Moscow, Russia; Tilda LLC; transit provider JSC Selectel (AS50340) |
| Wtnforum[.]net
| 193.3.19.89, Moscow, Russia; Tilda LLC; transit provider JSC Selectel (AS50340); 193.3.19.91, Moscow, Russia; Tilda LLC; transit provider JSC Selectel (AS50340) |
| Wethenorthlink[.]com | 104.21.92.16, California, USA; Cloudflare, Inc |
| hn2pawxhwytyhtexin3x65q2aza2q7zkhrybeujpsy2523r777cdxxad[.]xyz
| 104.21.44.230, California, USA; Cloudflare, Inc |
| hn2paw7zaahbikbejiv6h22zwtijlan65y2c77xj2ypbilm2xs4bnbid[.]link | 104.21.55.133, California, USA; Cloudflare, Inc 188.114.96.2, California, USA; Cloudflare, Inc |
| Freedrugs[.]co
| 45.135.232.94, Saint Petersburg, Russia; Proton66 OOO (AS198953) 91.199.137.173, South Moravian, Czech Republic; SmartApe OU (AS62212) |
| 5.188.82.108 | Moscow, Russia; JSC Selectel (AS50340) |
| 31.41.244.194 | St. Petersburg, Russia; Red Bytes LLC (Cat Technologies Co. Limited, AS57678 – BEARHOST) |
Uncovering the Broader Infrastructure of WeTheNorth: SSL Metadata, IP History, and SOCMINT Insights
To expand the visibility into WeTheNorth’s infrastructure, we conducted an in-depth analysis of SSL certificates, historic reverse IP data, and social media intelligence (SOCMINT).
A notable finding emerged during the SSL certificate review for the domain freedrugs[.]co, which listed freedrugs[.]app as the Common Name. Although currently inactive, this domain was previously hosted by Cat Technologies Co. Limited (Hong Kong), a company linked to BEARHOST, a known bulletproof hosting network.
Historical hosting records further confirmed that wtnmarket[.]net had also been served via BEARHOST infrastructure under Cat Technologies. Similarly, analysis of the historical IP address 193.3.19.89, previously hosting wtnforum[.]net, revealed other domains including app.growandshare.ca, a cannabis-focused platform targeting Canadian users. This IP was formerly registered to Chang Way Technologies Co. Limited, another entity tied to BEARHOST.
An examination of historical domains hosted on IP 193.3.19.99, which once hosted wtnmarket[.]com, revealed a series of inactive domains associated with both WeTheNorth and its predecessor, CanadaHQ:
- darknetcanada[.]com
- darknetlinkurl[.]com
- wethenorthmarketurl[.]com
- deepweb[.]news
- canadahq[.]market (former CanadaHQ)
- wethenorthurl[.]com
- canadahqlinks[.]net (former CanadaHQ)
- deepweblinkcanada[.]com
- wtnmarket[.]com
- canadahq2[.]net (former CanadaHQ)
Further analysis of historic SSL certificate Common Names for canadahq2[.]net, canadahqlinks[.]net, and canadahq[.]market indicated strong overlaps with wtnmarket[.]com, reinforcing the conclusion that WeTheNorth is a direct successor to CanadaHQ.
Another infrastructure link was uncovered via the historical IP 176.121.14.56, previously associated with wethenorthmarketurl[.]com and hosted by AjyalFi Company for Information and Communication Technology LLC (Palestine). This led to the identification of additional domains linked to WTN and CanadaHQ:
- wethenorthmarket[.]net (active)
- wtnmarket[.]live (inactive)
Finally, a SOCMINT investigation surfaced three more domains tied to WeTheNorth:
- wtn[.]market
- wtnbets[.]com
- wtnmarket[.]com
A comprehensive table detailing all identified domains, hosting information, and associations is provided below.
| Domain | Status | Notable Details |
| Wtnmarket[.]net | Active | Registered: 30 June 2021 Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED, China IP Server: 77.83.207.39; Moscow, Russia; Optima Llc Historic IP Server I: 193.24.123.249; Saint Petersburg, Russia; Prospero Ooo (AS200593) Historic IP Server II: 31.41.244.194; Russia; Cat Technologies Co. Limited (Hong Kong) |
| Wtnforum[.]net
| Active | Registered: 30 June 2021 Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED, China IP Server: 77.83.207.36; Moscow, Russia; Optima Llc Previous IP Server: 193.3.19.89; Moscow, Russia; Tilda LLC; transit provider JSC Selectel (AS50340) Historic IP Server: 193.24.123.250; Saint Petersburg, Russia; Prospero Ooo (AS200593) |
| Wethenorthlink[.]com | Active | Registered: 3 February 2022 Registrar: Tucows, Inc, Canada Historic Registrar: Shinjiru Technology Sdn Bhd, Malaysia (14 February 2022) IP Server: 104.21.92.16, California, USA; Cloudflare, Inc Associated with Reddit and Medium user wtnwethenorth3 |
| Freedrugs[.]co
| Active | Registered: 27 May 2024 Registrar: Tucows, Inc, Canada IP Server: 91.199.137.173; Prague, Czech Republic; SmartApe OU (Estonia) Historic IP Server: 45.135.232.94; Saint Petersburg, Russia; Proton66 OOO (AS198953) |
| Freedrugs[.]app | Inactive | Registered: 27 May 2024 Registrar: Tucows, Inc, Canada IP Server: 176.113.115.237; Moscow, Russia; Cat Technologies Co. Limited (Hong Kong) |
| Wtn[.]market | Active | Registered: 26 May 2024 Registrar: Tucows, Inc, Canada IP Server: 77.83.207.45; Moscow, Russia; Optima Llc |
| Wtnbets[.]com | Redirects to gumclinic.com (online casino) | Registered: 15 January 2023 Registrar: NameCheap, United States IP Server: 104.21.58.246; California, USA; Cloudflare, Inc |
| Wtnmarket[.]com
| Inactive | Registered: 1 August 2021 Registrar: NameCheap, United States Historic IP Server: 193.3.19.99; Moscow, Russia; Tilda LLC; transit provider JSC Selectel (AS50340) |
| Wethenorthmarketurl[.]com | Inactive | Registered: 17 February 2022 Registrar: NameCheap, United States |
| Wethenorthurl[.]com | Inactive | Registered: 17 February 2022 Registrar: NameCheap, United States |
| Wtnmarket[.]ca | Active | Registered: 5 July 2024 Registrar: Gandi Services Inc., Gandi SAS (France) IP Server: 172.67.187.250, California, USA; Cloudflare, Inc Historic IP address: 176.126.113.95; The Netherlands; Stark Industries Solutions Ltd (United Kingdom) |
| Wtnmarrket[.]net | Active | Registered: 17 October 2024 Registrar: UAB HOSTINGER operations, UAB (Lithuania) IP Server: 157.173.214.133, Boston, United States; Hostinger International Limited |
| Wethenorth[.]market | Inactive | Registered: 6 January 2022 Registrar: Eranet International Limited (Hong Kong) |
| wethenorthmarket[.]net | Active | Registered: 22 November 2023 Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED Historic Registrant Name: Andrey Vladimirovich Historic Registrant Country: Russian Federation |
| Wtnmarket[.]live | Inactive | Historic IP addresses: 58.64.137.69 (Hong Kong; HKBN Enterprise Solutions Limited); 176.121.14.56 (Palestine; AjyalFi Company for Information and Communication Technology LLC) 176.121.14.103 (Palestine; AjyalFi Company for Information and Communication Technology LLC) 91.214.124.202 (Ukraine; ORIZON TELECOM S.A, Greece) |
A timeline graph showing the domain registrations along with their status over time is provided below.
Bulletproof Hosting Infrastructure Supporting WeTheNorth
Multiple bulletproof hosting providers have been identified as part of the infrastructure supporting WeTheNorth (WTN) and its associated domains. These providers are known for hosting illicit or high-risk services.
Optima LLC (AS216341) is the current hosting provider for wtnforum[.]net, wtnmarket[.]net, and wtn[.]market. This Autonomous System has only one allocated IPv4 subnet—77.83.207.0/24—and maintains two peer connections: JSC RetnNet (AS57304, Russia) and RETN Limited (AS9002, United Kingdom).
According to RIPE registry data, Optima LLC is listed at the subnet’s physical address. The company (OGRN: 1247700762231) was officially registered on 22 November 2024, with its primary stated activity being the construction of residential and non-residential buildings. It is managed by Lebedev Sergey Viktorovich. However, the associated domain optimllc.ru, registered on 28 January 2025, and the company’s incongruous business registration strongly suggest that Optima LLC (AS216341) is functioning as a fraudulently registered bulletproof hosting provider.
Two previously identified Russian bulletproof hosting providers—Prospero OOO (AS200593) and Proton66 OOO (AS198953)—also feature in the WeTheNorth hosting trail. Prospero OOO was a former host for both wtnforum[.]net and wtnmarket[.]net, while Proton66 OOO was identified as the hosting provider for freedrugs[.]co.
Cat Technologies Co. Limited (Hong Kong), previously linked to the BEARHOST bulletproof network, provided infrastructure for wtnmarket[.]net and freedrugs[.]app. Additional information about BEARHOST is available in our prior reporting.
Another BEARHOST-linked entity, Chang Way Technologies Co. Limited (Hong Kong), was historically associated with IP subnet 193.3.19.0/24. This subnet is now attributed to AS50340 JSC Selectel, a transit provider for IPs 193.3.19.89 and 193.3.19.91, both of which have been hosted by Tilda LLC (AS215306).
Tilda LLC (AS215306) is yet another bulletproof hosting provider. The associated domain, tildallc.ru, was registered on 22 February 2022, and the company itself (OGRN: 1247700120414) was incorporated on 6 February 2024 in Moscow, Russia. It was officially liquidated on 17 February 2025 due to inaccurate registration data submitted to the Unified State Register of Legal Entities. Tilda LLC was managed by Gvozd Vladimir Viktorovich (INN: 931000550200), with its declared business activity being consultancy in commercial operations and management.
Additionally, subnet 193.201.9.0/24 was found to be allocated to Tilda LLC (AS215306), as confirmed via BGP records on bgp.he.net.
SOCMINT Analysis: Mapping the Social Media Footprint of WeTheNorth
Our Social Media Intelligence (SOCMINT) investigations have identified several accounts linked to WeTheNorth (WTN). These accounts serve as communication hubs, promotional channels, or points of contact for potential users and affiliates.
The identified social media profiles are listed below, with further metadata, platform affiliations, and observed activity patterns included in the summary table that follows.
| Platform | Username / ID | Notable Details |
| 296175266918485 | Registered: 14 May 2024 Primary country/region location for people who manage this Page includes: Canada (1) Display name: We The North Market Email: wethenorthmarketplace@gmail.com Physical address listed: 100 Yonge St, M5C 2W1 YouTube: youtube.com/@wtnmarket Website: wtn.market 13 likes; 15 followers Organized an event in Ontario, Canada | |
| X.com | WtnMarket / 1627571809150287872 | Registered: February 2023 Location: Canada Website: wtnmarket.net Followers: 6,023 Registered Email: we*******************@gmail.com Registered Phone: ending in 03 |
| X.com | wtn_market / 1829187075071193094 | Registered: 29 August 2024 Links to their onion site, and wtnmarket.ca 1 following; 1 follower Registered email: do************@gmail.com |
| YouTube | Wtnmarket / UCRy4as5V9CO5ur7XkyTuYUw | Registered: 27 March 2023 Location: Toronto, Canada 10 subscribers Links to: wtn.market, wtnmarket.net and wtnbets.com |
| Tik Tok | wtnmarket | Inactive account |
| Threads | wtn.marketplace | Links to wtn.market, wtnmarket.forum, wtnmarket.net |
| wtn.marketplace | Registered: February 2023 Former usernames: 1 Website: wtn.market Location: 100 Yonge St, Toronto, ON M5C 2W1, Canada | |
| Telegram (stickers) | wtn_market | Url: t.me/addstickers/WTN_MARKET |
| 500px.com | Wtnmarket / 1025217870 | Registered: 22 March 2025 |
| Imgur.com | Wtnmarket / 190030495 | Registered: 27 March 2025 Bio: tigersccsohp.bz (inactive), blackbet.bz (active; betting site), savasstan0.bz (active) |
| Wtnmarket / 978899806414182130 | Links to wtn.market | |
| letterboxd.com | wtnmarket | Physical address: 100 Yonge St Toronto, ON, M5C 2W1 Website: wtnmarket.com |
| Blogger | Wtnmarket / 8863278653428927519 | Url: wtnmarket.blogspot.com |
| Blogger | 14080312838072851836 | Registered: June 2022 Url: blogger.com/profile/14080312838072851836 |
| flipboard.com | Wtnmarket / 3974996694 | Links to wtnmarket.com |
| myanimelist.net | Wtnmarket / 19578043 | Registered: 24 January 2025 Last Seen: 2025-01-24T12:09:00 Location: 100 Yonge St, Toronto, ON, M5C 2W1, Canada Email: contact@wtn.market Phone Number: 267-615-9887 (landline) |
| Wtnmarket / vtew4q69 | Registered: 6 February 2023 Address: 100 Yonge St Toronto, ON, M5C 2W1 Verified: true | |
| ProtonMail | wtnmarket | Email: wtnmarket@proton.me |
| ProtonMail | wtn.market | Email: wtn.market@proton.me |
| ProtonMail | wtn_market | Email: wtn_market@proton.me |
| threadless.com | wtnmarket | Address: 100 Yonge St, Toronto, ON, M5C 2W1, Canada |
| SoundCloud | Wtnmarket / 1528128832 | Name: David Tobi Registered: 20 March 2025 Last Seen: 2025-03-20T07:37:37Z Links to wtnmarrket.net, savasstan0.bz, blackbet.bz, tigersccsohp.bz |
| gamespot.com | wtnmarket | Registered: 24 January 2025 Address: 100 Yonge St, Toronto, ON, M5C 2W1, Canada E-mail: contact@wtn.market Phone Number: 267-615-9887 (landline) Website URL: wtn.market |
| wordpress.com | wtnmarket | Url: wtnmarket.wordpress.com |
| Quora | Wtnmarket / 2977124138 | Registration: 25 March 2025 Links to tigersccsohp.bz |
| Telegram | Wtnmarket / -1001507158780 | 2 subscribers |
| about.me | Wtnmarket / 7431025 | Address: 100 Yonge St, Toronto, ON, M5C 2W1 Website: wtnmarket.com |
| issuu.com | wtnmarket | Address: 100 Yonge St Toronto, ON, M5C 2W1, Canada Website: wtnmarket.com |
| docker.com | Wtnmarket / f8a8142b621d4813bce57074baf7f5ab | Name: David Tobi Registered: 18 March 2025 Website: wtnmarrket.net |
| tumblr.com | Wtnmarket / t:7JmNQEulHpkuIrWpEBloeg | Registered: 22 March 2025 Links to wtnmarrket.net, blackbet.bz, savasstan0.bz, 19977.WS (inactive), tigersccshop.bz (active) |
| tumblr.com | Wethenorthmarket | Website: wtn.market Address: 100 Yonge St, Toronto, ON, M5C 2W1, Canada Email: contact@wtn.market Phone Number: 267-615-9887 (landline) |
| issuu.com | wtnwethenorth3 | Address: 3624 boulevard des Laurentides, Shawinigan, Quebec, G9N 3B6 Phone number: 819-540-6474 (landline; Quebec) Website: wethenorthlink.com |
| Medium.com | wtnwethenorth3 / 7e8d62e32d07 | N/A |
The below timeline graph shows the registration dates of the WeTheNorth (WTN) social media and online accounts. It highlights the surge in registrations from early 2023 to early 2025, suggesting a sustained infrastructure buildup following the shutdown of CanadaHQ.
Breach Data Insights – Linking Leaked Data to WTN
Analysis of breach data has uncovered additional pieces of relevant information connected to WeTheNorth (WTN).
| Breached Dataset | Details |
| Parkbench, 2024 (American network of hyperlocal sites) | Email: wtnmarket1@gmail.com |
| Epik.com, 2021 (web hosting) | Email: FREEDRUGS.CO@anonymize.com |
Email Attribution Analysis – Identifying Accounts Tied to WTN via OSINT
Using the OSINT.industries platform, we identified multiple online services and platforms registered with the email address wethenorthmarketplace@gmail.com, which is linked to WeTheNorth (WTN). These associations provide further context into WTN’s digital footprint and operational reach. A summary of the identified accounts is provided in the table below.
| Platform | Username / ID | Notable Details |
| 112740367450284085663 | N/A | |
| X.com | N/A | Phone Number Hints: *** 03 |
| N/A | N/A | |
| Microsoft | 10A977754A17F9C7 | Email Hints: wt *** @sindhier.com Name: Lee Harkin Location: Canada Phone Linked: Yes |
Below is a summary table, sourced from Osint.industries, listing the online accounts linked to the email wtnmarket1@gmail.com.
| Platform | Username / ID | Notable Details |
| 109744953178634164667 | N/A | |
| Trello | wtnmarket1 / 63e0a15c2632d6199b0a1580 | Last Seen: 2/6/2023 6:42:36 AM |
| Adobe | N/A | Authentication provider: Google |
| Gravatar | Wtnmarketon
| Registered: 2 years ago Location: 100 Yonge St Toronto, ON, M5C 2W1 Website: wtnmarket.com |
| Quora | We-The-North-Market-1 / 2087174223 | Registered: 6 February 2023 |
Analysis of Infostealer Data via Infostealers.info
Additional investigations were conducted using Infostealers.info to search for unique identifiers such as usernames, email addresses, and domain names found in earlier sections. Infostealer data was discovered for Wtnmarket[.]net, Wtnforum[.]net, and Wethenorth[.]market, demonstrating the capability of infostealer data to reveal potential users accessing the dark net market, including possible buyers and sellers. Between August 2022 and April 2025, 120 login credentials were identified for Wtnmarket[.]net. Further examination of these logs revealed repeated logins from certain users, one of whom was linked to a registered IP address located in Calgary, Alberta, Canada.
A screenshot from Infostealers.info is provided below.
For another user who repeatedly logged into Wtnmarket[.]net, 621 logs were identified across various platforms such as PayPal, Microsoft, Google, Facebook, Discord, and Apple. This user was linked to an IP address geolocated in Sechelt, British Columbia, Canada.
Additionally, 28 login records for Wtnforum[.]net were found via Infostealers.info. Analysis of a frequent Wtnforum[.]net user revealed 292 logs connected to multiple platforms including Scotiabank, eBay, Microsoft, Apple, Discord, Facebook, Publicmobile.ca, and staples.ca. The user’s IP address was traced to Medicine Hat, Alberta, Canada.
For Wethenorth[.]market, 25 login details were discovered. Investigation of recurring logs identified one user with an IP address located in Surrey, British Columbia, Canada. This user was associated with 368 logs on platforms such as Apple, Roblox, GoDaddy, Amazon.ca, Facebook, Coinbase, and PayPal.
This infostealer data highlights a rich source of information that can be utilized in OSINT investigations to identify potential buyers and sellers operating on Dark Net Markets with activity extending onto the Surface Web.
Blockchain Analysis – Key Insights
A blockchain analysis was performed to identify the infrastructure providers used by WeTheNorth (WTN). Using Arkham.com, a transaction chart was created illustrating the transactions between WeTheNorth (WTN) and the BEARHOST bulletproof hosting network, a connection previously established through IP address analysis. A screenshot is provided below. Additional details about the wallet(s) linked to WeTheNorth (WTN) and BEARHOST can be accessed via AMLBot.com.
Instead of Conclusion – Multidisciplinary Intelligence Linking Darknet Markets to Surface Infrastructure
This investigation into WeTheNorth (WTN) demonstrates how multidisciplinary intelligence workflows—combining open-source intelligence (OSINT), credentials and metadata extracted from infostealer data (via Infostealers.info), and blockchain transaction analysis—can reveal the surface web infrastructure of a darknet marketplace with Canadian roots.
Using SilentPush’s dark web scanning capabilities, investigators were able to pivot from onion domains to surface mirrors and backend hosts, ultimately identifying a broad web of linked infrastructure supported by bulletproof hosting providers in Russia.
Historical SSL certificate analysis, IP resolutions, and WHOIS records enabled attribution to BEARHOST-linked entities, while SOCMINT provided visibility into WTN’s outreach and operational presence on mainstream platforms, including YouTube, Reddit, X (Twitter), Facebook, and Instagram.
This type of intelligence fusion can support international law enforcement by generating actionable leads, uncovering key infrastructure nodes, and enabling targeted enforcement strategies against darknet markets. By mapping threat actor infrastructure and exposing operational weaknesses, agencies can prioritize investigative resources, issue takedown requests, and coordinate cross-border efforts to disrupt illicit ecosystems.
