The Anarchy Illusion: Inside A2029’s Militarized Darkweb Marketplace
When Anarchy 2029 first appeared on my radar, it looked like background noise, another dark web “movement” built around anarchist slogans and anti-state messaging. These groups tend to follow a familiar pattern: loud ideological statements, loosely organized members, and a mix of digital posturing with low-value offerings.
Still, something felt off. Their website had recently shifted from a basic, open-price storefront to a sleeker interface with no visible pricing. Their public messaging became sharper, almost rehearsed, and their contact channels were split across multiple encrypted services. These weren’t the habits of a chaotic activist collective: they were signals of structure, control, and operational discipline.
Using StealthMole, I began pulling on those loose threads. The changes in presentation were only the surface. Buried in metadata, site archives, and communication footprints were small but persistent anomalies: role-specific email addresses, recurring geographic markers in product photos, and content mirrored across unexpected channels. None of it, on its own, was proof of anything unusual, but taken together it suggested that the “anarchist” label might be a deliberate misdirection.
The deeper I went, the more the inconsistencies piled up. Certain details pointed toward a network with far greater reach and capability than its public face implied. It became clear that the group’s stated politics were only part of the story, perhaps not even the real story at all.
What follows is the investigation that began with a seemingly unremarkable dark web entity and ended with the outline of something entirely different, a system hiding in plain sight under a name designed to mislead.
Incident Trigger & Initial Investigation
The investigation into Anarchy 2029 began not with a buried leak or obscure forum post, but on their own public-facing homepage. At the very top level of their .onion site, three contact addresses were openly listed: a********@torbox******z.onion, a********@mail2tor.com, and a**********@dnmx.cc (previous email: a********@dnmx.su). They were presented as the only legitimate points of contact, accompanied by a firm disclaimer: the group insisted they did not operate on Telegram, did not initiate contact with potential buyers, and sold exclusively through their own platform.
The decision to list these particular addresses side by side was telling. Each belongs to a different type of service: TorBox for closed, intra-network messaging; Mail2Tor for broader Tor-based communication; and DNMX, a clearnet-accessible encrypted mail provider. This mix suggested either compartmentalization by function or a continuity plan in case one channel failed. From an investigative standpoint, it meant three distinct starting points for tracing their footprint.
Choosing the Mail2Tor address as the initial pivot quickly surfaced more of the group’s infrastructure. That address linked to a primary .onion marketplace, a Tor-hosted pastebin announcement page, and a non-responsive .onion domain that appeared to be an abandoned or rotated endpoint. Even without diving into content, the presence of multiple active and inactive domains hinted at deliberate redundancy, the kind of setup common among marketplaces that expect takedowns or service interruptions.
- Primary site: http://rh*****************************************************qd.onion/
- Pastebin announcement: http://pastebin*******************************************************9
- Defunct address (archived): q5d**********************************************id.onion
At this early stage, the objective was not to map every piece of their infrastructure or dissect their public contradictions, but to establish that the group maintained multiple, distinct communication points and backed them with a network of Tor-based assets. These initial pivots were enough to justify deeper examination into how that network operated, what it was selling, and whether its public claims matched its actual activity.
Website Infrastructure & Operations
From the primary .onion domain identified in the initial pivot, A2029’s site presents itself as more than a basic vendor storefront. Its layout combines ideological messaging with structured navigation, offering dedicated sections for account registration, product categories, proof-of-delivery posts, and a forum. Notably, the “Dead Drops Info” page is given the same top-level prominence as “Guns” or “Used Guns,” signaling that physical delivery methods are a central part of their business model rather than a side service.
The homepage design balances marketing language with operational instructions. Calls to “CheckOut Glocks and New Colts” sit alongside procedural warnings: the group claims they never initiate contact, discourages interaction through non-approved channels, and explicitly denies affiliation with any Telegram groups. Such warnings are framed not as generic security advice, but as counter-messaging against what they describe as “false” vendor profiles, suggesting that the group is aware of, and potentially impacted by, impersonation or brand hijacking.
Beneath this public-facing layer is a clear strategy for operational resilience. The site references three active onion URLs, including backup addresses accessible through redirects published on external pastebin pages. The fact that these backups are actively promoted, rather than quietly rotated, indicates a desire to retain customer continuity even if a primary endpoint becomes unavailable. This approach, common among established dark web operators, also provides a useful breadcrumb trail for investigators, as each newly issued URL can be monitored for hosting patterns, SSL certificate reuse, or mirrored content.
- http://rh***************************************************qd.onion/
- http://rs****************************************************qd.onion
- http://6o****************************************************qd.onion
- http://rs****************************************************yd.onion/ (old & inactive)
- http://6o****************************************************ad.onion/ (old & inactive)
Historical indexing through StealthMole revealed clear differences between the old and new iterations of the platform. The old version featured a simple, utilitarian interface with open Euro pricing and an unrestricted list of services, a model optimized for immediate transactions but vulnerable to scraping and impersonation. In contrast, the current build is more polished and selective: prices are withheld, ideological slogans are given greater prominence, and account registration is periodically closed, requiring buyers to contact the group directly via one of their published addresses. Backup onion URLs are more systematically integrated into the platform’s communications, ensuring operational continuity even under pressure. This evolution marks a shift from a high-exposure, retail-style presence to a controlled access funnel designed to qualify customers and reduce investigative visibility.
The site also integrates its communications policy into its infrastructure. Contact details are embedded directly in the homepage and echoed in other parts of the platform, rather than hidden in account-only sections. This makes them easy for prospective buyers to find, but it also standardizes the group’s “official” identifiers, reinforcing their claims about exclusivity and authenticity. The choice of a mixed contact environment (Tor-native mail providers, surface web-accessible encrypted email, and a closed TorBox system) suggests compartmentalization of inquiries by type, a trait more typical of organized criminal enterprises than casual illicit vendors.
While the site’s catalogue and content will be examined in later sections, its architecture alone reveals a layered approach: open-access ideological framing, structured service presentation, and deliberate infrastructure redundancy. This combination allows A2029 to operate with both visibility to attract customers and flexibility to absorb service disruption, two traits that will prove important in understanding their operational maturity.
Ideology & Messaging
From its earliest public materials, A2029 frames itself as an anarchist collective: anti-state, anti-authoritarian, and positioned against all forms of institutional control. This anarchist identity is central to the way the group presents itself on its .onion site and in public statements. The language is direct and aggressive, often referencing the rejection of authority and the rejection of mainstream political structures.
However, embedded within this façade is an ideology that tells a different story. Prominent on their homepage is a slogan reading: “Fuck Islam. Keep Europe clean from Muslims and Arabs” — an explicit call aligned not with anarchist principles but with far-right ethno-nationalist and eco-fascist narratives. Rather than a rejection of hierarchy or power structures, the rhetoric embraces authoritarian exclusion, advocating for targeted violence and ethnic cleansing under the cover of “preserving Europe.”
This deliberate blending of ideological signals serves a dual function. For recruitment, it allows the group to appear accessible to a wider pool of potential supporters, from disillusioned anti-state actors to hardline nationalist extremists, by using the broad “anarchist” label as a low-barrier entry point. For operational security, it creates plausible deniability: an observer encountering the group’s anarchist branding at a glance might misclassify it, overlooking the specific ethno-nationalist agenda driving its operations.
The tone of their messaging further reflects a strategic balance between ideology and commerce. While their slogans and public declarations are politically charged, the rest of the site’s language, especially in product listings and delivery instructions, is matter-of-fact, transactional, and procedural. The ideological layer appears most visibly in the public-facing homepage and external propaganda, while the operational side maintains the pragmatic, disciplined communication style expected of a professionalized illicit marketplace.
This mix of ideological posturing and commercial precision reinforces the view that A2029’s “anarchist” label is camouflage. In practice, their worldview is rooted in exclusionary nationalism, and their operational focus is not on political action for its own sake, but on sustaining a transnational, profit-driven logistics network under a banner that misdirects casual observers and potential investigators alike.
Services & Capabilities
While A2029 publicly frames itself in ideological terms, its operational core is a diversified illicit marketplace with offerings that extend well beyond political propaganda. Both the primary .onion platform and associated promotional channels list a range of services designed to appeal to clients seeking high-risk, high-value goods.
At the centre of their portfolio are illegal weapons sales. Inventory includes new and used Glock pistols, as well as other firearms advertised as having no serial numbers and having been fully tested. Proof-of-delivery images suggest sourcing from Central and Eastern Europe, including weapons shipped in packaging from Bulgarian Arsenal, a manufacturer known for military-grade arms. Ammunition is frequently bundled as an incentive, with “packs of bullets” offered free with each firearm purchase.
A2029 also offers drug trafficking services, most notably cocaine reportedly originating from ****u and B******. While direct sourcing claims are difficult to verify, the inclusion of narcotics alongside firearms points to a broad supply network and a willingness to engage across multiple high-value black market verticals.
Their identity document services focus on forged passports, advertised as “fully registered” in national databases. This claim, while common in criminal marketplaces, serves as a selling point to prospective buyers seeking documents capable of passing automated border checks. Expansion into additional countries is framed as an ongoing process, with the promise of new jurisdictions becoming available over time.
A standout element of their delivery model is the dead-drop system, which allows buyers to receive goods without providing a physical address. Active regions include ******y, ******a, ******a, *****d, and *******s, with operations expanding into other European countries. Within 24 hours of confirmed payment, clients are provided with GPS coordinates and a photograph of the drop site.
The group itself claims to be operated by former soldiers from ******n *****e, as stated in promotional messages. While this cannot be independently confirmed, the disciplined compartmentalization of roles, the structured logistics model, and the emphasis on operational security are consistent with an organization drawing on military experience.
Taken together, these services position A2029 not as a niche vendor but as a multi-category illicit supply operation with cross-border logistics, high-risk product handling, and client management protocols suited for sustained activity in contested markets.
Communications Infrastructure & Contact Points
A2029’s communications framework is designed with deliberate segmentation, giving different operational roles their own dedicated channels. Over the course of the investigation, nine distinct addresses linked to the group were identified:
- a******@protonmail.com
- t***********@proton.me
- a********@onionmail.org
- a*********@onionmail.org (spelling anomaly)
- a**********@onionmail.com
- a*****@dnmx.org
- a**********@dnmx.su (changed to: a******@dnmx.cc)
- a****@mail2tor.com
- a****************1@tutanota.com
Alongside these was a TOX ID prominently displayed on the site:
- AA*****************************************************************A
The variety of providers is deliberate. Tor-only services such as OnionMail and Mail2Tor allow communication to remain entirely within the Tor network, insulating it from clearnet metadata exposure. Clearnet-accessible encrypted services like ProtonMail, Proton.me, DNMX, and Tutanota broaden reach for customers who may not operate fully inside Tor, at the expense of potential exposure to service provider logging. TorBox, a closed-circuit messaging service referenced on their homepage, offers a further tier of restriction: messages never leave TorBox’s internal network, making it an attractive channel for sensitive exchanges with established clients.
Within this collection, certain addresses are explicitly tied to specific functions:
- Support: a*******@onionmail.org
- Orders: t******@proton.me, a******@dnmx.org
- Delivery: a**************@tutanota.com
The remaining addresses appear to serve as backups, legacy points of contact, or specialized use cases. For example, the typo in a********@onionmail.org may be a deliberate seeding tactic to track how an address is sourced.
Pivoting from the address a*******@dnmx.su revealed a gated section of the site, labelled “Private Services” and explicitly marked as being for “former buyers.” Access required a password, suggesting a tiered client system in which higher-value or more sensitive offerings are kept separate from the open catalogue.
- http://q*******************************************************id.onion/?product_cat=private-services
By splitting communication across providers and dedicating addresses to discrete roles, A2029 achieves two objectives: containment of breaches (a compromise in one channel does not automatically expose others) and operational efficiency (specialized handlers for different aspects of the workflow). This compartmentalization, paired with redundancy, is a hallmark of mature illicit operations, signalling that A2029’s communication strategy is as structured as its broader logistics network.
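The spelling anomaly and the provider TLD changes noted in this section are the kind of overlap an analyst can surface automatically from a list of collected contact points. The following is an added example, not StealthMole tooling or code from the investigation: the addresses in `SAMPLE` are constructed, the function names are hypothetical, and the provider tiers simply restate the grouping described above.

```python
from itertools import combinations

# Provider grouping as the article describes it, keyed by the domain's name part.
TIERS = {"onionmail": "tor-only", "mail2tor": "tor-only",
         "protonmail": "clearnet-encrypted", "proton": "clearnet-encrypted",
         "dnmx": "clearnet-encrypted", "tutanota": "clearnet-encrypted"}

# Constructed sample indicators; none of these are addresses from the investigation.
SAMPLE = [
    "examplevendor-support@onionmail.org",
    "examplevendor-suport@onionmail.org",   # one-letter spelling anomaly
    "examplevendor-support@onionmail.com",  # same mailbox name, different TLD
    "examplevendor-orders@dnmx.su",
    "examplevendor-orders@dnmx.cc",         # provider TLD rotation
    "examplevendor-delivery@tutanota.com",
]

def split_address(addr):
    """Return (local part, provider name, TLD), lower-cased."""
    local, _, domain = addr.strip().lower().partition("@")
    name, _, tld = domain.rpartition(".")
    return local, name, tld

def provider_tier(addr):
    """Map an address to the article's provider tier, or 'unknown'."""
    return TIERS.get(split_address(addr)[1], "unknown")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_lookalikes(addresses, max_dist=2):
    """Flag address pairs on the same provider that look like variants of each other."""
    findings = []
    for a, b in combinations(sorted(set(addresses)), 2):
        la, na, ta = split_address(a)
        lb, nb, tb = split_address(b)
        if na != nb:
            continue                        # only compare within one provider
        dist = edit_distance(la, lb)
        if la == lb and ta != tb:
            findings.append((a, b, "tld-variant", dist))
        elif la != lb and dist <= max_dist and min(len(la), len(lb)) > 2 * max_dist:
            findings.append((a, b, "near-duplicate", dist))
    return findings

if __name__ == "__main__":
    for a, b, kind, dist in find_lookalikes(SAMPLE):
        print(f"{kind:15} d={dist}  {a}  <->  {b}  [{provider_tier(a)}]")
```

A flagged pair is a lead to review, not a conclusion: a near-duplicate may be a typo, a seeded tracking address, or an impersonator's lookalike.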
Behavioral Indicators & Site Metadata
Beyond its digital footprint, A2029’s platform and related media reveal much about its operational habits. Metadata extracted from delivery proof images exposed the alias “Thomas”, a name embedded in the file properties. While it cannot be definitively linked to a real identity at this stage, its presence indicates at least one operational slip, a rare lapse for a group that otherwise demonstrates strong compartmentalization.
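How a name ends up readable in an image's file properties, shown as an added example that is not part of the original investigation or StealthMole's tooling. The article does not say which field held the alias; this sketch assumes the ASCII identity tags of a JPEG's EXIF block (Artist, Software, and similar), and the sample image and the strings inside it are constructed.

```python
import struct

# IFD0 tags that commonly carry author or tooling identity (all ASCII-typed).
IDENTITY_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software",
                 0x013B: "Artist", 0x8298: "Copyright"}

def find_exif(jpeg):
    """Return the TIFF block of the first Exif APP1 segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if marker == 0xDA or length < 2:    # start of scan, or malformed length
            break
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return payload[6:]
        pos += 2 + length
    return None

def identity_fields(jpeg):
    """Extract ASCII identity tags from IFD0; returns {} when none are present."""
    tiff = find_exif(jpeg)
    if tiff is None or len(tiff) < 8:
        return {}
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None or struct.unpack(order + "H", tiff[2:4])[0] != 42:
        return {}
    (ifd,) = struct.unpack(order + "I", tiff[4:8])
    if ifd + 2 > len(tiff):
        return {}
    (count,) = struct.unpack(order + "H", tiff[ifd:ifd + 2])
    found = {}
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
        if len(entry) < 12:
            break                           # truncated directory
        tag, typ, n = struct.unpack(order + "HHI", entry[:8])
        if tag not in IDENTITY_TAGS or typ != 2:    # type 2 = ASCII
            continue
        if n <= 4:                          # short values are stored inline
            raw = entry[8:8 + n]
        else:                               # longer values live at an offset
            (off,) = struct.unpack(order + "I", entry[8:12])
            raw = tiff[off:off + n]
        found[IDENTITY_TAGS[tag]] = raw.split(b"\x00")[0].decode("ascii", "replace")
    return found

def build_sample(artist, software):
    """Constructed minimal JPEG (SOI + Exif APP1 + EOI); both strings must exceed 3 chars."""
    s, a = software.encode() + b"\x00", artist.encode() + b"\x00"
    data_off = 8 + 2 + 2 * 12 + 4           # header + count + two entries + next-IFD
    ifd = struct.pack("<H", 2)
    ifd += struct.pack("<HHII", 0x0131, 2, len(s), data_off)
    ifd += struct.pack("<HHII", 0x013B, 2, len(a), data_off + len(s))
    ifd += struct.pack("<I", 0)
    app1 = b"Exif\x00\x00" + b"II" + struct.pack("<HI", 42, 8) + ifd + s + a
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

SAMPLE = build_sample("example-alias", "ExampleEditor 1.0")  # constructed values

if __name__ == "__main__":
    print(identity_fields(SAMPLE))
```

An empty result only means no identity tag sits in IFD0; author names can also live in XMP or IPTC blocks, which this sketch does not read.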
The images themselves carry additional clues. Product and delivery photos show consistent staging: a 2-euro coin placed for scale, packaging materials bearing Czech and Polish markings, and in some cases, weapons stored in boxes from Bulgarian Arsenal, a known manufacturer of military-grade firearms. This combination of props is unlikely to be accidental; the euro coin functions as a proof-of-scale standard in illicit marketplaces, while the geographic indicators point to sourcing and distribution routes in Central and Eastern Europe.
Operationally, the site enforces role-based compartmentalization beyond email segmentation. Proof-of-delivery posts show only partial customer aliases, cropped to avoid revealing full buyer identities, yet still enough to demonstrate fulfillment to their target audience. The use of these “proofs” serves a dual purpose: it reassures existing clients of the group’s reliability, while functioning as marketing material for potential buyers who may be weighing trust in the vendor.
Geographic delivery coverage, inferred from listings and photographic evidence, aligns with their stated drop-off model: concentrated in *******y, ******a, *****a, ******d, and ***********s. These are all within relatively short logistical reach of each other, enabling a network of repeatable dead-drop operations with minimal exposure. This regional focus, combined with their photographic tradecraft and compartmentalized communications, suggests a supply chain managed with military-like discipline, consistent with their own claims of having ex-military personnel among their ranks.
While each of these indicators is minor in isolation, together they form a behavioural profile of a group that blends ideological posturing with disciplined operational control. A2029 does not appear to be improvising its tradecraft; instead, it follows repeatable patterns that enhance both its resilience and its perceived credibility in the dark web marketplace ecosystem.
Contradictions & Platform Presence
A recurring theme throughout A2029’s public messaging is the insistence that they operate exclusively through their own website. On their homepage and in pastebin announcements, the group explicitly warns customers against using third-party platforms, with a particular emphasis on disavowing any presence on Telegram. The language is direct and unambiguous: “We do not use Telegram.”
Yet, pivots from their own published contact points, particularly a*********@protonmail.com, reveal a more complicated reality. That address is associated with D******t ******n (https://t.me/d******_********n), a Telegram channel that actively promotes A2029’s .onion marketplace, reposts product imagery, and advertises their service range. In addition to D*****t ******n, two other Telegram accounts surfaced under the A2029 name: @A*****_****, which uses the group’s branding, and @A****_*s, which does not.
The consistency between the Telegram content and the group’s own website (mirrored images, identical product descriptions, and matching URL structures) makes it unlikely these are the work of unrelated impostors operating in isolation. However, the possibility remains that these channels are run by affiliates, distributors, or opportunistic actors leveraging A2029’s brand for their own purposes.
There are three plausible explanations for this contradiction:
- Proxy distribution — Third parties mirror content to expand reach into Telegram audiences without direct involvement from the core group.
- Covert official use — The group maintains Telegram channels while publicly denying it, to avoid moderation or investigative targeting.
- Brand hijack — Unaffiliated actors use the A2029 name to drive traffic to their own operations, possibly scamming under the guise of legitimacy.
From an investigative standpoint, this inconsistency matters because it introduces uncertainty into attribution and brand control. A group that tightly manages its infrastructure but allows its name and content to circulate unchecked on high-risk platforms may either be strategically exploiting deniability or losing control of its public identity. In either case, the Telegram footprint undermines their public posture of exclusivity and reinforces the need to track not only what a group says about its operations, but where its content and branding actually appear.
Conclusion
The investigation into A2029 exposed an organisation whose public image is built on calculated misdirection. What appears, at first glance, to be an anarchist collective is in fact a structured, far-right-aligned illicit supply network dealing in weapons, narcotics, forged documents, and bespoke high-risk services. Its public-facing anarchist label serves as ideological camouflage, masking an operation that is logistical, profit-driven, and designed for longevity.
A2029’s infrastructure reflects this intent. Its multi-tier communications system is not simply about security, but about maintaining operational continuity under pressure. Segregated contact points, password-protected service tiers, and geographic concentration of dead-drop deliveries all point to a network that operates with the discipline and efficiency more commonly associated with organised crime than political activism.
The role of StealthMole in uncovering these patterns cannot be overstated. By leveraging StealthMole’s ability to index and correlate both active and historical dark web content, it was possible to directly compare older iterations of the A2029 platform with its current state, documenting the shift from an open, price-listed storefront to a more refined, ideologically branded and access-controlled operation. The same capabilities enabled the capture of ephemeral infrastructure, such as inactive .onion domains, redirect endpoints, and Telegram-linked assets, ensuring no component of the network was lost to time or deliberate rotation.
A2029’s resilience comes from its layered infrastructure and operational compartmentalisation, but it is not beyond reach. With the right tools and sustained monitoring, the same weaknesses that allow it to adapt (its reliance on brand continuity, trusted contact points, and repeatable delivery patterns) can also be exploited to disrupt it.
Editorial Note
While this investigation draws on a wide range of corroborated data points, it is important to note that cyber attribution remains inherently probabilistic. The connections outlined here, between infrastructure, communications channels, behavioural patterns, and claimed identities, are built from observable overlaps, metadata analysis, and platform-captured content. These findings represent the most plausible interpretation of the available evidence at the time of reporting, but they do not exclude the possibility of misdirection, false-flag operations, or the involvement of unaffiliated third parties.