
Closed For Business: Taking Down Darknet Markets

BSides London · 2019 · 47:15 · 26K views · Published 2019-06
About this talk
Darknet markets come and go for various reasons. Over the last several years we've seen law enforcement take down several of the largest darknet markets to ever exist on the dark web. In a story that involves multi-national cooperation, death and deception, this talk will look at the fascinating story behind Operation Bayonet and the seizure and subsequent takedown of AlphaBay and Hansa. It will also cover the subsequent closure, in April 2019, of the leading darknet market, Dream.
Transcript [en]

as Craig said my name is Jon Scheyer and I work as a researcher in the office of the CTO at Sophos and last year I was up here talking about the dark web and how you could gather the necessary resources tools and skills to basically become a cyber criminal and during that talk I I made a passing remark at how there's this fascinating story on some dark net markets and how they got taken down but I didn't really have the time to tell that story so this year thanks to you guys in your votes I get to tell that story so what we're gonna talk about today is is just that is how law enforcement goes

about taking down some of these dark net markets and we're gonna specifically look at the Alpha Bay and hence takedowns we're also going to look at the fate of dream market which is currently the biggest drug marketplace as well as other illegal stuff marketplace around there and and we're going to talk a little bit about you know how these markets work and why they get taken down from time to time and and generally talk about some OPSEC failures which inevitably you know take these guys down and one of the things we're not gonna talk about though is just the sort of morals and ethics of these markets you know morals are subjective and we may not disagree on the details

but the fact remains that what these markets are providing are goods and services that are considered legal in most countries and so that's why law enforcement takes them down so before we get to the main event the fun stuff we got to talk a little bit about some history and we got to talk about Silk Road and if you turn on your clicker then it works so Silk Road many of you probably remember this as one of the first sort of massively popular dark web markets out there the most you know the really successful one and this was founded in 2011 by Ross Ulbricht and Silk Road was meant to be an expression of the theory of or the philosophy of

agar ISM and counter economics and it was the first dark it wasn't the first dark net market but it was the first one to really gain massive popularity amongst the people the denizens of the dark web and it kind of helped guide the way that many of the future dark net markets would evolve and emerge and be coated from then on for example it was an it was an early adopter of things like escrow payment systems and also vendor reputation systems one notable aspect of Silk Road was the fact that it had had a policy that the goods and services that were sold on the site had to not pose any harm or defraud people this applied to

things like child pornography obviously services based on violence or other goods used to aid and abet things like carding and stolen identity so things aiding and abetting fraud essentially it wasn't always the case some stuffs nukkie and every once in a while but no that's at least what we're in the Terms of Service and in keeping with that libertarian ethos most of what you could buy on Silk Road were things like drugs and drug paraphernalia now there weren't only illegal goods on this market there were actually some legal ones too there were things like jewelry and books and artwork and sporting goods as well as war memorabilia and some replicas now according to some Silk Road contributed

to the rise in value of Bitcoin at the time prior to Silk Road there were markets like the farmers market which actually took payments and processed transactions using PayPal and Western Union which ultimately led to their downfall but because of Silk Road and the huge transactional volume that was getting processed through the site some people think that no that really helped pump up the price of Bitcoin at that time and when Silk Road was seized on 2 October 2013 there was a profound albeit temporary dip in the price of Bitcoin but which can be represented which is represented by the line over here in the price on the right hand the right hand access so you know that market really

was an integral part of the Bitcoin economy at the time and it wasn't long before a lot of other people noticed what was going on with Silk Road and wanted to get in on the action so in about mid 2013 we started seeing a lot more of these markets start to open up the second thing we needed to need to talk about is how these dark net markets operate right some of the markets that are around today still fall that originals or libertarian ethos of Silk Road of do no harm to other others and they only trade in things like drugs and drug paraphernalia but the majority of the most popular markets out there today will sell just

about anything to anybody so drugs weapons hacking services malware counterfeit goods you name it the only thing that most of these markets still prohibit are things like child sexual exploitation material and sometimes murder so as we can see from government exhibit 113 a from ulbricht's trial this was entered by the prosecution this is pretty much how all darknet markets still operate today it's basically a supply and demand equation with the facilitator in the middle so the vendors get on the site they would put ads on the site for whether they want you to buy drugs guns whatever it is and as a user you would browse that site and then eventually if you find a product that

you like you would create a demand order order or a buy order first thing you need to do obviously is take your real money and turn it into fake money and then deposit that into your market account once the buy request has been initiated the funds then go into escrow and are held there until the buyer acknowledges receipt of those goods and services once the buyer acknowledges receipt the funds are then released to the vendor and the market will take a cut of the proceeds so generally they take around a two to six percent commission somewhere in there for the market and that's that's how these guys basically make their money today there are other ways to make money too so this

is the these are the rules for opening a vendor account on the alfa bake loan empire market which is currently in operation today and there's the usual rules on here about you know not daxing other people know child pornography or murder no selling outside the market but what these guys have done is they've also instituted a $300 bond for being a vendor on the site and this is a non refundable bond so they've basically they're trying to keep some of the scammers off the site at this point they also trade security very seriously so you have to have a PGP key if you're going to be on this site and you have you know have to have two-factor

authentication it's mandatory for all users now imagine if Facebook had these kinds of terms of services right here's rules for a relatively new market called nightmare market we see many of the same rules as Empire market as matter of fact some of the stuff is very much copy and paste but these guys only charge a two hundred and fifty dollar bond which is refundable after three months if no scammers reports and 100% fair deal so basically if you're a good vendor and everybody's happy you get you $250 back but the number one rule is there will be no shenanigans against Russian citizens as a matter of fact they feel so adamant about this that they felt the need to

mention twice so I wonder where those guys are from and there's some other creative ways as well that some of these markets try to make money this is again is from Empire market and they run a weekly lottery for that for the low price of one dollar u.s. which is of course payable in bitcoins you get a chance to win the jackpot and six correct numbers right now we'll get you around eight thousand US dollars depending on the price of bitcoins but they also have as you can see here the wind class and the the basically the numbers that you need to win in the payout it goes down and if if they say in their rules that if you know if you

get all six numbers and nobody gets five then you get the combination of both pots so you could stand to win a lot of money so it's another way that these markets kind of find creative ways to generate some money all right so why do these darknet markets get shut down why do they come and go so this a chart is a chart tracking eighty-seven different markets over the course of six years so the colored bars indicate the longevity of the market while the color indicates why the market went down so the very top we see Silk Road one which is coated in green which means that it was taken down by law enforcement right below that we

have black market reloaded which is coated in gold which allegedly suffered a hack and they were forced to shut down there's still a little bit of contention over that one but at least that's what they say happen below that in blue we have the Sheep of the sheep marketplace which exits scammed now an exit scam is when the administrators of the market basically take whatever is in escrow at the time and just take off with it and so depending on the size of the market and the popularity and the amount of transactions that could be quite a haul now in the case of sheep market they made off with about six million dollars below that the next green line that I've

highlighted here is Silk Road - so Silk Road - was opened by a former administrator of Silk Road one and he wanted to use the same name because you know it was popular it was it was a catchy name and everybody knew it so he he wanted to trade on that name but he wasn't an operation for very long before it too was shut down by law enforcement next is so the pinky purple lines these markets that Cygnus signifies a market that was shut down voluntarily meaning the admins in this case instead of exit scamming what they did was as they told their community were shutting down for whatever reason maybe law enforcement was getting hot on their heels were

shutting down and they gave people time to withdraw the money that was in their accounts so nobody lost any money and then finally we've got evolution down here which also ats exits scammed to the tune of twelve million dollars at the time evolution in Agoura were two of the biggest markets on the dark web but just like nature the criminal underground abhors a vacuum and so when those markets went away there was a need for another market to take his place and that's the moment that alpha bay came into the picture in the three days following evolutions seizure and shut down alpha bay gained 18,000 members and was soon trading around 300 thousand dollars per day alpha bay was like many

of the newer markets it dealt in drugs but you could get all sorts of other things like malware some hacking services you can get things like British Airways air miles accounts you could get yourself some luxury goods like these Yeezys now I never knew what a Yeezy was before I started doing this talk but a trainer really wasn't what came to mind at first but because of the explosive growth of this market it drew a lot of law-enforcement attention and this was really one market that needed to be shut down due in large parts just to the massive amounts of drugs that were processed and moving through this market at the time that it was around and

especially things like fentanyl which were being sold on this market so at this point the cops took notice and they went to work there were mentions all over the site about this that it was founded and designed and maintained by this alpha zero 2 and alpha zero 2 also did an interview with deep web a news site where he admitted to being the site's founder so now that the cops at least they had a target at least they had a moniker right but they really didn't know who that was in real life so what they did is they started buying drugs so they bought some marijuana and some heroin and some more heroin and some

more marijuana and 50 grams of meth just for good measure then they bought some drivers licenses and they bought an automated an ATM skimming device but nothing really came of it what they were trying to see is if they could gain some clues as to you know the way that things were delivered or processed if they could get some identities it wasn't until they decided to register an account on the discussion forums most of these markets have a discussion forum that they caught a break one of the features of the signup process was that a user had to provide an email for password recovery purposes the system would then send an automated email and buried in that header was this address

pimp Alex 91 at hotmail.com so naturally the feds called up Microsoft and said who owns that address and it turned out that it was a Canadian by the name of Alex on Waqas whose birthdate was 19 October 1991 if we look at his LinkedIn profile which was associated with the same email address we see that he was a software designer based in Quebec and that he worked at EBX technologies now the the feds later learned that this was a company that he owned and controlled ABX technologies was really nothing to talk about it wasn't very profitable it wasn't particularly productive if you looked at their statements it was simply a company that caused used to launder

the money from alpha Bay so that he could get it out into the real world they also found mentions of both the the 91 hotmail account and another email account associated with EB X technologies associated with a PayPal account so now they started a piece to get these things right little OPSEC leak here and there leads to getting a better and broader picture of who this person was further digging led to this post from a French computer help forum by a user calling himself alpha 0-2 now this might have been a coincidence if it weren't for the fact that the post was signed an accident that caused it with his email address of hotmail com

now that the post has actually since been edited to remove that piece of information for whatever reason and if you take that email address and you stick it and have I bidden pwned it shows up all over the place including obviously and LinkedIn and some very notable things like exploit a n which is a an underground forum for trading exploits in malware and triple zero web host which is a known repository for shady scripts ironically in that deep thought web interview the interviewer asked if he you know was afraid of getting caught and actually alpha zero 2 here is bragging that he thinks his OPSEC is secure and he lives in an offshore country where he's safe so the

feds had their man they knew who this guy was they now had to set their trap around the same time as alpha Bay was around there was another market that was getting a lot of attention both by the use of the site and by law enforcement like alpha bay and many of the other markets at the time it dealt with all sorts of illegal things goods and services including drugs counterfeit items digital accounts you name it then one day in late 2016 a security researcher found something interesting they found a server on the clear web that happen appeared to be a development server for the hanson market platform the researcher notified the dutch police since the server was being hosted at a

data center in the Netherlands the Dutch high tech Crimes Unit or the HTC you quickly got a warrant to install some network monitoring equipment to spy on the traffic going to and from that development server just to see what it was communicating with to their astonishment and surprise they found that that server was communicating was very chatty and was communicating with another set of servers in the same data center that happened to be running Hans's live site they were also communicating with another pair of servers in Germany at another data center so the htc you immediately made a copy of all the hard drives of these machines so that they could analyze what was going on in there and they got it

basically by doing that they got every single transaction on record that had been processed through Hanson market as well as all the chat logs for the encrypted messaging system now since all the all the chat logs although the chats used pseudonyms we didn't you know he couldn't really map one to one the the person that was speaking with an actual real-life identity but the handset mins had made a huge OPSEC mistake yet again if you look way back in the history of the chat logs down near the bottom both of men's names appeared in clear text as well as the home address of one of those admins and both of them were German nationals so when the Dutch police

approached the Germans to say hey we need to get these guys arrested and extradited it turns out that the German police was already on the case and already had these guys on their radar it turns out they were running another site that was selling it was called Lu LTO and that was selling pirated a books audiobooks and mp3's so the Dutch police kind of had an idea here they thought well maybe we can use the arrest of these guys for this as a cover for our other operation and everything was kind of ready to go and when the Rue Dutch were ready to set their trap everything went dark the assumption is that the Hansa admins had noticed the hard drive

copy panicked and moved the servers to a different tor protected location the HDC you had nothing to go on anymore and now it was really just back to analyzing all those logs and those images to see if they could find yet another clue luck was on their side again in April 2017 when they found a Bitcoin wallet address buried in one of those chat logs it turns out that that Bitcoin address and in using some blockchain analysis it turns out that they found that a payment was made out of a payment processor in the Netherlands so they were able to go over there with a warrant and say give us some information the information they

got was that the payment was made to a hosting company in Lithuania and again with another warrant in hand and a little bit of multilateral cooperation they found the hands of servers once again that's the actual server in the server rack so it wasn't too long after this second break that the FBI notified the HTC u that they too had found some interesting servers namely the servers hosting the Alpha Bay infrastructure and they were planning to take them down so this gave the Dutch another idea they said well if alpha Bay goes down users would as have happened so many times they would flock somewhere else and the likely source or the likely destination for that would be handsome so on 20 June

in 2017 the Dutch police sent some officers to Lithuania to the data center while the German police went to arrest the two gentlemen in Germany now they waited until they could see that there was actual admin on on the network as they were obviously monitoring it and when they were sure the two guys were at the keyboard the German police swooped in and arrested the two the two German nationals while their computers were online unlocked and unencrypted now in that carefully coordinated raid they also phoned up the deed the Dutch police who were in Lithuania and they immediately started imaging those servers over to some servers that they controlled back in the Netherlands under questioning by German police the two

guys just basically gave up everything and gave up all the passwords all the keys to everything effectively because of this operation and the way they did the swiftness and the and and the way that the secrecy that they did it under there was no downtime nobody noticed the thing enhanced I just kept running as usual so with all the pieces in place now this is when Operation bayonet was born this was an operation that involved multilateral cooperation between the U of the Americans the Canadians Dutch the Germans and a bunch of other law enforcement agencies around the world on 5 July 2017 the FBI with the help of the Canadian authorities and the Thai authorities shut down alphabet the

Canadian authorities went to the data center that where the servers were being hosted it was in Montreal and they started taking down these servers and the Thai police arrested cause at one of his luxury homes in Bangkok what the Thai police did is they this is his home but the Thai police did is they took an unmarked car and brought it down the street and then they staged an accident they banged into his gate pretending to turn the car around then some other undercover officers came running out pretending to be neighbors and causing a ruckus and yelling and they're trying to draw this guy out right and because they knew he was online because obviously

they were monitoring his traffic and so he didn't come out so they you know kept moving the car kept banging into his gate kept making more ruckus and eventually he came out he had a phone in his hand he's wearing you know just trainers and shorts and no shirt and that's when the cops whoop tin he kind of tried to run away but he didn't make it too far they tackled him and put him in handcuffs and grabbed his phone right away to make sure it didn't lock and when they went inside his house his computer was logged into alpha base servers and unlocked and the police were able to seize everything the reason he

was on his computer was because his servers were going down and he was trying to figure out what was happening meanwhile in the Netherlands the Dutch police had been fiddling with the code of the of the Alpha market oh hey sorry handsome market they rewrote the site's code so that passwords were no longer being stored as hashes but in plain text instead they also made a small tweak to the messaging system so that before messages got encrypted there was a copy of them that was made in plain text and this got them a lot of the buyers home addresses they removed a feature that stripped out metadata from product photos as they were being uploaded into

the market and so that you know basically could get them some things like geolocation coordinates hopefully they actually staged a really interesting server glitch where they said you know all our photos are gone you need to re-upload all your product photos and they were able to actually grab 50 dealers that way and then finally they also tricked some of the sellers into downloading a backup file which is a booby-trap excel file that when the sellers open that file it would phone home and reveal the user's real IP addresses and that got them another 64 targets so shutting down alpha bay had the desired effect more than five thousand users were registering on Hansa every single day a

week later though once the news broke officially that alpha bay had been seized by the police the influx of users was so large that the police actually had to shut down registrations temporarily because they just couldn't deal with it anymore and unfortunately for the Dutch cops and Dutch law states that you had to track every single transaction and report that to Europol and this was becoming just a massive nightmare and paperwork headache for these guys so after only about twenty seven days they had to shut down the operation because they were at that point there was about a thousand transactions a day that were going through the Hansa market so if not you're doing paperwork a thousand times

a day it's not fun so they shut down the site and pull the plug on hansa and the results were pretty staggering the police had attained data on four hundred and twenty thousand users including a hundred thousand home addresses which they later turned over Europol and a few believe they called knocking talks where police show up at your door and say hey I think you bought something um you might want to rethink that in the future and they distributed these home addresses worldwide to some of the other police agencies and they also seized around 12 million dollars worth of Bitcoin which we're currently sitting in the escrow accounts by the time it was seized alpha

bay had over three hundred and seventy thousand listings on its site over four hundred thousand members and was trading anywhere from 600 to 800 thousand dollars per day just for comparison in its heyday Silk Road only had 13 thousand listings so a massive improvement I guess if you will over the the older markets and it's estimated that alpha bay over it's very short lifetime of roughly two years grossed around 1 billion dollars now Alex was living the good life the forfeiture document when he was arrested list self several luxury properties including this villa in in Phuket in Thailand you could actually rent this villa for a period of time well before he was arrested now when you go to these

rental agencies it just says it's unavailable but he had a whole bunch of other properties as well he was what he called an economic citizen he would buy properties in certain countries where if you spent enough money on real estate or development they would then offer you citizenship so he had a citizenship with Antigua coz he bought a four hundred thousand dollar beachfront property and then he was in the process of getting a property in Cyprus for the same reason so in Cyprus if you spend over two million euros then you get economic citizenship as well if he hadn't been at my talk last year he would have learned that if you stay out of the blue

countries you don't get extradited to the United States but unfortunately all his properties and he lived in Thailand and all of his assets were in extradition available countries there was also ten luxury cars including this lovely Lamborghini Aventador LP 708 as be around 23 million dollars so he made a lot of money unfortunately the good news of alpha Bay was somewhat tainted while awaiting for extradition in to the u.s. in Thai jail he hung himself in his bangkok jail cell rather than face the long arm of the law in the US so with alpha Bay Conn and Hansa gone it was Dreamz turn to inherit the spotlight by all accounts dream had inherited all the what they call the

refugees from these markets and it basically emerged as the number one leading market of the time and back in March when I began putting together this talk at least of the pitch for this talk I was kind of doing my regular rounds on the dark web and I saw this notice this is big news no one had a clue what was going on there were wild rumors and speculation on many forums that saying that speed stepper the owner and operator of the site had either been arrested or exit scheme let's exit scammed many people still vouch for him said you know don't worry about it he's okay he's just taking a break whatever everything will be okay but you know the

rumor mill starts to get starts to turn and things start to you know conspiracy theories start to take hold and curiously unlike most of the messages that are from administrators this one was not signed and that's usually a big red flag on the dark web if you're not signing your messages as an admin or just even as a user so during this time that the site stayed up and but you just couldn't buy any product there was no product listings anymore just this notice and said you know for 30 2019 we're going down and transferring to a partner market now apparently you can still withdraw your bitcoins at this time which meant that users could you

know if they wanted to liquidate their accounts they could but apparently there were some problems with that as well and if you read you know if you were on the forums people were all panicking and then the rumors of exit scams started all over again and it was it was a lot of fun to read 30 April came and went and the site was still up still showing the same banner then in early May a post on reddit which is kind of like the dark webs equivalent of reddit attempted to set the record straight it turns out that dream had been on the receiving end of a sustained 7 week DDoS attack and the attackers were demanding a four

hundred thousand dollar ransom now DDoS attacks on the on the Tor network are nothing new there quite common actually and and markets like this are very often the target just because of the profile that they occupy and DDoS attacks are also kind of systemic there's there's a there's actually issues with the protocol that make them really successful and really possible and so it seems instead of giving up what the what speed stepper or whomever is behind this particular market decide to do was just shut it down and maybe you know start coding from scratch or at least what they're saying is they're trying to improve the site's code maybe may more DDoS brazilian maybe add some new

features and they're gonna relaunch bigger and better than before shortly after this notice appeared on the market so now instead of saying they're moving to a partner market they're saying they're going to reopen in August with new infrastructure and an accompanying post on reddit confirmed the same thing as of this week the dream mirrors have all gone offline and the true fate of the site is still unknown so here I am with an unfinished talk and wondering what to do and that's when law enforcement steps the law enforcement stepped in to give me a hand along with dream market Wall Street Market in Valhalla were a couple of other large and well traffic sites on the morning of

2 May I woke up to this notice the German police had seized Wall Street market and finished customs and French police had seized Valhalla this again rocked the darknet community and there was panic in the proverbial dark web streets the forum's got really excited exciting on that day and then only five days later because they didn't want to be left out of the fun the FBI seized the extremely popular dark web news site deep web so it was easy to understand why Wall Street and Valhalla went down but why D top deep web those of you who might have been here last year might recall that deep thought web was not only a new site but also amongst other

things a portal to dark net markets on the sidebar here you can see a bunch of popular markets that are highlighted as well as their availability it also had some referral links for all of these markets and this was the bridge between the clear web and the dark web but it still doesn't explain why the site was shut down which left a lot of us kind of scratching our heads as part of their press release the FBI published this handy infographic which basically explained why all of this was illegal so it turns out that the Deep top web admins would create an account on one of these markets when you create an account you get a referral link they would take

that referral link publish it on Deep Web and then promote the site now anybody who wanted to go to one of these markets and found them let's say through Deep Web and a lot of people did when they opened their account they would use that referral link from that day forward every single purchase that that user made would would be a cut of the the purchase would actually go to the Deep Web admins and from there they would take the money and this is in perpetuity they would take that money and then they would subsequently launder it through some shell companies and the indictment we see that deep dot Webb's referral link was actually responsible for nearly

24% of all AlphaBay transactions and 47% of all Hansa transactions. The admins received over fifteen million dollars in kickbacks from the various darknet markets that they promoted. I believe most law enforcement agencies call these proceeds of crime. I also believe this is the first time that a bust has occurred of a clearnet website that only contained referral links, and what was also interesting is there were a few other sites around at the time when these guys got busted that have since just disappeared off the internet. So, like many of their predecessors, a slew of OPSEC mistakes were really to blame for the takedowns of Wall Street

and DeepDotWeb. Unfortunately I couldn't find any public information on the bust of Valhalla, but I'm willing to bet a few pints of bitter that an OPSEC fail was probably very central to that bust as well. It doesn't take much to take down your criminal world. The DeepDotWeb indictment identified Tal Prihar and Michael Phan as the admins behind DeepDotWeb. Tal Prihar is listed on his LinkedIn profiles as the owner of OTS R Biz Tech and MMM Marketing, and Michael Phan is the owner of Jazz Coffee Trade Limited. So the cops, by watching these sites, knew who the shell companies were, and by doing just a simple bit of, you know,

open-source intelligence they were able to start piecing these things together and gather who the real-life identities were of the DeepDotWeb admins. As a matter of fact, if you looked at Michael Phan's Facebook profile you can see up here that he was also the owner of MNT Marketing. So starting with some shell companies and following the money led the authorities to the real-life identities of the DeepDotWeb admins; that's all it took. Another good example is the story of a senior Dream Market admin who was arrested in the US on his way to a beard-growing competition. OxyMonster was a prominent member of the Dream community as well as a forum admin

and vendor. His identity was pieced together by analyzing the public Instagram and Twitter posts of a guy by the name of Gal Vallerius and comparing those posts to other posts made on the Dream forums by OxyMonster. Another really helpful tidbit was they were able to link this Dream key here with OxyMonster and further link it to Gal Vallerius as well. So this is one of these tip jar Bitcoin wallets; a tip jar on a darknet market is basically just, if you want to tip the admins a couple shekels for being a satisfied customer, you could do that. But they were able to tie this Bitcoin address not only with OxyMonster

but with the real-life identity of Gal Vallerius. So on 31 August of 2017 he was detained and questioned in Atlanta on his way to Texas for the beard-growing competition, and the indictment indicates that they found the login credentials to Dream Market as well as a PGP encryption key titled OxyMonster. Like, these guys have never heard of Tails? Gal Vallerius was tried, found guilty and sentenced to 20 years in prison for distributing drugs, and is now serving his time in federal prison. I think he got a little bit of time off for clemency; probably ratted out some of the other admins as well. It was a pretty sick beard though.

As of April this year Wall Street Market was one of the largest darknet markets out there. It had over 5,400 vendors and over a million customers. It was one of the many places where you could get yourself some Donald Trump ecstasy as well as all sorts of other illegal goods and services, and like all other markets it generated money by taking a cut of each transaction, in this case anywhere from two to five percent depending on the vendor status and/or rating. Aside from the obvious reasons for why this would get law enforcement attention, they were also allegedly tied to a real-life death of a resident of Florida, because he ordered a fentanyl-laced nasal spray off of Wall Street Market.

Wall Street Market was also the successor of German Plaza Market, which exit-scammed in 2016. So again, by using blockchain analysis the federal agents were able to follow the money and establish that the money from the wallets associated with German Plaza Market was being used to fund the operation of Wall Street Market. Now since the busts are relatively new we don't have all the details yet, but reading through some of these indictments can kind of give us some clues as to how the three men behind Wall Street were identified. The police discovered several servers thought to be those belonging to Wall Street, imaged them and then started analyzing those images for clues. There weren't any

immediate smoking guns, but the cops were able to get some pseudonyms from the code and from the databases and all sorts of other things that would later be associated with the defendants. If you're going to use a pseudonym, don't reuse that pseudonym on the clear web; it's that simple. The authorities were also able to analyze some of the network traffic coming in and out of those servers while they were monitoring them, and in this case one of the defendants' VPN service betrayed him when it shut down unexpectedly on him while he was actively administrating the WSM infrastructure, thus revealing and unmasking his real-world IP address. It turns out that that IP address was tied to one of those

mobile UMTS sticks that was registered to a broadband company in Germany under a fictitious name, and by using additional monitoring of that IP address and some geolocation of the stick itself they found that the stick was being used not only at his place of work but also at his residence in Germany. Another guy registered his VPN service in the name of his mother; that was nice and easy. That admin later admitted to all charges and his complicity as an administrator of the Wall Street Market. Now meanwhile the analysis of the images kept going, and they turned up a bunch of PGP keys. It was found that some of those PGP

keys and some of the other keys that they found were associated with wallets that were used to pay for some digital marketing services for Wall Street Market; these guys do advertise, after all, and a lot of them advertised on DeepDotWeb as a matter of fact. One of these PGP keys was also found to be associated with a wallet of a Hansa user, and because the cops had all the Hansa stuff they were able to dig through that and find some additional information. Then further blockchain analysis of all the wallets that were found in the infrastructure indicated that that wallet and the other wallets were also associated with this

Martin Frost and this email address. So basically this guy was opening wallets all over the place and opening accounts on gaming sites and other places using the same email address. So again, if you're gonna be a criminal, don't be stupid; use a different email address. What makes the WSM case even more interesting is the fact that the three admins were actively planning an exit scam. In late April this message appeared on the site. I happened to just stumble upon it by accident, and I was like, oh, maintenance, I'll check back in a couple days. Apparently they were just gonna go down for maintenance and they were gonna be back, you know, shortly. The

site never came up. The feds, because they were watching, noticed that these guys were planning an exit scam and decided to actually push up their seizure a little bit earlier than planned. So law enforcement noticed, but so did a bunch of other people. On Dread there was a post that happened shortly after that saying, like, it goes without saying Wall Street's exit-scamming, so get your stuff out now, and there's also this mention down here of Ellie having the IP address to the admin panel. So what was that about? Well, shortly after the site went into maintenance another interesting post appeared on Dread. It seemed like somebody had just leaked the admin panel

URI and a username and password for the Wall Street Market admin panel. So who could have done this, and why? So this is where things get interesting again, and we start looking at a big bucket of OPSEC fail now. So if we look at this username here, Medellin (I guess he wants to be a big-time drug dealer), we find this indictment for Marcos Paulo de Oliveira-Annibale, also known as Medellin or Medellin WSM. For a while Reddit used to actually allow subreddits of darknet marketplaces, and this bottom aka here was the pseudonym or the moniker that this person used to, you know, speak with people on the market, because he was a representative

of Wall Street Market: answer questions, settle disputes, whatever the case may be. And he spoke fluent English and Portuguese, and he actually interacted with the Dutch police on Hansa. When he noticed that AlphaBay went down on 5 July, on 10 July he actually contacted the administrators of Hansa and said, hey, you're probably gonna get an influx of users, you could need some help, you know, can I have a job? And so they started questioning him about his skills and what he could offer, and because he was a community manager for WSM and had been in this game for a little while he said, you know, I've got some experience with, you know, moderating

disputes and dispute resolution and support; I also have some experience with Bitcoin trading, Bitcoin exchanges; I have a little bit of coding experience, but you know, I'm willing to do anything, you guys, you know, you're a trusted market, you're gonna need the help, I just feel like I want to be part of this and help you guys, you know, have the best market around. Little did he know he was actually talking to the Dutch police at the time, and they kept stringing him along, and they eventually asked him for his home address. They said they were gonna send him a security token, and he said, well, I live in Brazil (OPSEC mistake: I live in Brazil) and the

post here is really slow and it'll take like 60 days before it gets to me and the key will probably expire, so don't bother doing that. And they kept pressing the issue and kept pressing the issue, and finally he relented and gave them an address in the city of Campinas in the state of São Paulo in Brazil. It was registered, and what he said was it was one of his drop addresses, right? So drop addresses, basically: if you're ordering illegal things it's kind of good to have a drop address; this is where the goods arrive. You either pick them up from there (it's not your home residence) or you have somebody there who's an accomplice of yours that's

gonna forward those packages on to you later on. And most of these are often registered under fake names or under other people's names, but he registered this address under Marcos Paulo, so not a good idea. And then I found this in the indictment, which I thought was pretty interesting: please don't send the cops to this address; you know, I trust you guys because Hansa has always been good, don't do any bad joke, I've had this drop for a long time and I don't want it lost. So what some of the federal agents did is they took that address, they took the name Marcos Paulo, they gave it to the

DEA agents in São Paulo, and they returned the full name of the person who was actually registered behind that address. That wasn't the only OPSEC fail this guy made; this Medellin was all over the place. There was an About.me profile that stated he was a student, small business owner and consultant in Campinas, Brazil, so again we've got a location here. "Visit my website": this went to marcosannibale.com. If you went there, there was a QR code with a Bitcoin wallet address, a PGP key in here, a Keybase profile, this onion address which is no longer in operation, a GitHub profile and a Twitter profile. The GitHub profile

was for a username by the name of coinsofpixel, and the Twitter account was for darknetcitizen. Now the Twitter account has since been shut down, but the GitHub profile is still up. Now, he wasn't a very prolific GitHub contributor, but you know, you start piecing these things together and you can get a better idea of who these people are. Here's his Bitcoin address; it was sort of pseudo-personalized, so now we know that it's probably a good bet that this one, Marcos-blah-blah-blah-blah, is probably Marcos Annibale, seeing as we found that on marcosannibale.com. His Reddit profile used the same name as his Twitter profile, darknetcitizen,

and here's his Keybase proof, again further tying his name to his real-life name. If you go down at the end you see a profile for Marcos Annibale with a website of coinsofpixel.com. If you go to the Whois records for coinsofpixel.com you find it was registered to a Marcos Annibale in Campinas, Brazil. And he also had a Flickr profile by the name of darknetcitizen and a Disqus profile by the name of Marcos Annibale. That wasn't just it; there were digital crumbs all over the place for this guy. He had multiple email addresses but he kept reusing them over

and over and mixing them between his clear web and his dark web presence. They pulled his employment records and found that he was a customer feedback supervisor for Paxful, a company that did Bitcoin trading, which kind of makes sense, right? This was his skill: he makes sure communication flow between users and developers is constantly improving; he was a community manager for a real company. And what was really interesting is, if we look over here at this book, this is a book by Roberto Saviano called Gomorrah. While the feds were analyzing the WSM chat logs they stumbled on one chat where Marcos had posted a message saying, I love Roberto Saviano's work, and I'll

have you read, I think, ZeroZeroZero, which is one of these books. Another user said, yeah, I've read that book, have you read Gomorrah? And he said, yeah, I have it, it's a great book and I like the movie too. And then of course the obligatory, you know, password dump, right? So Marcos Annibale, one of his email addresses in Brazil, and a very super-elite password. All right, so where does that leave us? Where do we stand now? A bunch of these markets have gone down. There's good news in this and bad news, right? The good news is a lot of the drug pushers, specifically the ones pushing dangerous drugs like fentanyl, are being taken off the street, and a lot

of these markets are shutting down. The bad news is there's always going to be another one; it's a game of whack-a-mole. These markets come back up, and very often they learn from past mistakes and they become stronger than ever. As a matter of fact, right now Empire Market and Nightmare Market are kind of the two biggies on the street. There's a couple of other minor players, but those are the two that are seeing a lot of traffic right now. And OPSEC will always bring you down, whether you're a cyber criminal or just a private citizen looking to stay private. Remember, if you're going to have dual identities, don't mix them. It's true for good people, it's true for bad people.

So I hope you found that somewhat entertaining. Thank you very much, and enjoy the rest of the conference. [Applause]