
Welcome to the talk. My name is John Shier; some of you might have seen me earlier doing the keynote with Chester, and we didn't really introduce each other, so let me do that now. Just to give you an idea of what I do at Sophos: I do security research, but unlike the folks in our labs, the really smart, switched-on folks who try to protect against malware, I look at the security landscape as a general discipline and try to understand what's happening, what trends we're seeing, what cyber criminals are up to and what they might be up to tomorrow, those kinds of things. I synthesize that information and then try to bring it to community events like this, talking to our partners or customers, and speaking at other security conferences.

So, as you probably read in the talk description, we're going to talk about law enforcement operations against darknet markets, and specifically about markets like AlphaBay and Hansa, which at the time were two of the biggest drug-peddling markets on the dark web, and then we'll round out the top three by talking about Dream. Along the way I'm going to have to explain a little bit about what they are and how they work for those of you who haven't been on the dark web and don't really know how it all works. It isn't as scary as it sounds, and it is quite simple, but there's a little bit of nuance there, and we'll talk about some of the OPSEC failures that really led to a lot of the stories I'm going to tell today.

What can be fun about doing this kind of research is that you never know what's going to happen between the time you think about doing the research, come up with the talk and pitch it, and when you actually deliver it. The dark web is a very dynamic place in many respects and stuff happens all the time: a site might be up one day and down the next, or up one minute and down the next, and so I was stymied a couple of times while doing this research, but it actually made for a better story. What this talk is not going to be about, however, is the moral and ethical implications of what these markets are peddling; that is very much subjective, but if we can all agree that what they were doing is pretty much illegal in just about every country on the planet, we'll stick to that.
Before we get to the main event we need to talk a little bit about Silk Road. Silk Road, as many of you may remember, is probably the first darknet market that rose to popularity and became massively successful in terms of its appeal outside of the dark web. It was founded in 2011 by Ross Ulbricht, and it was founded as a sort of expression of the philosophy of agorism and counter-economics, so basically "screw the government", right? It's a libertarian ethos: I can do whatever I want, don't get in my way. Silk Road was the first darknet market that gained massive popularity, but it also showed other markets the way, what was possible out there: the types of security they were using, even the code that they were using. It was also one of the early adopters of things like vendor reputation systems and payment escrow systems, which back in the day weren't really a thing.

One notable aspect of Silk Road, and I managed to get some screenshots a long time ago, was the policy that only goods and services which did not harm or defraud were allowed on the site. This applied to things like child sexual exploitation material, services based on violence, and goods that were used to aid and abet fraud, like carding and stolen identities. Now, this wasn't always the case, so some things did sneak in there every once in a while, but that was at least what the Terms of Service stated, and in keeping with that libertarian ethos of doing no harm to others the site focused mostly on drugs and drug paraphernalia. There weren't only illegal goods on Silk Road; there were legal ones too, so you could get things like jewelry, books, artwork, sporting goods, and war memorabilia and replicas.

According to some, Silk Road contributed to the rise of Bitcoin. Bitcoin was still a very young cryptocurrency at the time, and prior to Silk Road other markets didn't actually rely on cryptocurrencies for purchases; they would accept things like PayPal and Western Union transfers. That ultimately led to a lot of those markets' downfalls, because the feds were able to basically follow the money quite easily, in plain sight, and get to the individuals that were behind some of these markets. But Silk Road was a Bitcoin-only market, and the large transaction volume that Silk Road was generating actually helped pump up the Bitcoin price somewhat, and when Silk Road was seized on 2 October 2013 there was a rather profound, as we can see here in the chart, albeit brief and short-lived, impact on the price of Bitcoin.

Now, it didn't take long for other people to notice what was happening with things like Silk Road, and people wanted to cash in on the action, so in about mid-2013 we started seeing a lot more markets open up on the dark web. The second thing we need to talk about is just how these markets operate: how do they make their money? Some of the markets that are still around today are following the path, or the blueprint, that was laid down by Silk Road way back in the day, and they also support that same libertarian ethos.
That ethos means basically only selling drugs and doing no harm to others; actually, that's why we're seeing a lot of markets nowadays banning things like fentanyl, because fentanyl has been associated with a lot of deaths, especially with the opioid epidemic in the US, and so they want to stay largely away from that. The majority of the more popular markets today actually just sell anything to anyone: drugs, weapons, hacking services, malware, counterfeit goods, you name it. The only thing that most of these markets prohibit is child sexual exploitation material, and sometimes murder, sometimes.

As we can see from government exhibit 113A, which was entered by the prosecution in the Ross Ulbricht trial, this is the way that most markets make their money to this day. It's basically a supply and demand equation, right? A vendor will place an ad, so if I just scroll back, these are all ads for products that are available. A vendor will place an ad on a market, and as a buyer who's interested in one of those ads you would simply click on it and click buy, and then what you need to do is take your real money and exchange it for fake money, and then you take that fake money and you buy the product. Buying the product means your bitcoins go into what's called an escrow account, and that is an account that holds the funds so that the vendor then has time to deliver the product. If you're satisfied that the transaction is complete, then you notify them that yes, I did receive my whatever, and then the vendor will get their cut of the money, but the market will also take a commission. So that's how these markets operate: they basically take a cut of every single transaction, kind of like the App Store or the Play Store, of every single transaction that goes through these markets. So if you're buying 100 quid worth of cocaine, Silk Road takes 2% and the vendor gets the rest. Most markets today still have this commission scenario, and it's generally around 2 to 6 percent.

There are other ways to make money as well. As far as markets are concerned, these are the rules for becoming a vendor on a fairly popular AlphaBay clone that's in operation right now called Empire Market, and there are the usual rules about things like no child sexual exploitation material, no murder-for-hire services, no doxxing users, and no selling outside the market. That's a big no-no with these guys, because once you sell outside of the market they don't get their cut and they get really upset. Empire also charges a vendor fee, in this case a USD $300 bond, basically just to keep the scammers away. Security for these guys is also a top priority: they want to make sure that you have a PGP key, and 2FA is mandatory for all of the vendors on their site. Just imagine if Facebook had Terms of Service like this; it would be great, right? And here are the rules for another relatively new market called Nightmare. Nightmare, I think, has been in full operation for about a year now, and we see much the same rules as Empire, but here they only charge a two hundred and fifty dollar bond, and if you maintain what they call a hundred percent fair dealing rating you get that back after three months. Fair dealing basically means you've got no strikes against you: all the buyers have reported that you're a reputable vendor and they like your services, you didn't dox anybody, and you didn't go outside the market. The number one rule, though, if you look at the very top right, says there will be no shenanigans against Russian citizens. As a matter of fact they're so adamant about this that they felt the need to put it in there twice, so I wonder where they're from.

Lastly, there are some other creative ways that you can make money as a darknet market. Empire Market used to run, and this was active originally and has been defunct for a little bit now, a lottery where for the low fee of the equivalent of one US dollar you enter the lottery, pick some numbers, and if your number comes up you could win just a little over eight thousand US dollars. So it's just another money-generating scheme: however they can get the money, they will do it. And off we go.

So what makes these markets come and go? There's a variety of reasons, and this is a big chart, but we're going to work our way from the top down. This chart tracked 87 markets over the course of about six years; the length of the thick colored bar indicates how long the market was in operation for, and the color indicates the reason why it was taken down or why it disappeared. For example, at the very top of the chart we see the original Silk Road 1, coded in green, which means that it was taken down by law enforcement. It's followed by something called Black Market Reloaded in gold, which allegedly suffered a hack that forced the market to shut down; there's still some contention about whether that was actually the case. Below that there is Sheep Marketplace, which exit scammed. An exit scam, if you recall when I was talking about the escrow: imagine the number of transactions that are potentially going through a lot of these markets; there could be a lot of Bitcoin sitting in those escrow accounts. An exit scam is simply the market operators pulling the plug on everything, taking the bitcoins that are in there, and off they go. Depending on the size of the market this can obviously be quite a haul; the criminals behind Sheep Marketplace made off with about six million US dollars when they exit scammed.

Then, shortly after Silk Road 1 was raided, Silk Road 2 came around. It was run by a former moderator of the original Silk Road who basically just wanted to use the Silk Road name for marketing and branding purposes, so he just called it Silk Road 2, and it only lasted about a year before it too was taken down by law enforcement. I think as they were doing the investigations of Silk Road 1 they got a lot of individuals of interest and were able to put the pieces together and find this guy as well. Then the pinky-purple sort of by itself in the middle there: those are markets that voluntarily shut down for whatever reason. This means the administrators decided to shut down, but they let the users, the vendors and the buyers know that they were shutting down; they gave everybody ample notice and time to withdraw. So if you put a buy order in and it goes into escrow, you can, until the order is finalized, withdraw those funds, so they let the users withdraw the funds and then they shut down. Agora was the market that shut down in this case, and then there was Evolution, which is the last one, with the blue as well, and it exit scammed to the tune of twelve million dollars.
So basically Agora and Evolution were the two biggest darknet markets in that timeframe, and the most popular ones on the dark web. OK, so just as with nature, the dark web abhors a vacuum, although I'm quite partial to my Dyson, made in Great Britain. When those two markets went away there was a need for another market to take their place, and really this was the moment that AlphaBay was waiting for. In the three days following Evolution's closure AlphaBay gained 18,000 new customers and was trading about 300 thousand US dollars every single day. AlphaBay was like many of the other ones that we saw previously, but also like many of the newer markets: it dealt in drugs, but you could also get yourself some digital goods, so you've got things like Netflix accounts and all sorts of other things, but you could also get yourself some air miles accounts. So if you've ever wondered, when an account gets phished, something like a BA account, where those credentials go, this is where they end up: the criminals behind a phish like this would basically sell the accounts to whomever wants to buy them, and then you could just pilfer the air miles out of those accounts. But you could also get some luxury goods like these Yeezys; I never knew what a Yeezy was before doing this research, but a trainer wasn't what immediately came to mind.

Now, because of the explosive growth of this market it drew a ton of law enforcement attention. This was really one market that absolutely needed to be shut down, due in large part to the massive amounts of drugs that were moving and being transacted through this market on a daily basis. So the cops went to work and said, all right, we need to find out who's behind this market. There were mentions all over the site that it was founded and designed by a person calling himself alpha02, right, so the pseudonym alpha02, using Tor, probably Tails and VPNs and all that kind of stuff. But alpha02 did an interview with a site called DeepDotWeb, which we'll talk about a little bit later, where he actually admitted to being the owner and founder, because again, with things on the dark web there is just so much scamming going on that when somebody says "yeah, I'm behind this" or "I'm not behind this" you never know if anybody's actually telling the truth, and if your OPSEC is tight you're never going to know. So the cops had a target, alpha02; they just didn't know who that really was in the real world. So they started ordering drugs from the market to see if they could deduce anything from the transactions themselves or the shipments: they ordered some marijuana and some heroin, and some more heroin, and then they ordered some more heroin and some more marijuana, and 50 grams of meth just for good measure, right? That didn't get them anything, so they ordered some stolen driver's licenses and ATM skimmers, but nothing came out of any of this, and it wasn't until they decided to register an account on the discussion forum that they caught a bit of a break.

A lot of these markets really have two parts. There's the market itself, where you can register an account, see what's going on and what the ads are, purchase something if you want, and become a vendor as well. And then there are the discussion forums, which are just a wild west of mostly support issues, so if you go on some of these forums it's just people saying, hey, I ordered from Strawberry Shortcake and he never delivered my ecstasy, and I'm pissed off because I had a big party this weekend and he ruined my day. Then there are moderators who try to act as the go-between between the people who are making the complaints and the vendors, and they try to make everything all nice-nice. It's interesting, if you have a chance to go check it out, but that's really what they're there for: it's for people in the community of that market to discuss things with each other. There's the usual stuff, like complaints, and then there are specific forums dedicated to cocaine and marijuana and heroin, and then there's the general discussion forum where anything goes, and some of them have really unique cultures as well.

So the feds caught a break because they registered an account on the discussion forum on AlphaBay, and one of the features of the signup process was that a new user had to provide an email address for password recovery. As you signed up you said OK, here's my email address, and then the system would send you an automated email acknowledging that you registered, and when the feds looked into the headers of the email they basically found this address here: Pimp_Alex_91@hotmail.com. So the feds called up Microsoft and said, who owns this account? It turns out it was a Canadian by the name of Alex Cazes, whose birthday was 19 October 1991. His LinkedIn profile indicated that he was a software designer based in Quebec who worked at a company called EBX Technologies, a company that, upon further investigation and digging, they learned he actually owned and controlled. EBX Technologies was just a front company; it wasn't particularly productive, and he was using this company to launder money through. I mean, the website at the time was interesting: it had a lot of things like blog posts and data sheets and solutions. This is all in French, but you've got the software, or the portfolio, and you've got the services that they have. He spent a lot of time putting this together in order to try to make it look like it was a real company, but when they started looking into things like taxation records for the company they found that it really wasn't taking in much money. There was a lot of money moving through the company, but there wasn't really much coming in in terms of things like sales. They also found mentions of both the Hotmail address and an EBX Technologies address associated with a PayPal account, so now they're starting to see some of the pieces line up a little bit, right?

Further digging leads us to a post on a French computer help forum, kind of like Stack Overflow but for French-speaking citizens in Canada, by a user calling himself alpha02. OK, it might have been a coincidence, sure, it could have been somebody else using this pseudonym, if it hadn't been for the fact that Alex Cazes gave his email address to the forum as Pimp_Alex_91@hotmail.com and actually registered as alpha02. As a matter of fact, this is a Wayback Machine screenshot, because they've since scrubbed that site of the actual sign-off that was down here that said Alex Cazes and Pimp_Alex_91@hotmail.com; for whatever reason the people on this site decided to scrub the mention of it. And then, just like we all do when we have an email address we want a little bit more information about, we stick it into Have I Been Pwned and see what happens, right? Sure enough, even cyber criminals are not immune to being part of breaches: he used this address all over the place, including, at the very top here, 000webhost, which is a known repository for basically shady web scripts. So if you've got a shady web script that scrapes crypto coins out of Bitcoin wallets, then you probably can find it posted here and somebody can download and use it. All right, ironically, in that DeepDotWeb interview that I mentioned earlier he bragged about his OPSEC, saying how tight it was. So the feds had their man; now they just had to spring the trap.
Now, around that same time period we had Hansa, which was another market that was getting a lot of attention, both from the users of the site (it was growing quite rapidly in terms of membership) but also from law enforcement. Like AlphaBay and many of the other markets, it dealt in all sorts of illegal goods and services, including drugs, counterfeit items and stolen digital information; there's the thing with the Netflix accounts, Spotify accounts, and again this is where phishing ends up, right? The credentials very often end up here.

Then one day in late 2016 a security researcher discovered something interesting. He was trawling around the web doing the regular security researcher thing and he noticed on the clear web what appeared to be a development server for Hansa market. Because the server was being hosted in the Netherlands, the researcher contacted the Dutch police, and the Dutch High Tech Crime Unit, the HTCU, quickly got a warrant and installed some network monitoring equipment in the data center where the server was located, because they wanted to see what was happening on the wire and where the traffic going to and from the server was originating from or going to. To their surprise, they found that this development server was very chatty, and it was communicating with some Tor-protected nodes in the same data center that was hosting Hansa's live site, as well as some other servers in Germany. So the HTCU immediately made a copy of each server's hard drive that they could get their hands on, which included every single transaction record that had been processed through Hansa up to that point, as well as the entire conversation history from its anonymized chat system. Now, since all the conversations were using pseudonyms, it wasn't really possible to match the identities in the chats with real-life identities, much like the alpha02 problem we had earlier. But there was another huge OPSEC mistake, because as the Dutch police were combing through the logs they found that both of the admins' full names and the home address of one of them appeared in a very, very old chat, from the beginnings of the market when they were setting stuff up. So they basically doxxed themselves to the police at that point.

Because these servers were in Germany, they approached the German police and said, OK, we've got these two guys we're interested in, can you go and knock on their door and have them arrested and extradited? And the Germans said, oh, we know who those guys are, we're already looking at them. It turns out these two were already under investigation for running a site in Germany called Lul.to, which was selling pirated books, audiobooks and MP3s. So the Dutch had an idea: they thought, well, maybe we can use the arrest of these two guys for their involvement in this particular site as a smokescreen for the operation that we want to launch. Unfortunately, as the Dutch were planning this and getting ready to spring the final trap, everything went dark; the signal was gone. The assumption is that the Hansa admins had actually noticed the hard drive copies, panicked, and then acted quickly to take their servers and move them to some other Tor-protected location. So now the HTCU has got nothing: they know who the individuals are, but they don't know where the stuff has gone, and they need more evidence, right? So it was back to analyzing the chat logs.

Luck was on their side again, because in April of 2017 they found a Bitcoin wallet address buried in one of the chats. When they took that Bitcoin address and chucked it into some fancy blockchain analysis software, they discovered that a payment was made through a provider located in the Netherlands, and using a warrant in the Netherlands they then discovered that that payment was made to a hosting company in Lithuania. With another warrant and a little bit of multilateral cooperation they went to Lithuania and found the server once again. It wasn't long after this second break that the FBI notified the HTCU (these guys sometimes talk internally about the operations they're doing) that they had found the servers hosting AlphaBay and were planning to take them down. This gave the Dutch police another idea: if AlphaBay was shut down (it was the big dog at the time, right), users would have to go somewhere, and as has happened so many times in the past, they go to the next biggest market, which in this case happened to be Hansa. So they assumed that, hey, AlphaBay goes down, everybody moves to Hansa.

So on 20 June 2017 the Dutch police sent a couple of agents off to Lithuania to the data center, while the German police were on their way to arrest the two administrators. In one of these carefully coordinated, synchronize-your-watches raids they were able to arrest the pair while they were actually at their keyboards and their computers were unlocked and unencrypted, so that was great. Meanwhile, in Lithuania, the Dutch police immediately began migrating the Hansa code from that server over to another server under their control in a data center in the Netherlands, and under questioning in Germany the two admins finally said, yeah, it was us. They handed over all the keys, all the credentials, everything that they had associated with the site. But the crucial thing here is there was no downtime and no one noticed a thing: for any of the users and vendors on the Hansa site it was just business as usual.

With all the pieces in place, this is how we got Operation Bayonet; it's just a play on words of AlphaBay and internet, basically. So on 5 July 2017 the FBI, with the help of authorities in Canada and Thailand, shut down AlphaBay. The Canadian RCMP, the Royal Canadian Mounted Police, took down the servers which were being hosted in Montreal, and the Thai police arrested Alex Cazes at one of his many residences, in this case one in Bangkok. The Thai police, for their part, used an unmarked car to fake an accident outside his home (this is one of his homes). He lives in a gated property here, and what happened was one of the undercover officers used this car to purposely smash into his gate to cause a commotion. A bunch of other undercover officers came running out, posing as neighbors, yelling and screaming; they were just trying to make a ruckus so that he would come outside, right? But it wasn't working, so they basically backed up the car and ran into the gate once again and caused even more of a commotion, and so finally he noticed, came outside and came down the stairs. Apparently at the time he was shirtless, wearing shorts and flip-flops, and had his cell phone in his hands, and that's when the cops rushed him, pinned him to the ground and took his cell phone, and then immediately another set went up the stairs to his office, where he was again logged into his computer, so it was unlocked, and he was actually logged into the AlphaBay admin portal because he was trying to figure out why the servers in Montreal were going down.

Meanwhile, in the Netherlands, the Dutch police had been fiddling with the code on Hansa. They rewrote the site's code so that it would no longer store passwords as hashes but just as plaintext instead, so anybody who registered would have their password stored in plaintext. They also made a change to the messaging system so that all messages would get copied in plaintext before they got PGP encrypted and sent off to the recipient, and that helped them capture buyers' physical home addresses, because a buyer would say, I live at this address, this is where you need to send my cocaine, right? They also removed a feature that stripped out metadata in pictures; by default most pictures get tagged with GPS coordinates, and you can turn that off if you want, but that's usually an opt-out, not opt-in, feature. Once they stripped that code they basically staged a server glitch, saying, you know, we lost a bunch of pictures, and they just deleted them and said, dear vendors, you need to re-upload your pictures. They were just trying to get as much geolocation data as possible, and most often these are just pictures people take in their own homes, right? So this simple action netted them fifty dealers. Finally, they tricked some of the sellers into downloading a booby-trapped Excel file that was posing as a backup key for their profiles, and when they opened it what it did was basically ping a clear web address, so now they were able to get their clear addresses, not their Tor-protected addresses, and this got them another 64 targets.

Shutting down AlphaBay had the desired effect: more than 5,000 users were registering on Hansa every single day. This is a notice that they put up, because a week after the news broke that AlphaBay had been raided by the police, the influx of new users was so large that the police-controlled Hansa just had to shut down new registrations; they couldn't accept new registrations anymore. And again, doing the research for these things, I'd just periodically jump on the dark web to see what was up.
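The talk points out that most phone cameras write GPS coordinates into a photo's EXIF block by default, and that Hansa relied on a server-side feature to strip that metadata, a feature its users could not verify. As an added example (not code from the talk, from Sophos, or from any of the markets discussed), here is a small pure-Python checker and stripper for JPEG files: it walks the JPEG segment headers, looks inside any EXIF APP1 block for the GPS sub-IFD pointer (tag 0x8825), and produces a copy with the EXIF block removed while leaving the JFIF header and image data untouched. The sample "image" is constructed inline (a minimal JPEG shell with an EXIF block that points at a GPS IFD, no real picture data), so it runs offline; the function names are my own.

```python
import struct

# JPEG markers and the EXIF tag that points at the GPS sub-IFD
APP1 = 0xFFE1
SOS = 0xFFDA
EOI = 0xFFD9
TAG_GPS_IFD = 0x8825          # GPSInfoIFDPointer entry in IFD0
EXIF_HEADER = b"Exif\x00\x00"


def _segments(data):
    """Yield (marker, offset, total_length) for each segment after SOI.

    Stops at SOS (the entropy-coded image data, which we never parse) or EOI,
    yielding the remainder as one chunk so a caller can copy it verbatim.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = (data[pos] << 8) | data[pos + 1]
        if marker in (SOS, EOI):
            yield marker, pos, len(data) - pos
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment at offset %d" % pos)
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, 2 + seg_len
        pos += 2 + seg_len


def _tiff_has_gps(tiff):
    """Walk the IFD chain of an EXIF TIFF blob; True if any IFD carries a GPS IFD pointer."""
    if tiff[:2] == b"II":
        e = "<"                       # little-endian TIFF
    elif tiff[:2] == b"MM":
        e = ">"                       # big-endian TIFF
    else:
        return False
    if len(tiff) < 8 or struct.unpack(e + "H", tiff[2:4])[0] != 0x2A:
        return False
    ifd = struct.unpack(e + "I", tiff[4:8])[0]
    seen = set()
    while ifd and ifd not in seen and ifd + 2 <= len(tiff):
        seen.add(ifd)                 # guard against cyclic IFD chains in hostile files
        count = struct.unpack(e + "H", tiff[ifd:ifd + 2])[0]
        for i in range(count):
            entry = ifd + 2 + 12 * i
            if entry + 12 > len(tiff):
                return False
            if struct.unpack(e + "H", tiff[entry:entry + 2])[0] == TAG_GPS_IFD:
                return True
        nxt = ifd + 2 + 12 * count
        if nxt + 4 > len(tiff):
            return False
        ifd = struct.unpack(e + "I", tiff[nxt:nxt + 4])[0]
    return False


def has_gps_exif(data):
    """True if any EXIF APP1 segment in the JPEG carries a GPS IFD pointer."""
    for marker, off, total in _segments(data):
        if marker == APP1 and data[off + 4:off + 10] == EXIF_HEADER:
            if _tiff_has_gps(data[off + 10:off + total]):
                return True
    return False


def strip_exif(data):
    """Return a copy of the JPEG with every EXIF APP1 segment dropped.

    Other segments (JFIF APP0, tables, the image data itself) are copied
    byte-for-byte, so the picture still decodes; only the metadata is gone.
    """
    out = bytearray(b"\xff\xd8")
    for marker, off, total in _segments(data):
        if marker == APP1 and data[off + 4:off + 10] == EXIF_HEADER:
            continue
        out += data[off:off + total]
    return bytes(out)


def build_sample_jpeg_with_gps():
    """Constructed sample (not a real photo): SOI, JFIF APP0, EXIF APP1 with a GPS IFD, EOI."""
    e = "<"
    tiff = bytearray(b"II" + struct.pack(e + "HI", 0x2A, 8))       # TIFF header, IFD0 at offset 8
    gps_ifd_off = 8 + 2 + 12 + 4                                     # IFD0 = count + 1 entry + next pointer
    tiff += struct.pack(e + "H", 1)                                  # IFD0: one entry
    tiff += struct.pack(e + "HHII", TAG_GPS_IFD, 4, 1, gps_ifd_off)  # type LONG, count 1, GPS IFD offset
    tiff += struct.pack(e + "I", 0)                                  # no further IFD
    tiff += struct.pack(e + "H", 1)                                  # GPS IFD: one entry
    tiff += struct.pack(e + "HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"  # GPSLatitudeRef, ASCII "N"
    tiff += struct.pack(e + "I", 0)
    app1_body = EXIF_HEADER + bytes(tiff)
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_body) + 2) + app1_body
    app0_body = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(app0_body) + 2) + app0_body
    return b"\xff\xd8" + app0 + app1 + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg_with_gps()
    print("sample carries GPS EXIF:", has_gps_exif(sample))
    cleaned = strip_exif(sample)
    print("after stripping:", has_gps_exif(cleaned), len(sample), "->", len(cleaned), "bytes")
```

Run it on a real photo by reading the file as bytes and passing it to `has_gps_exif` and `strip_exif`; the point is that the check runs on the client, before the upload, so it does not depend on whatever the server at the other end claims to do with the metadata.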
what's going on and I noticed this I took a screenshot not knowing it's gonna use it for a talk later on but you know due to the influx of alpha Bay refugees which is apparently what they call these things you know we're dealing with technical issues we've you know we've temporarily stopped new registrations unfortunately for the cops Dutch law states that they had to track and report every single transaction that was going through Hansa to Europol and with about a thousand transactions per day occurring on Hansa at the time the paperwork is basically just getting completely unmanageable and after 27 days the Dutch finally gave up and pulled the plug on the site entirely so
if you can imagine that a thousand orders per day that they had to then you know get the old form and triplicate and fill out all the details and enter that into evidence it was a bit much so the results were pretty staggering the police had obtained data because of this operation they obtained and about four hundred and twenty thousand users including a hundred thousand home addresses which were turned over to Europol and police agencies worldwide and they also seized about 12 million US dollars worth of bitcoins following this operation the police in in various countries did a bunch of what they called knock-and-talk basically knocking on the door of 420 thousand users they kind of like hey
yeah we know you bought some stuff in the past clean up your act kind of thing we're gonna look away this time but don't do it again by the time it was seized alpha bay had over three hundred and seventy thousand listings on the site 400,000 members and was trading anywhere from 600 to 800 thousand US dollars per day in its heyday Silk Road had only 13,000 listings on the site so you can imagine just the the orders of magnitude that growth that this market had achieved and it's estimated that alpha bay grossed over a billion dollars in the roughly two years that it was active at the time Alex was living the highlife he had you
know, several properties. If you read the forfeiture document, which is just the piece that lists the assets, it's like five pages long and lists several luxury properties, including this particular villa here in Thailand. There was a time where you could actually rent this for vacations. I went to the site recently and it's no longer available for rent, but, you know, if you were on vacation you could go to Thailand and, while he wasn't there, you could rent his luxury villa for however long you wanted. Premium luxury villa. He was also an economic citizen, which means he would look around the world and see, well, where can I get citizenship simply by investing money, and usually it's in the form of real estate. So depending on the country, in some it's only a couple hundred thousand euros, in some countries it's a couple million, so he's kind of spreading money around trying to get economic citizenship in as many of the countries that I guess he fancied as possible, you know, distribute his wealth a little bit, don't have all your eggs in one basket. If only he had been at my BSides talk in London last year, where I talked about being a cyber criminal on the web, he would have learned to stay away from countries that have extradition treaties with the US, because when you're a cyber criminal, or when you're a criminal, and you're in any one of these blue countries and you do crimes against American citizens or American companies, they will come after you if they know who you are, and that's really how a lot of these guys get arrested: they make a pile of cash ransomwaring a bunch of machines and then they feel that they've worked so hard they've earned a holiday, so they go down to Ibiza and then the cops find him in Popham. So in addition to his many real estate properties the police also seized 10 luxury cars, including this beautiful Lamborghini Aventador LP 700-4. A sheet on his computer where he tracked
his own net worth in terms of, you know, bitcoin, cash in different currencies, real estate properties, assets like cars, expensive jewelry, fancy luxury goods, all that kind of stuff. He kept track of all this and he estimated his own net worth, and it was sort of corroborated by police, at about twenty-three million dollars. So not bad; not great, but not bad if you're just sitting on your butt collecting commission off a bunch of drug transactions. Now unfortunately the good news of taking this market down was somewhat tainted: while awaiting his extradition to the US, Alex Cazes hanged himself in his Bangkok jail cell. So you can only imagine, he was a pretty young guy and he was married, they had just been married fairly recently, and when your world comes crashing down sometimes things like this happen. So it's unfortunate for Alex, but at least the market's shut down and people can stay a little bit safer now.

So with AlphaBay and Hansa gone, it was time for Dream to basically step up. They were the third guy in line, right? So by all accounts Dream had inherited basically all the refugee community from both of these markets to emerge as the leading dark net market at the time. So back in March, when I started putting together the research and, you know,
looking at the outline and thinking, okay, how am I going to tell this story, right, because Operation Bayonet had already happened and Dream was doing just stellar business, it was doing gangbusters business, I thought, you know, this could be a good story and I could talk about what Dream is doing and the kinds of things that they've been up to. And so I was doing my regular rounds of going, okay, what's on Dream these days, are there fun things that we can find on Dream, and I saw this notice which said that the market's going to get shut down on 30 April of 2019 and it's going to transfer the services to another partner company. Now this was big news on the dark web, because nobody had a clue really what was going on. There were wild rumors and speculations on many of the forums stating that Speedstepper, which is the alleged owner and operator of this site, had either been arrested or he was just exit scamming, which, you know, both of those are fairly common and people are fairly used to that. But a bunch of people had vouched for him and he said, no, no, take this at its word, it would all be fine, don't worry about it, just sit tight. But curiously, unlike most of the messages that usually come from site administrators and Speedstepper himself, this message was not actually signed by Speedstepper, so this kind of fuelled the conspiracy theories that maybe the cops had him but they didn't have access to his key, so they just popped a message out there. And during this particular period of time Dream continued to stay up, but all the products were gone, so you could log into the site but there were no ads anymore, and you could look at your account and do all sorts of other things, but there's no product to buy anymore. Now apparently you could still withdraw your bitcoins from your account, because there was stuff stuck in escrow at the time, but a bunch
of users complained that they either couldn't withdraw, or they couldn't withdraw all of their bitcoins at a time, or there was just some weirdness happening with the withdrawal system. And then 30 April came and went and the site was still up and it was showing the same message. Now in early May a post on Dread, which, if you're not familiar with it, is kind of like the dark web's equivalent to Reddit, attempted to set the record straight. It turns out that Dream had been on the receiving end of a sustained seven-week DDoS attack and the attackers were simply demanding a four hundred thousand dollar ransom. Now DDoS attacks on the Tor network are not new, they happen all the time, and darknet markets are very often the targets of these because of their high profile, because of the service that they provide to the dark web; a lot of people find them necessary and therefore taking down a dark net market upsets people and they want it back up. Now the thing is that there's a systemic issue with the protocol itself that allows DDoS attacks to occur and be amplified, and it can't easily be mitigated by the site administrators, it actually needs code changes to the Tor protocol itself, and what's interesting is a bunch of these dark web operators and site operators actually started crowdfunding sources for the Tor Project to fix this one particular bug so that they wouldn't be victims of DDoS attacks. But it seems that instead of giving up and paying the ransom, the Dream admin or admins decided to shut down the site, improve the site's code, and then relaunch bigger and better than before. Shortly after that a different notice appeared on the market saying that it would be back in August, and an accompanying post, again on Dread, confirmed the same thing. Now as of today all the Dream mirrors have gone offline, you can't access any of them, there were a lot of them, and the true fate of the site is still
unknown. I keep trolling Dread and the specific, particular, whichever one you want, subdread, that is the Dream Market subdread, and they're still posting, but, you know, the Reddit one and the one before that, I can't remember the name, are still saying yes, it's coming, yes, it's coming, but we still haven't seen anything yet, and that address that we saw in the very first notice, the partner site, is not up yet. And so I was kind of here with an unfinished talk, because I had nothing to talk about anymore about Dream, and that's when I caught a bit of a break, because law enforcement came and gave me a hand. Along with Dream Market, Wall Street Market and Valhalla were the other two, so AlphaBay and Hansa go away, Dream gets promoted, and then Wall Street and Valhalla become sort of the next large and well-trafficked markets out there. And on the morning of 2 May I woke up to this notice: the German national police had seized Wall Street Market, and Finnish Customs and French police had seized Valhalla. So this again rocked the darknet community and there was panic in the proverbial dark web streets. Now only five days later the FBI, not wanting to be left out of the fun, seized the extremely popular dark web news site DeepDotWeb. Now it's easy to understand why
Wall Street and Valhalla went down, but why DeepDotWeb? Prior to being shut down, DeepDotWeb was a news site that dealt with all things dark web but focused on dark net activity. DeepDotWeb was not only a news site but it also served, amongst other things, as a portal to dark net markets. It had a sidebar that listed the many popular markets available at the time and their availability, so if we look at the top, the top market was Dream at the time, with a ninety-eight point five four percent availability, and you can see some of the other markets that are maybe more focused. There's vendor shops; a vendor shop compared to a market: markets have multiple vendors, vendor shops are run by one vendor. And then you've got discussion forums and non-English, country-specific sites, and then sometimes these categories changed a little bit, sometimes they had other stuff in there as well. It also had referral links for each one of these markets and a little bit of information on what you can get there. So this was the bridge between the clear web and the dark web, but it still doesn't really explain why this site was shut down, which left a lot of people kind of scratching their heads, both on
Dread and Reddit and all over the place. As part of the press release the FBI published a handy infographic which explained why what they were doing was illegal. The DeepDotWeb admins would create an account on all of the markets listed on their site, they would then publish that referral link, as we saw, on DeepDotWeb, and then promote those sites: they would promote the market itself, they would promote it on their site, they would promote their site, DeepDotWeb, on other sites, and just basically promote the hell out of everything all over the place. Users who would subsequently use that referral link to open their own account, let's say on Hansa or AlphaBay, and proceed to buy goods and services would then basically be using that referral link as a way to sort of thank the DeepDotWeb admins, because it turns out that the DeepDotWeb admins were receiving a percentage of all the transactions that those users subsequently produced, in perpetuity. So basically they would take the money, and then finally they would launder the money they had through a bunch of shell companies that the two individuals behind DeepDotWeb controlled. Now according to the indictment, again, DeepDotWeb's referral link was associated with nearly 24% of all AlphaBay transactions and 47% of all Hansa transactions. The admins themselves received over 15 million dollars in kickbacks from the various dark net markets, and I believe this is what most law enforcement agencies call the proceeds of crime, right? I also believe that this is probably the first time that a clear web site was taken down just for containing things like information and referral links. Now interestingly, a couple of very similar sites to DeepDotWeb have since disappeared off the clear web, so I guess people are taking notice and doing business a little bit differently these days. So like many of their predecessors, a slew of OPSEC, operational security, mistakes were to blame for the takedowns of both Wall Street and Valhalla. Now unfortunately we
still can't find much public information on Valhalla, but I'm willing to bet several pints of bitter that it's probably an OPSEC fail. This is generally the way that these things turn out and that's probably what was central to that bust as well. It doesn't take much to bring your criminal empire crumbling down. The DeepDotWeb indictment identified two gentlemen, Tal Prihar and Michael Phan, as the admins of the site. Now how the police got there was simply a matter of following money and a little bit of open source intelligence. Actually, I think there's an OSINT CTF later on today, so if you're interested in that kind of stuff go participate. Now by watching certain wallets they were able to identify which companies were being used as shell companies to transfer money, and then something as simple as a company lookup on LinkedIn would have identified who the individuals were. So they found the company first by following the money, and then a LinkedIn search said, well, there's Tal and Michael. So Tal Prihar was the owner of OTSR Biz Tech and M&T Marketing Limited, and then Michael Phan was the owner of Jazz Coffee Trade Limited. If you look at Michael Phan's Facebook profile you can see that he also claims ownership, in addition to the coffee shop, of M&T Marketing. The authorities had identified OTSR and M&T as two of the
companies that were actually being used to launder the money. So basically, starting with some shell companies, following the money led to the real-life identities of these two individuals. Another good example is the story of a senior Dream Market admin who was arrested in the U.S. on his way to a beard-growing competition: OxyMonster. What's that? I can't hear. Oh, I'm pretty sure that's not an Onion headline I saw, I've read the indictment. His identity: OxyMonster was a prominent member of the Dream community as well as also being a former admin. He was also a vendor, that's why he called himself OxyMonster, and his identity was pieced together by analyzing public Instagram and Twitter posts of an individual by the name of Gal Vallerius and then comparing those posts with those made by Dream forum admins, and specifically tying them to this Dream forum admin called OxyMonster. Where it actually really started to go wrong for him was when the feds were able to associate one of the bitcoin wallet addresses used as a tip jar on Dream Market with an individual by the name of Gal Vallerius. Now a tip jar is something that gets used on the dark web by dark web vendors, basically just for vendors to receive bitcoins from satisfied customers, so if you like their service you give them a couple extra shekels and off they go. And on 31 August he was detained and questioned in Atlanta on his way to the competition in Texas. The indictment indicated that during the search of his laptop, login creds for Dream and an encryption key tied to OxyMonster were found on his laptop, and it's like these guys have never heard of Tails, they keep using their own laptops for both their criminal and public activities. So Gal Vallerius was tried and subsequently found guilty, that's how we know, of distributing drugs and sentenced to 20 years in an orange jumpsuit in the USA. Pretty sick beard though, right? He didn't get there. Pardon me? They were... well, money laundering, and then basically
proceeds of crime, essentially, right, because they were paid by money that was gained through selling drugs. Right, now as of April of this year Wall Street Market was one of the larger dark net markets out there and had 5,400 vendors and over a million customers. It was one of the many places where you could get yourself some Donald Trump ecstasy along with a raft of other illegal goods, and like the other markets they took a cut; their whole transaction model was taking a cut, anywhere from two to five percent depending on the vendor's status or rating, so if you're a vendor of high status and rating they took less of a cut of your transactions. And aside from all the obvious reasons why this market would come under scrutiny by law enforcement, there's the allegation that drugs sold on this market specifically were directly responsible for the death of a Florida resident. Wall Street was also apparently the successor of German Plaza Market, which exit scammed back in 2016, so by using, again, some fancy blockchain analysis, the federal agents were able to follow the money and establish that money from the wallets associated with the previous German Plaza Market was used to fund the operations of Wall Street, in order to buy things like advertising and marketing services. Now since this bust is still relatively new, the details haven't all emerged, but
again we've got some indictments that we can sift through that give us some clues as to how the three men behind Wall Street were actually identified. The police discovered several servers thought to be those belonging to Wall Street, imaged them, and then started analyzing the images for clues. There weren't any immediate smoking guns, but the cops were able to get some pseudonyms from the code that would later be associated with the defendants. Now if you're going to use a pseudonym, don't reuse that on the clear web, don't be stupid. The authorities were also able to analyze some network traffic and get additional clues. In this case one defendant's VPN connection betrayed him when it would drop and then unmask his real IP address while he was actively using an administration port on the Wall Street Market infrastructure. It turns out that the IP address was associated with a mobile UMTS device that was registered, albeit with a fictitious name, but surveillance of that stick, so good old-fashioned police work, revealed that it was used by one of the defendants at both his home and his place of work. Another of the Wall Street Market administrators had his VPN service registered in the name of his mother. Poor mother. So they just basically went to her house and knocked on the door and questioned her: "oh, that's my son, yes", and then this admin later admitted his role in running Wall Street Market. And meanwhile analysis of the images continued and turned up some PGP keys. They found that those PGP keys were associated with a wallet that was used to pay for some digital marketing services, right, and some ads, maybe on DeepDotWeb, who knows, and the same PGP key was also found associated with a wallet of a Hansa user, and the monikers used in the various locations basically all traced back to the same user. Further blockchain analysis, these guys use a lot of blockchain analysis, I guess it's not as anonymous as some people think, indicated that other wallets associated with this particular user were all
somehow associated with the same email address, down here: Klaus-Martin Frost at web.de. What makes the WSM case even more interesting is the fact that the three admins were planning an exit scam. In late April this message appeared on the site, so apparently the site was going to go down for maintenance and would be back shortly. It never came up. Law enforcement noticed, and so did others, so law enforcement was like, we need to step up on these guys because something's happening. But if you went to Dread, there was HugBunter, who's the alleged owner and runner of Dread, basically saying, you know, if you're living under a rock and you haven't noticed, Wall Street Market is exit scamming. As a matter of fact the big story right now around Reddit is that Nightmare Market, the one I mentioned earlier, is also apparently, allegedly, exit scamming, although the market as of yesterday is still up and apparently processing transactions. And then there's this thing down here, "law enforcement having access to the IP address of the panel". What was that all about? Well, shortly after the site went into maintenance another interesting post appeared on Reddit, where it seemed like someone using the username of Med3l1n had leaked the credentials to the Wall Street Market admin panel. Well, who could have done it and why? Well, more indictments to read. This one
is a treasure trove of OPSEC failure. Reading this indictment you almost feel bad for this individual. He was a Wall Street Market mod and a subreddit mod, he spoke English and Portuguese, and interestingly he actually interacted with the Dutch police on Hansa during Operation Bayonet. As a matter of fact, here's part of the conversation from the indictment where he's chatting with the police and they were basically trying to get information out of him. So he was trying to get a job with them as a foreign mod, and they were trying to get information like, you know, where do you live and all this kind of stuff, and he's like, well, we need to exchange secure information, so they're like, well, we'll send you a key, so what's your address, right, they want to send like a key fob, right, and he's like, the postal system in Brazil is really slow, I'll probably never get it by the time all this stuff sorts out. So eventually they convinced him to give them his home address, which turned out to be an address in Campinas in Brazil. Further digging into the indictment reveals even more fun stuff. So he had this page here that had a website link, it had his Keybase proof, it had GitHub accounts, Twitter accounts. If you look at his GitHub account it says it's associated with somebody called Coins of Pixel. He had a personalized bitcoin address as well that was on his website, which is no longer in operation, but it was marcosannibale.com, and it had a personalized bitcoin address that started "1Marcos". Didn't make much money with that one apparently. His Reddit account uses the same name as Twitter, and here's the Keybase proof from earlier. On his Twitter account he had an MSDN account as well with a picture of Marcos Annibale, right, and coinsofpixel.com as his website, and for good measure he had Flickr and Disqus accounts using the name Marcos
Annibale on both of them. What I thought was particularly clever is that the federal agent in the indictment talked about one of the ways that he basically sealed the deal on who this guy was: as they were going through the chat logs they found a discussion about a particular book called Gomorrah. He was discussing this with another enthusiast of that same author, saying hey, have you read this book? Yeah, I've got it, I've read it. So Marcos was saying yeah, I've got the book, I've read it, but have you read his other book as well? And this is actually a photo from his employment profile at a former company, and so the Fed noticed the book Gomorrah back there and he's like, that's got to be him, with all the overwhelming evidence, that's got to be him. And then finally, just like the rest of us, he too ended up in a password dump, this time for the Steam platform, with the username of Marcos Annibale and the password of Campinas000.

So where do we stand now? Continued cooperation between the researcher community and law enforcement is doing some good. We are winning some of these battles. If we continue to research and do good work and bring these guys down, they are taking harm off the street; regardless of how you feel about the products, they are taking harm off the street, especially some of them that are still selling things like fentanyl. And so it's a good news, bad news story, but just remember this: bad OPSEC will always bring you down. So regardless of why you feel the need to keep your identities private on the web, whether you're doing good things or bad things, on the dark web or the clear web, for goodness' sake don't mix them up. Thank you.
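The talk refers several times to "following the money" and "blockchain analysis" without showing how a wallet address gets tied to a person: the tip-jar address linked to Gal Vallerius, and the PGP-key wallet linked to other wallets and an email address in the Wall Street Market case. The block below is an added example written for this page, not material from the speaker or the talk; it implements the common-input-ownership heuristic that underlies that kind of clustering, with a guard for CoinJoin-style mixing transactions that would otherwise produce false merges. The ledger, the short address labels (`addrA` and so on) and the attribution notes are all constructed sample data, not real chain data or real evidence from either case.

```python
"""
Added example: address clustering with the common-input-ownership heuristic.
All transactions, addresses and labels below are constructed sample data.
"""
from collections import defaultdict

# A transaction is modelled as (txid, [input addresses], [(output address, value)]).
# Constructed sample ledger: several "wallets" spend coins over a few transactions.
SAMPLE_TXS = [
    ("tx1", ["addrA", "addrB"], [("addrX", 0.5)]),
    ("tx2", ["addrB", "addrC"], [("addrY", 0.3)]),
    ("tx3", ["addrD"],          [("addrZ", 0.1)]),
    ("tx4", ["addrD", "addrE"], [("addrW", 0.2)]),
    ("tx5", ["addrF"],          [("addrV", 0.05)]),
    # A CoinJoin-style mixing transaction: inputs from unrelated parties and
    # several equal-valued outputs. Applying the heuristic here would wrongly
    # merge addrC, addrE and addrF into one cluster, so the analysis skips it.
    ("tx6", ["addrC", "addrE", "addrF"],
            [("addrM1", 0.1), ("addrM2", 0.1), ("addrM3", 0.1)]),
]

# Constructed off-chain attribution labels: the kind of evidence the talk
# describes (a tip jar posted publicly, a wallet tied to a recovered PGP key).
SAMPLE_LABELS = {
    "addrA": "tip jar posted publicly under a vendor handle",
    "addrC": "wallet that paid a marketing service; PGP key recovered from server image",
    "addrF": "unrelated user (control)",
}


class DisjointSet:
    """Union-find over address strings with path compression."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def looks_like_coinjoin(inputs, outputs, min_equal_outputs=3):
    """Simplified CoinJoin check: >= 2 inputs and several outputs of identical value."""
    if len(inputs) < 2:
        return False
    counts = defaultdict(int)
    for _, value in outputs:
        counts[value] += 1
    return max(counts.values(), default=0) >= min_equal_outputs


def cluster_addresses(txs):
    """Return {input address: frozenset of addresses presumed under the same control}.

    Common-input-ownership heuristic: every address spent together as inputs of
    one (non-mixing) transaction is assumed to belong to the same wallet owner.
    """
    ds = DisjointSet()
    for _, inputs, outputs in txs:
        if looks_like_coinjoin(inputs, outputs):
            continue  # do not let a mixing transaction merge unrelated clusters
        for addr in inputs:
            ds.find(addr)  # register single-input spends too
        for addr in inputs[1:]:
            ds.union(inputs[0], addr)
    members = defaultdict(set)
    for addr in list(ds.parent):
        members[ds.find(addr)].add(addr)
    return {addr: frozenset(group) for group in members.values() for addr in group}


def attribute_clusters(txs, labels):
    """Map each cluster to the off-chain labels attached to any of its members."""
    clusters = cluster_addresses(txs)
    result = defaultdict(list)
    for addr, note in labels.items():
        if addr in clusters:
            result[clusters[addr]].append((addr, note))
    return dict(result)


if __name__ == "__main__":
    for group, notes in attribute_clusters(SAMPLE_TXS, SAMPLE_LABELS).items():
        print(sorted(group))
        for addr, note in notes:
            print("   ", addr, "->", note)
```

On the constructed ledger, `addrA` (the public tip jar) and `addrC` (the wallet tied to a PGP key) fall into one cluster because `addrB` was co-spent with each of them, which is the chain-side link; `addrF` stays separate because the only transaction joining it to the others is the mixing transaction, which the filter skips. The heuristic is exactly that, a heuristic: as the talk's own examples show, investigators corroborate such clusters with off-chain evidence (company lookups, surveillance of a device, a leaked credential) before treating a cluster as one person.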