How German and American authorities took down the owners of the Wall Street darknet market – TechCrunch




The large darknet market known as Wall Street Market has been seized and its alleged operators arrested in a joint operation between European and US authorities. Millions in cash, cryptocurrency and other assets were collected and the market shut down. How investigators linked these anonymity-obsessed individuals to the illegal activity is instructive.

The three men accused of running Wall Street Market (WSM), one of the largest hidden-service markets operating over the Tor network, are all German citizens: Tibo Lousee, Jonathan Kalla and Klaus-Martin Frost. Several market vendors were also charged, including one who sold methamphetamine by the kilogram.

The investigation had been under way since 2017, but was brought to a head by the WSM operators' apparent attempt in April to pull an exit scam. By suddenly withdrawing all of the cryptocurrency locked up or otherwise stored under their control, the alleged owners stood to make about $11 million if they could convert the coins.

Until recently, Wall Street Market was a bustling bazaar for illegal goods, including dangerous drugs like fentanyl and physical items like forged documents. It had more than a million user accounts, some 5,400 vendors and tens of thousands of items for sale. It grew as other darknet markets were raided and shut down, funneling users and vendors into an ever smaller pool of platforms.

Whether the owners were simply looking to cash in on this growth and quickly pad their wallets, or felt the law was about to break down their door, the exit scam began on April 16.

This move prompted investigators in the United States and Germany, as well as Europol, to act: the exit scam was not only an opportunity to gather and observe fresh evidence of the trio's alleged crimes, but waiting much longer could have let them go to ground and launder their virtual assets.

The DOJ complaint details how the three site administrators were identified despite their attempts to anonymize their access. This is nothing unprecedented, but it is always interesting to read the forensic analysis that leads to charges, step by step, because linking real people to virtual entities can be very difficult.

For Lousee, it was an unstable VPN connection, supplemented by searches by the German Federal Police, the Bundeskriminalamt or BKA:

WSM administrators accessed the WSM infrastructure primarily through the use of two VPN service providers. At times the VPN Provider #1 connection dropped, but since that specific administrator was still accessing the WSM infrastructure, that administrator's access revealed the true IP address of the administrator.

The individual using the aforementioned IP address to connect to the WSM infrastructure used a device called a UMTS stick (or surfstick) [i.e. a dongle for mobile internet access]. This UMTS stick was registered under an assumed, fictitious name.

The BKA implemented several surveillance measures to electronically locate the specific UMTS stick. The BKA surveillance team found that between 5 and 7 February 2019, the specific UMTS stick was used at a residence of Lousee in Kleve, North Rhine-Westphalia (Germany), and at his place of work, an information technology company where Lousee is employed as a computer programmer. Lousee was later found in possession of a UMTS stick.

Other circumstantial evidence also linked Lousee to the operation, such as similar login names, mentions of drugs and cryptocurrencies, and so on. ("Based on my training and experience as an investigator, I know that '420' is a reference to marijuana," says the special agent behind the complaint.)

Kalla's VPN held up, but the metadata betrayed him:

An IP address assigned to that person's home (the account for the IP address was registered in the name of the suspect's mother) accessed VPN Provider #2 at approximately the same times as the administrator components of the WSM server infrastructure were being accessed via VPN Provider #2.

Hardly a hole in one, but Kalla later acknowledged that he was the user in question. This is a good example of how a VPN can and cannot protect you from government surveillance. It may hide your IP address from some systems, but anyone with a bird's-eye view can see the obvious correlation between one connection and another. That would not stand on its own in court, but if the investigators are good, it does not have to.

Frost, the third administrator, required a more subtle approach, but in the end it was again poor opsec; this time, a careless cross-contamination of his cryptographic and cryptocurrency accounts:

The PGP public key for [WSM administrative account] "TheOne" is identical to the PGP public key for another nickname on [another hidden service] Hansa Market, "dudebuy". As described below, a financial transaction related to a virtual currency wallet used by FROST was linked to "dudebuy".

[The BKA] found the PGP public key for "TheOne" in the WSM database, referred to as "Public Key 1".

Public Key 1 was the PGP public key for "dudebuy". The "refund wallet" for "dudebuy" was Wallet 2.

Wallet 2 was a source of funds for a Bitcoin transaction … Records obtained from the Bitcoin payment processing company revealed that the buyer information for this Bitcoin transaction was listed as "Martin Frost", using the email address klaus-martin.frost@….

Essentially A is B, and B is C, so A is C. This little deductive trick is handy, but the bitcoin wallets used by Frost were also identified through an analysis by the US Postal Inspection Service, which, if you did not know it yet, has a "highly trained, qualified and committed cyber unit."
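As an added illustration (not from the article or the complaint), the chain of shared artefacts described above can be modelled as a graph over constructed records and walked to show why one reused PGP key collapses two pseudonyms into a single actor; the record values below are hypothetical stand-ins.

```python
"""Transitive linking of pseudonymous identities through shared artefacts.

Each record asserts that two artefacts belong to the same actor: an account
and the PGP key it publishes, an account and its refund wallet, a wallet and
the buyer name on a payment-processor record. Walking the graph turns
"A is B, B is C" into "A is C" and returns the evidence chain that proves it.
"""
from collections import defaultdict, deque

# Constructed sample records (hypothetical values, not from the complaint).
# Each tuple: (artefact A, artefact B, evidence source).
RECORDS = [
    ("acct:wsm/TheOne",    "pgp:KEY1-FPR",       "WSM database"),
    ("acct:hansa/dudebuy", "pgp:KEY1-FPR",       "Hansa Market database"),
    ("acct:hansa/dudebuy", "wallet:W2",          "Hansa refund wallet"),
    ("wallet:W2",          "wallet:W1",          "chain analysis: W2 -> W1"),
    ("wallet:W2",          "buyer:Martin Frost", "payment processor record"),
    ("acct:wsm/vendorX",   "pgp:KEY9-FPR",       "WSM database"),
]

def build_graph(records):
    """Undirected adjacency: every record links its two artefacts."""
    adj = defaultdict(set)
    for a, b, _source in records:
        adj[a].add(b)
        adj[b].add(a)
    return adj

def evidence_path(records, start, goal):
    """Shortest chain of shared artefacts from start to goal, or None."""
    adj = build_graph(records)
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:       # walk back to the start
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def same_actor(records, x, y):
    """True when some chain of shared artefacts connects x and y."""
    return evidence_path(records, x, y) is not None

def clusters(records):
    """Group every artefact into its connected set of co-owned identifiers."""
    adj = build_graph(records)
    seen, groups = set(), []
    for node in adj:
        if node in seen:
            continue
        group, stack = set(), [node]
        while stack:
            cur = stack.pop()
            if cur not in group:
                group.add(cur)
                stack.extend(adj[cur] - group)
        seen |= group
        groups.append(sorted(group))
    return groups
```

Each hop in the returned path is one piece of evidence an analyst would have to produce, which is also the list of places where avoiding a single shared identifier would have broken the chain.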

The US Postal Inspection Service learned, through its analysis of transactions and information from the proprietary software described above, that Wallet 2 funds were first transferred to Wallet 1 and then "mixed" by a commercial service; the mixing service is described above in paragraph 4.m. Through in-depth analysis, the US Postal Inspection Service was able to "tease out" the flow of transactions, ultimately verifying that funds in Wallets 1 and 2 ended up paying the FROST account with Product Services.

Here, the indelible record of the blockchain clearly worked against Frost. Wallet 1, incidentally, handled thousands of bitcoins when used in conjunction with another darknet market, German Plaza Market, which the three people charged today are also alleged to have run and closed via an exit scam.

In addition to the administrators, several vendors and other site associates were charged. They were identified by more traditional means and through their market-related activities, to the point that a defense seems a lost cause. The record for a Brazilian who worked as a reseller and, in some capacity, as a WSM representative on Reddit and the forums is an interesting study in the web of suggestive accounts and names that together paint an overwhelming, if circumstantial, picture of a person's associations and interests, from the banal to the criminal.

"The prosecution of these defendants shows that even the smallest mistake will allow us to determine the true identity of a cybercriminal," said US Attorney McGregor W. Scott in the DOJ press release. "We are looking for the smallest breadcrumbs."

The prosecutions of the accused will take place in many venues and under several jurisdictions; it is safe to say that this is only the beginning of a long and complicated process for all involved.
