Tech

7 Ways the Cops Will Bust You on the Dark Web

Because users are protected by a veil of technological anonymity, the dark web is often portrayed as a space beyond the reach of law enforcement, where criminals can run amok without fear of prosecution.

That couldn’t be more wrong.

Videos by VICE

In fact, police all over the world have deployed a wide array of different techniques to identify and ultimately convict dark web drug dealers, weapon buyers, child pornographers, and more in the past several years. If anything, law enforcement agencies have become more accustomed to working in this space, and are likely to develop even more ways to bust technologically savvy criminals.

GOING UNDERCOVER

Just like in analog investigations, going undercover on the dark web can be a highly effective tactic. For six months, investigators posed as a weapons seller. Naturally, anyone wanting to purchase guns had to provide a postal address, making it fairly trivial for the police to then link real identities to potential customers. In all, law enforcement busted over a dozen people. Similar operations have been carried out against those trying to buy poisons.

Undercover agents have also penetrated wider dark web organisations. On the original Silk Road, authorities took over the account of a staff member. The imposter gained so much trust that they were quickly invited straight into the site’s replacement, launched in late 2014. From the very start of the second Silk Road, investigators already had a man on the inside, able to contact directly with the marketplace’s owners, and feed information to other agents. In Australia, Queensland Police’s Task Force Argos assumed the role of a notorious child abuse site administrator for months, leading to the arrest of pedophiles all over the world.

In a way, law enforcement have taken advantage of the protections offered by Tor to blend in with everyone else—on the dark web, you never really know who is on the other end of a conversation.

Alexandr Trubetskoy/Flickr

HACKING

One way to circumvent Tor is to attack the endpoint; that is, the computers of users themselves. That’s what the FBI did on a massive dark web child pornography site called Playpen: the agency deployed malware, so that when a user clicked on a child pornography related forum their real IP address was sent to investigators, revealing their likely location. (The FBI seized Playpen after the administrator had misconfigured the site, exposing its IP address to the normal internet).

Hacking could quite possibly be the most effective way of identifying people on the dark web, at least judging by the number of computers unmasked. As part of the operation, the FBI harvested over 1000 US based IP addresses, and Europol generated 3,229 of its own cases. Those leads won’t all necessarily lead to convictions, but over 135 people have been charged in the US so far, and new cases keep on rolling in. The FBI has used this mass-hacking approach several times, and could very well have hit innocent users of a privacy focused email service.

At least one foreign law enforcement agency has hacked dark web suspects too. In December 2014, the unnamed agency sent a child pornography site moderator a link to a video, which was configured to route their traffic outside of the Tor network.

Another hack didn’t attack endpoints, but abused a vulnerability in Tor itself, allowing researchers from Carnegie Mellon University’s Software Engineering Institute (SEI) to learn the IP addresses of dark web marketplaces as well as users. Even though this attack wasn’t carried out by the FBI itself, the feds just subpoenaed SEI for the identifying information. SEI’s research was carried out back in the first half of 2014, but likely related convictions are still coming through: a man recently pleaded guilty to running a dark web marketplace after the FBI fed UK police with a slew of IP addresses.

In general, armed with an IP cops just need to then subpoena the respective internet service provider or datacenter for the customer’s details, get a warrant, and then raid their house.

OPEN SOURCE INFORMATION

Even if a criminal’s business exists primarily on the dark web, they might have left digital breadcrumbs—in forum posts or public documents, for example—that lead investigators to the suspect’s identity. Famously, a real breakthrough in the Silk Road case was down to some creative Googling by Gary Alford, a tax investigator. He found that Ross Ulbricht, the creator of the site, had advertised Silk Road on a popular bitcoin forum, and in another post included his personally identifiable email address.

Something similar happened with the man alleged to be Variety Jones, an enigmatic figure who pulled many of the strings behind Silk Road. Through online sleuthing of old cannabis enthusiast forums and business documentation, independent researcher La Moustache managed to name Variety Jones as Thomas Clark. Olford cited much of the same evidence in his criminal complaint against Clark, filed two months later.

In another case, suspected cannabis dealer David Ryan Burchard tried to trademark his dark web brand “caliconnect” in his own name. Naturally, this publicly available nugget of info helped investigators link Burchard to the caliconnect moniker.

MASS SURVEILLANCE

The UK has set up a dedicated unit for tackling dark web crime, which is taking advantage of the country’s mass surveillance capabilities. The National Crime Agency (NCA) and Government Communications Headquarters (GCHQ) “Joint Operations Cell” (JOC) was launched in November 2015, and is “initially”focused on online child sexual exploitation. According to a government document from February, “Bulk data has supported the disruption of over 50 child sexual exploitation offenders in the UK in the last 30 months alone.” Because evidence obtained by interception is not admissible in UK courts, people caught by this method are unlikely to ever have a chance to contest its legality.

DIGGING THROUGH SEIZED DATA

An arrest of a vendor or the seizure of a marketplace can generate a mountain of new leads for investigators to follow. Prominent German vendor ‘Shiny Flakes’ was busted last year with a staggering 320 kilos of drugs. Fortunately for investigators, Shiny Flakes had kept a tidy spreadsheet of all orders which is being used to track down buyers, according to local and state police.

And buying drugs on the dark web can even come back to bite people years later. After arresting another vendor who stored details on his customers, German authorities recently fined someone over €3,000 for purchasing small quantities off the original Silk Road.

FOLLOWING THE MONEY

Dark web marketplaces typically use the pseudo-anonymous currency bitcoin for all transactions, the idea being that transactions can be carried out with no link to the buyer or seller’s real identity. Homeland Security Investigations (HSI), part of the Department of Homeland Security, however, has set up a dedicated task force for tracking down those who launder their proceeds with bitcoin and other cryptocurrencies.

Image: Cool Cats Photography/Flickr

HSI Special Agent Mathew Larsen started investigating David Burchard in part because of his sale of millions of dollars of bitcoins to an unlicensed currency exchange, according to a criminal complaint filed in March. It’s not totally clear which exchange was monitored, or how the transaction was flagged in the first place; the case is still ongoing. But HSI is certainly paying attention to the sale of large chunks of bitcoin.

Blockchain evidence was also used in the conviction of Shaun Bridges, a Secret Service who ripped off Silk Road staffers while simultaneously investigating the site. In a diagram included in the criminal complaint, prosecutors mapped out how thousands of bitcoins were funneled from Silk Road into a Mt. Gox account belonging to Bridges. Investigators were then able to follow wire transfers to a company created by the agent. Just like in tax evasion or similar investigations, transferring funds and assets sourced from the dark web can create a solid path for the cops to follow.

THE POSTAL SYSTEM

For all its technological sophistication, the dark web drug trade relies on postal systems or ordinary couriers. Dealers have to properly package their product and make sure its “stealth” is up to scratch, otherwise customs officials may seize the package. But the feds might also investigate who the package was being sent to, or where it was coming from.

Post boxes or offices also provide a perfect surveillance opportunity for law enforcement. Authorities intercepted multiple packages of heroin from notorious Silk Road drug dealer Steven “Nod” Sadler in September 2012. Post office employees were then able to identify Jenna White, Sadler’s girlfriend, as the person regularly depositing the parcels across the Seattle area. Her hand-writing was the same as that on the packages, and post office cameras picked up her license plate number.

Although the drugs weren’t sourced from the dark web, in 2013 the US Postal Service (USPS) opened a package that contained 500 grams of what would turn out to be synthetic stimulant methylone. Investigators would eventually make a controlled delivery, and arrest their suspect.

Criminals have always tried to be one step ahead, and technology often revolutionizes how illegal goods are traded or sourced. But when drugs, guns and pedophilia moved onto the dark web, the cops came too.