04-10-17 Dark Web and Cybercrime Roundup

 

DEA Arrests French Dream Vendor “OxyMonster”

This week’s high profile darknet market arrest landed in the United States for a competition beard event. The suspect, Gal Vallerius, boasted that his beard ranked “World Beard #8.” Vallerius, a Dream moderator and widely disliked darknet drug dealer, had travelled to the United States to crush the souls of other bearded competitors but landed in federal custody instead. Authorities placed the French citizen in custody immediately after capturing from an.international airport in Atlanta.

Like many opioid vendors, Vallerius caught the attention of a Florida-based federal drug taskforce. DeepDotWeb covered several cases connected to the Florida operation: Chrissano Leslie aka Owlcity; Robert Kenneth Decker, aka Digitalpossi2014; Joshua J. Kelly aka ustous; and Kevin C. Fusco aka Polira, among others. Vallerius made, if the Criminal Complaint (at a minimum) contains a shred of truthfulness, mistakes that connected OxyMonster to “Vallerius” to Gal Vallerius. Some pieces of evidence are clearly missing.

OxyMonster moderated the Dream forums. OxyMonster also sold various substances on Dream. His Dream vendor profile contained an “official” Bitcoin tip jar. He had also established a vendor account on TradeRoute but the account seemed only infrequently used. At some point, the Drug Enforcement agency allegedly traced deposits from the tip jar to a LocalBitcoins account. Parallel construction likelihood = high, but they did pull the Bitcoins from Vallerius’s wallet. They then searched social networks for accounts matching the last name. Found Gal.

They then, according to the Criminal Complaint, compared Twitter posts with posts from Vallerius’s days as a Dream mod. He frequently used “cheers,” multiple exclamation marks, and multiple quotation marks. (I examined every Instagram post and every Tweet from Vallerius and found not a single post that stood out. Similarly the use of “cheers” and multiple exclamation marks were oddly absent). As of September 30 and October 1, an entity deleted both the Instagram account and Twitter account. DeepDotWeb

OxyMonster x Scams x Dream Hardware Wallet

It takes less than five minutes to see that OxyMonster was among the most favored members of the community. He scammed users in a major way. His reputation as a vendor lacked notability, despite selling one kilogram or more of heroin, five kilograms or more of cocaine, and 500 grams or more of methamphetamine.

Law enforcement picked him up with roughly 500 Bitcoin. His vendor profile announced that he had only made 100 sales. $500,000 is not significant for full-time, large scale operations. Reddit users pointed out he the was not the most trustworthy darknet entity. Some users claimed that his arrest occurred on the same date that the Dream hardware wallet had failed. This was not the case. Or official court documents, at least.

His Dream forum history—after being arrested—was odd. He posted on the Dream forums, explaining that he had not been arrested. Law enforcement frequently fails at subtlety after vendor busts. (Disregard the surprise takedown of Hansa). Current moderators removed the post. Subtlety failures aside

Marketplace DDoS Attacks

Since (roughly) September 28, the top darknet drug markets got hit with (currently) ongoing DDoS attacks, reminiscent of the attacks on the markets of days past. Or, before the Russian Anonymous Marketplace downfall, the constant marketplace vs. marketplace DDoS attacks. Markets dealing with DDoS attacks rarely attracted attention, save for the Mr. Nice guy drama.

Hidden services have been frequently targeted as prime sites to hit. The attacks are often performed against drug markets or similar. Child pornography forums have been hit hard. The Federal Bureau of Investigators even participated in hidden service deanonymization via DDoS attacks. This round of attacks—focused on the new breed of markets—began in August. Unless additional markets kept their mouths shut, Sourcery Market received the first wave of attacks from what another marketplace described as coming from a “massive botnet.”

Shortly after ending the hell imposed on Sourcery, the hacker moved to two markets, both causing more of a public outcry. TradeRoute Market went down for days, T•chka Market announced that they were dealing with similar attacks.

TradeRoute came back online with unexpected speed improvements.

TradeRoute mirrors, Tochka mirrors.

Two Vendors Busted After Seven “Return to Sender” Failures

The return address debate is rarely a hot topic. But vendors using the same return address on multiple packages seems to spark a debate on the practice. One thing generally stands out: do not reuse addresses. Despite the recurring vendor busts based on the same shipping failures, two new Austrian vendors discovered this after a mere three months of “selling” on a darknet market.

They were not the most stealthy vendors. Law enforcement reported that both were “known on the scene.” For drug possession, use, and addiction. The vendor career, even if it had survived the investigation, failed at being worth anyone’s time. Since the month of June, the duo had only made 2,000 euros.

The pair had shipped an ecstasy package to a customer with less than enough postage to actually reach the customer. Naturally, the vendors had used a local business as the return address. And the package returned to that address. According to the police, they made the same mistake another time. And then continued to make that mistake for a total of seven failed packages.

Also: Belgian Amphetamine Vendor Arrested Due to Insufficient Postage on His Packages

As is the case in almost every one of these cases involving postage, the company did not appreciate the drugs that they had allegedly shipped across the world. And failed of course. The police investigated; detectives caught the suspects on camera and recognized either both or only one vendor. They only need to identify one, though, given that both had criminal backgrounds. The rest fell into place. DeepDotWeb

Black Death Group Kidnapping Case is a Publicity “Sham”

Chloe Ayling, the Instagram “model” (one can frequently “hire” Instagram “models” through their DMs), obviously lied about the Black Death Group. In the previous timeline that covered her kidnapping by the mysterious darknet human trafficking group, the inconsistencies stood out more than the attention-seeking 20-year-old.

As time went on and she grew more and more attached the “almost sold as a sex slave” narrative, her attempts at attracting publicity priced successful. To her obvious dismay, even the British tabloids cast doubt on her story. We pointed out her lies in an article that directly and blatantly pulled the evidence that supported the opposite of her work of fiction. Despite sounding like a breach in ethical news coverage, the article does not selectively ignore facts that point to get truthfulness. None exist. DeepDotWeb Article Timeline of Events

Government Contractor Offers Million Dollar Bounty for Tor 0-Days

Zerodium, a zero-day “collector,” for lack of a better term, announced a Tor Browser Zero-Day Bounty. A one million dollar bounty. Zerodium ways exploits with JavaScript blocked, but offers payouts with a lesser reward for lesser exploits. They want exploits targeting the latest Tor browser bundles. The million dollar bounties apply only to exploits that can be initialized from a website.

Thankfully, though, they announced zero interest in “exploits” that require node manipulation of general network disruption. Safe to say that list part was the only part that went uncontested. DeepDotWeb Zerodium FAQ