13.8.17 Dark Web and Cybercrime Roundup

Alphabay Vendor “Area51” aka “DarkApollo” Sentenced to 6.5 Years

Chaudhry Ahmad Farooq, as with many vendors, worked with a partner when selling heroin and cocaine on Alphabay. Farooq managed the operation; he handled the darknet presence, communicated with suppliers, and touched the actual product. According to court documents, Farooq’s partner, Abudullah Almashwali, ran errands for Farooq. Almashwali purchased stamps (in massive quantities) and dropped packages off at the Post Office.

Almashwali shipped the packages for Farooq. Farooq, in turn, controlled the Alphabay vendor accounts known as “Area51” and “DarkApollo.” At some point, researchers with interest in heroin, cocaine, or vendor fingerprinting noticed a connection between both accounts. Farooq had not intentionally hid the connection; he just never blatantly mentioned it. The feds found the same connection, and that connection also connected Farooq to a clearnet identity.

The PGP key used for the vendor accounts used a real email address. And not a throwaway or secure mail account; he used a Gmail address that he had connected to Instagram and other social networks. The username in the email address matched that of the username on the accounts. And, as the facade crumbled, law enforcement found the real name on the accounts matched that of Chaudhry Ahmad Farooq.

The feds moved on to the “controlled purchases stage” of the investigation. Not only did the controlled purchases go as planned, but another piece of the puzzle fell into law enforcement’s lap. Almashwali bought massive quantities of stamps which a credit card that linked directly back to the operation and the man himself. Everything else took place as one might expect following a successful set of controlled purchases.

Almashwali pleaded guilty in April 2017. He received 78 months in prison. Farooq pleaded guilty as well. The judge scheduled the 24-year-old’s sentencing hearing for January 2018.

In a way, the entire ordeal had an element of irony about it. The vendor’s weakest link—himself—betrayed one of the strongest parts of a opsec toolkit. Another example of how no level of protection matters when a failure to keep darknet and “real life” identities separate. The next article caught the attention of mainstream media for a very similar reason. DeepDotWeb

• Timeline: Arrests of AlphaBay Vendors AREA51 and DARKAPOLLO
• Two Guilty Pleas from Area51 and DarkApollo

Silk Road Vendor CaliConnect Admits Marijuana Distribution

David Ryan Burchard, also known as “CaliConnect,” pleaded guilty to selling marijuana on numerous darknet marketplaces. According to court documents, he sold on almost every market of his time, many of which no longer exist: Silk Road, Agora, Abraxas, and AlphaBay. Burchard, known as Caliconnect2 on the Silk Road, bought a fake ID from another Silk Road vendor. For the mailing label, he asked the vendor to use a name that later incriminated him. His own name.

The investigators found that Burchard sold on Agora market as the_real_caliconnect. On Agora, one agent wrote, the vendor had claimed to have been CaliConnect from the Silk Road, Silk Road 2.0, and the Black Market Reloaded. That agent used Grams next; he searched the PGP key on the Agora account for vendors on other markets. The Alphabay account then surfaced as it shared a PGP key with the Agora account.

Reverse PGP key searches on Grams helped locate compromised Dream accounts after the Hansa takedown.

Law enforcement conducted controlled buys. They identified Burchard. Burchard attempted to trademark a clothing line under the name “Cali Connect.” Towards the end of his reign, buyers reported receiving branded T-shirts with some of the larger purchases.

He let someone pay him via Greendot and information on the card linked to Burchard. Officers noted that he had not worked in years. His wife stayed at home as well, yet the family had a house and several vehicles. Half-a-dozen law enforcement agencies raided the man’s home and found his laptop. Through a password that forensics provided, the FBI gained access to Burchard’s PGP encrypted messages. The password was “asshole209.”

The husband, father, and drug dealer escaped the cocaine charges, but faces up to 20 years in prison for the marijuana charges. His sentencing hearing was scheduled for October 30, 2017.

His case, as with any case of this sort, provided a look into the opsec failures that led to how arrest. He slipped up throughout, and the government bloodhounds would likely have caught him regardless, but Burchard had taken a path no other vendor had attempted to walk down. One could guess, with a reasonable confidence level, that the trademark was an undeniable smoking bullet. Especially when law enforcement found CaliConnect branded clothing at his house during the raid. DeepDotWeb

• Timeline: Arrest Of The Darknet Market Vendor ‘Caliconnect’

Ukraine Police Arrest Man for Spreading NotPetya Ransomware in Tax Evasion

After Ukraine fell victim to the NotPetya ransomware, investigators discovered a connection between the ransomware and a backdoored server of a software company. The company, Intellect Service, made a popular program and/or service known as M.E.Doc. The program, according to BleepingComputer’s Catalin Cimpanu, was used as an automated tax reporting service. The unknown that actor pushed an update to the software that contained the NotPetya ransomware, rendering many companies unable to properly manage financial records.

The Ukrainian state tax service, Cimpanu reported, extended the deadline for companies to turn in reports by several months—for companies that were hit by NotPetya, a December 31, 2017, deadline was granted.

Naturally, if some reason existed that impeded one’s tax reporting ability, infecting one’s self with ransomware would be the way to go. Several companies took this route, thanks to the work of a 51-year-old man. The man had uploaded NotPetya to a file-sharing service and created “how-to” videos that went along with it.

Companies shared this file in an effort to dodge the standard deadline. Unfortunately for the file uploader—who showed no signs of malicious intent or encouraged any illegal use of the ransomware—someone pointed police in his direction.

Police arrested him for “unauthorized interference with the operation of computing systems.” He could spend three years in prison. Authorities have a list of companies that installed or downloaded the file and plan on” cracking down” on said businesses. BleepingComputer.

Timeline: British Model Supposedly Kidnapped for Darknet Auction

This timeline is a lengthy one and has no place in news briefing, so a summarized version will have to suffice. The kidnapping occurred in early July. We only just heard of the events as the police behind the alleged victim until early August to testify at a hearing.

Events lead up to her kidnapping, but in the spirit of brevity, the summary will start on July 10.

July 10: Chloe Ayling, a now-famous Instagram “model” from Britain, flew to Milan, Italy for a photoshoot. She went alone but with the comfort of knowing her former agent at the Supermodel Agency UK vetted the job and company. Early reports claimed that Ayling herself had spoken with the person in charge of her shoot. (This has relevance as the relationship predated that phone call).

July 11: Two men kidnapped Ms. Ayling, according to her reports. Both covered their faces and allegedly injected her, through her leather jacket, with ketamine. How she knew the drug was ketamine was not revealed. The men stuffed her in a car, drove her hours away to a house in the middle of nowhere, changed her into a new outfit, and took pictures of her.

According to her reports, they took pictures while she was in the nude. I can only confirm the clothed pictures. They appeared to be an advertisement for the “Black Death Group.”

Her kidnappers had left a paper on her abdomen that had details for the Black Death Group. The photographs were mailed to her agent, along with a ransom letter that told him to get in contact with three of her friends to pay a ransom fee or she would be auctioned off “to the Arab’s” on the so-called Black Death darknet auction site.

July 12: Despite being tied to a dresser the day prior, she slept in the bed of one of the kidnappers, she claimed. “I slept in his room sharing his double bed. He never sexually molested me or requested sexual relations. The ‘Black Death’ organization prohibits it and severely punishes its members who touch kidnapped girls destined for sale at auction.”

July 12 – July 16: She developed a “trusting relationship” with her kidnapper. (Police have one in custody as of August and are still looking for one more. Ayling claimed there were five kidnappers).

It later came out that a store owner recognized the duo in town during this period of time. She explained that she somehow lost her shoe and her kidnapper wanted to buy her another pair. A grocery store owner saw them shopping as well. She said that she went along with him because he had told her that the Black Death Group had hitmen everywhere. The alleged kidnapper, meanwhile, is handing out business cards that say “Permanent Solution ” on them.

The kidnappers found that Ayling had a child. A fact that was easily verifiable via her Facebook account, Instagram profile, Twitter account, or even her Snapchat account. All of which are and were publicly accessible. Apparently, according to Ayling, the Black Death Group has a “no mothers allowed” policy.

July 17: She escaped and the kidnapper turned himself in with her. Police identified the alleged kidnapper as Lukasz Pawel Herba, a self-proclaimed [hitman, kidnapper, not-a-hitman, not-a-kidnapper, a good Samaritan, a victim himself, and a cancer patient]. He admitted to kidnapping her and later denied the accusation; he said that he had saved her. Police found a long note from the Black Death Group on the suspect’s computer. The note was intended for Ayling. She was not to speak poorly of the Black Death Group, among several other regulations. All of which she had seemingly broken not but a day after arriving in Britain.

Italian police questioned both the legitimacy of her story and the entire existence of her captors. They doubted that the Black Death Group existed as the Black Death Group known to the public. Instead, if it was anything at all, it was a creation of his own mind. DeepDotWeb

Reddit: Fraud Listings on the Superlist: A Community Debate

The discussion on fraud and fraud related markets has perpetually been a touchy subject on the /r/darknetmarkets subreddit. While darknet marketplaces have never been confined to a single product, the absence of everything but drugs on said subreddit seemingly implies otherwise. Alphabay once filled the slot; the marketplace allowed fraud listings just as it allowed drug listings. But, since the market was likely used used and known for drugs more than fraud, Alphabay was allowed on the Reddit superlist.

Here’s what a moderator on /r/DNMsuperlist wrote (summarized) regarding “things to consider” when discussing the pros and cons of allowing fraud markets on the superlist:

• Fraud attracts more attention from law enforcement.
• Fraud may give the subreddit or list a bad reputation from the public and Reddit admins.
• Fraud is inherently a harmful practice that can ruin lives.
  • This one stuck a chord with many users arguing for fraud.
  • The process of disproving fraud and correcting credit scores is tedious and not always possible, this is especially the case if the fraud goes unnoticed for a great length of time.
  • Identity theft can sometimes be impossible to correct and may ruin their lives for years to come.
• Are digital goods like stolen Netflix, Spotify, Xfinity, porn, etc accounts considered fraud as well?
• Are fake ID’s fraud or considered separate? Is financial and identity fraud what we are really worried about?

One user pointed out that, despite the claim that fraud would bring more heat to the community, Alphabay was taken down because of the drug dealers. Little to no reference was made referencing fraud. Some users suggested dedicated subreddits for fraud markets. Others pointed out that those currently exist but fail to gain traction. /r/DNMsuperlist

Tor Node Operator Freed from Custody

On July 24, Russian courts freed Dmitry Bogatov, a math lecturer at the Moscow University of Finance and Law, after his arrest in April. Although officially arrested for inciting terrorist activities, privacy advocate believed the charge was only used to shut down the exit node Bogatov operated from his home. According to Raymond Johansen, an activist supporting Bogatov, authorities arrested Bogatov for allegedly uploading a still image from a rapper’s music video. The still image is clearly not calling for peace, but the issues are more deeply rooted than the image itself.

Johansen believes Bogatov played no role in the uploading of the freeze frame from Jay-Z’s “No Church in the Wild.” And this is for several reasons; the entity that uploaded the video used 104 VPNs, spoofing I.P. addresses to match seemingly random addresses instead of one’s own—and one of the spoofed I.P’s coincided with an I.P. address that led back to Bogatov. And futhermore, a camera in a public location captured Bogatov out of his home, in public, during the timeframe wherein someone uploaded the picture.

“[W]e can only conclude that he was arrested for running an exit node,” Johansen said. (Read about the recent ban on Tor and VPNs here—Johansen refers to this as a war). “Dmitry is a casualty of that war. A war that is waged not only in Russia but in the US and UK too,” the activist added.

Bogatov is far from the home stretch, however. He still faces 19 years in prison for inciting terrorist activities. Judge Yevgeny Naidyonov graciously freed a likely innocent man, but only under strict terms and conditions. He is currently under house arrest for medical reasons. The judge permitted him to leave every third day, as long as he avoids the press and stays off internet-enabled devices. DeepDotWeb