
/d/OpSec

16,634 subscribers

Must read: https://anonymousplanet-ng.org/guide.html

Discussion of OpSec, Threat Models, Protection, Assessment & Countermeasures.

Vendors, please use /d/vendor_handbook.

While the focus of this community's OpSec discussions may center around Dark Net (DN) activity, all members of this sub are encouraged to think about, discuss, and share ideas relating to OpSec that extend beyond the bounds of the DN.

How LE took down many of the top markets

by /u/Starless Night · 42 votes · 1 week ago

This is a list of all major DNMs which have been compromised by LE, a short summary of them, and how they were caught. This does not cover DNMs which have been hacked.

This is a long post; I've tried to make it as detailed as possible for those who want to know the details of market takedowns. I try to provide more details on the less well-known markets. This is also not meant to hate on or support any specific markets. I'm just laying out the facts so people can see what went wrong and the mistakes they can avoid.

List of markets listed here

Farmer's Market

Silk Road

Silk Road 2.0, Cloud 9, and Hydra (Operation Onymous)

AlphaBay 1

Hansa Market

Farmer's Market (AKA Adamflowers) (2006-2010 clearnet, 2010-2012 onion site) - In 2006 a drug market by the name of Adamflowers appeared on the clearweb. This website would run as a small drug market (selling "LSD, ecstasy, fentanyl, mescaline, ketamine, DMT, and high-end marijuana" and more), flying under LE's radar, until 2010. In 2010 Adamflowers changed its name to Farmer's Market and switched over to the Dark Web, using TOR. This was a new idea for online drug markets and caused Farmer's Market to rapidly grow in popularity. As is the case with newfound popularity, LE began to take stronger notice of it. Thus in 2010 an investigation (aptly named "Operation Adam Bomb") began, led by the US Drug Enforcement Agency (DEA). While this takedown did take nearly two years, part of the reason was a lack of urgency. Farmer's Market wasn't nearly as big as future DNMs, and thus there was less incentive for LE to hurry with the takedown. What eventually led to Farmer's Market's takedown, though, was the lack of OpSec technology/innovation at the time. Farmer's Market came before the creation of Bitcoin, so instead customers could buy using PayPal, WU, I-Golder, or cash by mail. This created an easy way to track market users and admins, compared to future DNMs which used cryptocurrencies. The other thing that led to the takedown of Farmer's Market was their use of Hushmail for communicating, an "encrypted and safe method of communication [which] would not produce e-mails to law enforcement officers." Despite this claim, it is largely believed that Hushmail gave LE their unencrypted e-mails. (*cough*, don't just trust VPNs that say no-log without checking court cases or audits.) Information on Farmer's Market's takedown is a bit hard to find, but a major source of information comes from the 66-page indictment. This court indictment lists the charges for the market admins, as well as 284 bits of "evidence" on these charges.
Most of this evidence comes from e-mail logs, hence why it's assumed that Hushmail gave up their encrypted e-mails. LE was also able to track where certain PayPal, cash, etc. payments were going to and coming from, and used that information to arrest several users. Eight admins were arrested, as well as at least seven users. All eight admins were charged with at least one crime. Of the eight, one passed away before trial; the other seven pled guilty and got ten years or less. By the time of the LE takedown, Farmer's Market had had thousands of users and approximately $2.5M worth of sales.

Silk Road (2011-2013) - I won't spend too much time on this market since it already has so much coverage. If you want detailed info, I highly suggest the book "American Kingpin" by Nick Bilton, of which /u/hugbunter has a pdf here. Basically Ross Ulbricht made a mistake in his website's code which leaked his Icelandic server's IP address. This, along with the fact that he discussed Silk Road on a clearnet forum, linked back to him. There's tons more to this story (like the 320-page book above, lol), but also short articles that can explain the story a lot better and more entertainingly than I can.

Silk Road 2.0, Cloud 9, and Hydra (Operation Onymous, 2014) - Operation Onymous was a six-month-long international operation with LE from the US and Europe to take down several illegal sites, including several DNMs. This operation reached the beginning of the end on November 5-6, 2014, when a number of dark web websites were shut down. What the government initially claimed as 410 sites soon shrank to 267 sites. This operation also led to 17 arrests and (only) $1M worth of Bitcoin seized. How Operation Onymous was carried out, and how LE was able to take down so many sites at once, remains unclear. However, there are a lot of interesting facts and pieces of information to look at, which help give some ideas. It is believed that Operation Onymous was a wide-scale "sweep" of illegal sites, and that no particular websites were targeted. Instead it is believed that popular dark web servers were targeted. Part of this thought comes from the fact that many illegal sites remained unaffected by Operation Onymous, including other major DNMs such as Agora (already bigger than Silk Road 1.0 at this point), Evolution (which allowed the sale of weapons) and Andromeda. The TOR developers still do not know how LE was able to compromise so many sites. There are four main possibilities:

1) Poor OpSec on the sites' part (I personally don't think this one is the case. You would have to assume that LE exploited the poor OpSec of 267 sites within a 6-month period, yet executed those flaws all in a single day. Also, many of those 267 sites were mirrors for sites that didn't get taken down. If a site's mirrors have bad OpSec, then I assume their main site would too.)

2) SQL injections

3) Bitcoin deanonymisation

and the most interesting,

4) attacks on the TOR network by DDoSing nearly all relay nodes, so as to force all traffic through LE-owned attacking nodes. With this they could perform traffic confirmation attacks aided by a Sybil attack.
The admins of Cloud 9 market took to Reddit saying that they could no longer access their site, but they still had access to all their Bitcoin. 17 arrests were made, although it is unsure how many of these 17 arrests were website admins or users. With what info we do have (as previously stated), it is assumed that this operation targeted hosting companies rather than individual sites, based on the randomness of the sites taken down. More detailed/further info can be found here.

AlphaBay 1 - Launched September 2014, officially so on December 22, 2014. As with the Silk Road, I won't spend much time on this popular market. When the creator of the market (Alpha02) first released the market he sent welcome messages from his clearnet email, pimp_alex_91@hotmail.com. This was quickly fixed and went unnoticed for several years. He used the same username that he had since at least 2008. When LE caught Alpha02 (Alexandre Cazes) they found his laptop completely unencrypted, performing an administrative reboot on the site. His servers were linked to his real name, and he had multiple open, unencrypted hot wallets which he put his funds in. He bragged about all his illegally obtained money by showing off expensive things he'd bought. Overall a massive amount of OpSec failures. It was by pure luck that the site remained up as long as it did (July 2017).

Hansa Market - Hansa Market opened its doors in August of 2015. Very quickly it rose to become one of the top markets on the Dark Web. Within a year it had become one of the biggest DNMs and caught the attention of the Dutch police. The Dutch police began an investigation into the market; however, they organized this investigation quite differently from previous DNM investigations and takedowns. This time they planned a takeover. This way they could control the DNM and gather more evidence against its vendors and buyers. Thus began a 10-month investigation, from October 2016 to July 2017.

What began the investigation was a tip from an anonymous source. A security and research foundation had found a Hansa development server: a server where the Hansa admins could test out new features and ideas before implementing them on the main market. Due to some (unknown) OpSec failure on the part of the Hansa admins, this development server exposed its real IP. Dutch LE went to that server and installed network-monitoring equipment. Using this they were able to find what servers this development server was communicating with, and copy all the data from all the servers. While this normally wouldn't help (as all market users are protected by TOR and fake usernames), the Dutch LE found something very surprising. A massive OpSec failure by the Hansa admins left unencrypted IRC chat logs on the servers. In these chat logs LE found tons of information, including the admins' real names and even addresses. Everything was going to plan for LE, and just as they were about to take over the servers and arrest the admins, a setback came. The admins moved the website to a different, now unknown server. At this point the Dutch LE could have just accepted their loss, arrested the admins, and then searched for the servers, or let the website crash and burn without any admins. Instead, determined to complete a takeover instead of a takedown, they started searching for the new servers. After several months (in April 2017), they got their next lead. A BTC address that was mentioned in those unencrypted IRC chat logs became active. Using chain analysis LE was able to see where that BTC had gone: a Bitcoin payment provider in the Netherlands. LE contacted this payment firm and gave them a legal order to hand over information on where that BTC had come from... a hosting company in Lithuania. Again, just as Dutch LE was about to arrest the admins and try to implement a takeover, the FBI contacted them, saying they were just about to take down AlphaBay.
So Dutch LE again waited a bit, until after AlphaBay had been shut down. They did this so all the AlphaBay users and vendors would transition to Hansa right before the takeover. And finally, the Dutch LE was ready to put everything into action. Similar to the Silk Road 1 takedown, they had to catch the admins with their laptops open and unencrypted. So they waited until they were home and logged onto the market. At that time, on June 20th 2017, German police (in coordination with Dutch LE) raided the admins' homes, arrested them, and seized their unencrypted laptops. At this point Dutch LE began transitioning the servers to LE-owned servers. The admins gave LE all their login information (to help reduce their sentencing), and Dutch LE officially owned Hansa. Over the next month they rewrote parts of Hansa's code and gathered info on its users. These changes included storing all users' passwords; recording plaintext messages before they were encrypted (Hansa had a feature that automatically encrypted messages. This is why you always encrypt your own messages; don't trust markets to do it for you); and not removing metadata from photos (Hansa also had a feature that automatically removed pictures' metadata. With this change LE was able to find the location of many vendors). The biggest move they made, though, was sharing with all users a file that was supposedly a backup key for the users' BTC if the website ever went offline. Instead this was an Excel file that, when opened, would record and share the user's real IP if they weren't using Tails/Whonix/Qubes. This one move led to the arrest of 64 sellers. After 27 days, the Dutch LE had gathered all the info they wanted and took down the site. They wrapped a few things up, which I'm not going to talk about because this is already super long, and that was the end. Main source and further reading.

What markets did I miss, or what information did I get wrong or miss? I'm sure I did, considering I wrote all of this on about 2.5 hours of sleep and way too many candies.

STARLESS
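The Hansa "backup key" trick in the post above is a document beacon: a file that phones home when opened. The check a practitioner wants is to look inside the file before opening it, because Office documents are zip packages whose network fetches are declared in plain XML. The following is an added example, not code from the post or from any market; the workbook it builds is constructed for the demo (203.0.113.7 is a documentation address), and the only thing it assumes is the standard OOXML layout, where a relationship with TargetMode="External" tells the application to resolve a target outside the package.

```python
"""Scan an OOXML package (xlsx/docx/pptx) for references that make the viewer
reach out to the network when the file is opened.

Added example, not code from the post above.  The workbook built by
build_workbook() is constructed for this demo; 203.0.113.7 is a documentation
address.  The relationship layout (.rels parts, TargetMode="External") is the
standard OOXML package format, which is what the check relies on.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# Hosts that appear as XML namespace / schema identifiers inside OOXML parts.
# They look like URLs but are never fetched, so they must not be reported.
SCHEMA_HOSTS = ("schemas.openxmlformats.org", "schemas.microsoft.com",
                "www.w3.org", "purl.org", "schemas.xmlsoap.org")

# URL schemes an Office application may dereference, plus UNC paths, which
# trigger an SMB connection (and an NTLM authentication leak) on Windows.
REMOTE_RE = re.compile(r'(?:https?|ftp|file)://[^\s"\'<>]+|\\\\[^\s"\'<>]+')


def is_remote(target: str) -> bool:
    """True if `target` would cause a network access when resolved."""
    t = target.strip()
    if t.startswith("\\\\"):
        return True
    if not REMOTE_RE.fullmatch(t):
        return False
    return not any(host in t for host in SCHEMA_HOSTS)


def find_remote_references(doc: bytes) -> List[Tuple[str, str]]:
    """Return (part name, target) for every remote reference in the package.

    Relationship parts (*.rels) are parsed properly: an external target is
    declared with TargetMode="External".  Every other XML part is scanned as
    text, which catches URLs embedded directly in markup.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc)) as pkg:
        for name in pkg.namelist():
            data = pkg.read(name)
            if name.endswith(".rels"):
                root = ET.fromstring(data)
                for rel in root.iter(REL_NS + "Relationship"):
                    target = rel.get("Target", "")
                    if rel.get("TargetMode") == "External" and is_remote(target):
                        hits.append((name, target))
            elif name.endswith(".xml"):
                text = data.decode("utf-8", errors="replace")
                for m in REMOTE_RE.finditer(text):
                    if is_remote(m.group(0)):
                        hits.append((name, m.group(0)))
    return hits


def build_workbook(external_target: Optional[str]) -> bytes:
    """Construct a minimal xlsx-shaped package for the demo (made-up content,
    not a real file from any market)."""
    rels = REL_NS[1:-1]
    parts = {
        "[Content_Types].xml":
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "_rels/.rels":
            f'<Relationships xmlns="{rels}"><Relationship Id="rId1" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" '
            'Target="xl/workbook.xml"/></Relationships>',
        "xl/workbook.xml":
            '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"/>',
    }
    if external_target is not None:
        # An external link: the application may resolve this target on open,
        # depending on its link-update settings, which is the beacon.
        parts["xl/externalLinks/externalLink1.xml"] = (
            '<externalLink xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"/>')
        parts["xl/externalLinks/_rels/externalLink1.xml.rels"] = (
            f'<Relationships xmlns="{rels}"><Relationship Id="rId1" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/externalLinkPath" '
            f'Target="{external_target}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        for name, xml in parts.items():
            pkg.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    for label, target in (("clean", None),
                          ("beacon", "http://203.0.113.7/backup-key.txt"),
                          ("unc", "\\\\203.0.113.7\\share\\key")):
        print(label, find_remote_references(build_workbook(target)))
```

The scan is a screening step, not a guarantee: a document can also carry macros, OLE objects or a DDE field that fetch on open, and none of those are declared as relationships. The reliable countermeasure is the one the post names, opening untrusted files only inside a system whose entire network path goes through Tor, so that even a successful fetch reveals nothing but an exit node.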

Comments (28)
/u/PrinceHarry P · 5 votes · 1 week ago · Link

And now DeSnake is sticking up the middle finger to LE because of what happened to his friend.

Did anyone see the youtube video of the fed scumbags laughing at the footage of the arrest during a presentation? Fuck them, they will never win, Now LE look like the chumps that they are.

The whole community assumed that both admin accounts were Cazes', but now we know that we were thankfully wrong. When I first registered in December I didn't use my account because it looked too well designed and I was suspicious tbh. That's why I stayed on the dumpster fire that was World Market (big mistake in hindsight).

It's nice to finally have a functional and dominant market again. AlphaBay 1, Empire (they exited but it was good while it lasted), Whitehouse, and now AlphaBay back and going nowhere. Growing at a crazy rate.

IMO, it's better when we have a dominant market that is secure. Then have a few smaller markets that specialize in one thing (such as cannazon with weed or majestic garden for psychedelics etc).

Some people still prefer to use BTC for some strange reason. 10 minutes of research and you will be able to use XMR which is far superior for use on any darknet market these days.

Rip alpha02

Free ross https://freeross.org/

Free Assange

/u/boh22 🍼 · 1 votes · 6 days ago · Link

[removed]

/u/vekocy · 4 votes · 1 week ago · Link

Great write-up on the history of the fall of all the great empires of the DN. This should be pinned in the OpSec sub as a reminder to all so that history does not repeat itself.

I will write a follow-up post regarding one of the points you mentioned: the DDoS attack on relays, forcing all users to go through an LE guard and LE exit node.

/u/Starless 📢 Night OP · 1 votes · 1 week ago · Link

Sounds good, I'll look out for it. There's a short research paper someone wrote called "Poster: Application-layer routing attacks on Tor" on the topic that provides some good information if you need help on certain parts of it.

STARLESS

/u/vekocy · 5 votes · 1 week ago · Link

I did a very simple test, to look for what it is in the packet that can match me if LE controls the Guard node and Exit node.

It is very easy to replicate. I use Wireshark first to snoop all my packets going to my own private OBFS4, then I snoop my packets coming back from Tor to my onion web server; all of this is done on the same machine. The browser and onion web server are in a single VM.

The most unique data in the packet that can match it back is the session cookie. Even with all JS disabled, the session cookie must be there in order for the web site to recognize it is you when traversing from page to page.

Now they have my entry point and exit point matched. It is easy to find out my IP and which web site IP I am browsing.

What you mentioned in the post regarding DDoS attacking the publicly operated relays while they put all the LE-operated relays as exceptions in their powerful botnet is definitely possible. It can easily be done by them, especially when they have enough firepower. All they need is 30% of all Guard and Exit nodes, then DDoS the rest, which are the weaker relays; that will give them more than 50% after the DDoS attack. If all of their Entry nodes and Exit nodes are logged into a single database server, everyone is just waiting to be searched.

After seeing such packets, I quickly installed an anonymous private OBFS4 to guard myself. If they are able to match my packets from the beginning to the end, all they get is my OBFS4 server.

My other work and personal stuff goes through a work VPN and another VPN. My entire network topology consists of 3 categories.

Personal browsing VPN Server owned by me.

Work related VPN owned by company.

DN related routed through OBFS4 owned anonymously by me.

All located in different countries.
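The matching step the comment above describes, an adversary at both the entry and exit of a circuit pairing what each end sees, is worth showing in code, because the one signal both positions always have, regardless of what is encrypted, is timing. This is an added simulation, not the commenter's Wireshark test or any Tor code: it generates a handful of synthetic bursty flows, gives the exit-side view a small latency and jitter, and lets the "adversary" pair client IPs with destinations purely by correlating per-second cell counts. The flow shapes, latency and bin width are my assumptions for the demo.

```python
"""Traffic confirmation by timing correlation, as a simulation.

Added example, not code from the comment above.  An adversary who holds the
entry (guard) and the exit of a circuit sees the client IP on one side and
the destination on the other; the payload in between is encrypted, so the
match is made on when cells are sent.  All flows here are synthetic and
come from simulate_flows(); latency, jitter and burst sizes are assumptions.
"""
import math
import random

BIN_SECONDS = 1.0   # correlation bin width (assumed)
DURATION = 40.0     # length of each simulated session in seconds (assumed)


def bin_counts(times, duration=DURATION, width=BIN_SECONDS):
    """Histogram of packet timestamps into fixed-width time bins."""
    n = int(math.ceil(duration / width)) + 1
    counts = [0] * n
    for t in times:
        idx = int(t // width)
        if 0 <= idx < n:
            counts[idx] += 1
    return counts


def pearson(a, b):
    """Pearson correlation of two equally long count vectors (0.0 if flat)."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = math.sqrt(sum((x - ma) ** 2 for x in a))
    vb = math.sqrt(sum((y - mb) ** 2 for y in b))
    if va == 0 or vb == 0:
        return 0.0
    return cov / (va * vb)


def simulate_flows(n_flows, seed=7):
    """Return (entry_view, exit_view) for n_flows concurrent users.

    entry_view maps a client IP label (what the guard sees) to cell send
    times; exit_view maps a destination label (what the exit sees) to the
    same cells after 150 ms of path latency plus up to 50 ms jitter.  Each
    flow is bursty: in any given second it is either idle or sends a burst.
    """
    rng = random.Random(seed)
    entry, exit_ = {}, {}
    for i in range(n_flows):
        times = []
        for sec in range(int(DURATION)):
            if rng.random() < 0.5:                 # active second
                for _ in range(rng.randint(5, 25)):
                    times.append(sec + rng.random())
        times.sort()
        entry[f"client-{i}"] = times
        exit_[f"dest-{i}"] = [t + 0.150 + rng.random() * 0.05 for t in times]
    return entry, exit_


def match_flows(entry_view, exit_view):
    """Adversary's step: for each client seen at the entry, pick the exit-side
    flow whose timing profile correlates best.  Returns {client: (dest, r)}."""
    exit_profiles = {d: bin_counts(t) for d, t in exit_view.items()}
    result = {}
    for client, times in entry_view.items():
        prof = bin_counts(times)
        best = max(exit_profiles, key=lambda d: pearson(prof, exit_profiles[d]))
        result[client] = (best, pearson(prof, exit_profiles[best]))
    return result


if __name__ == "__main__":
    entry, exit_ = simulate_flows(8)
    for client, (dest, r) in match_flows(entry, exit_).items():
        print(f"{client} -> {dest}  r={r:.2f}")
```

Two things follow from running it. First, no cookie or other content is needed for the pairing; a pluggable-transport bridge in front of the guard only moves the IP that gets paired, it does not remove the timing signal. Second, the attack needs the adversary at both ends of the same circuit, which is why Tor pins a small set of entry guards for months rather than picking a fresh entry per circuit: with a fixed honest guard, no amount of malicious exits completes the pair. The commenter's arithmetic is consistent with this model; holding 30% of relay bandwidth and knocking out 60% of the honest remainder gives 0.30 / (0.30 + 0.28), roughly 52%, of what is left.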

/u/HeadJanitor

/u/nugget Polymath · 2 votes · 1 week ago · Link

Good write up mate, very informative.

/u/StuckInTheMiddleWithYou · 2 votes · 1 week ago · Link

Such are the lengths that LE will go through to deanonymise and bust us. They spare no expense, they don't give a fuck if they have to bend or break the law.

We're talking targeted DOS attacks, 0days we probably have no fucking clue about, honeypots, so on and so forth.

And yet we have admins here that do not find it a 'big risk' that the markets today are using clearweb "rotators" for their links.

I wonder who will end up paying the price for their gullibility.

/u/B34R · 2 votes · 1 week ago · Link

Civ = easy mode

LE = normal mode

Criminal = hard mode

/u/youfailedcaptcha 🍼 · 1 votes · 6 days ago · Link

muh happened to raidforums meme

/u/Hungry_Eyes O_O · 1 votes · 1 week ago · Link

Some good reading here. Lots of information I wasn't aware of before reading this. Thank you.

/u/adruguser · 1 votes · 1 week ago · Link

thanks again to the dutch police for hosting the market, proper opsec and it was just nice of them

/u/M3V · 1 votes · 1 week ago · Link

Thanks for this writeup!

A couple of things. RE Adamflowers being new to using onions in 2010: we were on multiple onion sites for 2 or 3 years before Adamflowers made this transition (it was on clearnet forums before this time); some of these onions were quite large (more user-level amounts offered) and some were small and elite, focusing on bulk. I remember literally no one accepting PayPal, but yes, a lot of MoneyGram and Western Union, which was horrible, and a bit of centralised e-currencies as well. Hushmail was indeed common, but everyone worth their salt encrypted with GPG locally before pasting messages into Hushmail, especially on bulk-focused forums. There were enough of us making posts warning others to never trust website-server-side encryption (apparently this is still a problem in some places??).

Also why is Hydra listed in 2014? Was there another Hydra that was not the RU market taken down this year? I still want to know how they found that server... spooky.

/u/Starless 📢 Night OP · 1 votes · 1 week ago · Link

Ok, I didn't know that there were other semi-big onion sites before Farmer's Market. I thought they were first; thanks for that info. As for the Hydra thing, that slipped right over my head. I just did a bit more research and found multiple sources saying that Hydra was taken down by Operation Onymous in 2014. Yet I couldn't find any proof of a Hydra market before 2015. Maybe it's just widely spread false information, or maybe there was some small market called Hydra back before the big Hydra was created. I'm not sure; maybe someone else here will know?

STARLESS

/u/encryptedbrain · 1 votes · 1 week ago · Link

Ain't nan spooky it's a blockchain.

Idk I think Hydra came back online like a week or 2 later lol

/u/Sun P · 1 votes · 1 week ago · Link

You are mistaken about Operation Onymous. It is well known. On behalf of LE, researchers ran many relays (Sybil attack) and did traffic confirmation. In this case, confirmation was easier, because a Tor bug allowed injecting something and recovering it at the other end. So, when an onion posted its hidden service descriptor, if the researchers were running the guard and the hidden service directory of that hidden service, they got correlated. This bug was fixed shortly after the operation. Today, traffic confirmation needs to rely on traffic timing and volume, which is harder than what this bug allowed.
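The "injecting something and recovering it at the other end" in the comment above matches the mechanism in the Tor Project's July 2014 "relay early" traffic-confirmation advisory: a cell's command byte (RELAY versus RELAY_EARLY) sits outside the onion encryption, so a relay at one end of a circuit can spell out a message to a colluding relay at the other end just by choosing which command it uses for each cell. The block below is an added model of that channel, not Tor code and not from the commenter; the bit assignment, the preamble and the 8-bit framing are my own simplification, and the command values are the ones from tor-spec.

```python
"""Cell-type covert channel between two colluding Tor relays (model).

Added example, not from the comment above.  A relay that the victim's
circuit passes through chooses RELAY or RELAY_EARLY for each cell it
forwards; a colluding relay at the other end reads those choices as bits.
The preamble and framing below are my simplification of the 2014 attack,
in which the signal carried the hidden service's onion address.
"""
RELAY = 3            # cell command values per tor-spec
RELAY_EARLY = 9
PREAMBLE = "10101010"   # start-of-message marker (my choice for the demo)


def encode_tag(message: str):
    """Sender side (the colluding HSDir in 2014): the sequence of cell
    commands that spells out `message`, one bit per cell."""
    bits = PREAMBLE + "".join(f"{b:08b}" for b in message.encode())
    return [RELAY_EARLY if bit == "1" else RELAY for bit in bits]


def decode_tag(commands):
    """Receiver side (the colluding guard): turn the observed command
    sequence back into text, or None if no preamble was seen.  Trailing
    bits that do not fill a whole byte are dropped."""
    bits = "".join("1" if c == RELAY_EARLY else "0"
                   for c in commands if c in (RELAY, RELAY_EARLY))
    start = bits.find(PREAMBLE)
    if start < 0:
        return None
    payload = bits[start + len(PREAMBLE):]
    payload = payload[: len(payload) - len(payload) % 8]
    raw = bytes(int(payload[i:i + 8], 2) for i in range(0, len(payload), 8))
    return raw.decode(errors="replace")


def circuit_survives(inbound_commands):
    """The fix shipped after the advisory: RELAY_EARLY is only legitimate in
    the outbound (client-to-relay) direction, so a RELAY_EARLY cell arriving
    from the far end now tears the circuit down.  Returns False if the
    sequence would be rejected."""
    return not any(c == RELAY_EARLY for c in inbound_commands)


if __name__ == "__main__":
    cells = [RELAY] * 5 + encode_tag("demo-onion")   # some normal traffic first
    print(decode_tag(cells))                          # the guard recovers the tag
    print(circuit_survives(cells))                    # post-fix client drops it
```

The channel needs no timing analysis at all, which is why confirmation was "easier" then; the guard learns the onion address and the server's IP in the same circuit. The post-fix behaviour also shows the general lesson: any field a middle relay can set and an edge relay can read is a covert channel unless the protocol forbids it in that direction.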

/u/Grazelda P Code Hunter · 1 votes · 1 week ago · Link

Really don't think they had to work nearly that hard. Odds are that they got into 1-2 servers at a single web host or co-lo facility, probably through just one server backup or (their more common ground-level penetration point for markets) a SQL server backup. The volume roughly matches what many web hosts pack onto a single server. In Onymous the oxymorons only needed to capitalize on one simple and easy access point and then obfuscate that source by pointing at Tor as intentional, convenient propaganda. At least 5 of the LE entourages claimed to be involved are known DN web hosting countries, each with "highly flexible" data gathering techniques and sources. Occam's razor in action.

/u/phishware7 · 1 votes · 1 week ago · Link

Any word on the Darkmarket sentencing?

/u/asfaleia · 1 votes · 1 week ago · Link

What you describe is the official narrative provided by the friendly media, trials and LEs themselves. This is not how it really happened. The official narrative must comply fully with the targets of the given agency (like, for example, a successful trial; fruitful intelligence gathering; recruiting) and cannot contain anything that could undermine the legitimacy and lawfulness of the agency's actions, like using surveillance tools without a warrant and so on.

LEs and intelligence agencies use tools and measures as outlaws in almost all significant cases, but they must cover it with a so-called anonymous source, a mistake in the code and clearnet mistakes. They cannot say "Well, we found the Tails user through indiscriminate surveillance of the population, bugged the house of the guy without a warrant, recorded his keystrokes, watched the screen of his computer, or even used an IME backdoor (most high-profile cases) or even bugged the computer itself, and after we knew it was him, we just fabricated the narrative that would stand at trial."

How do I know that? Because we were successfully helping a few advocates with their cases, concentrating on the mistakes in the official narrative, causality in the intelligence processing and other helpful stuff.

I mentioned this already many times: OpSec was not present at all in most of the cases. Therefore it cannot be an OpSec mistake.

/u/rasclatbunn · 2 votes · 1 week ago · Link

What was it then?

Allowing yourself to be infected with malware is an OpSec mistake...

/u/asfaleia · 1 votes · 6 days ago · Link

Actually not. You can only make an OpSec mistake if you have OpSec in place. If there is no OpSec you cannot have an OpSec mistake.

An OpSec mistake is a deviation from the planned, existing protocols, procedures, measures and countermeasures, actions that are clearly defined, or from omitting some of the threats and/or adversaries, or from wrongly placed measures and countermeasures against those threats and adversaries...

Examples of real OpSec mistakes:

1. You defined in your OpSec 7 adversaries that pose a threat to you, but you were attacked by an 8th adversary. That is an OpSec mistake: OpSec adversary list failure. You should have that list.

2. You were attacked by one of the 7 adversaries defined in your OpSec, but they attacked you from an attack vector you didn't include in the threat model list in your OpSec. That is an OpSec mistake: OpSec attack vector omission failure.

3. You were attacked by one of the 7 adversaries, through a known attack vector present in your threat model, but your planned countermeasures failed. That is an OpSec mistake: OpSec countermeasure selection failure.

4. You were attacked by one of the 7 adversaries, through a known attack vector present in your threat model, and your countermeasures worked as intended, but you failed on your contingency planning....

The difference between OpSec and non-OpSec is clear planning for different scenarios, based on your intentions, interests, the environment in which you operate, real adversaries and their attacks, covered by your countermeasures and possibly escape routes, if the shit hits the fan.

If you have such clear planning, you have OpSec, and any deviation from that existing OpSec plan is an OpSec mistake. Otherwise it is not.

/u/rasclatbunn · 1 votes · 6 days ago · Link

In this case I was referring to LE-distributed malware, meaning that an adversary has now got hold of the system... and not having that in consideration (a plan, as you say) is an OpSec adversary list failure. Number 1 on your list...

/u/asfaleia · 1 votes · 5 days ago · Link

Not necessarily. It depends what the mistake was. Did you not include that particular adversary in your adversary list? Did you omit the attack vector through which the adversary planted the malware on your computer? Or did you forget to include your computer in the protected tools list?

Do you actually have such a complex counterintelligence plan called OpSec in place? Can you look at it now and tell yourself that this particular issue is precisely here, in phase 1, 2, 3, 4 or 5 of the OpSec? If you can spot it, you can identify precisely where you made the mistake in your REALLY existing OpSec.

If you don't have such an OpSec plan, you cannot tell from what desired state it deviated. Right?

My question therefore is: was a REAL OpSec plan in place or not? Or was it again the case that someone just followed some advice (no OpSec) and (of course) got busted?

/u/koreaiscool · 1 votes · 1 week ago · Link

So the synopsis of this story is everyone of these fallen markets share one thing in common...

Human Error.

/u/banacek · 1 votes · 1 week ago · Link

I look forward to the future where I buy my drugs from robots

/u/heavyhitta · 2 votes · 1 week ago · Link

The synopsis of this story is LE's unwarranted surveillance.

/u/peacemaker_free · 1 votes · 1 week ago · Link

Where can I read more details?

/u/Starless 📢 Night OP · 1 votes · 6 days ago · Link

About what? Throughout the article I linked certain sources that contained further details, or if there's something more you want details on I can maybe help and direct you to some articles.

STARLESS

/u/partyparty 🍼 · 0 votes · 6 days ago · Link

[removed]