/d/OpSec



Discussion of OpSec, Threat Models, Protection, Assessment & Countermeasures.


While the focus of this community's OpSec discussions may center around Dark Net (DN) activity, all members of this sub are encouraged to think about, discuss, and share ideas relating to OpSec.

Some interesting stuff I found in Tracers in the Dark that might be worth knowing

by /u/alienoftartaria · 2 votes · 2 months ago

I'm way too late on this one, but I'll try to own up for that by doing a decent rundown of what I figured might be of interest in this book. I think it's best to break it up into a couple of sections just for formatting's sake.

PS: Sorry for all the quotes, it was the easiest way to show what was in there. Also, hopefully it's alright making a new post about it.

Background on Chainalysis and Michael Gronager (Part II, Chapters 15-23 in the book)

This part was quite informative and interesting for me, but probably nothing too groundbreaking if one were following all the info on Chainalysis from the beginning. It goes into how the company made its name by tracking down the missing coins from Mt Gox all the way back to BTC-e and WMK/Alexander Vinnik. There's mention of Chainalysis' tryout of a Sybil attack on the Bitcoin network: setting up hundreds of their own Bitcoin nodes and then being able to tie different transactions that passed through these nodes to IP addresses. This was found out and discussed on BitcoinTalk when it happened/people discovered it, but it's not usually mentioned elsewhere. In terms of taking down BTC-e and Carl Force/Shaun Bridges (the LEOs who stole BTC from SR1), all they needed to track their stuff down was some info from cooperating exchanges and all 3 players using their real info to cash out. With BTC-e in particular, their servers being on the clearnet and only masked by Cloudflare made getting hold of their IP address easy enough for LEAs. The server was located in the US, the feds imaged it and went from there. Nothing too surprising, but good to know. Lots of other details that are interesting, but nothing really relevant to the subdread at hand besides this stuff.

(Maybe) New info on the AlphaBay/Alpha02/Cazes bust

This might be another one where some of this info was known or at least speculated about before on various forums (here, bitcointalk, the old r/DNM subreddit, etc), but it is at least out in front and confirmed in this book. I'm doing this section in bullet points to make it a bit more bearable.

- the original tip that led the feds to look into AlphaBay/Alpha02 as being Alexandre Cazes came from someone who had tried to get hold of every other US federal agency to drop the info about the misconfigured server and his email being in the welcome email. From the book:

Miller explained what his tipster had told him: In AlphaBay's earliest days online, long before it had gained its hundreds of thousands of users or come under the microscope of law enforcement, the market's creator had made a critical, almost laughable security mistake. Everyone who registered on the site's forums at the time had received a welcome email, sent via the site's Tor-protected server. But due to a misconfiguration in the server's setup, the message's metadata plainly revealed the email address of the person who sent it, along with the IP address of the server, which placed it in the Netherlands.

That shocking mistake had been quickly fixed, but only after the tipster, who made a habit of scrutinizing dark web sites, had registered and received the welcome email. The source had kept it archived for two years as AlphaBay grew into the biggest dark web market in history.

Lots more info on how the feds used this with some Google-fu to track down the handle to Cazes. Check out Chapter 26 for more details. I knew it was fairly certain that someone dropped the dime on him, but I'd never seen it confirmed with this many details, as laid out in this book from interviews of agents working on the case.

- Chapter 28: Tunafish explains how Chainalysis was using some "secret sauce" technique to track down and label the AlphaBay wallets by looking at the transaction fees paid on the tumbles/withdrawals/deposits on AB. Quote from the book:

Levin refused to divulge most of the clues that Chainalysis unearthed; some he described as “secret sauce” (a term that would come up in interviews with Chainalysis analysts with greater and greater frequency). But Levin offered as an example the trade-off that every wallet has to make between the speed of a transaction’s “confirmation” and the fees it pays.

In order to persuade the Bitcoin network to record a transaction, a wallet has to offer a fee. The greater a fee the wallet is willing to pay, the better incentivized other nodes are to quickly rebroadcast the transaction so that all the Bitcoin nodes around the world eventually come to agree that the transaction occurred. Most wallets allow users to set their own fees along a sliding scale of speed versus cost. Dark web markets, however, typically use their own set configuration.

Chainalysis began to see the unique way that, for AlphaBay, the fee settings shifted depending on the size of a transaction. This set of fingerprints didn’t offer a complete solution, isolating all AlphaBay addresses at once. But it represented a tell—one of many, Levin says—that would allow them to delineate the market’s tangled web of payments. And just as with Meiklejohn’s clustering tricks, every discovery of a new trick like these fee fingerprints produced a new set of addresses that would help them refine again the profile of the other hidden addresses they still sought.

By the end of 2016, Chainalysis had labeled more than 2.5 million addresses as part of AlphaBay’s wallet. But even that years-long project of excavating the entire, massive shape of AlphaBay’s finances was only a starting point. For Chainalysis’s users at law enforcement agencies, the task ahead would be following the money from somewhere in that vast pile of numbers out to the bank account of a real human being.

Nothing earth-shattering or never-discussed, but I think it's the first time I've seen people at Chainalysis admitting this is at least part of the way they mapped it out. Smarter/more tech-savvy people than I would probably have more info/words to say on this one.

- From the same chapter: there were two FBI analysts (pseudonyms Ali and Erin in the book) who were able to analyze Bitcoin transactions leaving AB wallets and trace them back to Cazes, independently of and unaware of what the Fresno team and Chainalysis were doing. Using Chainalysis' Reactor software, they followed the largest sums going out of AB wallets back to Cazes. For obvious reasons the agents didn't lay it out word for word, but it does suggest they had methods that were able to pass through CoinJoin and multiple tumblers to get to the end user. From the book:

Tunafish lay at the end of a long string of hops Ali and Erin had followed out from one of the initial addresses they’d hypothesized might be Alpha02’s. It held special significance, however: It connected directly to an exchange. For the first time, they realized with excitement, they had managed to trace what they suspected might be a collection of the AlphaBay admin’s commissions all the way to a transaction in which Alpha02 had traded them for traditional currency. They knew it was at those cash-out points, the blockchain’s connections to the brick-and-mortar world of finance, that they might be able to match the transactions to a real person.

It was here, just as they were on the verge of ferreting out a name behind Alpha02’s money that Ali heard a rumor of a criminal suspect’s identity that was spreading among law enforcement agents across the country. As a longtime dark web analyst, she had kept in close contact for years with the cybercrime-focused FBI agent in Sacramento who had first opened a file on AlphaBay. So when the Sacramento office joined forces with Grant Rabenn’s Fresno team, Ali was among the first people the agent called. He told her that they had finally matched a real person to Alpha02’s online persona. He gave her the name.

The Sacramento agent knew Ali was already busy tracing AlphaBay’s blockchain tentacles. He asked her to join their growing investigative team. Ali returned to Erin’s office at FBI headquarters, cornered her in the hallway, and insisted she join, too.

“This is going to be a massive case,” Ali told her. “We need to do this together.” Erin agreed.

Now they were hunting Alpha02 no longer as an obsessive hobby but as part of an official investigation. Ali and Erin explained their Tunafish discovery to a D.C.-based assistant U.S. attorney who had also joined the team: a seasoned cybercrime prosecutor named Louisa Marion. She, Rabenn, and Hemesath immediately filed a subpoena for the identifying records on the exchange where the Tunafish address had been cashed out.

That legal request took weeks to bear fruit. Finally, one evening in the early weeks of January 2017, Ali was in the middle of a law school night class when she got a call from the Sacramento-based FBI agent with the news: The subpoena results had come back.

The agent told her the name on the exchange account tied to the Tunafish address. It was Alexandre Cazes.

Again, more details in the actual chapter (and Tunafish is the nickname used for the address they figured was Alpha02's). Not sure if I 100% buy this one, but it is definitely an interesting development and seems at least fairly plausible.

Finding Alphabay's Bitcoin Wallet IP address

It seems like the feds, along with Chainalysis, came up with a method of identifying the IP address of the wallet for AB using undisclosed methods (probably using their own Bitcoin nodes, among other things). From the book:

Levin and Gronager were both up early, before the conference began. So Levin used this spare moment to check the results of his and Gambaryan’s “advanced analysis” experiment. Neither Levin nor Gambaryan has revealed a word of how their method works. (In fact, in our conversations, they never treated any piece of cryptocurrency-tracing tradecraft with more secrecy.)

Nonetheless, there the answer appeared, without fanfare, on Levin’s screen: an AlphaBay IP address. Or rather, a handful of IP addresses that were likely to belong to the site’s wallet server, with one especially likely candidate. A quick search revealed that the most salient IP wasn’t, in fact, in the Netherlands. It was in a data center in Lithuania.

Interesting that they had a method of doing this at the time. I don't remember this being disclosed before this book.

Lots of other stuff in the AlphaBay section of this book about the takeover of Hansa and other details about Operation Bayonet that might be interesting to some, but nothing that hasn't been well trodden here and elsewhere, I think.

The busts of Helix and BitcoinFog

- There's a decent amount of detail on both busts in Chapter 47: Open Season, but I'm pretty sure I've seen the stuff about BitcoinFog a lot before. This stuff on Helix seems new though:

Chainalysis had long tracked Helix’s cluster of Bitcoin addresses, scoping out its massive hair ball of transactions designed to confound any detective. Many of those transactions were going into and out of AlphaBay; in the market’s final months, Cazes had even partnered with Helix and went so far as to advertise its services on the site.

In mid-2017, Chainalysis had tipped off IRS-CI to what appeared to be a pattern of hundreds upon hundreds of small sums of bitcoins, all coming out of that cluster. The payments looked inhuman in their timing, likely the work of an automated program. Were these Helix’s commissions?

The IRS-CI computer crime unit’s new agent Matt Price picked up the thread just after the AlphaBay takedown. He eventually followed one trail out of those hundreds of payments to the service BitPay—the payment processor that offered to let users buy any goods or services with cryptocurrency—and found that the recipient of those apparent commissions had spent some of them to buy a gift card at a hardware store.

A subpoena to BitPay revealed the spender’s identity: an Akron, Ohio, man named Larry Harmon. Searching Harmon’s Google account revealed an incredible slipup. In 2014, not long after launching Helix, Harmon had taken a picture—perhaps accidentally—of the view of his work space with his Google Glass augmented reality headset, and then uploaded it to his Google Photos account. The photo showed his computer screen. He was logged in to Helix’s administrator control panel.

Also, there is info suggesting they found the person who stole over 69k BTC from SR1 using data they grabbed from the BTC-e server image. From the book:

Gambaryan and an IRS-CI colleague named Jeremy Haynie began examining that mysterious treasure trove. They found that weeks after Ulbricht was arrested and in jail, 101 of the coins had been moved into a BTC-e account. That gave them two clues: First, it confirmed that the money almost certainly wasn’t still controlled by Ulbricht, who wouldn’t have been able to transfer the 101 coins from a jail cell. And second, they could dig into BTC-e’s seized database to look for hints of the real owner.

As with all BTC-e data, there was no identifying information associated with the 101 coins moved from the Silk Road into the Russian exchange. But when Gambaryan and Haynie checked the same user’s BTC-e account for other transactions, they found a payment that had come out of BTC-e. After a few hops through addresses on the blockchain, the money had been deposited into a different exchange—one that responded to their subpoena for account information.

Methods of tracing Monero and Zcash

Nothing too surprising here, but good to know what Chainalysis figures they have and what researchers think might be part of their methods. From the book:

Gronager even cast doubts—albeit vague ones—on whether Zcash’s and Monero’s privacy guarantees will stand up to scrutiny for years to come. “Any of these systems, anything that’s developed, you always see a couple of years later, someone finds something,” Gronager said. In fact, a 2017 study by one group of Carnegie Mellon, Princeton, and other university researchers discovered that in as many as 80 percent of cases, they could use clues like the age of coins in a Monero transaction to carry out a process of elimination and deduce who moved which coins. (Monero subsequently upgraded its privacy features to foil those techniques. Chainalysis, for its part, hired one of the paper’s authors.) Another group of researchers, including Sarah Meiklejohn, had found in 2018 that Zcash wasn’t quite as anonymous as it appeared either—largely just because the number of users turning on “shielded transactions” was so small. “And that’s only the stuff that’s being printed in public, right? So I just don’t believe in anything being safe,” Gronager said. After all, he deadpanned, wasn’t Bitcoin once understood to be anonymous? “There is always a cat-and-mouse game,” Chainalysis’s CEO concluded. Did that mean that Chainalysis had in fact found ways to trace Monero and Zcash? Gronager, unsurprisingly, declined to answer. “We are not really interested in revealing capabilities,” he said slyly. “Even if we did say something, it’s likely people wouldn’t believe it.”
Nothing big, but worth taking note of.

Closing Thoughts

The last two chapters dive into criticisms of Chainalysis software likely being used by other state actors to hunt down journos and activists in certain countries, and a great interview with DeSnake talking about the info in the DarkLeaks dossier. Read up on the DarkLeaks stuff for more info, but especially the stuff on Rumker. It seems to be the tool that led the LEAs to find AlphaBay's and WallStreetMarket's wallet IP addresses. Also, the closing epilogue with Sarah talking about why she turned down a job at Chainalysis is pretty interesting. Anyways, sorry for the long post with lots of quotes, I just didn't know how to trim this down any further without losing something. Hopefully something here is useful to others.

Also hope this works and is alright /u/Pygmalion
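The fee-fingerprinting tell quoted above (Chapter 28) can be made concrete. The following is an added example, not code from the book, from Chainalysis, or from the poster: it shows how a wallet that fixes its fee rate per amount tier leaks a fingerprint that a sliding-scale wallet does not, how that fingerprint is learned from an already-attributed seed set, and how it then grows the cluster. All transactions, the amount tiers (by order of magnitude in satoshis) and the fee rates (40/75/120 sat/vB) are constructed assumptions; real AlphaBay settings are not disclosed in the book.

```python
"""Fee-policy fingerprinting over constructed Bitcoin transactions.

Added example (not from the book or Chainalysis). The tier boundaries,
fee rates and every transaction below are assumptions for illustration.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Tx:
    txid: str
    vsize: int       # virtual size in vbytes
    amount_sat: int  # value paid out (excluding change), in satoshis
    fee_sat: int     # miner fee, in satoshis

    @property
    def fee_rate(self) -> float:
        """sat/vB: the quantity a wallet's fee policy actually fixes."""
        return self.fee_sat / self.vsize


def amount_bucket(amount_sat: int) -> int:
    """Order of magnitude of the amount; a coarse stand-in for whatever
    internal size tiers the target wallet uses (assumption)."""
    return len(str(amount_sat)) - 1


def learn_fee_policy(seed: Iterable[Tx], tolerance: float = 1.0) -> Dict[int, float]:
    """From transactions already attributed to one wallet, find amount
    buckets in which the fee rate is (near) constant: bucket -> sat/vB.
    A wallet whose users pick their own fees yields no fingerprint."""
    by_bucket: Dict[int, List[float]] = {}
    for tx in seed:
        by_bucket.setdefault(amount_bucket(tx.amount_sat), []).append(tx.fee_rate)
    return {b: median(r) for b, r in by_bucket.items() if max(r) - min(r) <= tolerance}


def match_fee_policy(candidates: Iterable[Tx], policy: Dict[int, float],
                     tolerance: float = 1.0) -> List[str]:
    """txids whose fee rate matches the learned policy for their bucket.
    Matches are a tell, not proof: an unrelated wallet paying the same
    rate collides (see u8), so each hit still needs corroboration."""
    hits = []
    for tx in candidates:
        expected = policy.get(amount_bucket(tx.amount_sat))
        if expected is not None and abs(tx.fee_rate - expected) <= tolerance:
            hits.append(tx.txid)
    return hits


# Constructed seed: transactions already known to belong to the market wallet.
MARKET_SEED = [
    Tx("t1", 250, 5_000_000, 10_000),     # 0.05 BTC tier -> 40 sat/vB
    Tx("t2", 400, 8_000_000, 16_000),     # 40 sat/vB
    Tx("t3", 300, 50_000_000, 22_500),    # 0.5 BTC tier -> 75 sat/vB
    Tx("t4", 520, 90_000_000, 39_000),    # 75 sat/vB
    Tx("t5", 350, 300_000_000, 42_000),   # >=1 BTC tier -> 120 sat/vB
    Tx("t6", 600, 150_000_000, 72_000),   # 120 sat/vB
]

# Constructed seed from a consumer wallet with a user-chosen fee slider.
CONSUMER_SEED = [
    Tx("c1", 250, 5_000_000, 5_000),      # 20 sat/vB
    Tx("c2", 300, 6_000_000, 45_000),     # 150 sat/vB, same bucket
]

# Constructed unattributed transactions to test against the fingerprint.
UNKNOWN = [
    Tx("u1", 225, 2_000_000, 9_000),      # 40 sat/vB  -> hit
    Tx("u2", 410, 60_000_000, 30_750),    # 75 sat/vB  -> hit
    Tx("u3", 300, 70_000_000, 30_000),    # 100 sat/vB -> miss
    Tx("u4", 500, 250_000_000, 60_000),   # 120 sat/vB -> hit
    Tx("u5", 250, 5_000_000, 30_000),     # 120 in the 40 tier -> miss
    Tx("u6", 200, 120_000_000, 2_400),    # 12 sat/vB  -> miss
    Tx("u7", 300, 3_000_000, 11_850),     # 39.5, within tolerance -> hit
    Tx("u8", 180, 4_000_000, 7_200),      # consumer tx at 40 sat/vB -> false positive
]


def fingerprint_round(seed: List[Tx], candidates: List[Tx]) -> List[Tx]:
    """One refinement step: learn the policy, flag matches, return the grown
    seed so the next round (over more addresses) learns from more data."""
    policy = learn_fee_policy(seed)
    hits = set(match_fee_policy(candidates, policy))
    return seed + [tx for tx in candidates if tx.txid in hits]


if __name__ == "__main__":
    print("market policy  :", learn_fee_policy(MARKET_SEED))
    print("consumer policy:", learn_fee_policy(CONSUMER_SEED))
    print("flagged        :", match_fee_policy(UNKNOWN, learn_fee_policy(MARKET_SEED)))
```

The point of `u8` is the book's caveat that this "didn't offer a complete solution": a fee fingerprint narrows the search and seeds the next round of clustering, but every hit is a hypothesis to be checked against other heuristics, not an attribution on its own.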

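The Monero "process of elimination" plus "age of coins" reasoning quoted in the Monero/Zcash section is also easy to show on a toy chain. This is an added example, not code from the book or from the researchers it cites: it runs the two published ideas on constructed data. First, any ring whose members are all already known to be spent except one gives away its real input, and that knowledge propagates to every other ring that used the same output as a decoy (the chain reaction). Second, for rings that stay ambiguous, guess the youngest member, since uniformly sampled decoys tend to be older than the coin actually being moved. Output ids, heights and ring compositions are constructed; the heuristic's real-world hit rate (the book's "as many as 80 percent") is not reproduced by this toy data.

```python
"""Ring-signature deanonymisation heuristics on constructed Monero-style data.

Added example (not from the book or the cited papers). Outputs, block
heights and rings below are assumptions chosen to exercise both heuristics.
"""
from typing import Dict, List, Set, Tuple

# Constructed: output id -> block height at which it was created.
HEIGHTS: Dict[str, int] = {
    "o1": 100, "o2": 150, "o3": 200, "o4": 250, "o5": 300, "o6": 320, "o7": 350,
}

# Constructed: ring (one transaction input) -> the outputs it references.
RINGS: Dict[str, List[str]] = {
    "r1": ["o1"],               # zero-mixin spend: the real input is public
    "r2": ["o1", "o2"],         # o1 is already spent, so o2 is the real input
    "r3": ["o2", "o3", "o5"],   # o2 eliminated; o3 vs o5 stays ambiguous
    "r4": ["o1", "o2", "o4"],   # both decoys eliminated: second-order chain reaction
    "r5": ["o3", "o6", "o7"],   # nothing eliminated; fall back to the age heuristic
}


def deduce_spent(rings: Dict[str, List[str]]) -> Tuple[Dict[str, str], Dict[str, Set[str]]]:
    """Chain-reaction elimination to a fixpoint.

    A ring with exactly one remaining candidate must spend that candidate
    (an output can be spent once), so the candidate is removed from every
    other ring. Returns (ring -> deduced real input, leftover candidates)."""
    candidates = {rid: set(members) for rid, members in rings.items()}
    resolved: Dict[str, str] = {}
    changed = True
    while changed:
        changed = False
        for rid, cands in candidates.items():
            if rid in resolved or len(cands) != 1:
                continue
            (real,) = cands
            resolved[rid] = real
            changed = True
            for other, other_cands in candidates.items():
                if other != rid:
                    other_cands.discard(real)
    leftover = {rid: c for rid, c in candidates.items() if rid not in resolved}
    return resolved, leftover


def guess_newest(leftover: Dict[str, Set[str]], heights: Dict[str, int]) -> Dict[str, str]:
    """Age heuristic: among remaining candidates, pick the most recently
    created output as the likely real spend. This is a probabilistic guess,
    unlike deduce_spent, and is what later decoy-selection changes targeted."""
    return {rid: max(cands, key=lambda o: heights[o]) for rid, cands in leftover.items() if cands}


def trace_rings(rings: Dict[str, List[str]], heights: Dict[str, int]) -> Dict[str, Tuple[str, str]]:
    """Combine both heuristics: ring -> (output, 'deduced' | 'guessed')."""
    resolved, leftover = deduce_spent(rings)
    out = {rid: (o, "deduced") for rid, o in resolved.items()}
    out.update({rid: (o, "guessed") for rid, o in guess_newest(leftover, heights).items()})
    return out


if __name__ == "__main__":
    for rid, (output, how) in sorted(trace_rings(RINGS, HEIGHTS).items()):
        print(f"{rid}: {output} ({how})")
```

Note the asymmetry the code makes explicit: `deduce_spent` produces certainties that compound across the chain, while `guess_newest` is only as good as the gap between how real spends and decoys are distributed in time, which is exactly the knob a protocol change can turn.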
Comments (1)
/u/tropicalslugs · 1 vote · 2 months ago · Link

thanks for posting this and nice job on formatting