Over the holidays I found time to go through more than 100 pages of criminal complaints, indictments and other resources that described how the vendors Blime-Sub (a.k.a. BTH-Overdose) and CaliGirl got busted. Now what is different compared to the first two parts [#1 and #2] is that these two cases are described in great detail and walk the reader through the entire investigation step-by-step.
Since they are quite lengthy I outlined the important parts of the investigation and wrote down the mistakes that the vendors made which eventually led to their bust. While the Blime-Sub bust is quite fresh [just 2 months ago], the CaliGirl case dates back to the good old SR days. However it is one of the best documented ones and many of the investigation techniques are still used today. In this edition we have some classic pitfalls like getting identified while buying the postage or leaving a detailed money trail but also some new ones that have not been mentioned in the previous two parts.
I strongly encourage every vendor to read through these notes and analyse their own operation so they do not make the same mistakes that their colleagues/competition did. In the end it is not only your own future that is at risk but also that of your customers. Please read the whole post because it not only includes stupid vendor mistakes that you probably would never make, but also some tricky pitfalls which you would miss if you just skimmed the post.
Before I come to the busts themselves I want to briefly talk about some aspects that are so important that I think they deserve a specific mention:
If there is one thing the government does not fuck around with, it is money. For example the CaliGirl complaint contained over a dozen sites that went over every single cent the vendor ever received or deposited into his bank accounts. Every single company, from Wells Fargo to Western Union and MoneyGram, had extremely detailed records about where every cent came from and where it went, as well as IP addresses, log-in times, locations of used ATMs, ... This shows that vendors should avoid banks and wire transfer services whenever possible, because they all keep records and once they hand these over to law enforcement you are absolutely fucked.
Know your limit. Many vendors just keep vending under the same name for years as if law enforcement is not interested in them. However what all these busts have in common is that law enforcement simply had enough time to investigate the vendors. So vendors, remember to take a break once in a while and enjoy the reward of your hard work instead of ruining everything you have worked for in the past years by vending until you get busted. Better to quit with some nice extra cash and your freedom than to end up in one of these summaries below.
Law enforcement not only analyzes the content of seized packages but also the package itself. That means they look for any traces you may have left, for example fingerprints. This has proven to be useful and already led to arrests, just take a look at the Area51/Darkapollo or Blime-Sub/BTH-Overdose busts. So vendors should avoid leaving any fingerprints or DNA traces on and in the package because it not only allows them to check whether a suspect is the wanted vendor but can also reveal for example the eye and hair color of the person that left the DNA [http://www.medicaldaily.com/DNA-test-can-reveal-hair-eye-color-humans-living-800-years-ago-244266]. That would give law enforcement a big advantage when they stake out mail boxes. Here is a really simple guide on how to remove these traces: http://biononymous.me/wp-content/uploads/2016/09/Tabloid-BiononymousGuide.jpg
Bust #1: CaliGirl [Matthew Jones]
sources:
https://www.justice.gov/sites/default/files/usao-mdfl/legacy/2014/05/30/20140530_Jones_Complaint.pdf
https://www.reddit.com/r/DarkNetMarkets/comments/2c2i3f/caligirl_criminal_complaint_excerpts/
notes:
one involved Task Force Agent [TF agent in the following] even has "additional advanced training and experience in Computer Networking and Unix Systems Administration" -> that was 3 years ago, imagine how many resources they put into dnm vendor investigations nowadays
vendor used an alias similar to his real name [Matthew Jones]: Mateo Jones
CaliGirl was among the top 5% of all vendors operating on SR -> high profile
law enforcement made 2 undercover purchases on SR and 6 off-site [all between July 2013 and March 2014]
law enforcement was able to identify what products he sold, how often and his total sales volume because SR provided a detailed public record of it -> do not use markets that do not obfuscate this information
although CaliGirl used many different return addresses some of them were handwritten and some were business addresses [not a smart idea, see part 2], plus the tracking number revealed where the packages were shipped from
for his fifth purchase the TF agent placed the order on January 3, 2014 but requested that it should not be shipped until January 23 [this could be a potential red flag for other vendors] -> the TF agent then had time to go to the mail processing plant that handled most of the previous undercover packages and attempted to profile additional packages that matched packages sent by CaliGirl
they found and seized 4 matching packages which originated from one mail collection box half a mile away from Jones's residence, all 4 packages had the same return address and one of them was the undercover order
on January 13, 2014, the TF agent opened a suspicious package [taped excessively] that was sent to one of Jones's drops [where he received the products that he resold under the CaliGirl account], it contained almost 700 Hydrocodone tablets and was addressed to "Tyler Zeddai"
CaliGirl offered the TF agent a special deal for Hydrocodone tablets and also sent him information about them [a link to a pill identification website] -> the branding and picture supplied by CaliGirl matched the seized tablets on January 13 -> the TF agent made the purchase
for his next undercover order [undercover purchase #8] the TF agent claimed to be short on bitcoins and CaliGirl provided him with a contact [name, telephone number and local bitcoins username] that could sell him bitcoins for cash -> that contact [Jones] was CaliGirl himself
apparently the TF agent told Jones [when they talked about purchasing bitcoins] that he wanted to provide him with $1k to convert into bitcoins and then transfer the coins to CaliGirl [Jones should transfer the coins to CaliGirl not the TF agent] -> indication that Jones at least knew CaliGirl [because Jones knew CaliGirl well enough to send him the coins]
after the bitcoin purchase from Jones [$952, because Jones took a commission] the TF agent contacted CaliGirl about the order -> CaliGirl said that it had already been shipped and the $1k was credited towards the purchase -> further indication that Jones and CaliGirl are somehow connected
the phone number that CaliGirl gave to the TF agent to contact Jones in order to buy bitcoins was purchased in Jones' name one minute before CaliGirl mentioned it in his message -> further indication that CaliGirl was probably Jones
the features of the packages that CaliGirl sent which remained consistent included: the manner in which the sender and recipient addresses were printed and affixed, the placement and method of postage, and the type of envelope utilized -> made package profiling easier
the postage used for the purchase mentioned above was an Automated Postal Center [APC] computer generated postage stamp -> the TF agent was able to get the purchase date and location of the machine that was used to buy the postage
since the machine stored images of the persons that used it, he was also able to get an image of the person who bought the postage in question -> compared this image to known images of Jones [including publicly available images on facebook] -> matched
postage was paid for by the utilization of $5.00+ face-value stamps and the tracking numbers were affixed prior to mailing for every package -> he did not have to pass the packages over a post office counter where he could get identified by postal staff or video surveillance systems -> however he fucked up with the package sent on March 18, 2014 which had APC printed postage
he used the same return address for every package but switched it once every week -> this and other mistakes allowed detailed package profiling which made it possible for law enforcement to identify a total of 135 packages sent by Jones -> package profiling is a great threat so take countermeasures
some return addresses that CaliGirl used were connected to his real identity [Matthew Jones]: e.g. a hotel address where he stayed or a company which he owned -> do not do that
Jones' P.O. box [where he received his products which he resold] was opened under his name and "Tyler Zeddai" -> all incoming mail was addressed to Tyler Zeddai but always picked up by Jones or his spouse -> manager found that suspicious [he did not contact law enforcement but when the TF agent interviewed him he was very talkative -> maybe avoid P.O. boxes from "EZ Mail Services"]
vendors: if you have to use P.O. boxes switch them once in a while [and use different companies] so it is more difficult for law enforcement to uncover the whole scope of your operation. Also, do not use these addresses for other purposes like opening bank accounts, which Jones did.
the TF agent also reviewed records obtained from amazon about Jones' purchases which included purchase, shipping, billing, and IP address information -> he bought zip lock baggies and bubble mailer manila envelopes which were also used for shipping the undercover purchases -> do not order your shipping equipment online or at least not with your identity
he also travelled to Colombia frequently -> the TF agent compared these dates with the times when CaliGirl was on vacation -> matched -> vendors should go on fake vacations [vacation mode on the market but continuing their everyday life] and extended vacations [do not go into/come back from vacation on the exact days when you actually go away/come back]
Note: Jones bought Oxycodone and Hydrocodone in Colombia and shipped them to the P.O. box mentioned above: it is easier and cheaper to get these products in Colombia and they are marked like many other tablets -> careful inspection or laboratory analysis needed to identify them -> preferred by drug traffickers
Xoom [an online wire transfer service where he had an account with his real data] revealed that he transferred over $58k from January 2012 to August 2013 to Colombia
some of these transfers were sent to "Mateo Jones" which is an alias utilized by Matthew Jones on facebook -> please learn to separate identities properly
transactions have been structured in a manner to intentionally avoid triggering money laundering and reporting requirements [e.g. multiple transactions on the same day to the same person] -> say hello to another charge
he should have taken the money in cash with him on the plane or mailed it to Colombia instead of producing all the detailed evidence by using Xoom
"The Wells Fargo counter and ATM deposits [to one of Jones' accounts] were in inconsistent amounts, occurred on a variety of dates, and were made at a variety of geographical areas. Based on my training and experience, this activity is consistent with Bitcoin sales where a Bitcoin customer makes a pre-arranged counter-deposit into a Bitcoin dealer's bank account. The deposit slips contain only the minimum amount of information required to make a cash deposit. Based on my training, experience, and this investigation, this is common behavior utilized by Bitcoin exchangers and drug traffickers when utilizing counter deposits to transmit currency." This was written 3 years ago, vendors should finally start using methods that do not create extensive and suspicious paper trails to cash out their bitcoins
he used small variations in telephone numbers, addresses and other identifying information for receiving funds in his Western Union account -> this is a common method drug traffickers and money launderers utilize to avoid detection by law enforcement -> do not do this
Jones used only one account on the exchanges [local bitcoins and bitcoin-otc] to cash out his bitcoins for his entire vending time and also publicly linked the accounts on both sites
'fun' fact: a screenshot [exhibit 1] shows that law enforcement does not even disable javascript globally and seems to be using windows -> they really need to step up their opsec :)
Bust #2: Blime-Sub a.k.a. BTH-Overdose
sources:
https://www.justice.gov/usao-edca/pr/fentanyl-and-heroin-sold-dark-web-marketplace
https://www.justice.gov/usao-edca/press-release/file/918811/download
discussion link:
I also wrote an article on deepdotweb about this bust using these notes, so if you read it you can skip the following notes. /u/deepdot can you please post a short 'confirmed' comment so that people know that I am not bullshitting?
notes:
after getting training on how to use dnms a DEA agent began analyzing and investigating top heroin vendors on alphabay in January 2016
he initiated a full investigation into the vendors Blime-Sub and BTH-Overdose in September 2016
he knew they were shipping from the west coast (possibly somewhere in California) because customers mentioned it in forums
BTH-Overdose (Emil Babadjov) used the same email address for his pgp key as he used for his facebook account with his real name (but written backwards)
Babadjov made a public facebook post in September 2015 that people could contact him through the email address he also used for his pgp keys
on November 14th, 2016, the agent sent a subpoena to coinbase to get any information they have about the email address
he received replies from Coinbase on the very same day and one day after:
- the email address was used to create an account in November 2015 for "Emil Babadjov"
- on March 18, 2016, he attempted to create another account with the name "Emil Babadjov" and the email address "blimesub@***.com" -> do not mix vendor identities with exchange accounts and do not use vendor email addresses for any other purpose than talking to customers
on November 14th, 2016, the agent got Babadjov's address (through his driver's license) and found out that he was arrested in 2013 for possession of controlled substances (but the charge was dismissed)
on October 19, 2016, the agent bought $800 worth of bitcoins to buy 3g heroin on the next day from Blime-Sub on alphabay
the parcel (UC parcel #1) arrived on October 25 at the undercover address and he got the return address and tracking number of it
the product in the package was submitted to the DEA western regional lab for fingerprint and drug analysis after it tested positive for heroin
the agent got a response from the lab on November 10, 2016, which stated that it was a mix of heroin and fentanyl
the US postal inspector was able to conduct comparative analysis of these parcels to identify who purchased the postage for UC parcel #1
due to the Postage Validation Imprinter (PVI) the US postal inspector was able to see that the postage was bought on September 18, 2016 at 4:03 PM via a Self-Service Kiosk (SSK) 0.7 miles away from Babadjov's known address
the US postal inspector gave the photo that was taken by the SSK system during the transaction to the agent
he identified the person in the photo as Emil Babadjov according to the driver's license and social media photos of Babadjov
on November 16, 2016, the agent received another response from the DEA western regional lab that stated that two fingerprints belonging to Babadjov were found on the exterior of UC parcel #1
That is it for now, if you know other busts that could provide useful information or additions to the summarized ones please leave a comment here.
One last shameless self-promotion: I developed an add-on for Firefox [also compatible with the Tor browser] which lets you view selfposts of NSFW subs [like this one] without having to enable JavaScript. The source code is of course publicly available, so check it out if you want to boost your opsec: https://www.reddit.com/r/DarkNetMarkets/comments/5ek0lm/a_present_for_the_lurkers_on_here/
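The CaliGirl notes above mention two transaction-monitoring patterns that financial institutions look for: structuring (several same-day transfers to one recipient that each stay below a reporting threshold but together exceed it) and small variations in a recipient's phone number or address across records. The following is an added example, not code from the original post or from the complaint, showing how an analyst-side detector for both patterns can be written. The transfer records, names, phone numbers, addresses and the reporting threshold are all constructed placeholders and do not come from the case.

```python
"""
Added example (not part of the original post): a small AML-style detector for
  1. structuring: several same-day transfers to one recipient, each below a
     reporting threshold, whose same-day total reaches the threshold
  2. identity variation: one recipient written with small spelling, phone or
     address variations across records
All sample data below is constructed and not taken from any real case.
"""
import re
from collections import defaultdict
from datetime import date

REPORT_THRESHOLD = 10_000.00  # hypothetical per-transaction reporting threshold

# Constructed sample records: (date, recipient name, phone, address, amount)
SAMPLE_TRANSFERS = [
    (date(2013, 3, 4), "M. Jones", "(555) 010-0001", "12 Main St, Apt 3", 4_900.00),
    (date(2013, 3, 4), "M. Jones", "555-010-0001", "12 Main Street Apt. 3", 4_800.00),
    (date(2013, 3, 4), "M Jones", "5550100001", "12 main st apt 3", 1_500.00),
    (date(2013, 3, 5), "M. Jones", "(555) 010-0001", "12 Main St, Apt 3", 2_000.00),
    (date(2013, 3, 5), "A. Other", "(555) 010-0002", "9 Elm Rd", 300.00),
]

_ADDR_ABBREV = {"street": "st", "road": "rd", "apartment": "apt"}


def normalize_name(name: str) -> str:
    """Lower-case, drop periods, collapse whitespace: 'M. Jones' == 'M Jones'."""
    return " ".join(name.lower().replace(".", "").split())


def normalize_phone(phone: str) -> str:
    """Keep digits only so '(555) 010-0001' and '5550100001' compare equal."""
    return re.sub(r"\D", "", phone)


def normalize_address(addr: str) -> str:
    """Lower-case, strip punctuation, collapse spaces, unify common abbreviations."""
    tokens = re.sub(r"[,.]", " ", addr.lower()).split()
    return " ".join(_ADDR_ABBREV.get(t, t) for t in tokens)


def recipient_key(name: str, phone: str, address: str) -> tuple:
    """Canonical identity of a recipient, robust against minor variations."""
    return (normalize_name(name), normalize_phone(phone), normalize_address(address))


def find_identity_variants(transfers):
    """Return normalized keys that appear under more than one raw spelling."""
    seen = defaultdict(set)
    for _, name, phone, addr, _ in transfers:
        seen[recipient_key(name, phone, addr)].add((name, phone, addr))
    return {key: raw for key, raw in seen.items() if len(raw) > 1}


def find_structuring(transfers, threshold=REPORT_THRESHOLD):
    """Flag (date, recipient) pairs where no single transfer reaches the
    threshold but the same-day total to that recipient does."""
    daily = defaultdict(list)
    for day, name, phone, addr, amount in transfers:
        daily[(day, recipient_key(name, phone, addr))].append(amount)
    alerts = []
    for (day, key), amounts in daily.items():
        total = sum(amounts)
        if len(amounts) > 1 and total >= threshold and all(a < threshold for a in amounts):
            alerts.append({"date": day, "recipient": key[0],
                           "count": len(amounts), "total": round(total, 2)})
    return alerts


if __name__ == "__main__":
    for alert in find_structuring(SAMPLE_TRANSFERS):
        print("structuring alert:", alert)
    for key, raw in find_identity_variants(SAMPLE_TRANSFERS).items():
        print("identity variants for", key[0], "->", sorted(raw))
```

Running the script on the constructed records raises one structuring alert (three transfers to "M. Jones" on 2013-03-04 totalling 11,200 while each stays under the threshold) and reports that this recipient was written in three different ways. The point of normalizing before grouping is that a detector keyed on the raw strings would see three unrelated recipients and miss both patterns.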
Wow. I don't know who I am more impressed with, the agents that made the busts or your time investigating and summarizing it all. Leaning towards you actually.