How LE can identify buyers, vendors and market operators without compromising Tor

Identifying vendors, buyers and market operators is very easy and doesn't require compromising the Tor Network. Do what you will with this information, use it to increase your safety. Its purpose isn't to help your adversaries find you, because if they're competent they will already know this method (and be using it?).

The downside of this technique is you don't know which identity belongs to which vendor/operator. But through further investigation you can decipher who's who using traffic analysis of observed suspects. The point is LE have the real identities of individuals who are, with high probability, involved in drug trafficking and other organized crime on Tor. If not, they can be eliminated from the suspect list and that narrows it down.


Step 1.

Buy a cheap Bitcoin VPS and install TBB. Install and run the Bitcoin daemon. Install a file manager and database manager application. Remove headers, bind all connections to 127.0.0.1 and remove server information from error pages. Use scallion or shallot to generate a custom onion URL or use the randomly assigned one in the torrc file.


Step 2.

Invent a brand name for a mixing service. Example: Bitcoin Cleaner.

Design a basic logo and website design or pay someone to do this on /r/jobs4bitcoins.

Using the Bitcoin daemon commands and PHP, you will create a simple Bitcoin mixing service. It is a trivial task for a developer with knowledge of the Bitcoin daemon and PHP/MySQL. Users deposit Bitcoins which increment their balance and users withdraw Bitcoin partially from several random addresses of deposits by other users to form the taintless Bitcoin withdrawal. Developers can be hired anonymously on /r/jobs4bitcoins or other employment websites.

You now run a commercial Tor hidden service capable of providing Bitcoin laundering.


Step 3.

When the user initiates a withdrawal of Bitcoin the user enters the destination address (Bitcoin Address X). This address passes through your centralized server and will be logged. Therefore, even though the Bitcoin is successfully mixed with 0% taint and traceability, the mixing service still knows the true destination address. It's impossible for a user to know that the mixing service has logged their destination address (Bitcoin Address X).

The user does not think that anything is wrong.


Step 4.

The user takes his newly mixed Bitcoins and sells them on LocalBitcoins.com. Why? LocalBitcoins.com is the largest and one of the most anonymous ways to cash out Bitcoin. I estimate that most, if not the overwhelming majority of vendors and market operators use LocalBitcoins.com. If they use Coinbase or another exchange this is no problem.

The user sells his Bitcoin via bank transaction with a LocalBitcoins.com buyer. The user has now completed his sale of Bitcoin.


Step 5.

LE has the destination address (Bitcoin Address X).

Subpoena LocalBitcoins.com, Coinbase and ANY other exchange that is obliged to cooperate with government subpoenas and request the information of (Bitcoin Address X).

LocalBitcoins.com responds to the subpoena with the user who initiated deposit from that address, and gives LE the receipt of the bank transaction initiated by the same user. LE now has the name and bank details of the user who deposited Bitcoins to Bitcoin Cleaner.

Step 6.

Monitor/CD or swoop in for the arrest. You have his real identity, and the bank will hand over details of the user who owned the receiving account of the bank transfer.

The users who use Tor based Bitcoin laundering services are extremely likely to be engaged in illegal activity. Vendors, market operators, pedophile crowdfunding users, the lot. If LE does not have evidence to obtain a warrant or CD, you are still listed on their database and can be watched for further activity. And you won't even know that you are being watched or that your identity has been uncovered.

Not FUD or fear-mongering. I believe this is a credible threat to everyone who uses DNMs.


Comments




[5 Points] jadedsynk:

brb gotta stock up on tinfoil


[5 Points] sapiophile:

Wait wait wait. You're missing one very critical piece.

The only "crime" you have here is that this "suspect" did nothing more than use a bitcoin mixing service. You don't know why, you don't know what their DN pseudonym is, you don't know anything about their activities before they mixed the coins. And this method provides no opportunity to discover any such information.

While coin mixing could itself be considered a crime (that isn't really established, yet), the "suspect" is not actually established as a criminal in this scenario.

But yes, you do point out the very real and very troubling concerns of using centralized mixing services. Hopefully, some real CoinShuffle implementations will be coming out soon that will drastically reduce these risks.


[6 Points] ShulginsCat:

Not so fast, McCarthy.

...are extremely likely to be engaged in illegal activity...

In order to get a search warrant, LE has to show particular evidence related to a suspect, as you well mentioned. In none of the 6 steps have you shown how police can know what specific crime a user is or will be committing, leaving it completely open what they will be searching for. Are you looking for... drugs? CP? cash? credit cards? digital evidence of a crime? Choose one.

A warrant must be based on another document called affidavit, which is signed under another oath by some person expressing the belief that certain items will be found at the location to be searched and giving facts that support the belief.... the warrant should be narrowly drawn to include only the data pertinent to the investigation, and that data should be described as specifically as possible.

http://www.droit-tic.com/pdf/digital_evid.pdf

Building a list of possible suspects and monitoring them indefinitely, with no specific charges or proof? That's NSA territory. They go after Al Qaeda and shit. Here we just do drugs.


[3 Points] lojaktaliaferro:

If you read through the complaint on CaliGirl (you did, didn't you?), it becomes apparent that most people who get popped on the darknet do so because they fucked up in all the usual ways. In other words, Cops are cops and do cop shit. They are not network engineers. They are knuckle dragging donut eaters. CaliGirl got busted using the same techniques that would have gotten him if he was a street dealer. The use of the internet doesn't make any of this magical.


[3 Points] Axaq:

Very well thought out and of course it has always been on everyone's minds that a honeypot mixer is possible, but they aren't smart enough to do this, so why the fuck did you just give them the idea? 4 new tumblers will appear over the course of the next few weeks now surely. /s


[2 Points] Theeconomist1:

Would any vendor actually use cash deposit on LBC though? This is a problem in and of itself b/c any vendor doing appreciable business will have a shitload of cash come through the bank account, which is problematic. The bank will start reporting deposits that reach certain thresholds, which are pretty low for any respectable criminal enterprise.

I do agree, the honeypot tumbler is a concern. It's similar to how LE used a honeypot VPN to nab a shitload of carders.


[1 Points] esterbrae:

When the user initiates a withdrawal of Bitcoin the user enters the destination address (Bitcoin Address X). This address passes through your centralized server and will be logged. Therefore, even though the Bitcoin is successfully mixed with 0% taint and traceability, the mixing service still knows the true destination address.

This would make a very poor tumbling service. bitcoind's wallet is not going through any effort to remove taint or join coins.
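As an added illustration of the point above (this is not code from the thread or from any mixing service), the following walks a constructed, hypothetical set of transactions backwards from a withdrawal address to see which depositors a plain coin-selecting wallet links it to on-chain. The transaction data, address labels and function names are all assumptions made up for this example.

```python
# Constructed sample transactions (not real chain data). Each entry names the
# addresses that funded the inputs and the addresses paid by the outputs.
# Three users deposit to fresh service addresses; the service wallet then pays
# withdrawals by co-spending whatever coins it happens to hold, as a stock
# bitcoind wallet would, with change flowing into the next withdrawal.
SAMPLE_TXS = (
    {"txid": "dep1", "inputs": ("userA_addr",), "outputs": ("svc_addr1",)},
    {"txid": "dep2", "inputs": ("userB_addr",), "outputs": ("svc_addr2",)},
    {"txid": "dep3", "inputs": ("userC_addr",), "outputs": ("svc_addr3",)},
    {"txid": "wd1", "inputs": ("svc_addr1", "svc_addr2"),
     "outputs": ("userA_dest", "svc_change1")},
    {"txid": "wd2", "inputs": ("svc_change1", "svc_addr3"),
     "outputs": ("userB_dest", "svc_change2")},
)


def build_index(txs):
    """Map each output address to the transactions that paid it."""
    index = {}
    for tx in txs:
        for addr in tx["outputs"]:
            index.setdefault(addr, []).append(tx)
    return index


def upstream_sources(txs, addr):
    """Follow funding transactions backwards from addr until reaching addresses
    that receive nothing inside this dataset. Those are the external depositors
    whose coins can reach addr: the on-chain anonymity set of a withdrawal."""
    index = build_index(txs)

    def walk(a, seen):
        if a in seen:          # UTXO graph is acyclic; this only avoids rework
            return set()
        seen.add(a)
        funders = index.get(a)
        if not funders:        # nothing paid this address here: external source
            return {a}
        found = set()
        for tx in funders:
            for inp in tx["inputs"]:
                found |= walk(inp, seen)
        return found

    return walk(addr, set())


def anonymity_set(txs, payout_addr):
    """Depositors that a backward taint walk links to a withdrawal address."""
    return sorted(upstream_sources(txs, payout_addr))
```

For userA_dest the walk yields only the two depositors whose coins were co-spent in wd1, and for userB_dest it yields the three depositors reachable through the change output; nobody outside the service's customer set ever appears, and the operator's own log collapses even that set to a single name.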


[1 Points] ThatsAManMan:

I still haven't figured this part out. How would someone know that a specific address belongs to LBC or COINBASE or any other such service?


[1 Points] earthmoonsun:

You can increase your anonymity by splitting up your transaction, selling/buying altcoins on different exchanges, and gambling with a high chance to win.


[1 Points] tvgn9545:

LE has a limited budget and is going to use it to catch DNM owners, admins, and the largest vendors. Investigations cost money. Prosecutions cost money. Incarceration costs money. They are not going to use BTC tracking to catch the little people, especially if you have nothing worth seizing. Just use the best opsec you can and stick with trusted vendors, use common sense, and you probably have nothing to worry about. Keep track of who gets busted and how, and don't make those mistakes.