DHL Market Security Part 3 - Operation Return to Sender

Operation Return To Sender

DHL Admins - we noticed you have disappeared with all user funds and likely have no plan of returning.

Here is what we want you to do, either:

  1. Come back, bring the site back up and allow users to withdraw all their funds
  2. Come back and allow us to provide you with return addresses for user funds which you will then process

Why would you do this? Because if you don't we will be publishing a series of posts with all of the information we found on your server and other correlated information that can be used to identify you.

We are starting this process right now with this post to give you a hint at what is coming next.

Timeline

First a DHL timeline. I'm not going to directly reference certain events, this is more left here as a hint.

  1. Early-2015: Development on DHL started in early 2015
  2. 11-Jun-2015: It was announced here (DHL-1 created his account the same day) - but that post was removed and no one noticed
  3. 11-Jun-2016: It was announced properly here by DHL-2
  4. 17-Jun-2015: Synala is released on bitcointalk
  5. 21-Jun-2015: It was added to the superlist

IP Address and Servers

You lied in your statement when you said that the location of your server was leaked by an internal employee.

Anybody could have located your server at any time by simply searching for title:"Darknet Heroes League" in Shodan

Screenshot

Here is the full results page for that server also on Shodan

Screenshot

Note the ssh key. Search Shodan for that key.

Screenshot

Interesting.

Since you took down all your onion services at around the same time, they stand out in an index of onion sites.

Bitcoin

We have taken a keen interest in DHL's use of Synala.

Synala is an Open Source Bitcoin payment gateway written in PHP. The website is at:

http://envrin.com/synala

A key feature of Synala is the offline transaction signing so that the private keys can be kept on a separate machine (even a user's desktop!) and then pulled from the server using a (bad) API to be signed and then broadcast.

Most of the features of DHL relating to Bitcoin that they listed as their own are actually features of Synala.

What makes Synala most interesting is that it isn't very popular so DHL's use of it stands out.

First piece of interesting information we found is that somebody noticed in September of 2015 that DHL was using Synala. There are a few ways an anonymous person could have found that out at that time but we think they found out the same way we did (i.e. broke the server).

Here is an interesting GitHub comment on a Synala repository left by a user with the throwaway GitHub username dhlol (funny).

Screenshot

The person who owns the repository attempted to scrub the comment not knowing that GitHub leaves a history of changes.

DHL Withdraws

edit: not required anymore - got what we were looking for quickly. thanks everyone.

We are asking users of DHL if they want to contribute to send us transaction ids of Bitcoin transactions that you know are withdraws from DHL.

Not deposits or anything else, just the txids of withdraws.

You can do this anonymously and I'll leave contact details below.

Complete confidentiality - only I'll see it and I'll delete the info, and we might not need many.

Fingerprinting Files

Remember Hansa? The operators of that site were found because antivirus and security software provider Bitdefender sent a tip to law enforcement.

The way that works is this: These antivirus programs are set up on users' desktops or they're running on a corporate, government or educational network. It is very common to set up antivirus to run on all web traffic as it comes into a network and to scan the files.

Many antivirus companies share signatures of files into a number of different threat research databases.

What most people don't know is that these databases end up becoming large repositories of unique files with associated data.

If you have a unique file that you're accessing on the web, or emailing, or on your desktop, and it passes through an antivirus gateway, there is a good chance it will be logged and mark you out.

DHL had a very unique file on their website. It got caught and scanned by an antivirus company and logged. The log shows the date that it was caught and it was before DHL was announced. The records also contain a lot of information including the IP address it was logged from.

A Preview of Part 4

Coming up. Anybody else notice the DHL handles on this subreddit? It would be a terrible idea to mix business on reddit. It's amazing what slips out in the comments here when you pay attention.

I just spent 30 minutes setting up stylometry tools until I noticed that I didn't need it.

Credit

Don't credit me with all this - it really is a group effort with a lot of very sharp people messaging me tips and working together. I'm amazed at some of the things that are found and some of the work done. Most don't want to be called out but I'll update as appropriate.

Contact

EDIT: Please consider what you PM me here - use email + PGP or ask for XMPP. Chances of those messages staying between the two of us are high.

electronic letter: tomcheck at protonmail.com


edit: if you're the dhlol person who left the issue on GitHub, get in touch.


Comments


[99 Points] GiveMeTheNX:

grabs popcorn


[30 Points] JburnaDNM:

Exit scam confirmed. They aren't going to get very far though. Damn, just damn.

I honestly feel bad for everyone involved but this is just negligence on DHL's part and could hurt a lot of people in negative ways and they reassured everyone everything was ok. They did this to give themselves a head start and said fuck everyone else.

There's only one way for them to make this right and that's to return everyone's coin.

I wonder WTF law enforcement is thinking with all this info.

It sucks people will get in trouble for this but damn they did it to themselves. Hopefully with users like the ones behind these revelations it leads to future markets with amazing security and OPSEC.


[19 Points] birtdags:

Please consider that LE is also interested in this information. Yes money should return but you can't spend that shit in jail you know. Respect for all your work mate and I would love to see your reports on the current live markets. No disrespect at all so don't come find me.


[19 Points] None:

Dude you're the tits, fuck all the cop drama, I'm coming here for your drama 😜


[13 Points] None:

[deleted]


[12 Points] jjcooli0h:

Here is what we want you to do, either:
1. Come back, bring the site back up and allow users to withdraw all their funds

Haven't we seen this movie before?

In case you missed it, the first film ended with the producer's account info, connection datetimes, IPs, private messages, etc. getting subpoenaed by ICE.

That said, it was obvious that the former director was 100% full of shit, while in contrast, I'm sure you likely have something. However, I doubt that it's enough to be able to twist the DHL admins' arm and force them to follow your demand(s). Namely, to:

  1. Come back and allow us to provide you with return addresses for user funds which you will then process


Speaking of which, why would you be:

asking users of DHL if they want to contribute to send us transaction id's of Bitcoin transactions that you know are withdraws from DHL.
Not deposits or anything else, just the txid's of withdraws.

i.a. ⇝ vendors


Hmm I'm sure you can see how that might come-off and be perceived as a bit of a …strange request, right?

Could you elaborate on how (presumably) locating a DHL hotwallet will assist you in your efforts of producing this summer's blockbuster sequel:

"z-l versus Evo / Reloaded: Return the BTC Bitches … Or Else"


[11 Points] Virtix21:

See that last IP there? Shodan shows its last scan of it was 2017-07-23 T12:52:34.282048

That means they've been exposed for weeks, at least.

Good info /u/t0mcheck.


[9 Points] DaddyBeatsMeSupreme:

If it was that easy, why didn't LE take them down years ago? They only ran Hansa for a couple weeks, so I don't think they took it over, and they didn't roll it up when they took down Hansa either, which would have been the perfect timing. The police are certainly going to get tips and start to look into them now. If they were as irresponsible with their data management as with the rest of their site, this could become a problem for more people than just them.

I just hope this doesn't end up hurting vendors or customers.


[9 Points] EatSheets:

Holy fuck. When did Keanu Reaves make a reddit and start slaying cunts?


[9 Points] Tired8281:

This would be hilarious if it didn't likely involve someone(s) going to jail. Never call out a security researcher.


[11 Points] dil_bee:

I see why someone would be crazy mad at getting screwed over by yet another DNM, and I think this probably has good intentions behind it even. But the only people that really lose with all of this craziness is the entire community. I'm sure LE is LOVING the distrust and disharmony that seems to be sweeping the vocal parts of the community AND most everyone involved has handled one or more parts of this thing SHITTILY.

I think a lot of people here seem to immediately equate the word 'exit' with 'scam'. I'm not saying it is or isn't -- and that's the point. 99.99% of people here have no idea about what's going on behind the scenes. If there really has been a massive leak this whole time then returning money is really just more risk. And that's risk to DHL staff AND its customers.

As sneaky AND CAPABLE as LE HAS BEEN lately everyone here should be FAR more cautious -- that includes sending your info, no matter how anonymous, to random internet saviors! If you think it's beyond LE to pose as 'the good guy' to lull you in to their confidence then you are OUT OF YOUR FUCKING MIND! That is, in fact, their exact M.O. I'm not calling anyone here the law. I'm just saying maybe everyone should slow the fuck down and don't be so excitable...

And even the worst of enemies don't involve the law.


[6 Points] unc0ntr0lleddeliver4:

Why can't one of the admins take 5 minutes of their time to post a signed message here saying what's going on? And to think people berated me for a post complaining about all DNM's sucking. Their lack of communication is their worst failure of all. It's inexcusable... I wouldn't touch any of these places with a 10 foot pole that's PGP encrypted and purchased with Monero while wearing surgical gloves


[10 Points] None:

Does anyone know if you can survive off only popcorn ? Looks like it's gonna be popcorn for breakfast again.


[8 Points] JohnnyYenOnTheDnms:

hey u/t0mcheck is it not because you ripped up their shit and embarrassed them that they have fucked off?

sure it's an exit now but did you start it by putting their shits up them and practically forcing their hand

if not I apologise in advance.


[8 Points] JburnaDNM:

I think I have a feeling where this is going and well known vendors being exposed as DHL admin. Pure speculation but that's what it's starting to sound like and would make a lot of sense regarding some stuff going on around here.


[6 Points] murderhomelesspeople:

DHL had a very unique file on their website. It got caught and scanned by an antivirus company and logged. The log shows the date that it was caught and it was before DHL was announced. The records also contain a lot of information including the IP address it was logged from.

Where's the proof on this one?

The person who owns the repository attempted to scrub the comment not knowing that GitHub leaves a history of changes.

It looks like they may have just done it because it was useless and out of place. It's weird but I don't believe it's shady.

edit:

Remember Hansa? The operators of that site were found because antivirus and security software provider bitdefender sent a tip to law enforcement.

As I recall it was because one Hansa admin had a bunch of viruses on their work comp, when the techs checked it out they found it had been accessing cp, the anti virus protection was provided by bitdefender. Am I missing something?

11-Jun-2015: It was announced here (DHL-1 created his account the same day) - but that post was removed and noone noticed

Looks like automod removed it because of the white onion list, this often happens with new markets.

We are asking users of DHL if they want to contribute to send us transaction id's of Bitcoin transactions that you know are withdraws from DHL.

I wouldn't recommend people do that but up to them. Wouldn't the large majority of this group be vendors?


[7 Points] Twist3dHipst3r:

Holy fuck, I don't have a horse in this race but god damn I love you dude. Fuck DHL


[6 Points] JeffSessions_DNM:

Let's role play a bit....

Suppose I'm the owner of a DNM. Suppose as the owner of a DNM, I want to exit scam and take the moneys and go.

This is what I would do:

Plan, months in advance, possibly as a last resort option before even announcing my opening of said market.

I'd have a secondary server to create said distraction insert catastrophic event _________ (every dnm user/vendor/admin/owners worst nightmare) and after the uprising, take it all down for maint, making off with everything.

Create a distraction, in this case vulnerabilities to cause a stir in the forums. Also, pay someone who knows their shit enough to get as many ppl on board with that person being a vigilante of justice, hero of the common buyers and vendors everywhere...or have the critics who question every detail the hired help posts, scrutinize everything. The vigilante would make vague/borderline mysterious replies just enough to keep everyone focused on the thread.

Not saying this is what is going on, but if I planned something as big as an exit scam....it would be quite similar to this.

Your pal, Jeffery


[6 Points] Inthewirelain:

So a few automated scans on IPs that we now all have access to and then a books worth of speculation. Hmm.


[5 Points] sexygnome:

Since we are already talking about it, can somebody please send me an invite to DHL? Please PM me!


[6 Points] DMVbandz:

I'd rather have an exit scam than you getting a market shut down. You're just doing LEOS jobs for them.


[6 Points] Th3Ultimat3d:

DHL had a very unique file on their website. It got caught and scanned by an antivirus company and logged. The log shows the date that it was caught and it was before DHL was announced. The records also contain a lot of information including the IP address it was logged from.

Every market has unique files, what is that supposed to mean? Do you have any proof that an AntiVirus tool caught such a file from DHL and that it's now used by law enforcement?


[4 Points] KingXombi:

T0m nice work bud. Let see how this turns out


[3 Points] GuruMart:

Damn. Even though there weren't that many active users compared to past big markets, they have some of the largest vendors on there (Checkpoint, Kackiz etc.) Wish they would come back and say SOMETHING.


[3 Points] Nandy-bear:

I hate to say it, but it honestly feels like pwnage is the only acceptable word for that post haha.

Nicely done mate


[3 Points] TILYouLoveDrugs:

'He should've done this and that and not make a public post about, he should've etc' spare me of all this bullshit.

It's not like there's a manual with guidelines on how to deal with DNMs' vulnerabilities. The community should be grateful that they received this heads-up. Getting burned is part of the game, on all sides, vendors, buyers and admins.

Considering DHL's approach, that market should've never been opened. Amateurs that put the lives of normal junkies at risk because they are greedy and don't know shit about OpSec.

/u/t0mcheck regardless of what the community says (most talk just for the sake of doing it), you did the right thing and thank you for this. Keep up the good work and looking forward to your next posts.


[2 Points] JburnaDNM:

Anybody know of DHL's hot wallet to see if the coins are moving or not? (or is this what u/t0mcheck is trying to figure out with the TX id?) It couldn't have evo or AB type coin but I bet still had a good amount of money.


[2 Points] Fraudsterbiz:

Good luck everyone, but I don't think they will let you the funds


[2 Points] jointhaparty54:

holy fuck LOL


[2 Points] TradingRealGfForRsGf:

MY GODDAMN $1 BOND IS GONE. WHAT DO I DO? DO I BURN HOUSE? LE MUST HAVE IT R....oh, you said this is an exit scam? I thought...my bad, PTSD from this time last month...


[2 Points] Droppin__6s:

The plot thickens..


[2 Points] None:

I am now fully erect


[2 Points] NextMoveBestMove:

RIP to yet another market


[2 Points] DNMSecurityAudt:

Astounding work. No room for amateurs.


[2 Points] divinesnake:

Why is this being allowed to be stickied here? Is u/t0mcheck a mod? I don't like the position this sub is giving him.

Edit: Nice. This is as it should be.


[2 Points] yallapapi:

Tldr don't steal from drug dealers


[2 Points] MagentaIsALie:

Honestly DHL. Just run. Do not look back. Do not return any money. Run.

Once you give in to terrorism and blackmail it is game over for you. The information is out there LE have it.

Cash out to monero.

You have the money. RUN.

Fly you fools!


[2 Points] solidshitT:

DHL Admins - we noticed you have dissapeared with all user funds and likely have no plan of returning.

Wasn't DHL multisig market? If yes how could they take control over users funds?


[2 Points] The_Grid_Is_Up:

This has a hacksforcrack vibe to it.


[1 Points] cheapcab:

OP, please be aware of rule 1 and don't post anyone's dox on this sub.


[1 Points] b_ba_basshead554:

Go dude!


[1 Points] SoldadoyProfeta:

THIS IS CRAZY!!!!! HOLY SHEEEEETTTTT GOOD JOB BRO KEEP THIS UP


[1 Points] Trianglist:

We should just start pre emptively ripping off markets.


[1 Points] lovelylittlegangster:

shodan.io looks mental! I've been out of this game for a long long time, I'd have given anything for a tool like this 20 years ago!

It basically scans every IP for every port and logs all information. So if you expose your onion site to the clearnet at all it'll be found?

RAMP was allegedly found the same way. No more being lazy, firewall rules need to be tight and administration needs to be done properly!


[1 Points] JohnnyYenOnTheDnms:

well it will be interesting to see this play out and hopefully everyone's coin is returned.

can you lend any credence to the speculation that LE are already pulling the strings?


[0 Points] mrfloridamolly99:

PLEASE bring internet justice to these fucking scumbags.

They won't return the money, that is a pipe dream.

BUT you can make sure they can't spend it if they are on the run from people who they stole from and any other interested parties.

If succeeded this will be a great example of how a community of drug enthusiasts will stand up for integrity and justice. u/t0mcheck could have just blackmailed them but instead he is informing and helping an already ravaged community.

I salute you and your efforts sir !! go getem


[1 Points] None:

Remember Hansa? The operators of that site were found because antivirus and security software provider bitdefender sent a tip to law enforcement.

This is really interesting. How could bitdefender know a file was suspicious? Seems like spying on your customers' files would be bad for business.

If this is really a thing, it seems like Dropbox or any of the cloud storage providers could be doing the same thing. I just don't know how they could know? Look for filenames like "drugSales2017.txt"?


[1 Points] None:

Quick question, what does the take down of the market mean in regards to LE investigating of customers? Or their investigations as a whole. Does this protect dhl in anyway? Or were they just trying to run with the money.


[1 Points] ohmanmatt:

Regarding the fingerprinting files... Would you happen to be using something similar to VirusTotal's private API and an image (maybe their website banner) from their website? That bit seemed vague (obviously on purpose). Wouldn't be surprised by you having API access but not sure how much info VirusTotal gives.


[1 Points] SpeedflyChris:

Interesting that Grams was vouching their announcement thread...


[1 Points] dookiedonkey:

damn G, you just handed them their asses, in a box with a neat wittle bow. Mods? your (ahem) reply?


[1 Points] AutoModerator:

Please always verify e-mails via Grams InfoDesk and also always encrypt your info with the vendor's PGP-key.

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.


[0 Points] None:

Mods, I love you. Send nudes


[0 Points] JasperBuds:

Lmao to the asshole who said DHL was better than AB and that's all he used fk you asshole where are your coins now faggot


[-3 Points] BurntfightDuffy:

Am I the only one that thinks this has gone too far? Doxxing DHL compromises vendors and customers too. This guy is doing LEs job for them if they haven't targeted DHL already and handing it to them. Losing money to an exit scam is bad. Losing freedom because some guy got upset DHL wouldn't take him seriously and pay out a bug bounty is worse. The community is cannibalizing itself. It is disappointing that someone would do this. The end does not justify the means.