There are many reports and articles on dnm vendors getting busted, but it is not always easy to find valuable information about the bust and what led to it. In order to provide a safer dnm experience for everyone I will post a summary of 6 busts which contain things that the vendors did wrong and gave law enforcement an advantage, and things that they did right which disrupted the investigations.
To vendors reading this: please take 5 minutes of your time to read the summaries and make sure that you are not making the same mistakes that your competition did. Also I know some of you have already collected information about vendor busts and I am asking you to share it with the community here to make the dnms a bit safer.
Bust #1: Alexandrus
sources:
http://fokus.dn.se/alexandrus/ [english: https://translate.google.com/translate?hl=en&sl=sv&tl=en&u=http%3A%2F%2Ffokus.dn.se%2Falexandrus%2F]
http://norran.se/nyheter/blaljus-nyheter/harifran-skotte-han-storsta-narkotikaligan-408757 [english: https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fnorran.se%2Fnyheter%2Fblaljus-nyheter%2Fharifran-skotte-han-storsta-narkotikaligan-408757&edit-text=]
notes:
continued to vend under the same alias after Silk Road (SR) was seized; his data was handed to Swedish LE by the FBI
selling unique products in his country [no other vendors who sold cannabis edibles in Sweden]
had no job, which may have looked suspicious even though he had no criminal record
didn't pull the Tails USB stick out when the raid took place → always stay in the same room as a machine you have booted into Tails
use many different mailboxes [he used 60]
keep the packaging area clean [no DNA]
use a printer for the destination and return addresses; use real return addresses, but ones whose occupants would not report a returned letter to LE [e.g. a drug house instead of a company address]
LE monitored only the most strategic mailboxes, not all 60
when he delivered the letters to a monitored mailbox, LE got his name because he drove there with his car
LE opened the mailbox right after he left, took out the letters he had sent, but then let the letters go through [329 letters in total] → no warning signs for the vendor that he was being monitored
LE made test purchases from the vendor and confirmed that he had sent drugs to the test purchase address when they opened the mailbox again → maybe only accept buyers with a history after some time
Vendor was watched by LE out of cars parked near the mailboxes
Vendor had the latest issue of the Narcotics Officers Association's magazine → stay informed about LEs tricks
Bust #2: Area51 a.k.a. Darkapollo
sources:
discussion link: https://www.reddit.com/r/DarkNetMarkets/comments/4y34cp/step_by_step_dissection_of_a_darknet_vendor_bust/
timeline: https://www.deepdotweb.com/2016/08/26/timeline-arrests-alphabay-vendors-area51-darkapollo/
notes:
both vendors had their PGP keys registered to same email address
they used this email address on social media accounts linked to their real name
LEOs made two orders; drug and fingerprint analysis showed the fingerprints of one suspect on both packages (on the Mylar and the USPS envelope)
LEOs did a comparative analysis with the already gained information to identify who purchased the postage:
a) they were able to identify the time, date, and location the postage was purchased via the Postage Validation Imprinter (PVI) label
b) postage for parcel #1 was purchased via an SSK (Self Service Kiosk) located near the residences of both suspects
c) PVI labels were bought with the same credit card -> LEOs were able to identify additional postage being purchased utilizing the same card number
d) photos are taken during each SSK transaction -> LEOs identified one of the suspects
vendor(s) used the same return address for both undercover purchases and one intercepted parcel, probably for many other ones too
the intercepted parcel was probably detected because LEOs searched the mail cover database for the return address used on the two undercover purchases -> switch return addresses regularly
vendors were already part of an investigation because they also sold their products near their residences in real life
Bust #3: CaliConnect
sources:
notes:
used the same account on several markets over a long period of time → strong case for LE
weak PGP password ("asshole209" with 209 being his area code)
LE installed a GPS tracking device on his car with a search warrant
trademarked his own vendor name using his real name
used post offices near his home to ship his packages
in the past he accepted non-bitcoin payments that were tied to his identity
kept incriminating things at his home: numerous items associated with the distribution of narcotics, including anti-static bags, a digital scale, food saver vacuum sealing bags; Amazon boxes with plastic storage bags; a trash bag containing marijuana, a box containing a sealed bag of marijuana, also pieces of clothing apparel with the label 'caliconnect'
allowed law enforcement to search his nearby storage units → do not consent to searches or seizures
told agents who questioned him that he traded bitcoins
he and his SO had no job for 6 years but could still pay all the bills
LE found unencrypted items associated with the CaliConnect profile: the black and gold 'Caliconnect' logo in use on AlphaBay, an installation of Tor, and a decrypted message that matched, identically, the controlled Buffalo, New York, transaction
Bust #4: Owlcity
sources:
notes:
used no protection when looking up tracking numbers -> use a VPN [not Tor, because it is too suspicious] or a third-party tracking website
LE began in-person surveillance of Leslie [owner of the wifi from which the tracking number was checked] -> watched him drive to the post office with additional orders and intercepted the packages
ISP monitoring of Tor activity; correlation of Owlcity's periods of inactivity with a computer repair
Bust #5: Pfandleiher
sources:
https://web.archive.org/web/20160317052841/http://www.zeit.de/2014/12/drogenhandel-silk-road-pfandleiher and https://web.archive.org/web/20160317052819/http://www.zeit.de/2014/12/drogenhandel-silk-road-pfandleiher/seite-2 [no direct translation link available, please copy the text from the article and manually enter it into a translator]
notes:
was jobless and drug addicted but also lived a lavish lifestyle
investigation started after one wrongly delivered package and a tip
LE monitored the suspect over months
Bust #6: Shiny Flakes
sources:
http://www.nbcnews.com/news/world/germany-drug-bust-finds-4m-haul-destined-online-sale-cops-n322146
https://www.gwern.net/Black-market%20arrests
notes:
investigation was sparked by an undelivered package: it bounced to one of the fake return addresses and was opened because of insufficient postage
this led to profiling of his packages, tracing them back through the postal system, surveillance of package stations and of him mailing them, and finally undercover buys & seizures of additional packages
had not purged his customers' data; in conjunction with the profiling and interception of sent packages, this led to a reported total of "38 locations were searched and five other individuals were arrested" on 2015-03-10
had a clearnet site
operated from his home
stay safe.