
all 91 comments

[–]512austin 41 points42 points  (10 children)

Is this shit your job?

[–][deleted] 1 point2 points  (0 children)

Lol perfect answer

[–]0-_1_-0 1 point2 points  (0 children)

Studying modafinil?

[–]annul 0 points1 point  (3 children)

So people pay you to research things and write about them? Are you affiliated with a university or anything?

[–]annul 1 point2 points  (1 child)

How did you get started with this type of stuff? Is this your sole income?

[–]pscifi 0 points1 point  (0 children)

Started with a lot of reading and writing and free time.

[–]ShulginsCat 8 points9 points  (10 children)

Most people here laugh at his OPSEC mistakes or mock him, but I'd bet that, come arrest, 90% of users here would have similar issues.

I like that you're bringing this up, because this has been on my mind for a while.

Q: Is it really possible, as a vendor, to have pretty-damn-good opsec without becoming a complete hermit? And can you describe, in points, what you would do to achieve that? (perhaps this deserves a thread of its own)

[–]0xb44d 13 points14 points  (9 children)

We could begin by defining OPSEC properly. Most people here, when they refer to OPSEC, are actually referring to COMSEC or INFOSEC.

OPSEC is the process by which you identify which information is critical, analyze the threats, risks and vulnerabilities, and then develop and apply the countermeasures.

So asking the question "what can I do to secure myself as a vendor" is part of OPSEC, but those threads with titles like "Rate my OPSEC" and a list of "Tor, Tails, Bitcoinfog, etc." definitely are not (especially when they don't even mention what the threats and risks to the user are).

Your biggest threat is that your vendor ID will be associated with your human ID. That leads to probable cause for a search warrant, which leads to a raid on your house and likely an arrest.

Risks, threats, etc. very high - so what you have to do is isolate your real identity from your vendor identity completely.

How might you do this? Compartmentalization: have one virtual machine where everything vendor-related is stored. Put it in a TrueCrypt container. Anything you do with your vendor ID happens in that virtual machine, and it never shares anything (IP address, bitcoin addresses, reddit accounts, etc.) with your real identity.

If you start thinking about OPSEC in this way, how it is supposed to work, you'll find that the answers start coming to you - especially if you have a decent understanding of what your tech options are.

Another example: for buyers the risk and vulnerability profile is a lot lower. Very few (to no) buyers have been arrested. For them, having a separate identity using only different browsers is OK - you don't need the complete isolation of a separate machine.

No one can decide this for you; only you know what your threats and vulnerabilities are - but it is always good to describe your entire situation to someone else so they might see things you don't because of your biases.

[–]ShulginsCat 3 points4 points  (7 children)

OK, this is good stuff.

Let's assume that I'm a vendor, and LE can determine my IP address one way or another. Commercial VPN offers no real protection because LE can probably subpoena my VPN provider. (Potentially one could set up his own VPN, but let's leave that option aside for a minute.)

Now, if I decide to work from a hacked WiFi or a public place I have a tough choice. I will need to put my smartphone in airplane mode completely because, with or without WiFi, it gives away my location, allowing LE to triangulate my presence at a certain location at a certain time. I should also stop using credit cards or debit cards because those also tie my real identity to my location.

And so my question is, can this game be played perfectly without becoming a complete off-the-grid weirdo?

[–]0xb44d 5 points6 points  (0 children)

Were I a vendor, I'd spend time reading the legal docs on other arrested vendors. My recollection is most have been caught based on package profiling, nothing tech related. I definitely can't think of a single case where a vendor has been identified using the blockchain (which might tell you that the overemphasis on tumbling coins is overrated while the lack of emphasis on rotating packaging, shipping points, etc. is underrated).

The Ulbricht case demonstrates that being in public can be more dangerous than being at home - it allows LE to grab your laptop unlocked with the encryption key loaded into memory (making full disk encryption useless). There are ways to not share IP addresses between your real and vendor identity without leaving your home (use multiple Tor circuits, use Whonix, use a separate laptop with Tails on it, etc.).

[–]EarnestMalware 1 point2 points  (5 children)

"Perfectly" will depend on the kind of heat typical to your particular market.

[–]ShulginsCat 4 points5 points  (4 children)

I'm in the US. Here, a few vendors got caught. When that happens everybody on /r/DNM looks over their investigation and makes fun of their opsec. I started thinking - really once the FBI has decided to get to you, how long can you extend the chase without losing your entire social life and living in a fucking cave?

Some of these vendors are plain dumb, granted. But some aren't. And they still got caught. Are the ones who didn't get caught smarter or just luckier?

[–]AgoraMarket 9 points10 points  (3 children)

really once the FBI has decided to get to you, how long can you extend the chase

Some of this is confirmation bias. The fact is, since DNMs themselves began, probably 98% of vendors have never been caught.

You only read about the few mistake-prone vendors who were arrested. You'll never see a headline "Man sells on DNMs for 3 years straight, remains unidentified, continues to vend with impunity" -- despite the fact that the vast majority of vendors fall into that category.

[–]brassmail 5 points6 points  (0 children)

And a lot of those vendors and Ross had pretty clear warning signs that the feds were closing in on them, yet were too cocky or naive to GTFO, burn shit down, etc.

Not saying Ross (Homeland Security had already confiscated his IDs, chronicpain knew "too much"), the admins who eventually were arrested due to him having their dox, or DoctorClu (who had feds come to his door a week earlier) would've been in the clear, but they certainly could've limited the damages a bit if they had paid attention to pretty big red flags. The dealers I know IRL also had the same warning signs of police investigations but never stopped when it was clear they should've. Hindsight is 20/20, but damn...

[–]ShulginsCat 2 points3 points  (1 child)

Does that mean the FBI is investigating every vendor and waiting for one to make a mistake? Or do they just choose one based on the postal inspector finding a few packages, and then follow the lead until they nail the vendor?

[–]AgoraMarket 6 points7 points  (0 children)

I doubt FBI can identify which vendor sent a random package [addressed to a random buyer] just by intercepting it... they have to do controlled buys, so they know with certainty the vendor's username, and can then start profiling packages.

I have no idea if they're actively investigating "all vendors" or only the high-value ones (1000+ deals, bulk sellers, sellers of toxins, etc.). Either way, their 2% success rate is abysmal.

[–]kloudykat 0 points1 point  (0 children)

Damn good post

[–]AgoraMarket 4 points5 points  (3 children)

Most people here laugh at his OPSEC mistakes or mock him

It sounds like he simply didn't have the programming expertise to single-handedly code a functioning DNM. So his [very bad] idea was to start farming out for more competent people to refine and upgrade the site's capabilities.

That was probably his biggest mistake, again showing that he was totally naive as a criminal. A savvy criminal would recognize that he couldn't do the job himself, and that it would require trustworthy accomplices -- "trustworthy accomplices" being an oxymoron, anyone with common sense would have nixed the plan altogether at that point.

[–]VirtualMoneyLover 2 points3 points  (2 children)

anyone with common sense would have nixed the plan altogether at that point.

What if he had moved to a country with no extradition? Even if he is discovered, he cannot be touched... Assuming he was serious about the business...

[–]Vasyrr 5 points6 points  (0 children)

Ultimately it would not have helped him: either he was going to get caught by law enforcement, or he was going to get robbed/rolled by a trusted accomplice.

It bears repeating, there is no such thing as a trusted accomplice.

One or the other was just a matter of time; there is already plenty of suspicion that the redandwhite/tony76 affair was Ross being played by two people who knew each other to relieve him of a large amount of Bitcoin.

When you rely on anonymity, and use anonymizing tools and communication as extensively as a DNM requires, the likelihood of blackmail, extortion and/or robbery from within the ranks increases exponentially.

With the amount of money SR was turning over, Ross was either destined for prison or for ending up at the bottom of a river somewhere, the moment he started hiring staff and trusting others.

[–]btcthinker 0 points1 point  (0 children)

Or just build a decentralized black market, but then he wouldn't have made that much money.

[–]ChaosMotor 0 points1 point  (2 children)

Something to keep in mind the next time you're using a service that is legally questionable

Right, because white-market businesses like banks never fuck over their customers!

[–]creamynebula 1 point2 points  (0 children)

Or the implication is: keep in mind that grey-area businesses will fuck you over just the same; don't think that they are heroes that will fight the man for you just because they work in a grey area.

[–]0xb44d 0 points1 point  (0 children)

There are a ton of white-market banks that have gone down for their customers.

[–]deltadopamine 14 points15 points  (0 children)

Sometimes I like to take myself out of my head and try to read these posts as a lawyer from the 1800s. What in the everloving fuck did the world turn into? Jules Verne said nothing about this.

[–]jaspmf 10 points11 points  (0 children)

Beautiful writeup, thanks for obviously taking so much time to thoroughly document thought processes.

[–]drpnit 8 points9 points  (1 child)

Gwern, you are absolutely amazing. I see what you're up to when you disappear for long periods of time. The amount of work you guys must have poured into this... incredible.

[–]InfinitelyOutThere 4 points5 points  (0 children)

Gwern is our patron saint

[–]Dirty_Cop 4 points5 points  (1 child)

a

[–]creamynebula 0 points1 point  (0 children)

Interesting idea.

[–]brassmail 6 points7 points  (4 children)

I'm going with an insider at MTGOX just swiped his BTC; I think that's the simplest and most probable, but maybe a third-party hacker too. All those $6 gas expenses are funny, he was broke as hell--or were those charges for a generator at the mushroom cabin? Some generators hold 2-3 gallons, so it could be each time he had to fill it up he put it on his spreadsheet? Even I can afford to put a $10-20 spot into my tank...

[–]brassmail 4 points5 points  (1 child)

Makes sense... it's odd that he wouldn't fill up at least a ten gallon gas jug each time. Funny thought imagining him going to some backwoods gas station every other day, filling up his tiny little pail with 2.5 gallons, then disappearing down some logging trail into the forest.

Edit: LOL and he bought some lab clothes, what a pro.

[–]wombosio 2 points3 points  (0 children)

I figured that was the gas cost to drive out to the cabin there and back, just roughly calculated by mpg, not that he actually put 6 bucks in at a time.

[–]wombosio 1 point2 points  (0 children)

I figured that was the gas cost to drive out to the cabin there and back.

[–][deleted] 3 points4 points  (9 children)

Does anyone know what FPGAs are?

/u/gwern ?

[–][deleted] 0 points1 point  (7 children)

Gotcha. One more question. Do we know who Variety Jones/cimon really is?

[–][deleted] 1 point2 points  (5 children)

That's the part that gets me. This guy kinda pops out of nowhere. Almost seems as if he was the puppet master dangling Ross's strings. Do you think he could have been created by Ross or the defense as a mirror act? I mean, you would think, with as careless as Ross was in every aspect of OPSEC, he would have left some form of trail to this "mystery man". Thoughts? By the way, I love all your research and contributions to the knowledge of market history. I have read almost every article you have written on the subject. Keep up the good work.

[–]asimovwasright 0 points1 point  (3 children)

Coming with a nice security patch and all sorts of advice is a good way to start an undercover operation.

[–]asimovwasright -1 points0 points  (1 child)

Because intel agencies are not PR agencies.

They don't care if a senator asks for the head of a website.

I could make an infinite list of reasons why it would have been better to infiltrate Silk Road rather than shutting it off:

  • a massive number of drug dealers in the same place... a fking wet dream for the DEA

  • Bitcoin laundering: where, when, who

  • etc...

But you'd better know what you're doing, because if something goes wrong, you're gonna have a bad time explaining how you let dealers sell drugs on US soil...

There are precedents.

[–]asimovwasright 6 points7 points  (3 children)

Quick questions about the expense sheet:

  • Why so many donations to the Tor project?

  • Could we know which FPGAs he bought with 10K BTC?

  • Why $37.000 in Yubikeys? Did SR give them to vendors or something I'm not aware of?

  • What is "op greensville" ($162K)?

  • What is "loan to R&W" ($500K)?

  • Who is "da", some payroll before SR?

Quick question about the above report:

An important note regarding the leaked files: the insider believes parts of them to have been altered by hackers, possibly the same ones that released the files. Further, we learned that the original files were altered too. Further, hackers had full read/write access to all Mt. Gox servers for 3 days, deleting server logs after they were finished.

How can you make any assessment based on corrupted data?

Maybe that was the point. (Corrupt the data and wait for people to connect the dots, i.e. the dots you write.)

Anyway, nice read! Well done.

[–]asimovwasright 0 points1 point  (0 children)

Yeah, sorry, I asked about R&W without checking. I found the Ars Technica article about the story.

[–]AussieCryptoCurrency 2 points3 points  (1 child)

OP: fantastic post. Great read.

Just quickly... What's JTAN?

[–]impost_r 5 points6 points  (0 children)

Server host for several of DPR's servers; JTAN was used for the backup server, dev server, chat(?), and bitcoin storage.

[–][deleted] 2 points3 points  (2 children)

Out of curiosity... How much time did you spend on this? Lol

[–][deleted] 0 points1 point  (0 children)

Sounds like it. Thanks though, man, you did the community a big service.

[–]ShulginsCat 6 points7 points  (0 children)

Read through this twice and still have no idea what's going on. Take an upvote.

[–]SM411 1 point2 points  (0 children)

If I were to dig down a wallet with backup coins in case I got caught, I would also have tried to document everywhere possible that they were stolen. Maybe Ross will be a millionaire when he is released from jail.

[–]creamynebula 1 point2 points  (0 children)

I think the theory that a Mtgox insider figured out who the account belonged to and decided to clean it is the most plausible one.

While reading I also thought of a conspiracy theory: maybe someone from LE did "follow the money", then actually found the Silk Road servers because they were connecting to mtgox from the clearnet. And then, with access to its servers, found the login details for the hedging account hardcoded as you suggested, stole Ross's money, and then proceeded with coming up with a parallel construction such as the captcha thing to bust it much later with another story, so no one would find out that they stole the money from Silk Road.

[–]DeeBoFour20 1 point2 points  (0 children)

It's really just speculating on who stole Ross's coins, but I'm gonna guess an SR1 insider. You said he was using APIs from the SR server directly to Mt. Gox, so if he's going to be that careless he probably didn't think to hide the password/API keys that were stored there. Someone else with access to the SR server probably stole them and he was never the wiser.

Is hedging on exchange intrinsically unsafe for any large black-market due to the distinctive signature, increased counterparty risk, and high volume of trades?

Yeah, dumb as fuck, especially on an exchange. Most exchanges have AML requirements even if you never withdraw fiat, so you'd need to fake identification. If that exchange later figures out your ID is fake and suspects illegal activity, they can freeze the account and seize all your funds (or turn them over to the police). It also ties the illegal market to a specific clearnet market, so LE can possibly make a connection "following the money." On top of all that, you run the risk of the exchange getting hacked, getting shut down, or your specific user account getting hacked (like what happened to Ross). BTC in an exchange is inherently less safe than BTC where you exclusively control the private key.

And all that risk for what? Making your vendors less angry on a market crash? If the vendors are that worried about price fluctuations they can temporarily require FE until prices stabilize or just pull their listings.

[–][deleted] 1 point2 points  (1 child)

Fascinating. Well done, Gwern. Somebody x-post this to /r/bitcoin.

[–]punkrampant 1 point2 points  (1 child)

[–]changetip 1 point2 points  (0 children)

The Bitcoin tip for 4,229 bits ($1.00) has been collected by gwern.


[–]bitcoindark 0 points1 point  (3 children)

Regarding Question #6, wasn't it around this time that DPR considered creating his own bitcoin exchange?

[–]bikergirl666 0 points1 point  (1 child)

Gwern, where is the SR spreadsheet? I see the journal that has sporadic entries, but is the actual infamous spreadsheet that has everything itemized in the evidence list dump that's floating around the Internet (Scribd, Vice, etc.)?

[–]slowmoon 0 points1 point  (2 children)

And how is USD-value locked in these days?

[–]slowmoon 0 points1 point  (0 children)

People should eventually just move to multi-sig escrowed bitUSD or nubits instead of bitcoin. Buyers won't get FE-scammed anymore. The exchange can't run with the money. Sellers can't get screwed by volatility. That's a win-win situation for everyone.

Don't introduce counterparty risk and security loopholes by trying to hedge with options or trading. Don't expose yourself to bitcoin's insane overnight 30% drops. Don't FE. These are all inferior solutions.

[–][deleted] 0 points1 point  (0 children)

They say insider information makes a market more accurate

which must be a good thing...?

[–][deleted] 0 points1 point  (0 children)

"It was not clear how DPR had implemented hedging"

I'd love to know too. It wouldn't be too hard to work out the mathematics, but safeguarding against some of the dangers must have been tricky.


[–]Wailuku808 0 points1 point  (0 children)

The "Russian" hackers are a wild card. Are they that good? If so, why not? Maybe SR1's lost coin was micro-momentarily rubles...

[–][deleted] 2 points3 points  (1 child)

tldr?

[–]iLoveDNM 10 points11 points  (0 children)

No, it's worth reading the entire thing. Really, it is.

[–]benjamindees -3 points-2 points  (2 children)

The government did not take them.

LOL, no.

Scouring manipulated log files will get you nowhere. Pay attention to the big picture.

[–]0xb44d 5 points6 points  (0 children)

You conspiracy theorists are really annoying. Absolutely no basis in logic or reason for anything that you say, which means everything is just retarded ranting.

Edit: just to prove that point, and that you don't understand what you are linking to: MtGox was based in Japan; you can't use any seizure law to take property internationally. Further, if it was used, there would be a suit on file against the MtGox account, which would stick out. The reforms actually reform very little; it has more to do with local and state LE agencies having the Feds 'adopt' seizure cases to help justify them when there is no indictment.