Darkweb Vendors and the Basic Opsec Mistakes They Keep Making
Law enforcement agencies are no longer in the dark when investigating involving darkweb vendors. Simple information leakage and a basic lack of compartmentalization end a vendor’s career. And vendors continue to make the same fundamental mistakes. Below are some examples of darkweb vendor caught due to the some of the most basic OPSEC failures possible.
Emil Babadjov
aka Blime-Sub and BTH-Overdose
Babadjov had a fairly brief career but made a surprising number of mistakes, many of which led to his arrest and subsequent incarceration. Through the accounts Blime-Sub and BTH-Overdose on Alphabay, Babadjov sold fentanyl, heroin, and methamphetamine. Records revealed that Babadjov had completed almost 2,000 sales on Alphabay alone.
In January 2016, a Drug Enforcement Administration (DEA) taskforce identified the vendor accounts as potential targets in their ongoing efforts to uncloak and arrest darkweb vendors. The DEA targeted the vendor in September 2016. According to a Criminal Complaint filed by DEA Special Agent John Rabaut, users of various forums for the discussion of darkweb markets had posted information that revealed the location from which Babadjov had shipped packages. Customers had noted that both Blime-Sub and BTH-Overdose had shipped packages from approximately the same area: the West Coast, “possibly somewhere in California.”
Special Agent Rabaut checked the user ID information on the PGP key associated with the Alphabay vendor account BTH-Overdose. Although Babadjov had not used his real name in the user ID packet, he had used an email address that led to his downfall: babadjov@gmail.com. Open source intelligence gathering led the DEA special agent to a Facebook account registered to “Lime Vojdabab.” A fake name but obviously Emil Babadjov in reverse. SA Rabaut sent a subpoena to Coinbase in which he had requested any information on babadjov@gmail.com. Coinbase provided data that indicated Emil Babadjov had signed up for an account with the same email address on November 13, 2015.
The second search submitted by the DEA special agent also yielded positive results. He had searched for user information under the name of the defendant. Coinbase records indicated that Emil Babadjov had attempted to create a new Coinbase account on March 18, 2016. He provided an email address that connected BTH-Overdose — the source of the PGP key with the email address — with the Alphabay vendor account Blime-Sub: blimesub@gmail.com.
Investigators collected more evidence before making the arrest but the rest of the case is hardly unusual. The one element that stands out is the identification of Babadjov.
The postage for a package of drugs ordered (from BTH-Overdose) by law enforcement was purchased via a Self-Service Kiosk (SSK) in San Francisco, California. Working with the United States Postal Inspection Service, investigators traced the package to the specific SSK and the specific time someone had purchased the postage.
Because SSK transactions are not face-to-face transactions, the SSK system takes photos of the person making the transaction. [Postal] Inspector Burger retrieved the photo of the suspect who purchased the postage for [one of the undercover packages] and provided the photo to me. I positively identified the individual in the photo as Emil Babadjov based on my review of his California Driver License photo and social media photos.
Babadjov is currently serving his prison sentence at the low security Lompoc Federal Correctional Institution in Lompoc, California. His scheduled release date is 01/02/2021.
Abudullah Almashwali & Chaudhry Farooq
aka “Area51” and “DarkApollo”
Almashwali and Farooq also sold opioids on the Alphabay darkweb market. They used the vendor accounts Area51 and DarkApollo as their usernames.
Unsurprisingly, the Drug Enforcement Administration (DEA) taskforce behind the Babadjov arrest also investigated Almashwali and Farooq. DEA Special Agent John Rabaut, the lead investigator in the Babadjov case, also led the investigation into Almashwali and Farooq. And he used the same tactics in both investigations.
The user IDs for both the Area51 and DarkApollo vendor accounts on Alphabay contained an email address linked to other services: Adashc3l@gmail.com. The “other services” directly identified the defendants as the account owners. “A social media search for the phrases “Adashc31” and “Adashc” resulted in the discovery of a Twitter, lnstagram, and Facebook account belonging to someone identified as Ahmed. Farooq or Ch. Ahmed Farooq,” SA Rabaut wrote in the Criminal Complaint.
Based on information from forums about darkweb marketplaces and vendors (likely /r/darknetmarkets), the special agent knew that packages from Area51 and DarkApollo shipped from Post Offices in Brooklyn, New York. The Facebook profile associated with the “Adashc31" search indicated that Farooq resided in New York.
SA Rabaut subpoenaed Facebook for the subscriber information associated with the Facebook account in question. He received information about Farooq. Of note, according to the complaint, he received a phone number that was “part of an on-going investigation targeting a Drug Trafficking Organization (DTO) that was selling heroin in Brooklyn, New York.”
Law enforcement conducted undercover transactions with Area51 and DarkApollo (Referenced in the complaint as UC Parcels). The packages contained the heroin ordered by law enforcement as well as Almashwali’s fingerprints.
Postal Inspectors identified the Self-Service Kiosk (SSK) Almashwali had frequently used to purchase postage. The DEA Special Agent confirmed the pictures of taken at the SSK matched pictures law enforcement had on file. Farooq seemingly avoided the camera; Almashwali worked as his shipper, keeping Farooq shielded from investigators. However, Almashwali used Farooq’s credit card when purchasing postage at the SSK. The card was linked to Farooq’s real name and address.
On Monday, July 24, 2017, a federal judge sentenced Almashwali to 6.5 Years in Prison. He admitted conspiracy to distribute and distribution of heroin and cocaine. Almashwali does not appear in the BOP registry.
On January 23, 2018, a federal judge sentenced Farooq to 23 months in prison for his role in the conspiracy. He pleaded guilty to a single count of conspiring to distribute heroin. The BOP released Farooq on 05/17/2019.
Jose Robert Porras III
aka “Canna_Bars” & “TheFastPlug”
Jose Porras ran a fairly tight ship. He sold premium marijuana, Xanax bars, and codeine syrup, and methamphetamine under the aliases “Canna_Bars” and “TheFastPlug” on Dream Market, Hansa Market, TradeRoute and Wallstreet Market. His problem, like many vendors, was turning dirty bitcoin into United States currency.
Even though only one of the mistakes proved fatal to the lucrative career of the vendor, that one mistake made the case fairly unique. Other interesting (but non-essential) pieces of information came from the investigation as well.
Homeland Secuity Investigations and the United States Postal Inspection Service conducted an investigation into Porras during Operation Dark Gold wherein undercover agents in New York posed as a money launderer for darkweb vendors. The vendors would send the supposed money launderer bitcoin and other cryptocurrency in exchange for physical United States Currency. (Yes, this is a real thing.) Porras, along with dozens of unrelated vendors, received cash in the mail from federal agents who had taken control of an account operated by a darkweb money launderer.
This information, of course, was under seal at the time of Porras’ arrest and the details — even after the conviction of all vendors arrested during Operation Dark Gold — remain sealed. Law enforcement agents with Homeland Security Investigations are most likely continuing to operate the seized darkweb money launderer’s account in an ongoing investigation into darkweb vendors. The money laundering details available to the public only surfaced after the Operation Dark Gold announcement. Authorities then filed a superseding indictment in the Porras case that added more than a dozen money laundering charges.
The most unique part of the investigation came from an analysis of a marijuana advertisement posted by Porras under the Canna_Bars alias. To demonstrate the quality of the marijuana available on the vendor account, Porras posted several pictures on the photo sharing service Imgur of the marijuana. Porras held the product in many of the pictures.
He failed to use gloves. A casual drug user might not have anything to worry about (see: all pictures of drug stashes found on drug related subreddits). Darkweb drug vendors, though, are playing a constant cat-and-mouse game with law enforcement. The less information about the vendor in circulation, the more likely the vendor is to stay out of police custody.
Here is what the special agent did with the pictures Porras had uploaded:
On March 19, 2018, I downloaded the highest resolution photograph available from the aforementioned album on the Imgur.com website and submitted the photo to the HSI Forensic Document Laboratory (“FDL”) for comparison with the known fingerprints of PORRAS captured from his previous arrests. On March 20, 2018, the HSI FDL replied to my latent fingerprint examination request and, in report #18–01630, stated that the visible fingerprints in the photo returned a match to the known fingerprints of PORRAS. The fingerprint identifications were established by a comparative analysis of the friction ridge detail for the fingerprint impressions in question.
Here is an archived version of the Imgur album: imgur.com/a/uy7PY.
Porras pleaded guilty to distributing controlled substances and possessing a firearm as a convicted felon. He has not yet been sentenced.
The defendants below were also caught as a result of Operation Dark Gold. (translation: they gave an undercover law enforcement officer their address). Many others have since been arrested or — according to Criminal Complaints — are still under investigation.
Nicholas Powell and Michael Gonzalez
- “TheSource,” “BonnienClyde,” BnC,” “BCPHARMA,” and “Money TS.
Daniel Boyd McMonegal
- “Sawgrass,” “Ross4Less,” and “ChristmasTree”
Antonio Tirado and Jeffrey Morales
- “TrapGod”
Jeremy Achey
EtiKing & Brohemoth
Achey has a unique case. I had to leave out pages of details in order to fit even a third of the saga in this article. Not only did the Bethlehem man run the fairly prolific darkweb vendor account “EtiKing,” he also — under various pseudonyms — actively participated in the “legal” research chemical community. Former members of some of the research chemical forums and subreddits likely remember some of his aliases. Although a countless number of mistakes resulted in Achey’s arrest, some of them stood out more than others.
According to the Criminal Complaint, a fatal overdose in Florida in February 2017 sparked the investigation into Achey.
The coroner’s report:
CONCLUSION: In consideration of the circumstances surrounding the death, and after examination of the body, and review of medical information found at the scene, it is my opinion that the death of [Victim], a 24 year old white female, is due to combined toxicity of tetrahydrofuranfentanyl and etizolam. The manner of death is classified as accident.
Local authorities alerted the Drug Enforcement Administration. The DEA analyzed the tetrahydrofuranfentanyl and etizolam and confirmed the medical examiner’s report. (At this date, tetrahydrofuranfentanyl was not yet a controlled substance in the United States.) In March, DEA Special Agent Mark Bruso and others reached out to the significant other of the deceased and learned that the couple had routinely purchased products from a darkweb vendor on Alphabay identified as EtiKing. The signficant other (SO) had spoken to EtiKing over a video chat and described his appearance to law enforcement. The DEA agents assigned to the case signed into the account used by the deceased and found messages with EtiKing and a transaction history that confirmed the information the SO had provided.
The first piece of information could have ended Achey’s career by itself; the package of tetrahydrofuranfentanyl and etizolam received by the couple in Florida had the following return address handwritten on the package: USDTO #6088 1321 Upland Drive, Houston TX 77043. Undercover purchases from federal agents confirmed that the majority of the packages from EtiKing had the same return address.
USDTO stands for US Drug Testing Organization. Achey, under the username jeremysdemo, spammed links to the site on the /r/researchmarkets and /r/RCsources subreddits. Under the username jeremysdemo and at least one similar username, Achey moderated several research chemical subreddits. He even posted about the very research chemical site used as a part of his EtiKing operation.
EtiKing packages shipped with postage from the Bitcoin postage company Stampnik. Stampnik requires the valid email address of the person purchasing postage. A subpoena requesting all information from Stampnik about the USDTO address revealed that EtiKing had used at least nine email addresses to purchase postage for his customers. Many of the email addressses linked EtiKing (and therfore Achey) to other criminal enterprises in the research chemical sector.
brohemath@protonmail.com; getups@mail.com; getups@protonmail.com; onutra@protonmail.com; pbchems@protonmail.com; pbchems@ruggedinbox.com; stevemastermind76@yahoo.com; supernOva@protonmail.com; and usdto@riseup.net.
(See how many of those email addresses you can independently link to either Achey or another one of Achey’s identities.)
Agents with the DEA in Nashville reached out to SA Bruso about a confidential source described as a person “well-versed” in research chemicals, darkweb markets, and Alphabay specifically. The confidential source had originally created and operated the EtiKing vendor account, according to the Criminal Complait. The source sold the account to someone online for $400. The source provided the DEA with multiple bitcoin addresses associated with the $400 transaction.
In darkweb vendor investigations, law enforcement does the same thing almost any time they discover an email address associated with a darkweb vendor. They turn to Coinbase. Armed with relevant bitcoin addresses, a physical address, and half a dozen email addresses, authorities subpoenaed Coinbase. In June 2017, Coinbase returned data in reference to the subpoena that identified the account owner as Jeremy Achey.
Coinbase.com provided Jeremy Achey’s user attributes.
- Achey listed his company as “USDTO” with the website of USDTO.org, as a “charity” and “sole proprietorship.”
- Additionally, Coinbase.com records indicate that Achey listed “brohemath@ruggedinbox.com” and “brohemath@protonmail.com” as his personal email addresses. “Brohemath@protonmail.com is one of the email addresses used by EtiKing to purchase labels from Stampnik.
- Coinbase turned over data on four different accounts in connection with the search.
A federal grand jury found Achey guilty of conspiracy to distribute and distribution of controlled substance analogues. Achey is incarcerated at USP Coleman I in Sumterville, Florida. He is serving a life sentence.
These mistakes are common. And now vendors have accounts on a handful of marketplaces, Reddit, Dread, and other darkweb forums. A mistake on any one of the accounts could result in the end of the vendor’s career.
The only mistakes that are perhaps more entertaining to read about are the ones documented in Operation Dark Gold. Instead of searching for information on various darkweb vendors, federal agents waited for the darkweb vendors to provide law enforcement with the addresses of their homes or drops.
Special Agents of the HSI New York Field Division, in coordination with the U.S. Attorney’s Office for the Southern District of New York, posed as a money launderer on Darknet market sites, exchanging U.S. currency for virtual currency. Through this operation, HSI New York was able to identify numerous vendors of illicit goods, leading to the opening of more than 90 active cases around the country.
Read More About Operation Dark Gold: First Nationwide Undercover Operation Targeting Darknet Vendors Results in Arrests of More Than 35 Individuals Selling Illicit Goods and the Seizure of Weapons, Drugs and More Than $23.6 Million
