“Lotsa luck” is an expression that is very appropriate to law enforcement investigators who need to track down miscreants on the dark web, which is truly its own little world – and its rules and customs make identifying bad actors a very difficult task.
On dark web marketplaces, everything is anonymized, so there is no connection to actual identities. All transactions are conducted in cryptocurrency, and finding the point where the cryptocurrency is converted into cash is like finding a needle in a worldwide haystack.
With everything anonymized, law enforcement truly needs a lucky break in order to track down dark web cyber-criminals. A good example of how a lucky break helped catch a dark web baddie is the case of the OxyMonster, aka Gal Vallerius, a resident of France. Vallerius was a moderator on Dream Market, a dark web marketplace, where he brokered deals for cocaine, opioids and other illicit substances. He was only caught due to a series of mistakes he made – the biggest one being his decision last year to travel to Texas to show off his very distinctive red beard in a contest.
Officials were able to link photos of his bearded visage that he posted online with a Bitcoin “tip jar” where he received money for facilitating drug sales on Dream Market. Investigators found a connection between that cryptocurrency account and a physical currency account where he cashed in his Bitcoins – and hauled Vallerius in.
Drugs are far from the only merchandise available on the dark web; there are far more unpalatable items available, like child pornography, for example. In one recent case, the FBI utilized a defunct dark web child porn site (called Playpen) to tempt child pornographers to upload images. Using a “poison” Tor plug-in, the feds were able to trace the IP addresses of some 1,500 computers. But here, too, it was the mistake of users – who installed a third-party plug-in that eventually compromised their security – that led to their capture.
When bad actors make mistakes, they give law enforcement an opportunity to catch them. The trick is to catch them when they don't make mistakes, and doing that on the dark web is very difficult. Vallerius is a perfect example.
Even given the errors he made, “tracking down Vallerius — the biggest of a half-dozen dark web targets charged over the past two years in South Florida — was not easy. It involved the DEA, FBI, IRS, Homeland Security Investigations and the U.S. Postal Inspection Service,” according to media accounts of the investigation. In the FBI child porn case, it took several months from beginning to end to track down the users of the phony site, and only those who installed the plug-in were caught.
How can law enforcement zero in on dark web culprits who don't make mistakes – who, we can assume, are the majority? The best way is by using big data to connect the pieces – to look for the points of confluence, where information from different sources corresponds.
For example, if a group of hackers is selling data stolen from credit card accounts for cryptocurrency, they will collect the cryptocurrency and then try to convert it into cash. A big data sweep of transactions on systems where such conversions take place could yield information about the perpetrators. Tracing the transaction back to the wallet from which the cryptocurrency was converted could help identify the crooks.
That, too, is not a simple task. In fact, the only way to make those connections is with specialized software and systems that can scan the dark web and collect this information. The system can then analyze what it has found and look for data that corresponds to the possible identity of cyber-criminals. That data could include financial transactions, geographical markers, language, style, etc. – anything that can connect the dots between criminals and transactions.
A proactive approach can also be used to track down other threats, like organized crime or terrorists. The system links all the different entities and data, and looks for a link point where there is an exit or link to the surface web. Using big data analytics on data gathered from the dark web is a lot more efficient and effective than waiting for a criminal to make a mistake.
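The "points of confluence" idea above, as an added worked example that is not code from the article or from Webhose: three small constructed datasets (marketplace postings that tie a pseudonym to a tip-jar address, ledger transfers between addresses, and an exchange's deposit ledger that ties an address to a customer account) are merged into one graph, and the analysis asks two questions: which nodes appear in more than one dataset (where the sources correspond), and is there a path from a marketplace handle to a cash-out account? Every handle, address and account id is made up, and the flat record format is an assumption of this example.

```python
"""Link analysis over constructed dark-web investigation records.

Added example, not code from the article or from Webhose. Every handle,
address and account id below is constructed sample data.
"""
from collections import defaultdict, deque

# Each record is (dataset, node_a, node_b); a node is "kind:value".
# The three constructed datasets stand in for sources the article names:
#   market   - marketplace postings (pseudonym -> tip-jar address)
#   chain    - public ledger transfers (address -> address)
#   exchange - an exchange's deposit ledger (address -> customer account)
RECORDS = [
    ("market",   "handle:VendorX",     "addr:bc1qTIPJAR"),
    ("chain",    "addr:bc1qTIPJAR",    "addr:bc1qHOP1"),
    ("chain",    "addr:bc1qHOP1",      "addr:bc1qHOP2"),
    ("chain",    "addr:bc1qHOP2",      "addr:bc1qEXDEP"),
    ("exchange", "addr:bc1qEXDEP",     "account:EX-1042"),
    # A second vendor whose funds never reach an exchange in our data.
    ("market",   "handle:OtherVendor", "addr:bc1qOTHER"),
    ("chain",    "addr:bc1qOTHER",     "addr:bc1qDEAD"),
]


def build_graph(records):
    """Undirected adjacency plus, per node, the set of datasets it came from."""
    graph = defaultdict(set)
    sources = defaultdict(set)
    for dataset, a, b in records:
        graph[a].add(b)
        graph[b].add(a)
        sources[a].add(dataset)
        sources[b].add(dataset)
    return graph, sources


def confluence_points(sources):
    """Nodes seen in more than one dataset: where the sources 'correspond'."""
    return sorted(node for node, seen_in in sources.items() if len(seen_in) > 1)


def find_path(graph, start, goal_kind):
    """Breadth-first search from start to the nearest node of kind goal_kind.

    Returns the list of nodes on the path, or None if the datasets never
    connect the start node to such a node (the 'no mistake made' case).
    """
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node != start and node.split(":", 1)[0] == goal_kind:
            return path
        for nxt in sorted(graph[node]):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def trace_cashout(records, handle):
    """Path from a marketplace handle to an exchange account, if one exists."""
    graph, _ = build_graph(records)
    return find_path(graph, handle, "account")


if __name__ == "__main__":
    g, src = build_graph(RECORDS)
    print("confluence points:", confluence_points(src))
    for h in ("handle:VendorX", "handle:OtherVendor"):
        print(h, "->", trace_cashout(RECORDS, h))
```

The confluence nodes are the addresses that appear both in the marketplace data and on the ledger, and the address that appears both on the ledger and in the exchange's records; those are exactly the link points the article describes, and only the vendor whose funds reach an exchange yields a full path.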
By Liran Sorani, Cyber Business Unit Manager at Webhose