The OxyMonster Arrest - Open Questions

I was reading the limited article out there regarding the bust of OxyMonster. Here are some thoughts/concerns/confusion. If the article and LE are to be believed, OxyMonster was betrayed due to BTC analysis and LE somehow became aware of a reused BTC address that eventually linked to his LBC account. I can only assume that the BTC address referenced is one that was used to accept withdrawals from Dream. The following is a lot of speculation/options, but these I believe are very good questions we should be asking in analyzing what the fuck is going on.

In August, agents learned that "OxyMonster" was using a certain bitcoin address for the sales transactions. They soon analyzed incoming and outgoing transactions from that bitcoin address and discovered that most of them went to Vallerius on Localbitcoins.com

Has anyone wondered how this was made possible? If this is true, this implies that Dream is infiltrated at the server level at least, right? If LE was performing controlled buys, how would it be possible that LE could do bitcoin analysis? Dream is definitely big enough that vendor withdrawals shouldn't be able to be linked to a purchase. The chain would have been broken between the buyer deposit (LE controlled buy) and the vendor withdrawal. Can anyone else figure out how this would be possible without LE having server access? It's not enough to just know the hot wallets. They had to have insider information to know that OxyMonster withdrawals went to that particular BTC address.

was using a certain bitcoin address

Seriously?? Does this imply that OxyMonster was reusing the same Bitcoin address for withdrawals? I'm not a vendor so I don't know how withdrawals work on Dream. Do vendors specify a single BTC address on their vending account and then all withdrawals go there? If so, that is a shitty system. BTC addresses should NEVER be re-used. Ever. And it's for this reason. However, if LE had servers compromised, it's a moot point.

If LE didn't compromise servers, does that imply vendor was hacked?

We have seen a BUNCH of vendor accounts hacked lately. LE would be able to get transaction history with a hacked vending account. The question is - is this how they are doing this? By hacking vendor accounts, they get what they need to bust a vendor and it does not require LE to have server access. This would be sobering. Are hacked vendor accounts then a part of a large LE operation to bust vendors and not just hackerz for lulz? Perhaps this is why? The other question is, I would assume OxyMonster would have 2FA. Did he get phished somehow via a sophisticated phishing site that would "forward" the PGP to be decrypted? One thing though is that it seems like vendors who have been hacked also had their PGP changed to enable future logins, since hackers would be doing it for coin and not to arrest a vendor. LE would not want to do it this way. So does this imply that Dream's auth mechanism is fundamentally flawed? Vendors get phished. But would a sr. moderator (and potential admin) be that gullible? I'm torn on this being likely. Perhaps LE wouldn't care about future access to the account (like a hacker would who wants to steal) and thus if they phished him once, they get one-time access and they see the withdrawal address and that's all they need.

An alternative to the way BTC was discovered

It is also possible, but I think unlikely, that LE worked the other way. They went from his LBC account for some reason and worked their way back and found a connection between his LBC account and the Dream hot wallet. I'm thinking it's unlikely because he wasn't American as far as I know. If he was American, it might make sense that the IRS could look into an LBC account to ensure taxes were paid. But since he wasn't, I don't see why US LE and the IRS would be involved unless they were investigating it from a drug angle from the start. I just don't think LE worked from LBC back. They worked from Dream and linked his LBC. This would also imply that he didn't tumble or that tumbling is absolutely worthless.

I'll post more confusion points I've had with this. There are some potentially wide-reaching implications. Perhaps it's as simple as he got phished, but my original thought was "LE is inside Dream" and they have access to the servers and it's just busting guys at this point.

If LE had server access, why wait? What of the luckyduckquack who claimed that Dream would go down August 20?

luckyduckquack was that guy who predicted the Hansa takedown if I recall correctly. He also predicted Dream would be taken over Aug 20. That date came and went. Perhaps he wasn't fully incorrect. LE would have known at some point that Oxy was heading to get his beard judged in Austin, TX. This would be enough for LE to want to wait to make any move until he was nabbed. This is due to my understanding that France will not extradite their citizens to the US, and this could have played a role in LE waiting until he landed in Atlanta. So it's possible luckyduck was right but the timeline was skewed so they could nab this guy.

Is this related to the bitcoin wallet and coin loss and other weird bugs/issues/problems at dream?

To sum up, does the fact that Dream has had a lot of bad issues since this guy's arrest relate to OxyMonster's arrest? If so, then it seems pretty damning evidence that OxyMonster is more than just a Forum Moderator and is an admin, or LE were able to locate servers/gain server access and LE has caused the issues. This might imply LE didn't have server access before, because why would the arrest change how things are being run on Dream if they had it compromised before. But then, it begs the first question - how did they find OxyMonster's BTC address in the first place? Or perhaps they did have servers compromised before, and the arrest of OxyMonster is just changing the nature of the operation now. Before, they were quiet and doing nothing, and with OxyMonster's arrest, they are now entering another phase.

All speculation but I think these are fair questions I wanted to pose to you guys.


Comments


[22 Points] Throwabix:

Oxymonster has a btc address on his Dream Market profile...claiming it's a Dream Market staff tip jar... could it have been his on the sly?


[8 Points] ThrowawayURlifedrugs:

Thinking they could have done a DD to obtain an address.


[5 Points] ajax_jives:

I am almost certain the luckyquackduck guy was LE. He called the Hansa seizure to look omnipotent, and then warned everyone off Dream too, to get them to stay away. LE's last tactic after Operation FuckTheFeds was to spread FUD about the remaining markets.


[5 Points] SpeedflyChris:

Something else you've missed that would fit in with the August timeline:

https://anonimage.net/image/lcs4fEFWZ7

The dream forum server was leaking its IP in August.

It's probably safe to assume that the forum server was taken over and imaged around this time. It's even possible that 0-day exploits were used at this point to infect forum users (sounds like the guy used windows).

Alternatively (and more likely imo) they did it based on the "staff tip jar" address he apparently had on his profile.

You can see his whole wallet on walletexplorer, I suggest taking a look.

And look, you can see the transaction from a few days after they arrested him when they moved all his coins to a government-controlled wallet:

https://blockchain.info/tx/0bbfdd810b3f889b88ca42243c8dbb28a08858486310652eef19a5d76a55b215

It's really not all that hard if you look at the other outputs from that address on the blockchain to work out that it's going directly into a mixer. Then it's just a matter of the mixer being compromised/a honeypot (because why wouldn't grams be a honeypot?) or contacting sites like Localbitcoins and finding accounts that had deposits of amounts similar to the amounts of withdrawals from this address.
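The linking steps this comment describes (a reused payout address as the pivot, then its spends matched against exchange deposits of about the same size shortly afterwards), as an added example that is not the commenter's code and uses no real ledger: every address, amount, timestamp and exchange record below is constructed, and the two heuristics are exactly the address-reuse and amount/time correlation the comment sketches. It illustrates why address reuse and unmasked amounts are the privacy failure the original post worries about.

```python
"""Added example (not from the thread): why address reuse and unmasked amounts leak.

Two heuristics from the comment above, run on a constructed toy ledger:
  1. address reuse - one address credited again and again is a stable pivot point
  2. amount/time correlation - spends out of that address line up with exchange
     deposits of nearly the same size shortly afterwards
All addresses, amounts, timestamps and exchange records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed on-chain payouts: (txid, timestamp, destination address, amount in BTC)
PAYOUTS = [
    ("tx-a1", datetime(2017, 8, 2, 10, 0), "1ReusedVendorAddr", 0.4200),
    ("tx-a2", datetime(2017, 8, 5, 9, 30), "1ReusedVendorAddr", 1.1000),
    ("tx-a3", datetime(2017, 8, 9, 14, 15), "1ReusedVendorAddr", 0.7500),
    ("tx-b1", datetime(2017, 8, 3, 11, 0), "1FreshAddrOnce", 0.3000),
    ("tx-c1", datetime(2017, 8, 6, 16, 45), "1OtherFreshAddr", 2.0000),
]

# Constructed spends out of the reused address (payout amount minus a mining fee)
SPENDS = [
    ("tx-s1", datetime(2017, 8, 2, 12, 0), "1ReusedVendorAddr", 0.4195),
    ("tx-s2", datetime(2017, 8, 5, 18, 0), "1ReusedVendorAddr", 1.0995),
    ("tx-s3", datetime(2017, 8, 10, 8, 0), "1ReusedVendorAddr", 0.7496),
]

# Constructed exchange-side deposit ledger: (account id, deposit time, amount in BTC)
EXCHANGE_DEPOSITS = [
    ("acct-777", datetime(2017, 8, 2, 12, 40), 0.4195),
    ("acct-777", datetime(2017, 8, 5, 19, 5), 1.0995),
    ("acct-123", datetime(2017, 8, 6, 17, 30), 1.9990),
    ("acct-777", datetime(2017, 8, 10, 9, 10), 0.7496),
    ("acct-555", datetime(2017, 8, 10, 9, 20), 0.7496),  # same size, different account
]


def reused_addresses(payouts, min_uses=2):
    """Return {address: use_count} for addresses credited in min_uses or more transactions."""
    uses = defaultdict(int)
    for _txid, _ts, addr, _amount in payouts:
        uses[addr] += 1
    return {addr: n for addr, n in uses.items() if n >= min_uses}


def correlate(spends, deposits, window=timedelta(hours=2), tolerance=0.0005):
    """Match each spend to exchange deposits of nearly the same amount within `window` after it.

    Returns {spend_txid: [account_ids]}. More than one candidate means the amount
    alone was ambiguous and a second signal would be needed.
    """
    matches = {}
    for txid, ts, _addr, amount in spends:
        matches[txid] = [acct for acct, dts, damount in deposits
                         if ts <= dts <= ts + window and abs(damount - amount) <= tolerance]
    return matches


def most_likely_account(matches):
    """Account named in the most matched spends (None if nothing matched)."""
    score = defaultdict(int)
    for hits in matches.values():
        for acct in hits:
            score[acct] += 1
    return max(score, key=score.get) if score else None


if __name__ == "__main__":
    print("reused:", reused_addresses(PAYOUTS))
    found = correlate(SPENDS, EXCHANGE_DEPOSITS)
    print("matches:", found)
    print("likely account:", most_likely_account(found))
```

On the constructed data the first two spends each match a single account and the third matches two, which is the limit of amount correlation on its own: the tie is broken only by counting how often each account recurs across all the spends, and a single reused address is what makes that repeated comparison possible in the first place.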


[3 Points] 69456:

Could be parallel construction to spread FUD about bitcoin.


[2 Points] Throwaway1092873:

When I created accounts on TradeRoute in August, I would always receive an auto welcome message from TR explaining the market and providing their PGP key.

I recently created a new account and noticed a couple things:

1) I never received a welcome message with their PGP key.

2) When you go to open a support ticket, the PGP key provided is different than the one that was originally provided in the welcome messages I received from my old accounts.

Here is a picture of the original welcome message w/ PGP key:

https://anonimage.net/image/sVBQDBerHF - Message

https://anonimage.net/image/up5Od9Nkcx - Message PGP key

https://anonimage.net/image/hjabna0PZB - TR PGP key details (Made in 2016)

Original Key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
[key body elided]
=/Swg
-----END PGP PUBLIC KEY BLOCK-----

Here is the PGP key provided when you try to open a support ticket:

https://anonimage.net/image/mqIBCiP57 - Support PGP key

https://anonimage.net/image/Pjr3VRVJyQ - Support PGP key details (name: Sam Culper, created 8/15/17)

New Key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
[key body elided]
=+1Ji
-----END PGP PUBLIC KEY BLOCK-----

Now I could be wrong and maybe they have always had a different PGP key for support tickets? But it seems very fishy to me that welcome messages with TR's PGP key would stop sending, and then the support PGP key is different from the one in that message.

Someone chime in
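The comparison this commenter did by eye (is the key offered for support tickets the same key the welcome message carried?), as an added example that is neither the commenter's nor TradeRoute's code: it computes the RFC 4880 v4 fingerprint (SHA-1 over 0x99, the two-byte packet length and the public-key packet body) from an ASCII-armored block, verifies the armor checksum line, and applies trust-on-first-use, pinning the first fingerprint seen for a name and reporting any later key that differs. The keys it builds are synthetic stand-ins with made-up RSA numbers and the two creation dates mentioned in the comment (2016 and 8/15/17), not the real keys, which are elided on this page.

```python
"""Added example (not the commenter's code): pin an OpenPGP key fingerprint and flag a change.

Computes the RFC 4880 v4 fingerprint of the public-key packet in an armored block
and applies trust-on-first-use: the first key seen for a name is pinned, any later
key with a different fingerprint is reported as changed. make_synthetic_key()
builds constructed stand-in keys with fake RSA numbers, not real keys.
"""
import base64
import hashlib
import struct

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"


def crc24(data):
    """CRC-24 used for the armor checksum line (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(packet):
    """Wrap raw packet bytes in an ASCII-armored public key block with a checksum line."""
    b64 = base64.b64encode(packet).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(struct.pack(">I", crc24(packet))[1:]).decode()
    return "\n".join([BEGIN, ""] + lines + ["=" + crc, END])


def dearmor(text):
    """Return the raw bytes of an armored block, verifying the checksum line if present."""
    lines = [line.rstrip() for line in text.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not a public key block")
    body = lines[1:-1]
    if "" in body:  # armor headers such as "Version: ..." end at the first blank line
        body = body[body.index("") + 1:]
    data = base64.b64decode("".join(line for line in body if not line.startswith("=")))
    crc_lines = [line for line in body if line.startswith("=")]
    if crc_lines:
        expected = int.from_bytes(base64.b64decode(crc_lines[0][1:]), "big")
        if expected != crc24(data):
            raise ValueError("armor checksum mismatch")
    return data


def first_packet(data):
    """Parse the first OpenPGP packet header (old or new format); return (tag, body)."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("invalid packet header")
    if first & 0x40:  # new-format header
        tag = first & 0x3F
        l1 = data[1]
        if l1 < 192:
            hdr, length = 2, l1
        elif l1 < 224:
            hdr, length = 3, ((l1 - 192) << 8) + data[2] + 192
        elif l1 == 255:
            hdr, length = 6, int.from_bytes(data[2:6], "big")
        else:
            raise ValueError("partial body lengths not supported")
    else:  # old-format header: tag in bits 2-5, length-size in bits 0-1
        tag = (first >> 2) & 0x0F
        size = {0: 1, 1: 2, 2: 4}.get(first & 0x03)
        if size is None:
            raise ValueError("indeterminate length not supported")
        hdr, length = 1 + size, int.from_bytes(data[1:1 + size], "big")
    return tag, data[hdr:hdr + length]


def fingerprint(armored):
    """v4 fingerprint (40 hex chars) of the public-key packet in an armored block."""
    tag, body = first_packet(dearmor(armored))
    if tag != 6 or body[0] != 4:
        raise ValueError("expected a version 4 public-key packet")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def make_synthetic_key(created, modulus):
    """Constructed v4 RSA public-key packet (old-format header) for demonstration only."""
    def mpi(value):
        return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(modulus) + mpi(65537)
    return armor(b"\x99" + struct.pack(">H", len(body)) + body)


def check_pinned(name, armored, pins):
    """Trust-on-first-use: returns 'pinned', 'ok' or 'changed'; pins on first sight."""
    fp = fingerprint(armored)
    if name not in pins:
        pins[name] = fp
        return "pinned"
    return "ok" if pins[name] == fp else "changed"


if __name__ == "__main__":
    welcome_key = make_synthetic_key(1451606400, 0xC0FFEE << 200 | 0x1234567)  # "made in 2016"
    support_key = make_synthetic_key(1502755200, 0xBADF00D << 200 | 0x7654321)  # "8/15/17"
    pins = {}
    print(check_pinned("TR support", welcome_key, pins), fingerprint(welcome_key))
    print(check_pinned("TR support", support_key, pins), fingerprint(support_key))
```

Run as a script it pins the 2016 key and reports the 2017 key as changed. A key change on its own proves nothing (keys do get rotated), but a pin makes the change visible instead of something a user has to notice by comparing key details by hand, which is the whole point of the comment.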


[2 Points] morethanon:

this whole case was meant to confuse


[1 Point] None:

[removed]


[1 Point] gangstahippy:

it was confirmed information by Dream's admins that their servers were seized around the same time Hansa and AB went down.. they were able to back up the site onto new servers.

i bet oxymonster was caught sending drugs first, then they were able to follow the money second.


[1 Point] None:

[removed]


[1 Point] None:

[removed]


[1 Point] None:

[removed]