Legal papers exposing how one moderator of some darknet market got caught. OPSEC lesson!

Since the rule of the subreddit is no personal information, I won't link the original PDF. Instead I will just post the three important points from the document that explain how and why he got caught.

The investigation lasted from 2015 until August 2017.

40. After observing the bitcoin "tip jar" advertised by [nickname mod used], agents conducted analysis of the incoming and outgoing transactions from that bitcoin address and learned that 15 out of 17 outgoing transactions from the [nickname mod used] tip jar went to multiple wallets controlled by [EU Country] national [Full name and surname] on Localbitcoins.com.

41. Open source data revealed that [Full name and surname] has Instagram and Twitter accounts. Agents compared the writing style of [nickname mod used] on the [Name of dark market] forum while in the Senior Moderator role to the writing style of [Full name and surname] on his public Instagram and Twitter accounts. Agents discovered many similarities in the use of words and punctuation, including: the word "cheers", double exclamation marks, frequent use of quotation marks, and intermittent [EU Country] posts.

And... the final mistake:

42. On August 31, 2017, [Full name and surname] travelled to the United States for the first time to attend an international beard competition in Austin, Texas. A border search of his laptop upon his arrival at Atlanta International Airport confirmed his identity as [nickname mod used]. On his laptop was the TOR browser, apparent log-in credentials for Dream Market, $500,000 worth of bitcoin, and a PGP encryption key entitled "[nickname mod used]" which matched that advertised as [nickname mod used] on [Name of dark market].

mfw

to attend an international beard competition in Austin, Texas

Probably the first guy owned because of trying to attend a beard competition.

Here is a few years old video from CCC 29C3: Stylometry and Online Underground Markets (EN)

https://www.youtube.com/watch?v=zkh7dwwfrHM

(Stylometry is identifying the author of an anonymous post based on writing style.)

If the moderators allow it, I can give the name of the darknet market that was involved.

[EDIT] adding link to pdf: https://linx.li/oxymonster.pdf
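The stylometric comparison described in paragraph 41 (the same word choices and punctuation habits showing up under two identities) can be reduced to a small script. The block below is an added example, not code from the original post, from the complaint, or from the linked talk. The feature list (the markers the complaint names plus a few punctuation and function-word rates), the sample corpora and the use of Burrows' Delta as the distance are all assumptions made for the demonstration; the sample texts are constructed and are not anyone's real posts.

```python
"""Toy stylometry: rank candidate authors against an anonymous corpus.

Added example, not part of the original post or of the complaint it quotes.
The surface markers follow the ones the complaint lists (the word "cheers",
double exclamation marks, heavy use of quotation marks) plus a few
punctuation and function-word rates; the distance is a small Burrows' Delta
(mean absolute difference of z-scored feature rates).  All sample corpora
below are constructed for this demo and are not anyone's real posts.
"""
import re
import statistics

# Surface markers, counted per 1000 tokens so corpora of different sizes are
# comparable.  This feature list is an assumption for the demo; a real
# pipeline would use hundreds of lexical and character n-gram features.
MARKERS = [
    ("cheers", re.compile(r"\bcheers\b", re.I)),
    ("double_bang", re.compile(r"!!")),
    ("quote_char", re.compile("[\"\u201c\u201d]")),
    ("ellipsis", re.compile(r"\.\.\.")),
    ("semicolon", re.compile(";")),
]
FUNCTION_WORDS = ["the", "and", "of", "to", "a", "in", "that", "is", "it", "for", "you"]


def tokens(text):
    return re.findall(r"[a-z']+", text.lower())


def features(text):
    """Marker and function-word rates per 1000 tokens for one corpus."""
    toks = tokens(text)
    scale = 1000.0 / max(len(toks), 1)
    vec = {name: len(rx.findall(text)) * scale for name, rx in MARKERS}
    for word in FUNCTION_WORDS:
        vec["fw_" + word] = toks.count(word) * scale
    return vec


def delta(anon, cand, pool):
    """Burrows' Delta between two feature vectors, z-scored over `pool`.

    A feature with zero variance across the pool carries no information, so
    it is skipped instead of dividing by zero.
    """
    total, used = 0.0, 0
    for name in anon:
        sd = statistics.pstdev([vec[name] for vec in pool])
        if sd == 0:
            continue
        total += abs(anon[name] - cand[name]) / sd
        used += 1
    return total / used if used else float("inf")


def rank_candidates(anonymous_text, candidates):
    """Return [(candidate_name, delta), ...] with the closest match first."""
    anon = features(anonymous_text)
    vecs = {name: features(text) for name, text in candidates.items()}
    pool = [anon] + list(vecs.values())
    return sorted(((n, delta(anon, v, pool)) for n, v in vecs.items()),
                  key=lambda item: item[1])


# Constructed corpora: anonymous forum posts and two public-profile candidates.
FORUM_POSTS = """
Welcome to the forum!! Please read the "rules" before posting. Vendors who
ignore the "no outside contact" rule get banned. Cheers!!
Orders are delayed this week; the team is working on it. Don't message me
about "lost" packages, open a ticket. Cheers
That "vendor" is a scammer, I removed the listing. Thanks for the report!! Cheers!!
"""
CANDIDATE_A = """
New beard oil arrived today!! The "sandalwood" one is amazing. Cheers!!
Off to the competition next week; wish me luck!! It is a "big" one. Cheers
That "leg day" joke never gets old; thanks for the laugh!! Cheers!!
"""
CONTROL = """
Spent the afternoon reading about the history of the city. It was a good day
for a walk in the park, and the weather was fine.
Had dinner with friends at the new place on the corner. The food was decent,
but the service was a bit slow.
Finished the book that I started last month. It is long, but it is worth the
time if you like that kind of story.
"""

if __name__ == "__main__":
    ranking = rank_candidates(FORUM_POSTS, {"candidate_a": CANDIDATE_A, "control": CONTROL})
    for name, score in ranking:
        print(f"{name}: delta={score:.2f}")
```

Two things the toy makes visible that the complaint only states: the rates have to be normalised per token before two corpora of very different sizes can be compared at all, and z-scoring over the candidate pool is what stops a single high-frequency word like "the" from drowning out the rare markers ("cheers", "!!") that actually carry the signal. With corpora this small the result is fragile; the talk linked above covers how much text is needed before the match is meaningful.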


Comments


[9 Points] TacoJohns4life:

This was posted without the redactions much earlier today.

Cheers!


[6 Points] SpeedflyChris:

https://www.walletexplorer.com/wallet/00fee88987375a9f

Here's his wallet; you can see the ~100 BTC transaction from the feds taking his coins after arrest. You can see that the other transactions sometimes go via some mixer or other, and some seem to be mixed more crudely.

For comparison, here is a wallet belonging to Grams Helix:

https://www.walletexplorer.com/wallet/0003348038a29a40

You can see just how easy it is to follow the paper trail, for example look at this one:

https://www.walletexplorer.com/wallet/2ccc1f9885bce513

You can click through the individual payouts, they're split to multiple addresses so they all tend to be fairly small.

https://www.walletexplorer.com/wallet/2455c7f364aecd20

Look at this one for example, the user has specified 5 separate withdrawal addresses, but they're all part of the same wallet...

So you can say more or less certainly that whoever that deposit address at coingaming.io belongs to moved at the time about $5000 through a mixer to deposit it there. There are similar size deposits to exchanges, and some even larger ones. It's not difficult to find the current Helix wallet(s) from this info either.

Just imagine what a well-funded chain analysis company can do.
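Both the "15 out of 17 outgoing transactions" finding in paragraph 40 of the complaint and the "5 separate withdrawal addresses, but they're all part of the same wallet" observation in the comment above rest on the same clustering rule: every input of a transaction is assumed to be spent by one wallet, so addresses that are ever co-spent collapse into one cluster. The block below is an added example of that heuristic, not code from the original post, the complaint, or walletexplorer.com. The ledger, the address labels and the two reporting functions are constructed for the demonstration; it deliberately does not merge outputs, so change-address detection and mixer peeling are out of scope.

```python
"""Address clustering by the common-input-ownership heuristic, with a tally of
where a watched address's outgoing transactions end up.

Added example; it is not code from the original post, the complaint, or
walletexplorer.com.  The heuristic is the standard one: all inputs of a
transaction are assumed to be spent by one wallet, so addresses co-spent
anywhere merge into one cluster.  Outputs are never merged here (change-address
detection and mixer peeling are out of scope).  The transaction list and the
address labels are constructed for the demo and are not real.
"""
from collections import Counter


class UnionFind:
    """Disjoint-set forest with path halving."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs):
    """Map every address seen in `txs` to a cluster id (its set's root)."""
    uf = UnionFind()
    for tx in txs:
        for addr in tx["inputs"] + [a for a, _ in tx["outputs"]]:
            uf.find(addr)                      # register the address
        first = tx["inputs"][0]
        for addr in tx["inputs"][1:]:
            uf.union(first, addr)              # co-spent inputs: one owner
    return {addr: uf.find(addr) for addr in list(uf.parent)}


def outgoing_by_cluster(txs, watched, clusters):
    """Count transactions spending from `watched`, keyed by destination cluster.

    Outputs that stay in the watched address's own cluster are ignored so that
    change back to the sender is not counted as a destination.
    """
    tally = Counter()
    own = clusters[watched]
    for tx in txs:
        if watched not in tx["inputs"]:
            continue
        for dest in {clusters[a] for a, _ in tx["outputs"]} - {own}:
            tally[dest] += 1
    return tally


def funding_clusters(txs, target, clusters):
    """Clusters whose coins paid directly into `target` (one hop back)."""
    return {clusters[a] for tx in txs
            if any(out == target for out, _ in tx["outputs"])
            for a in tx["inputs"]}


# Constructed ledger.  "tipjar" is the watched donation address; w1..w5 are the
# "separate" withdrawal addresses a user gave a service; "stranger" is an
# unrelated recipient.
TXS = [
    {"txid": "t1", "inputs": ["tipjar"], "outputs": [("w1", 0.50)]},
    {"txid": "t2", "inputs": ["tipjar"], "outputs": [("w2", 0.30)]},
    {"txid": "t3", "inputs": ["tipjar"], "outputs": [("w3", 0.20)]},
    {"txid": "t4", "inputs": ["tipjar"], "outputs": [("w5", 0.15)]},
    {"txid": "t5", "inputs": ["tipjar"], "outputs": [("stranger", 0.05)]},
    # One sweep spends the "separate" addresses together: that co-spend is
    # what ties w1, w2, w3 and w5 to a single wallet.
    {"txid": "t6", "inputs": ["w1", "w2", "w3", "w5"],
     "outputs": [("exchange_deposit", 1.10), ("w_change", 0.04)]},
]

if __name__ == "__main__":
    clusters = cluster_addresses(TXS)
    tally = outgoing_by_cluster(TXS, "tipjar", clusters)
    total = sum(1 for tx in TXS if "tipjar" in tx["inputs"])
    for cluster_id, n in tally.most_common():
        print(f"{n} of {total} tip-jar spends went to cluster {cluster_id}")
    print("exchange deposit funded by:", funding_clusters(TXS, "exchange_deposit", clusters))
```

Run on the constructed ledger, four of the five tip-jar spends land in one cluster and the exchange deposit is funded by that same cluster, which is the shape of the finding in paragraph 40. The caveat a practitioner should keep in mind is the one the heuristic's name states: it is only a heuristic. CoinJoin-style transactions deliberately violate the one-owner-per-transaction assumption, and because outputs are never merged here the change output "w_change" stays outside the cluster until it is itself co-spent with a known address.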


[4 Points] JasperBuds:

Literally just handing the feds money. God, shit makes me mad.


[1 Points] sharpshooter789:

Did you snag the criminal complaint?


[-2 Points] None:

This is the mod from the Dream forums... old news.