Operation Return To Sender
DHL Admins - we noticed you have disappeared with all user funds and likely have no plan of returning.
Here is what we want you to do, either:
- Come back, bring the site back up and allow users to withdraw all their funds
- Come back and allow us to provide you with return addresses for user funds which you will then process
Why would you do this? Because if you don't we will be publishing a series of posts with all of the information we found on your server and other correlated information that can be used to identify you.
We are starting this process right now with this post to give you a hint at what is coming next
Timeline
First a DHL timeline. I'm not going to directly reference certain events, this is more left here as a hint.
- Early-2015: Development on DHL started in early 2015
- 11-Jun-2015: It was announced here (DHL-1 created his account the same day) - but that post was removed and no one noticed
- 11-Jun-2016: It was announced properly here by DHL-2
- 17-Jun-2015: Synala is released on bitcointalk
- 21-Jun-2015: It was added to the superlist
IP Address and Servers
You lied in your statement when you said that the location of your server was leaked by an internal employee
Anybody could have located your server at any time by simply searching for title:"Darknet Heroes League" in Shodan.
Here is the full results page for that server also on Shodan
Note the ssh key. Search Shodan for that key.
Interesting.
Since you took down all your onion services at around the same time, they stand out in an index of onion sites.
Bitcoin
We have taken a keen interest in DHL's use of Synala.
Synala is an Open Source Bitcoin payment gateway written in PHP. The website is at:
A key feature of Synala is offline transaction signing, so that the private keys can be kept on a separate machine (even a user's desktop!) and transactions are then pulled from the server using a (bad) API to be signed and then broadcast.
Most of the features of DHL relating to Bitcoin that they listed as their own are actually features of Synala.
What makes Synala most interesting is that it isn't very popular so DHL's use of it stands out.
The first piece of interesting information we found is that somebody noticed in September of 2015 that DHL was using Synala. There are a few ways an anonymous person could have found that out at that time, but we think they found out the same way we did (i.e. broke the server).
Here is an interesting GitHub comment on a Synala repository left by a user with the throwaway GitHub username dhlol (funny).
The person who owns the repository attempted to scrub the comment not knowing that GitHub leaves a history of changes.
DHL Withdrawals
EDIT: not required anymore - got what we were looking for quickly. Thanks everyone.
We are asking users of DHL who want to contribute to send us transaction IDs of Bitcoin transactions that you know are withdrawals from DHL.
Not deposits or anything else, just the txids of withdrawals.
You can do this anonymously and I'll leave contact details below.
Complete confidentiality - only I'll see it and I'll delete the info, and we might not need many.
Fingerprinting Files
Remember Hansa? The operators of that site were found because antivirus and security software provider Bitdefender sent a tip to law enforcement.
The way that works is this: these antivirus programs are set up on users' desktops, or they're running on a corporate, government or educational network. It is very common to set up antivirus to run on all web traffic as it comes into a network and to scan the files.
Many antivirus companies share signatures of files into a number of different threat research databases.
What most people don't know is that these databases end up becoming large repositories of unique files with associated data.
If you have a unique file that you're accessing on the web, or emailing, or on your desktop, and it passes through an antivirus gateway, there is a good chance it will be logged and mark you out.
DHL had a unique file on their website. It got caught and scanned by an antivirus company and logged. The log shows the date that it was caught, and it was before DHL was announced. The records also contain a lot of information, including the IP address it was logged from.
A Preview of Part 4
Coming up. Anybody else notice the DHL handles on this subreddit? It would be a terrible idea to mix business on reddit. It's amazing what slips out in the comments here when you pay attention.
I just spent 30 minutes setting up stylometry tools until I noticed that I didn't need them.
Credit
Don't credit me with all this - it really is a group effort with a lot of very sharp people messaging me tips and working together. I'm amazed at some of the things that are found and some of the work done. Most don't want to be called out but I'll update as appropriate.
Contact
EDIT: Please consider what you PM me here - use email + PGP or ask for XMPP. Chances of those messages staying between the two of us are high.
electronic letter: tomcheck at protonmail.com
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: GPGTools - https://gpgtools.org
…
=cRIz
-----END PGP PUBLIC KEY BLOCK-----
EDIT: if you're the dhlol person who left the issue on GitHub, get in touch.
grabs popcorn