Step By Step Dissection of a DarkNet Vendor Bust in US

Some info about the Central California Darknet Strike Force (CCDSF), which apparently operates a PO Box in their home city of Fresno, California. Sworn to in an affidavit establishing probable cause for the arrest warrant for these 2 alleged heroin vendors from AlphaBay, John X. XXXXXX, Special Agent with the DEA, states:


I am part of a dark web/digital currency task force focused on identifying narcotics vendors operating on the dark web and using dark marketplaces (like AlphaBay) to advertise and sell narcotics. As part of this task force, I have been trained by various law enforcement agencies on how to operate an undercover dark marketplace account and, acting in an undercover capacity, purchase narcotics on these market places, which includes how to encrypt messages utilizing Pretty Good Privacy (PGP) keys and how to purchase and use digital currency (bitcoins) to make payments for narcotics.

As a result of this training, I began analyzing and investigating the top heroin vendors operating on the dark marketplace, Alpha Bay, in January of 2016. Through the course of my initial investigation, I came across two vendors, "AREA51" and "DARKAPOLLO," who were advertising that they import heroin directly from Afghanistan and whose vendor web pages were selling the exact same products and quantities. Based on my training and experience I suspected that these two vendors were operated by the same individual(s).

During March of 2016, I initiated a full investigation into AREA51 and DARKAPOLLO. Popular dark markets online forums that review Alpha Bay vendors indicated that customers who had previously received shipments from AREA51 and DARKAPOLLO indicated that the packages originated from Brooklyn, New York.

AREA51 and DARKAPOLLO advertise on AlphaBay as vendors of Burmese and Afghan heroin, as well as uncut Peruvian and Colombian cocaine. The quantities of each of the heroin and cocaine range from one gram to five grams. Based on my review of AlphaBay transactions, as of July 25, 2016, DARKAPOLLO has sold approximately 610 grams of heroin and approximately 25 grams of cocaine. In total, DARKAPOLLO has made approximately $139,594 from the sale of heroin and cocaine on AlphaBay. As of July 25, 2016, AREA51 has sold approximately 810.5 grams of heroin and approximately 47 grams of cocaine.

Initial analysis of DARKAPOLLO and AREA51's public PGP key indicated that both keys were registered to the same email address: Adashc31@g___.com. A social media search for the phrases "Adashc31" and "Adashc" resulted in the discovery of a Twitter, Instagram, and Facebook account belonging to someone identified as "Ahmed Farooq" or "Ch. Ahmed Farooq" (Hereinafter referred to as FAROOQ). The Facebook profile belonging to FAROOQ indicated that he resided in Brooklyn, New York. As a result, in April of 2016, I submitted a grand jury subpoena to Facebook for the subscriber information for FAROOQ.

On May 3, 2016, I received the grand jury information from Facebook. Analysis of the Facebook information indicated a verified telephone number for FAROOQ's Facebook account: ***--0414. A DEA de-confliction search for this telephone number indicated that the user of this telephone number was part of an on-going investigation targeting a Drug Trafficking Organization (DTO) that was selling heroin in Brooklyn, New York.

... *************************** TONS OF REDACTION --- Probably confidential informant / cowardly snitchery goes here. ***************************************** ...

On May 11, 2016, I purchased approximately .451 bitcoins to use in purchasing heroin from either DARKAPOLLO or AREA51.

On May 16, 2016, acting in an undercover capacity, I logged into my undercover Alpha Bay account and purchased approximately one gram of heroin from AREA51 for $165. I included a message to AREA51 to send the package to a predetermined undercover address. I also instructed AREA51 to address the package to "Alex Mendoza."

On May 19, 2016, DEA SA CXXXXX BXXXX received a notice from US Postal Service Inspector JXXXX XXXXXX that a package had arrived at the undercover address I had instructed to AREA51.

On May 20, 2016, I retrieved the package from Inspector BXXXXX and noticed that the package was addressed to "AXXX MXXXXX." The return address of this package was to "Jessica Brown" at XXX Ave X, Brooklyn, NY XXXXX. The tracking number for this parcel was identified as "ELXXXXXXXXXUS" (hereafter referred to as "UC PARCEL #1").

I brought UC PARCEL #1 back to Fresno Resident Office to open it and to begin processing it into evidence. I, as witnessed by DEA SA JXX DXXX, opened UC PARCEL #1 and located a silver Mylar envelope inside the parcel. Inside of the silver Mylar envelope was a small clear zip lock bag that contained a white powder. I, as witnessed by SA JXX DXXX, conducted a presumptive test on the powder, which tested positive for the presence of heroin. I submitted all of the contents of UC PARCEL #1 to the DEA Western Regional Lab for fingerprint and drug analysis. On this same day, I also released approximately .3507 BTC that was in escrow to AREA51 as payment for UC PARCEL #1.

On May 24, 2016, I purchased approximately .458 bitcoin for another undercover purchase of heroin from AREA51. On this same date, I, acting in an undercover capacity, purchased approximately 1 gram of heroin from AREA51, as witnessed by SA JXX DXXX. I instructed AREA51 to ship the package to a pre-established undercover address. I also instructed AREA51 to again address the package to "AXXX MXXXXX."

On May 27, 2016, Inspector BXXXXXX notified me that a package had been delivered to the undercover address I provided to AREA51. On this date, I picked up the package from Inspector BXXXXX and noticed that the package was addressed to "Alex Mendoza" (hereafter referred to as UC PARCEL #2). The return name and address written on UC PARCEL #2 was "VXXXXXX Desperado" at "XXX Avenue X, Brooklyn, NY." This return address was the same address as UC PARCEL #1. The tracking number for UC PARCEL #2 was EKXXXXXXXUS.

I then brought UC PARCEL #2 to the DEA Fresno Resident Office for processing. When I opened UC PARCEL #2, as witnessed by SA JXX DXXX, I found a cream colored envelope. Inside was another silver Mylar envelope. Inside of the Mylar envelope was a small clear plastic bag that contained a white powder. SA JXX DXXX and I conducted a presumptive test on the powder, which tested positive for the presence of heroin. SA JXXX DXXX and I sent all of the contents of UC PARCEL #2 to the Western Regional Lab for fingerprint and drug analysis.

On May 31, 2016, I received the laboratory and fingerprint analysis back for UC PARCEL #1. According to the drug analysis, the white powder was identified to be heroin. Additionally, three latent fingerprints were found on the Mylar envelope located inside of UC PARCEL #1. These fingerprints were positively identified as belonging to ALMASHWALI.

On June 13, 2016, I received the laboratory and fingerprint analysis for UC PARCEL #2. The white powder was positively identified as heroin. Additionally, one latent fingerprint was found on the silver Mylar envelope inside of UC PARCEL #2 and three latent fingerprints were found on the USPS envelope. All of these latent fingerprints were known fingerprints of ALMASHWALI.

ALMASHWALI and FAROOQ Purchase Postage for Narcotics Parcels

As a result of the undercover purchases that I conducted, Inspector BXXXXXX was able to conduct comparative analysis on these parcels to identify who purchased the postage for them.

Inspector BXXXXXX was able to identify the time, date, and location the postage was purchased via the Postage Validation Imprinter (PVI) label. The postage for UC PARCEL #1 was purchased via an SSK (Self Service Kiosk) located at Homecrest Post Office, XXXX Avenue U, Brooklyn, New York XXXXX, on May 18, 2016 at approximately 19:39 Greenwich time (15:39 Eastern Time). This location is approximately .8 miles from FAROOQ's residence and .5 miles from ALMASHWALI's residence. Upon pulling the transaction data, Inspector BXXXXX identified five (5) total transactions conducted utilizing the same credit card number, in which postage was purchased for a total of twenty-five (25) PVI labels in the amount of $22.95 each, including the postage for UC PARCEL #1.

Due to SSK transactions being non-face to face transactions, photos are taken during each transaction that is conducted. Inspector BXXXXXX retrieved the photo of the suspect who purchased the postage for UC PARCEL #1 and provided the photo to me. I positively identified the individual in the photo as ALMASHWALI.

Based on historical data, and postal databases, Inspector BXXXXXX was able to identify additional postage being purchased utilizing card number ____________ 1214.

Inspector BXXXXX identified the following transactions that occurred on May 4, 2016 at the James A. Farley Post Office located at XXX Xth Ave, New York, NY XXXXX, which is approximately 12 miles from FAROOQ's residence and approximately 12 miles from ALMASHWALI's: [details of 5 more purchases of 5 express labels]

Because SSK transactions are not face-to-face transactions, photos are taken during each transaction that is conducted. In pulling the photos Inspector BXXXXX identified ALMASHWALI conducting the transactions that occurred from 20:09:05 through 20:11:15. The transactions which occurred from 20:12:09 through 20:14:49 were conducted by FAROOQ using [the same] credit card. Inspector BXXXXXX was able to locate USPS Priority Express parcel ELXXXXXXXUS, in which postage was purchased by ALMASHWALI during the above listed transactions. This parcel was addressed to _____________________, Amherst, New York and listed a return address of Jessica Brown, XXX Ave X, Brooklyn, New York XXXXX, the same address listed on the two undercover purchases I conducted.

PDF LINK TO UNSEALED INDICTMENT (PUBLIC DOCUMENT):

No TOR allowed:

https://regmedia.co.uk/2016/08/12/almashwali_arrest.pdf

No JS required:

http://s000.tinyupload.com/index.php?file_id=09174389604905975048

JS required:

https://uploadfiles.io/755d6

http://www69.zippyshare.com/v/VPE2FHL7/file.html
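The key-metadata link the affidavit describes (two vendor keys whose User IDs carry the same e-mail address) is reproduced from the investigator's side in this added Python example, which is not code from the original post. It walks the OpenPGP packets of each public key directly (RFC 4880), extracts the User ID packets and v4 fingerprint, and reports any e-mail address both keys share; the two keys are constructed inline with placeholder key material and a placeholder address.

```python
"""Added example (not from the original post): walk the OpenPGP packets of a
public key (RFC 4880) to pull out its User ID packets and v4 fingerprint, then
check two keys for a shared e-mail address. Sample keys are constructed inline."""
import base64, hashlib, re, struct

def dearmor(text: str) -> bytes:
    """Strip an ASCII-armored block down to its binary packet stream."""
    body, in_data = [], False
    for line in text.strip().splitlines()[1:-1]:   # drop BEGIN/END lines
        if not in_data:
            in_data = line.strip() == ""           # armor headers end at a blank line
        elif not line.startswith("="):             # "=XXXX" is the CRC24 line, not data
            body.append(line.strip())
    return base64.b64decode("".join(body))

def packets(data: bytes):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        hdr = data[i]; i += 1
        if hdr & 0x40:                             # new-format header (tag in low 6 bits)
            tag, o1 = hdr & 0x3F, data[i]; i += 1
            if o1 < 192:
                n = o1
            elif o1 < 224:
                n = ((o1 - 192) << 8) + data[i] + 192; i += 1
            elif o1 == 255:
                n = struct.unpack(">I", data[i:i + 4])[0]; i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                      # old-format header (tag in bits 2-5)
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            n = int.from_bytes(data[i:i + size], "big"); i += size
        yield tag, data[i:i + n]; i += n

def key_metadata(armored: str) -> dict:
    """v4 fingerprint plus the User IDs and the e-mail addresses they contain."""
    uids, fpr = [], None
    for tag, body in packets(dearmor(armored)):
        if tag == 6 and fpr is None:               # primary public-key packet
            fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
        elif tag == 13:                            # User ID packet: "Name <email>"
            uids.append(body.decode("utf-8", "replace"))
    emails = {m.lower() for u in uids for m in re.findall(r"<([^>]+)>", u)}
    return {"fingerprint": fpr, "uids": uids, "emails": emails}

def shared_emails(key_a: str, key_b: str) -> set:
    """E-mail addresses that appear in the User IDs of both keys."""
    return key_metadata(key_a)["emails"] & key_metadata(key_b)["emails"]

# Constructed sample keys: v4 RSA key packets with tiny placeholder MPIs, one-octet lengths.
def _armor(*pkts):
    raw = b"".join(bytes([0xC0 | tag, len(body)]) + body for tag, body in pkts)
    return "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n%s\n-----END PGP PUBLIC KEY BLOCK-----" % base64.b64encode(raw).decode()
_BODY = b"\x04" + struct.pack(">I", 1452000000) + b"\x01\x00\x08\xc7\x00\x02\x03"
AREA51_KEY = _armor((6, _BODY), (13, b"AREA51 <shared.handle@example.invalid>"))
DARKAPOLLO_KEY = _armor((6, _BODY.replace(b"\xc7", b"\xa5")), (13, b"DARKAPOLLO <shared.handle@example.invalid>"))
```

Against real exported keys, `gpg --list-packets` shows the same tag 6 and tag 13 packets this walker reads; the placeholder MPIs here are only there so the packet structure is complete.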


Comments


[92 Points] sapiophile:

This is a fucking top-notch post, thank you so much. Lots and lots of (fairly obvious) lessons for vendors here - wear good gloves and a hairnet or hat while packing, wipe down packs with alcohol or other residue-free solvent, don't shit/ship where you eat, don't use your fucking facebook email on your DNM GPG key (??????), and don't fucking use your personal credit card to buy the serial numbered postage that you ship packs with (!?!??!?!?!??!?!!!!!???!?!?!?).

Fascinating stuff, truly.

/u/gwern I know this would pique your interest, have a look

Edits to add less obvious tips: obscure your face in some way if buying postage at a self-serve kiosk (you're on camera), fingerprints can be reliably lifted from plain paper, be wary of buyers in or around Fresno...


[28 Points] xSwrvs:

At least the guy finalized his orders. Wonder if we can find his feedback LOL


[28 Points] Tittyboi_3Chainz:

As part of this task force, I have been trained by various law enforcement agencies on how to operate an undercover dark marketplace account and, acting in an undercover capacity, purchase narcotics on these market places, which includes how to encrypt messages utilizing Pretty Good Privacy (PGP) keys and how to purchase and use digital currency (bitcoins) to make payments for narcotics.

good to know tax dollars are being wasted to train someone how to turn on a computer multiple times


[24 Points] good_sense:

Wow seems like these guys were total morons. Trafficking so much dope they were being watched in real life then not wiping down packages and using personal credit cards to buy postage?? Also using a moniker of your name in your pgp email that can be linked to your Facebook???

It's also dumb on the dnm side to use the same email for the pgp key to run 2 separate accounts. I'm assuming they were planning to exit scam on one of them at one point and then keep selling on the other.

Overall it seems like they were asking to be arrested


[18 Points] None:

They need to find a new drop. That Fresno PO box is burned now


[9 Points] undeadhead420:

opsec 5/5


[5 Points] None:

fucking kidding me i can't even find my ex gf on instagram and they're pulling CSI level shit


[5 Points] 4-MAR:

Nice post!

the Central California Darknet Strike Force (CCDSF) which apparently operates a PO Box in their home city of Fresno, California.

Did you conclude that from this statement?

I brought UC PARCEL #1 back to Fresno Resident Office

Or was there other info you've found to indicate that? The PO Box could be in a surrounding city if not.


[4 Points] pooppooppants:

Mod's should sticky this post or add it to the sidebar for people who want to get into vending. So many critical mistakes made which now is going to destroy this guys life. What a shame, but he was pretty dumb.


[3 Points] LordDongler:

It seems like any number of simple op-sec precautions would have stopped this investigation in its tracks. Don't buy postage yourself if you're a vendor, have some fiend do it for a couple bars or something. Don't use your damn gmail with your PGP. If you're a heroin dealer, you shouldn't even have a Facebook account where people will hit you up and give police evidence. You should wear gloves when packaging drugs. Recently, I got a pack of wax with a full fingerprint right in the middle. Open and shut case with some small investigation if the cops got that pack


[3 Points] Solid716:

what a dumbass hahaha


[3 Points] Chems-HQ:

Great post.


[3 Points] zman-3000:

what a dick i bet officer John didn't even remember to log back in to finalize the order


[2 Points] Thinkingafrica:

I am assuming they had been arrested before to have their fingerprints in the system.


[2 Points] Thinkingafrica:

On May 3, 2016, I received the grand jury information from Facebook. Analysis of the Facebook information indicated a verified telephone number for FAROOQ's Facebook account: ***--0414. A DEA de-confliction search for this telephone number indicated that the user of this telephone number was part of an on-going investigation targeting a Drug Trafficking Organization (DTO) that was selling heroin in Brooklyn, New York.

They were getting arrested no matter what.


[2 Points] Thinkingafrica:

Additionally, three latent fingerprints were found on the Mylar envelope located inside of UC PARCEL #1. These fingerprints were positively identified as belonging to ALMASHWALI.

Did they match the fingerprints before the arrest or after the arrest? If the former, I am assuming he had been arrested/incarcerated beforehand. Why didn't they find the postal workers prints as well?


[2 Points] ThatOneCriminal:

Great post OP!



[1 Points] cashadava:

Glad to see this got reposted. This is valuable information for everyone.


[1 Points] pancakepro5:

same stupid error as Ross Ulbricht


[1 Points] TheRealRocketship:

oh shit l o l


[1 Points] woahtuber:

If you had your money in escrow w an order from them, would you be able to get it back? Obviously won't be getting sent now


[1 Points] jaydee0007:

Real email addy on PGP key? Thanks dude for being low lying fruit and keeping the rest of us safe.


[1 Points] Merolanna:

Okay, let's run down the list of things they fucked up:


[1 Points] D4rk-H0r5e:

Yo! Few days ago I bought from an Area51 on Oasis who is claiming to be from the Netherlands and is not selling heroin or cocaine. Any idea if this is the same guy?? If so, gotta get my money back from escrow. It's been a couple of days and I haven't heard any word about shipping or anything so I'm gettin skeptical.


[1 Points] None:

am i glad all those years of trolling Craigslist for strange dick taught me to NEVER USE A REAL EMAIL ADDRESS TIED TO MY REAL FUCKING IDENTITY

for fucking jesus's sake those salamis are so stupid


[1 Points] 2cbking:

It is hard to believe how stupid some vendors can be. To not even take basic precautions that all vendors should take, let alone someone as large as them. I mean, fingerprints on a mylar bag inside a sealed envelope, wtf?!?! At least fingerprints on the outside of the box could be reasonably explained away (someone dropped it so you picked it up ..whatever..etc...). But fat chance coming up with an excuse for why your print is inside of a sealed up drug package.

Also, buying postage from a kiosk!?!? Serious? That is some seriously retarded as shit right there. That stuff is not like a priority mail stamp (that has no numbers or identifiable information that could be tied to who purchased them), it has information that can be used to look up who purchased that postage. That right there is enough for them to find out who you are. Never use printed stamps, period. You might as well print your name on the envelope. As others have stated, exhibiting a little common sense would have prevented this investigation from going anywhere (well, assuming that other investigation the guy was being looked at for was not already happening)

Great post tho, for no other reason but to wake up some vendors that apparently lack basic common sense and probably do some of these really stupid things themselves. I have learned common sense apparently isn't so common.


[1 Points] spicepirate:

Thanks for this post. Damn everything they did seems so easily avoidable. I feel like these are mistakes people would have made in the early days, but not now.


[1 Points] MindFunked3000:

Hypothetically, if someone ordered from these douchebags, is their address burned? Name burned?


[1 Points] gwern:

Probably confidential informant / cowardly snitchery goes here.

Yes. The request to seal the original complaint & 3 other documents in PACER references the need to protect a "confidential source": https://www.dropbox.com/s/bmu24ggtb0jltxz/caed-03309001910.pdf

Inspector BXXXXXX was able to locate USPS Priority Express parcel ELXXXXXXXUS, in which postage was purchased by ALMASHWALI during the above listed transactions. This parcel was addressed to _____________________, Amherst, New York and listed a return address of Jessica Brown, XXX Ave X, Brooklyn, New York XXXXX, the same address listed on the two undercover purchases I conducted.

My guess is that they used the mailcover database to look for all packages with that return address (OCR, of course) and then looked up the postage on them.


[1 Points] None:

Damn- please stay safe, vendors. We're counting on you. This guy obviously made some extremely stupid decisions, but please, PLEASE be careful. We need our safe lucy :)



[0 Points] asdsadsadsa232434343:

can you please post a link to the full indictment


[-1 Points] re-ignition:

[deleted]

What is this?


[-6 Points] OGPACKS:

why the fuck would LE ever make a post like this wtf haha