FBI Shutters DeepDotWeb Portal; Suspected Admins Arrested
Suspects Accused of Receiving Bitcoins Worth Millions for Referral Fees
The DeepDotWeb portal, which provided a guide to darknet marketplaces, has been shut down by the FBI and its alleged administrators arrested as part of an international operation.
The portal provided links to a number of darknet markets, which are reachable only via the anonymizing Tor browser. Such markets sell illegal narcotics, firearms, counterfeit currency, malware, stolen jewelry, stolen payment card data and more. The portal also listed the top markets as well as their availability status.
But police say that DeepDotWeb was also earning referral fees from sending users to darknet markets, which, over time, earned the portal's administrators bitcoins worth millions of dollars. Police say the referral fees came from at least 15,000 users.
As of Tuesday, both the publicly exposed DeepDotWeb.com and its sister .onion site - reachable only via the anonymizing Tor network - had been seized. Both sites resolved to a takedown and seizure notice posted by the FBI, which also carried the logos of Britain's National Crime Agency and Germany's Federal Criminal Police, aka the Bundeskriminalamt.
The seizure notice reads: "This site has been seized by the FBI pursuant to a seizure warrant obtained by the U.S. Attorney's Office for the Western District of Pennsylvania, the U.S. Department of Justice's Computer Crime and Intellectual Property Section and the Organized Crime and Gang Section under authority of 18 USC 1956 (h), 981, 982" - referring to U.S. money laundering statutes - "and in coordination with European law enforcement agencies acting through Europol in accordance with the law of European member states."
Europol is the EU's law enforcement intelligence agency.
Arrests of suspected DeepDotWeb administrators were first reported on Tuesday by Israeli media, including The Times of Israel.
Tel Aviv Police say that as part of the cross-border operation involving the FBI, Europol and others, its detectives arrested a 35-year-old resident of Tel Aviv and a 34-year-old resident of Ashdod.
As part of the operation, other suspected administrators were arrested in Brazil, France, Germany and the Netherlands, police say.
"The investigation revealed that the suspects operated a website that contained references to illegal sales sites in a dark network where weapons, drugs, abductions, stolen credit cards and more can be purchased," Tel Aviv Police say. "The suspects used the 'affiliate marketing' method through which they profited from every sale made, thus earning millions of dollars. Payment for the completed transactions was transferred to the suspects via the digital currency 'bitcoin.'"
Police in Brazil say that the primary suspect was an Israeli citizen residing in Brasilia, who was arrested earlier this week at Charles de Gaulle Airport in Paris. At the same time as the suspect was arrested by French police, authorities in Brazil said they executed a search warrant at the suspect's home in Lago Sul, Brazil, where they recovered cryptocurrency as well as $50,000 in cash.
Police in Brazil reportedly also arrested another suspect during the course of their investigation.
In simultaneous actions, while the suspect was being arrested in #Paris, #France, searches were being carried out at his home in Brasília. Devices used to store cryptocurrencies and R$ 200 thousand in cash (foreign currency and reais) were seized in the search. pic.twitter.com/hNMXM40SaQ
— Polícia Federal (@policiafederal) May 7, 2019
Police say the primary suspect amassed some of those funds through DeepDotWeb's referral of some 15,000 users to darknet markets, where they illegally bought or sold goods, after which the suspect "obtained a share of the proceeds from illegal product transactions."
Police in Brazil say the primary suspect previously came to their attention in October 2018, when they executed a search and seizure warrant based on their suspicion that the individual was "committing the crime of child pornography." Police say that at that time, they seized Brazilian reals and foreign currency worth a combined total of $250,000, as well as computers and smartphones for digital forensic investigation.
Security experts say DeepDotWeb was popular with darknet market users. "The site featured a list of darkweb markets that many users of darkweb marketplaces used as their only list of onion addresses," says the self-described "non-academic cryptomarket researcher" known as Caleb (@5auth), in a blog post.
As a result, the site's closure could complicate darknet consumers' efforts to access such sites.
Press reports have named the suspected administrator of DeepDotWeb, known as Deepdot, as being "T. Prihar." Caleb says the suspect "moved from Israel to Brazil more than a year ago," where he received expedited Brazilian citizenship.
"Brazilian citizenship is important in this scenario since the Brazilian government would not have extradited Prihar (as a citizen of Brazil) for money laundering or related crimes," Caleb says.
"After the news of the seizure surfaced, a number of people asked about the links DeepDotWeb had hosted. The links, unlike those on dark.fail, generated revenue for DeepDotWeb," Caleb says. "Every purchase made via DeepDotWeb's referral links (or with the referral code) earned the site's admin(s) a percentage of the sale. This is usually between 2 percent and 4 percent."
The DeepDotWeb takedown and arrests follow an international law enforcement operation last week that disrupted two of the world's most notorious darknet markets - Wall Street Market, the world's second largest darknet market, as well as the Silkkitie, aka Valhalla Marketplace (see: Darknet Disruption: 'Wall Street Market' Closed for Business).
The German Federal Criminal Police shuttered Wall Street Market, backed by support from Europol, the Dutch National Police and U.S. law enforcement agencies. German police also arrested three German nationals, aged 22, 29 and 31, in late May, having monitored their activities since March.
Authorities say the alleged Wall Street Market administrators, perhaps spooked by other recent darknet market busts, appeared to be trying to cash out. In April, vendors began reporting that bitcoins worth $13 million being held in escrow by the site had become unreachable. Police said the administrators were attempting to conduct an "exit scam" in which they'd steal the bitcoins for themselves and desert the site.
High-Profile Darknet Market Risks
"It is interesting to see that after all the consecutive takedowns and vendor arrests in the recent year, other marketplaces aren't as eager anymore to step into the limelight and take pole position," John Fokker, head of cyber investigations for McAfee's Advanced Threat Research group, tells Information Security Media Group (see: The Art of the Steal: Why Criminals Love Cyber Extortion).
"Probably, they're afraid of all the extra attention they get from the security community and law enforcement. I did notice that some vendors are moving to Telegram for more direct communications," Fokker adds. "Nevertheless, the message from international law enforcement is clear: You are no longer anonymous when you sell or buy drugs online and the police will try to find you."
Operation SaboTor
Law enforcement agencies are pursuing more than just darknet site takedowns and arresting suspected site administrators.
On March 26, the FBI reported that its Joint Criminal Opioid and Darknet Enforcement team had participated in Operation SaboTor, which was then the latest international effort to disrupt opioid vendors selling via the darknet, as well as the criminal enterprises facilitating such opioid trafficking.
As part of the operation, which ran from Jan. 11 to March 12, U.S. and international law enforcement agencies had arrested 61 suspects and seized 50 darknet accounts that had allegedly been used for illegal activity.
"Law enforcement executed 65 search warrants, seizing 299.5 kilograms of drugs, 51 firearms, and more than $7 million ($4.5 million in cryptocurrency, $2.48 million in cash, and $40,000 in gold)," the FBI reported. "They also conducted 122 interviews. In addition, participating agencies engaged in public education efforts regarding the dangers of opioid abuse during the operation."
As part of last week's disruption of Wall Street Market, the FBI also arrested in Los Angeles two of the site's alleged top narcotics vendors.