dropping docs on darknets: how people got caught

8/11/2019 Dropping Docs on Darknets: How People Got Caught

1/51

!""#$%%&'()*++,-.(/

01'23) 5'+)6!37


2/51

!""#$%%&'()*++,-.(/

& '8) &'()*++,-.(/

& !39+ 3) 2)"+'+6" 2) &):(;+.+18.3"2()

I dont know everything < Im just a

*++, 72"! "2/+ () /= !3)16

;'- &):('/3"2() ;+.8'2"= 5()68>"3)"

3" ?'86"+1;+.

5(


3/51

!""#$%%&'()*++,-.(/

& 72>> B+ "3,2)* "7( #+'6#+."29+6

C+(#>+ "'=2)* "( 6"3= 3)()=/(86

C+(#>+ "'=2)* "( 1+ 7!+'+ =(8 68':H .()"'3B3)1 3732"6


4/51

!""#$%%&'()*++,-.(/


5/51

!""#$%%&'()*++,-.(/

A3',)+"6

?!+'+ 3'+ /3)= 1+:2)2"2()6H B8" /2)+ 26

anonymizing private network

I6+ (: +).'=#"2() 3)1 #'(J2+6 K6(/+ "2/+6 ("!+'#++'6L "( (B:86.3"+ 7!( 26 .(//8)2.3"2)* "( 7!(/

;(/+"2/+6 '+:+''+1 "( 36 52#!+'6#3.+

K>(9+ "!3" "+'/L


6/51

!""#$%%&'()*++,-.(/

?!+ M)2() N(8"+'


7/51!""#$%%&'()*++,-.(/

!"#$@2'6" "!+ I; E393> N+6+3'.! F3B('3"('=H "!+) "!+ O@@ 3)1 )(7 "!+ ?(' C'(P+."

KQRS.T )()>3).+ "!3" "!'+3"+)6 #+'6()3> :'++1(/ 3)1 #'293.=H

.():21+)"23> B862)+66 3."292"2+6 3)1 '+>3"2()6!2#6H 3)1 6"3"+ 6+.8'2"= ,)(7) 36

traffic analysis. ~ As defined by their site

!"&'$0..+66 )('/3> &)"+')+" 62"+6 3)()=/(86>=H 3)1 ?(' !211+) 6+'92.+6-

(#)$F(.3>>= '8) ;M5U; #'(J= "!3" .())+."6 "( "!+ ?(' )+"7(',-
http://www.torproject.org/http://www.torproject.org/


8/51!""#$%%&'()*++,-.(/

F3=+'+1 +).'=#"2()

G2= :(.86+1 () (8" #'(J=2)* "( "!+ &)"+')+" W('+ 2):( 3" !""#6$%%777-"('#'(P+."-('*

Internet Server

Directory Server
https://www.torproject.org/https://www.torproject.org/https://www.torproject.org/


9/51!""#$%%&'()*++,-.(/


10/51!""#$%%&'()*++,-.(/Image from http://www.torproject.org/hidden-services.html.en
http://www.torproject.org/hidden-services.html.enhttp://www.torproject.org/hidden-services.html.en


13/51!""#$%%&'()*++,-.(/

Image from http://www.torproject.org/hidden-services.html.en


14/51!""#$%%&'()*++,-.(/



15/51!""#$%%&'()*++,-.(/



16/51!""#$%%&'()*++,-.(/

5>2+)"

X86" 3 86+'

N+>3=6

?!+6+ '+>3= "'3::2.H 3)1 .3) 3." 36 +J2" #(2)"6

G'21*+6N+>3=6 )(" 319+'"26+1 2) "!+ 12'+."('= 6+'9+'6H 6( !3'1+' "( B>(.,

Y83'1 E(1+6

I6+1 "( /2"2*3"+ 6(/+ "'3::2. 3)3>=626 3""3.,6

&)"'(18."2() C(2)"6

V+>#+'6 2) /3,2)* .())+."2()6 "( !211+) 6+'92.+6 N+)1+D9(86 C(2)"

I6+1 :(' '+>3=2)*%+6"3B>26!2)* .())+."2()6 "( !211+) 6+'92.+6


17/51


18/51!""#$%%&'()*++,-.(/

?32>6$ ?!+ 0/)+62. &).(*)2"( F29+ ;=6"+/

!""#6$%%"32>6-B(8/-('*%

?('Z[+B C'(J=

!""#$%%"('Z7+B-('*

?(' V211+) [2,2$

!""#$%%,#9D\,2Z9Q3*7"TQ-()2() ;.3>>2() K/3,+ !(6" )3/+6L

!""#6$%%*2"!8B-.(/%>3.!+626%6.3>>2()

M)2() 53"

!""#$%%777-.=#!+'#8),-3"%()2().3"%

N+112" M)2()6!""#$%%777-'+112"-.(/%'%()2()6
https://tails.boum.org/https://tails.boum.org/http://tor2web.org/http://tor2web.org/http://kpvz7ki2v5agwt35.onion/http://kpvz7ki2v5agwt35.onion/https://github.com/lachesis/scallionhttps://github.com/lachesis/scallionhttp://www.cypherpunk.at/onioncat/http://www.reddit.com/r/onionshttp://www.reddit.com/r/onionshttp://www.cypherpunk.at/onioncat/https://github.com/lachesis/scallionhttp://kpvz7ki2v5agwt35.onion/http://tor2web.org/https://tails.boum.org/


19/51


20/51

!""#$%%&'()*++,-.(/

KU++# 2) /2)1H "!26 26 P86" "!+ 1+:38>"6L F(.3>

^RQR%".# ?(' ;M5U; #'(J=

^RQS%".# ?(' .()"'(> #('"

K^SQR 3)1 ^SQS () ?(' G'(76+' G8)1>+L

N+/("+

ccT%".# 3)1 _R%".# /(6">=

;+'9+'6 /3= 3>6( >26"+) () #('" ^RRS%".#H 3)1 12'+."('=

2):('/3"2() () ^RTR-

W('+ 1+"32>6

!""#$%%777-2'()*++,-.(/%2-#!#]#3*+b6+.8'2"=%1+"+."


21/51

!""#$%%&'()*++,-.(/

!""#$%%*+"2Z#-)+"
http://geti2p.net/http://geti2p.net/http://geti2p.net/


22/51

!""#$%%&'()*++,-.(/

5'=#"( 58''+).=

C'((: (: 7(',

G2".(2) 011'+66+6 e C'293"+ U+=6

G>(., 5!32) K>+1*+'L

?8/B>+'6 K>38)1+'2)*L

[3= /('+ 2):( B= G(B [+266

!""#$%%777-2'()*++,-.(/%2-#!#]#3*+b921+(6%B621+61+ZRST%Z


23/51

!""#$%%&'()*++,-.(/

On Dec. 16th 2013 a bomb threat was made to Harvards student news

#3#+' 3)1 6(/+ (::2.23>6-

?!+ #+'6() 86+1 !""#6$%%777-*8+''2>>3/32>-.(/"( 6+)1

+/32> 3:"+' .())+."2)* (9+' ?('

Y8+''2>>3 W32> #8"6 3) f>3/32>-.(/j

;8BP+."$ V+= B3B=a

f


24/51

!""#$%%&'()*++,-.(/

0>> ?(' )(1+6 3'+ #8B>2.>= ,)(7) K+J.+#" B'21*+6L$

!""#$%%"('6"3"86-B>8"/3*2+-1+

O36= "( .(''+>3"+ 7!( 736 3""3.!+1 "( V3'93'1 )+"7(',

3)1 862)* ?(' 3" "!+ 63/+ "2/+ "!+ +/32> 736 6+)" K8)>+66

=(8 86+ 3 B'21*+L-

O>1( U2/ 736 .())+."+1 "( "!+ ?(' )+"7(', 3'(8)1 "!3"

"2/+-

;86#+." O>1( U2/ 73)"+1 "( *+" (8" (: 3 :2)3> 3)1 31/2""+1

!+ /31+ "!+ B(/B "!'+3" 7!+) 2)"+'92+7+1-

W('+ A+"32>6$!""#$%%3'6"+.!)2.3-.(/%6+.8'2"=%ZRST%SZ%86+

!""#$%%777-6.'2B1-.(/%1(.%S^ZT\S\cZ%U2/


25/51

!""#$%%&'()*++,-.(/

F+66()6 F+3')+1$

Dont be the only person using ?(' () 3

/()2"('+1 )+"7(', 3" 3 *29+) "2/+I6+ 3 B'21*+]

Dont admit anything

5(''+>3"2() 3""3.,6 3'+ 3 B2".!


26/51

!""#$%%&'()*++,-.(/

5MB

8MB

Client

Client

Client

Client


27/51

!""#$%%&'()*++,-.(/

Client

Client

Client& .(8>1 P86"

73".! "!+"2/2)*6-

C8>6+ "!+

13"3 :>(76

/=6+>:-

M' +9+) P86"

.!3)*+ "!+ >(31() "!+ #3"!-

A(; (8"621+

!(6" "( 3::+."

"'3::2.-


28/51

!""#$%%&'()*++,-.(/

DNS

Query

Monitored DNS Server

If I dont use the#'(J= :(' AE;H &

/3= 6+)1 "!+

k8+'= "( 3 AE;

server. It wont

6++ /= "'3::2.

"(%:'(/ "!+

1+6"2)3"2()H B8"

/3= )(7 ,)(7

Im visiting

6(/+#>3.+-.(/%

-()2()%-2Z#


29/51

!""#$%%&'()*++,-.(/

V+."(' f392+' W()6+*8' K;3B8L )('/3>>=

86+1 ?(' :(' .())+."2)* "( &N5 B8" 736

.38*!" )(" 862)* 2" ().+ 3)1 @G& :(8)1

!26 !(/+ &C- 0:"+' B+2)* .38*!"H !+

6"3'"+1 "( .(>>3B('3"+- V+."(' 6#(,+ 72"! X+'+/= V3//()1

K68#p*L () &N5H 3)1 X+'+/= .3683>>= >+"

6>2# 7!+'+ !+ !31 B++) 3''+6"+1 B+:('+

3)1 *'(8#6 !+ 736 2)9(>9+1 72"!- ?!26 )3''(7+1 "!+ 686#+." #((>H 6( "!+

@G& *(" 3 .(8'" ('1+' "( /()2"(' !26

&)"+')+" 3..+66-


30/51

!""#$%%&'()*++,-.(/

V3//()1 86+1 ?('H 3)1 7!2>+ "!+ .'=#"(

736 )+9+' B86"+1H @G& .(''+>3"+1 "2/+6

68#p* 736 "3>,2)* "( ;8B8 () &N5 72"!

7!+) V3//()1 736 3" !(/+ 862)* !26

.(/#8"+'- W('+ A+"32>6$

!""#$%%3'6"+.!)2.3-.(/%"+.!2.=%ZRSZ%RT%6"3,+(8"


31/51

!""#$%%&'()*++,-.(/

F+66()6 F+3')+1$

I6+ ?(' .()626"+)">=

Dont give personal information5(''+>3"2() 3""3.,6 3'+ 6"2>> 3 B2".!a


32/51

!""#$%%&'()*++,-.(/

@'++1(/ V(6"2)* !(6"+1H 3/()*6" ("!+' "!2)*6H/3)= .!2>1 #(') '+>3"+1 !211+) 6+'92.+ 7+B62"+6-

@'++1(/ V(6"2)* !31 #'+92(86>= .(/+ 8)1+' 3""3.,

B= 0)()=/(86 18'2)* M# A3',)+" B+.386+ (: 2"

!(6"2)* 5C-

&) X8>= (: ZRSTH "!+ @G& .(/#'(/26+1 @'++1(/V(6"2)*H 3)1 2)6+'"+1 /3>2.2(86 X393 ;.'2#" "!3"

86+1 @2'+:(J B8* 5qO+ 26 B36+1 () @2'+:(JH 3)1 "!+

)+7+6" 9+'62() 736 3>'+31= #3".!+1H B8" )("

+9+'=()+ 8#13"+6 2) 3 "2/+>= :36!2()-


33/51

!""#$%%&'()*++,-.(/

The payload was Magneto, which phoned hometo servers in Virginia using the hosts public IP-

!""#$%%*!(7+)-/+%:B26($

W3*2. F3)"+')

@Mf05&A

5(/#8"+' 3)1 &)"+')+" C'("(.(> 011'+66 q+'2:2+' K5&C0qL

?!3),6 "( X(+ 52.+'( :(' gC'293.= &) 3 ;8'9+2>>3).+

;"3"+H O9312)* A+"+."2()g KC-&-;-;-O-A-L "3>,-

I am the best Giraffe

EVAR!!! Bow to my

Giraffey goodness!
http://ghowen.me/fbi-tor-malware-analysishttp://ghowen.me/fbi-tor-malware-analysishttp://ghowen.me/fbi-tor-malware-analysis


34/51

!""#$%%&'()*++,-.(/

0) &'26! /3)H O'2. O(2) W3'k8+6H 26 3>>+*+1 "( B+"!+ (#+'3"(' (: @'++1(/ V(6"2)*- ?!+ 6+'9+'6

!(6"2)* @'++1(/ V(6"2)* 7+'+ "2+1 "( !2/ B+.386+

(: #3=/+)" '+.('16-

W3'k8+6 736 6321 "( !39+ 129+1 :(' !26 >3#"(# "(

6!8" 2" 1(7) 7!+) #(>2.+ '321+1 !2/- W('+ A+"32>6$

!""#$%%777-72'+1-.(/%"!'+3">+9+>%ZRST%R^%:'++1(

/


35/51

!""#$%%&'()*++,-.(/

F+66()6 F+3')+1$

A()r" !(6" 53#"32) C2.3'1 ('

X8>23) G36!2'C3".!H #3".!H #3".!

@(>>(7 "!+ /()+=

F+39+ +).'=#"+1 >3#"(#6 2) 3 #(7+'+1

1(7) 6"3"+ 7!+) )(" 2) 86+a


36/51

!""#$%%&'()*++,-.(/

Lets see if the

!211+) 6+'9+'

3## 26

98>)+'3B>+ "( 3)

+J#>(2" KB8::+'

(9+':>(7%7+B

3## 6!+>>

+J+.%+".L-

;+)1 3 #3=>(31

"!3" .()"3."6 3)

&C & /()2"('-

Exploit &

Payload


37/51


38/51

!""#$%%&'()*++,-.(/

The earliest they could find was from 3>"(21 () "!+ ;!'((/+'=-('* :('8/6 () RS%Z\%SS-

!""#$%%777-6!'((/+'=-('*%:('8/6%6!(7:>3"-#!#%E8/B+'%ST_dR^^Q
http://www.shroomery.org/forums/showflat.php/Number/13860995http://www.shroomery.org/forums/showflat.php/Number/13860995http://www.shroomery.org/forums/showflat.php/Number/13860995


39/51

!""#$%%&'()*++,-.(/

G2"5(2)?3>,-('* C(6"

u8("+ :'(/$ 3>"(21 () X3)83'= Z^H ZRSSH R\$cc$QS CW

[!3" 3) 37+6(/+ "!'+31a t(8 *8=6 !39+ 3 "() (: *'+3" 21+36- V36 3)=()+

6++) ;2>, N(31 =+"] &"r6 ,2)1 (: >2,+ 3) 3)()=/(86 3/3D()-.(/- & 1()r" "!2),

"!+= !39+ !+'(2) () "!+'+H B8" "!+= 3'+ 6+>>2)* ("!+' 6"8::- ?!+= B362.3>>= 86+

B2".(2) 3)1 "(' "( B'(,+' 3)()=/(86 "'3)63."2()6- &"r6 3"!""#$%%"=1*..=,2J#B8d8D-()2()- ?!(6+ )(" :3/2>23' 72"! ?(' .3) *( "(

62>,'(31cZR-7('1#'+66-.(/ :(' 2)6"'8."2()6 () !(7 "( 3..+66 "!+ -()2() 62"+-

F+" /+ ,)(7 7!3" =(8 *8=6

think!""#6$%%B2".(2)"3>,-('*%2)1+J-#!#]"(#2.bS\Q-/6*cZc\^v/6*cZc\^
https://bitcointalk.org/index.php?topic=175.msg42479#msg42479http://tydgccykixpbu6uz.onion/https://bitcointalk.org/index.php?topic=175.msg42479#msg42479https://bitcointalk.org/index.php?topic=175.msg42479#msg42479https://bitcointalk.org/index.php?topic=175.msg42479#msg42479http://tydgccykixpbu6uz.onion/https://bitcointalk.org/index.php?topic=175.msg42479#msg42479


40/51

!""#$%%&'()*++,-.(/

An account named 3>"(21 also made 3 #(6" () G2".(2)"3>,-('* 3B(8" >((,2)*

:(' an IT #'( 2) "!+ B2".(2) community and asked interested parties to contact

+#,,9=>+?8"' &' @6&?= :#' 8#6 (10/11/11L-

!""#6$%%B2".(2)"3>,-('*%2)1+J-#!#]"(#2.bc\_SS-R
https://bitcointalk.org/index.php?topic=47811.0https://bitcointalk.org/index.php?topic=47811.0https://bitcointalk.org/index.php?topic=47811.0


41/51

!""#$%%&'()*++,-.(/

Ulbrichts Google+ profile show an interest in the W26+6 Institute a world

.+)"+' (: "!+ 086"'23) ;.!((> (: +.()(/2.6.

Dread Pirate Roberts signature on the Silk Road forums had a link to the W26+6

&)6"2"8"+- 086"'23) O.()(/2. "!+('= 736 3>6( 6"3"+1 B= A'+31 C2'3"+ N(B+'"6 "(

be influential to the the Silk Roads philosophy.


42/51

!""#$%%&'()*++,-.(/

gN(66 I>B'2.!". account also posted on ;"3.,M9+':>(7 36,2)* :(' !+># 72"! CVC .(1+ "(

connect to a Tor hidden service. The username was quickly changed to frosty

KRT%Sd%SZL-

!""#$%%6"3.,(9+':>(7-.(/%k8+6"2()6%SQccQZ_Q%!(7


43/51

!""#$%%&'()*++,-.(/

;(/+()+ 736 .())+."2)* "( 3 6+'9+' "!3" !(6"6 "!+ ;2>, N(31 :'(/ 3) &)"+')+"

.3:w )+3' 7!+'+ N(66 >29+1 2) ;3) @'3).26.(- C'293"+ /+663*+6 () ;2>, N(31

/3,+ 2" 6++/ A'+31 C2'3"+ N(B+'"6 >29+1 2) "!+ C3.2:2. "2/+ D()+-

&C (: 3 ;2>, N(31 6+'9+' 736 3""3.!+1 "( 923 3 qCE 6+'9+' "!3" 736 .())+."+1 "(

B= 3) &C B+>()*2)* "( 3) &)"+')+" .3:+ () F3*8)3 ;"'++" 2) ;3) @'3).26.( :'(/

7!2.! I>B'2.!" !31 3>6( .())+."+1 "( !26 Y/32> 3..(8)" 72"! KB("! () X8)+ THZRSTL-

CW "( A'+31 C2'3"+ N(B+'"6 :'(/ 3 86+' 6321 "!+ 62"+ 736 >+3,2)* g6(/+ 6('" (:

+J"+')3> &C 311'+66g B+>()*2)* "( "!+ qCE-

@G& 6"3'"6 "3,2)* 1(7) ;2>,N(31 servers, though Im are not sure how they were

:(8)1- 5(8>1 !39+ B++) /()+= "'32> "( 3>236+6H (' 36 E2.!(>36 [+39+'

.()P+."8'+1H "!+= !3.,+1 ;2>,N(31 3)1 /31+ 2" .()"3." 3) (8"621+6 6+'9+'without using Tor so it revealed its real IP. Once located, FBI was able to get a

.(#= (: ()+ (: "!+ 6+'9+'6-


44/51

!""#$%%&'()*++,-.(/

M) R\%SR%ST I; 586"(/6 2)"+'.+#"+1 ^ &A6 72"! 12::+'+)" )3/+6H B8" 3>> !392)* 3 #2."8'+ (:

I>B'2.!"- V(/+>3)1 ;+.8'2"= 2)"+'92+7+1 I>B'2.!"H B8" !+ 1+)2+1 !392)* ('1+'+1 "!+/-

Smart: ULBRICHT *+)+'3>>= '+:86+1 "( 3)67+' 3)= k8+6"2()6 #+'"32)2)* "( "!+ #8'.!36+ (:

"!26 (' ("!+' .(8)"+':+2" 21+)"2"= documents. Stupid: HoweverH IFGN&5V? 9(>8)"++'+1 "!3" g!=#("!+"2.3>>=g 3)=()+ .(8>1 *( ()"( 3

7+B62"+ )3/+1 g;2>, N(31g () g?('g 3)1 #8'.!36+ 3)= 1'8*6 (' :3,+ 21+)"2"= 1(.8/+)"6 "!+

#+'6() 73)"+1-

Roommates knew him as Josh. PMs show DPR was interested in getting fake IDs.


45/51

!""#$%%&'()*++,-.(/

;+'9+' 86+1 ;;V 3)1 3 #8B>2. ,+= "!3" +)1+1 2) :'(6"=h:'(6"=-;+'9+' 3>6( !31 6(/+ (:"!+ 63/+ .(1+ #(6"+1 () ;"3.,M9+':>(7-

O9+)"83>>=H () SR%RS%ZRST "!+ @G& F3)1+1 () !2/ 2) 3 F2B'3'= '2*!" 3:"+' !+ +)"+'+1 "!+

#3667('1 :(' !26 >3#"(#- W('+ +921+).+ 736 :(8)1 () !26 >3#"(#-

W('+ 2):( KG2* "!3),6 "( E3"+ 0)1+'6() :(' "!+ ('2*2)3> 3'"2.>+ 3)1 0*+)" 5!'26"(#!+'

?3'B+>> :(' .(8'" 1(.6L$

!""#$%%3'6"+.!)2.3-.(/%"+.!2.=%ZRST%SR%!(7


46/51

!""#$%%&'()*++,-.(/

F+66()6 F+3')+1$

U++# ()>2)+ 21+)"2"2+6 6+#3'3"+

U++# 12::+'+)" 86+')3/+6@'(/ 12::+'+)" >(.3"2()6

V39+ 3 .()626"+)" 6"('=

Dont talk about interests Dont 9(>8)"++' 2):('/3"2()a


47/51

!""#$%%&'()*++,-.(/

W3=B+]


48/51

!""#$%%&'()*++,-.(/

?3>, () A3',)+"6 2) *+)+'3>

!""#$%%777-2'()*++,-.(/%2-#!#]#3*+b921+(6%321+

!""#6$%%777-"('#'(P+."-('*%1(.6%"('-!"/>-+)

&ZC &)1+J "( ?+.!)2.3> A(.8/+)"3"2()!""#$%%777-2Z#Z-1+%!(7
http://www.irongeek.com/i.php?page=videos/aide-winter-2011#Cipherspace/Darknets:_anonymizing_private_networkshttp://www.irongeek.com/i.php?page=videos/aide-winter-2011#Cipherspace/Darknets:_anonymizing_private_networkshttp://www.irongeek.com/i.php?page=videos/aide-winter-2011#Cipherspace/Darknets:_anonymizing_private_networkshttp://www.irongeek.com/i.php?page=videos/aide-winter-2011#Cipherspace/Darknets:_anonymizing_private_networkshttp://www.i2p2.de/faq.htmlhttp://www.i2p2.de/faq.htmlhttps://trac.torproject.org/projects/tor/wiki/doc/TorFAQhttps://trac.torproject.org/projects/tor/wiki/doc/TorFAQhttps://www.torproject.org/docs/tor-manual.html.enhttps://www.torproject.org/docs/tor-manual.html.enhttp://www.i2p2.de/howhttp://www.i2p2.de/howhttp://www.i2p2.de/howhttps://www.torproject.org/docs/tor-manual.html.enhttps://trac.torproject.org/projects/tor/wiki/doc/TorFAQhttp://www.i2p2.de/faq.htmlhttp://www.irongeek.com/i.php?page=videos/aide-winter-2011#Cipherspace/Darknets:_anonymizing_private_networks


49/51

!""#$%%&'()*++,-.(/

&)"'( "( A3',)+"6$ ?(' 3)1 &ZC [(',6!(#!""#$%%777-2'()*++,-.(/%2-#!#]#3*+b921+(6%2)"'(


50/51

!""#$%%&'()*++,-.(/

A+'B=.()

;+#" Zc"!


51/51

cZ

?72""+'$ h&'()*++,p0A5

dropping docs on darknets: how people got caught

Documents