People all over the globe rely on the dark web for many legitimate uses including journalists, whistleblowers, and citizens living under oppressive regimes. It is unfortunately also used by criminals.
However, their downfall is our gain. We can learn a lot from the mistakes made by now-caught criminals to harden our own OPSEC and avoid the same mistakes that can leak our identity and location when using the dark web.
Here are 5 ways dark web criminals were caught, and what we can learn from it to harden our own operational security.
1. Linking Real Identity to Online Aliases or Activities
Many dark web criminals are caught because they fail to maintain strict separation between their real-world identity and their online personas.
How they were caught
- Ross Ulbricht, the founder of Silk Road, made a major early blunder by promoting Silk Road on Bitcoin forums using the handle “altoid” and listing his real Gmail address, rossulbricht@gmail.com. Investigators later subpoenaed Google for metadata, confirming his identity and IP data.
- Similarly, Alexandre Cazes, the administrator of AlphaBay, used his personal email address “Pimp_Alex_91@hotmail.com” on all of AlphaBay’s welcome emails to new users. This email was linked to posts he made on a French-language online technology forum under his real name in 2008.
- Banmeet Singh, a dark web drug kingpin, used vendor aliases like “Liston” consistently across multiple dark web markets (Silk Road 1, Silk Road 2, AlphaBay, Hansa) and tied at least 19 email addresses to his transactions, creating a digital log linked to his financial trails and shipment networks.
- Andrey Turchin, known as Fxmsp, was identified because cybersecurity firms found email addresses, domains, and Jabber and social media accounts linked to him that were also connected to Fxmsp.
What we can learn from it
- Use Unique Aliases: Never reuse usernames or handles across different accounts or services, especially not between public and hidden platforms. Maintain strict compartmentalization; each alias should be disposable.
- Use Burner Emails: Create email accounts that are not tied to your real name or other aliases, preferably via Tor using services like ProtonMail or Tutanota. Avoid recovery emails or phone numbers that can trace back to you. For temporary use, services like Tempmail or AnonAddy can be utilized (Pro Tip: Do not use a custom domain).
- Diversify Behaviors and Characteristics: Avoid linking different user profiles by varying login times, linguistic expressions, and other identifiable characteristics. Consciously vary your behaviors and the details you share across different services or profiles.
2. Leaving Digital Footprints and Metadata Leaks
How they were caught
- The hacker ‘Waifu’ (Connor Moucka) was tracked by analyzing data transfer methods and tracking IP addresses used during the attacks. Forensic experts investigated dark web activity and linked it to the hacker.
- IntelBroker (Kai West) was tied to his online activities because investigators linked cryptocurrency addresses used in transactions with undercover officers to online accounts registered by West, including those under an alias and his personal email accounts. They also tied him through the same IPs being used on multiple occasions by both West and IntelBroker, and by correlating YouTube videos watched by West (based on his IP) with IntelBroker’s posts on a cybercrime forum.
- In the Kimberly Bell murder case, investigators revisited emails, text messages, and call logs for clues, and examined metadata from social media images to reconstruct timelines.
- Onion Service operators have a high rate of misconfigurations where metadata, especially IP addresses in logs, is leaked, making them prone to unwanted exposure.
What we can learn from it
- Stay Vigilant About Metadata in Files: Be aware that files (images, documents) can carry hidden data like creation dates, locations, and device information. Cryptographic keys might also contain sensitive information. Consider stripping or anonymizing metadata before sharing files.
- Limit Information Disclosure: Configure software to minimize information provided to clients, such as disabling or altering services that reveal software versions and unnecessary debugging information. Remove or anonymize identifiers.
- Implement End-to-End Encryption: Use end-to-end encryption for communications, but be aware that it protects content, not sender-receiver relations or other metadata.
- Use Tor Bridges with Pluggable Transports: These can help disguise Tor usage from Internet Service Providers or third parties on your local network, preventing traffic pattern analysis.
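The IP-addresses-in-logs failure and the "limit information disclosure" point above (and the log-management advice in section 5) can be turned into something checkable. This is an added example, not code from the post: a redaction pass over access-log lines in the common Apache/nginx combined format that drops the client address and user agent, coarsens the timestamp to the hour and cuts the query string. The log format, the sample lines and the choice of what to keep are my assumptions.

```python
import re

# Apache/nginx "combined" access-log format; the sample lines below are constructed.
COMBINED_RE = re.compile(
    r'^(?P<addr>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)
DROPPED = '- - - [-] "<unparsed line dropped>" - -'

def redact_log_line(line: str) -> str:
    """Keep the operational part of one access-log line and strip identifiers.

    Client address, ident, user, referer and user-agent are replaced or removed,
    the timestamp is coarsened to the hour, and the query string is cut from
    the request line, since all of these routinely carry identifying data.
    Lines that do not parse are dropped rather than passed through unredacted."""
    m = COMBINED_RE.match(line)
    if m is None:
        return DROPPED
    # "10/Oct/2024:13:55:36 +0000" -> "10/Oct/2024:13:00:00 +0000"
    hour_only = re.sub(r":(\d\d):\d\d:\d\d ", r":\1:00:00 ", m["time"])
    # "GET /login?user=alice HTTP/1.1" -> "GET /login HTTP/1.1"
    no_query = re.sub(r"\?\S*", "", m["request"])
    return f'- - - [{hour_only}] "{no_query}" {m["status"]} {m["size"]}'

def redact_log(lines):
    """Redact a whole log, one line at a time."""
    return [redact_log_line(l.rstrip("\n")) for l in lines]

# Constructed sample log: documentation address ranges, made-up names and paths.
SAMPLE_LOG = [
    '203.0.113.45 - - [10/Oct/2024:13:55:36 +0000] "GET /login?user=alice HTTP/1.1" '
    '200 2326 "https://example.net/start" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2001:db8::1 - admin [10/Oct/2024:14:02:01 +0000] "POST /api/upload HTTP/1.1" '
    '201 512 "-" "curl/8.4.0"',
    'garbage line that is not in combined format',
]

if __name__ == "__main__":
    for original, redacted in zip(SAMPLE_LOG, redact_log(SAMPLE_LOG)):
        print(f"{original}\n  -> {redacted}")
```

Not logging at all (for example `access_log off` in nginx) is the stronger option; this is for the case where operational statistics are still needed.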
3. Compromised Devices
How they were caught
- Ross Ulbricht was physically surveilled by agents in San Francisco who tailed him to libraries where he frequently accessed Silk Road. The FBI staged a diversion to grab his laptop while it was still unlocked and in use, revealing private logs, journals, market code, server keys, and Bitcoin wallet files.
- In the Park Magic hacking case, David Young was caught after investigators seized and examined his computer, finding evidence of the breach.
What we can learn from it
- Encrypt Devices: Use full-disk encryption (e.g., BitLocker, FileVault, LUKS) and consider hidden, encrypted volumes for plausible deniability. Always shut down, rather than sleep, your machine when not in use.
- Compartmentalize Identities: Separate personal, professional, and anonymous activities using different devices, browsers, virtual machines, or bootable OSes like Tails OS (which saves no data between sessions). Never log into personal accounts from a system used for anonymous activity.
- Assume You Are Being Watched: Operate under the mindset that someone is always watching. Avoid writing incriminating information, even in private journals, and use secure messaging tools like Signal or Session for sensitive discussions.
4. Poor Cryptocurrency Usage and Obfuscation
How they were caught
- Banmeet Singh attempted to use “peel chain” techniques and tools like Wasabi Wallet, but authorities were still able to trace hundreds of millions of dollars via blockchain analytics, linking his addresses into distinct clusters associated with his dark-web vendor alias. These seized Bitcoin assets were later transferred, underscoring their traceability.
- In the “Welcome to Video” CSAM cases, investigators seized the website and tracked cryptocurrency payments to identify the defendants.
What we can learn from it
- Understand that Cryptocurrencies Aren’t Inherently Anonymous: While some cryptocurrencies offer more privacy, many (like Bitcoin) allow third parties to see the flow of funds.
- Use Privacy-Focused Cryptocurrencies: Consider using cryptocurrencies specifically designed for privacy, such as Monero.
- Employ Decentralized Mixing Protocols: If using pseudonymous cryptocurrencies, use decentralized mixing protocols like CoinJoin to obfuscate transaction flows.
5. Device and Network Misconfigurations
Not properly setting up your devices and your Tor configuration can lead to data leaks that expose your identity and location.
How they were caught
- The Silk Road login form was poorly configured and pulled resources (like CAPTCHA images) from the clearnet server instead of routing them through Tor, inadvertently exposing the server’s real IP address. This misconfiguration allowed the FBI to pinpoint the server’s location and request assistance from Icelandic authorities to image it.
- The Playpen Onion Service, dedicated to CSAM, was found to have a clear misconfiguration that allowed it to be accessible directly from the internet, not just via Tor. This led to law enforcement obtaining a search warrant and copying the server contents, revealing the administrator’s IP address. The Freedom Hosting Onion Service was also deanonymized by an IP address leak.
What we can learn from it
- Tunnel All Traffic Through Tor: It is crucial to route all traffic for the Onion Service exclusively through the Tor network to prevent accidental bypasses that could expose the server’s real IP address or other identifying information.
- Implement Secure Log Management: Log files can contain sensitive information. Securely manage these files and implement policies that limit the amount of sensitive information logged.
- Avoid Reusing Configurations and Software Code: Shared characteristics, such as special configurations or reused software code, can link multiple Onion Services together, compromising their anonymity.
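The Silk Road CAPTCHA leak described above is exactly the kind of thing a pre-deployment check of the service's own pages can catch. This is an added example, not code from the post: it scans an onion service's HTML for resource references (img, script, link, form and similar) that point at a clearnet host or a bare IP address instead of a .onion name or a relative path. The sample page, its hostnames and the placeholder onion address are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes whose values make a client (or the service itself) fetch something.
RESOURCE_ATTRS = {"src", "href", "action", "data", "poster", "formaction"}

def is_onion_host(host: str) -> bool:
    """True only for v3 .onion names (56 base32 characters); anything else is clearnet."""
    return re.fullmatch(r"[a-z2-7]{56}\.onion", host or "") is not None

class ResourceCollector(HTMLParser):
    """Collects every attribute value that references a fetchable resource."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in RESOURCE_ATTRS and value:
                self.urls.append((tag, name, value))

def find_clearnet_leaks(html: str) -> list:
    """Return (tag, attribute, url) tuples that reference a host outside Tor.

    Relative URLs and .onion hosts pass. Anything with a non-onion hostname,
    including protocol-relative "//host/..." URLs and bare IPs (the Silk Road
    CAPTCHA case), is flagged because it exposes a server the operator runs."""
    parser = ResourceCollector()
    parser.feed(html)
    return [(tag, attr, url) for tag, attr, url in parser.urls
            if urlparse(url).hostname and not is_onion_host(urlparse(url).hostname)]

# Constructed sample login page; hosts are documentation placeholders.
ONION_HOST = "a" * 56 + ".onion"
SAMPLE_PAGE = f"""
<html><body>
<form action="/login" method="post">
  <img src="http://198.51.100.7/captcha.php" alt="captcha">
  <script src="https://cdn.example.net/app.js"></script>
  <link rel="stylesheet" href="/static/style.css">
  <img src="http://{ONION_HOST}/logo.png" alt="logo">
</form>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_clearnet_leaks(SAMPLE_PAGE):
        print(f"clearnet reference in <{tag} {attr}>: {url}")
```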
Cover your tracks
By understanding these common operational security failures, individuals seeking anonymity on the dark web can learn from past mistakes and implement stronger practices to protect their identities and activities. However, it’s important to remember that even with perfect OpSec, prolonged activity increases the chance of human error and eventual compromise.
Stay up to date. Stay vigilant.
Multi-disciplinary IT support strategist with 15+ years experience empowering entrepreneurs, corporate colleagues and remote teams with the knowledge, skills and technologies to get stuff done. | Sec+ – CySA+ (CSAP) – ITIL – ACSP