Darknet denizens, Fraud Magazine

Darknet denizens slither past the law

Date: January 1, 2018

The darknet is the latest example of technology that’s become a breeding ground for criminal activity. Combating virtual crime in this subset of the deep web is exceedingly difficult because of its anonymity. However, here are some ways law enforcement and fraud examiners are fighting these elusive miscreants.

The advertisement read like a script from a TV movie: “ ‘Breaking Bad’ untraceable ricin for sale.” Ricin is a biologic toxin that’s fatal when ingested. Except the offer wasn’t part of a crime drama — it was a real sales listing on a popular darknet marketplace. (See LaBelle man at heart of int’l poison plot sentenced, News-Press, Feb. 18, 2015.)

An undercover law enforcement officer, pretending to be a buyer, responded to the ad and claimed he needed the poison to kill an unsuspecting victim. The officer found positive feedback online from other customers about the seller, which indicated that he or she had successfully completed other transactions. The officer believed these reviews showed the posting was probably real.

The officer was surprised to quickly receive a nonchalant and confident reply from the seller, but then the seller probably thought he was protected by his anonymity. The online exchanges between the two continued for several weeks. Each message from the seller provided more specifics for finalizing the deal. They eventually agreed that the seller would provide a quantity of abrin — a plant toxin similar to ricin — for a payment of several thousand dollars’ worth of bitcoin. (See Facts About Abrin, Centers for Disease Control and Prevention.)

Even though buyers on the darknet pay online, the exchange of merchandise usually requires a physical transfer from person to person, which ends anonymity, according to Inside the Dark Web, by Max Eddy, PC Magazine, Feb. 4, 2015.

Depending on the terms of the transaction, sellers often send merchandise via commercial shippers. Sometimes, buyers and sellers meet face to face. This transaction was no different. To complete the toxin sale, the vendor needed to deliver it to the customer.

The investigator elicited enough information to determine the seller’s identity and approximate location. Law enforcement then agreed to arrange an exchange of the poison. The seller and the buyer — the law enforcement agent — agreed that the seller would leave the poison in a package at a designated place where the buyer could retrieve it. The seller described in detail where and how the abrin would be packaged, and they established a date and time for the drop. Law enforcement, who set up surveillance on the drop site, was still unsure if this was a legitimate deal or a scam. But, the target showed up and dropped the package on time. Surveillance officers identified the suspect by tracing his license plate. Shortly after the drop, they arrested him.

The suspect honored his side of the bargain: The package contained abrin, which laboratory analysis confirmed. And after police secured a search warrant for the suspect’s property, they found a shocking stockpile of ingredients for making poisons, narcotics and explosive devices. Remarkably, the subject admitted this wasn’t his first darknet sale. Police learned he’d sold doses of poison to customers in four different countries. [See the Department of Justice’s (DOJ) Feb. 18, 2015, release.]

U.S. law enforcement immediately contacted authorities in those countries, which resulted in additional arrests. According to the DOJ release, the abrin seller pleaded guilty to five counts of developing, producing, transferring and possessing toxins; five counts of smuggling toxins; and one count of conspiring to kill a person in a foreign country. He was subsequently sentenced to nine years in prison. This darknet vendor wasn’t a sophisticated, international crime lord. He was just an ordinary kid in his early 20s who’d learned how to concoct poisons by reading internet articles.

Intricacies of the internet

The darknet, also called the dark web — a subset of the deep web — is the latest example of technology that’s become a breeding ground for illegally making money, viewing or exchanging child pornography, or offering illegal services, such as murder for hire. To compound matters, virtual currencies — like bitcoin — allow individuals to transfer money from person to person anonymously, which further insulates them from recognition.

Most of the World Wide Web (the web) consists of the deep web and the darknet. The internet is referred to as the “clear net,” or the small fraction of the web that’s available and searchable using popular browsing software such as Internet Explorer, Google Chrome or Firefox. In fact, estimates are that 80 percent to 90 percent of the web exists below the surface, according to Shining Light on the Dark Web, by George Hurlburt, Computer, April 4, 2017, and The Man Who Lit the Dark Web, by Charles Graeber, Aug. 30, 2016, Popular Science.

A common pictorial metaphor likens the entire web to an iceberg in which the clear net is visible above the surface, but the deep web is the large portion that remains under water. Unlike the clear net, the darknet isn’t indexed, which means it can’t be investigated with traditional search engines. It also means that a user generally must know the actual web address to navigate to a particular darknet site.


The deep web also contains private websites that require login access or other authentication methods, says Hurlburt in the Computer article. Examples include online banking sites or insurance company sites that allow customers to access data from their servers.

Criminals constantly develop new ways to exploit technology, so law enforcement has to constantly learn and combat new schemes and strategies. Conversely, for every legitimate use of new technology, criminals have found corresponding methods to pull off their schemes. According to one study, more than half of darknet sites relate to illegal activity.

The technology behind the dark web

The darknet operates by passing network traffic through a series of random, anonymized “nodes,” or interconnected computers that transfer data in a circuitous route from point A to point B, according to Eddy in the PC Magazine article. According to the article, connection to the darknet requires software that encrypts the data it passes. Because these computers are anonymized, the hops between the start and end points of the data are generally impossible to track. Put simply, users access the darknet via specialized browser software, typically the Tor network (short for “the onion router”), which can access hidden services only available through the Tor network.

Various websites on the Tor network have specific URLs that direct the browser to sites. These URLs consist of what appear to be long, random strings of letters and numbers but are recognizable to the onion router. Behind these hidden websites is where criminals conduct their illegal activity. Ironically, the U.S. Navy developed Tor technology, according to Graeber in “The Man Who Lit the Dark Web.”

Virtual currencies or cryptocurrencies

Any discussion of the darknet — and specifically of the websites and marketplaces that cater to illegal products or services — isn’t complete without discussing the financial system that fuels this economy. Criminals, at least the smarter ones, typically don’t use traditional banking methods, especially for illegal purposes.

A benefit of a darknet transaction is it provides a secure way to exchange money for payment of goods or services without having to disclose a real identity. Darknet users achieve this with the help of virtual currencies, such as bitcoin, Monero and Ethereum — all intangible commodities traded for traditional currency.

These trades are done through an exchange, according to Amanda Haasz in her 2016 study, “Underneath it all: Policing International Child Pornography on the Dark Web,” from the Syracuse Journal of International Law & Commerce. Virtual currencies like bitcoin have a fluctuating trading value and can be acquired from a number of online websites or even from certain ATMs that allow customers to exchange fiat currency for the corresponding amount of bitcoin, which they use to consummate transactions.

A user acquires any of these currencies by simply creating an account with an exchanger (usually online) and connecting that currency’s “wallet” to a bank account. But, unlike a bank account, these wallets generally aren’t tied to a specific individual’s identity. Instead, the wallet’s given a unique address, or coded string of computer characters, that the system uses as the identifier to send or receive bitcoin or other cryptocurrency.

Like the darknet, wallets that send and receive bitcoin are basically anonymous. So, unlike traditional money transfers, they might not create a traceable audit trail. The irony about the bitcoin process is that all transactions are posted in a “blockchain” (an open, distributed ledger that can record transactions between two parties) and are publicly viewable — albeit behind a cloak of anonymity. (See The Truth About Blockchain, by Marco Iansiti and Karim R. Lakhani, Harvard Business Review, January/February 2017.)
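Because the ledger is public, an examiner can follow payments from one wallet address to the next until they reach an address that has already been tied to an exchanger, where the account is linked to a bank. The Python below is an added illustration, not part of the original article; the ledger, addresses and tag are constructed, and each transaction is simplified to one sender and one receiver.

```python
from collections import deque

# Constructed ledger: (txid, sender address, receiver address, amount in BTC).
LEDGER = [
    ("tx1", "addr_buyer", "addr_market_escrow", 0.50),
    ("tx2", "addr_market_escrow", "addr_vendor_1", 0.48),
    ("tx3", "addr_vendor_1", "addr_vendor_2", 0.30),
    ("tx4", "addr_vendor_1", "addr_unrelated", 0.18),
    ("tx5", "addr_vendor_2", "addr_exchange_deposit", 0.29),
    ("tx6", "addr_other", "addr_exchange_deposit", 1.00),
]

# Addresses the examiner has already attributed (hypothetical tag).
TAGS = {"addr_exchange_deposit": "exchanger account linked to a bank"}


def trace_to_tagged(ledger, start, tags, max_hops=6):
    """Breadth-first walk of outgoing payments from `start`.

    Returns the shortest chain of transactions from `start` to any tagged
    address, or None if no tagged address is reachable within `max_hops`.
    """
    outgoing = {}
    for tx in ledger:
        outgoing.setdefault(tx[1], []).append(tx)

    queue = deque([(start, [])])
    seen = {start}
    while queue:
        addr, path = queue.popleft()
        if path and addr in tags:
            return path
        if len(path) >= max_hops:
            continue                      # stop expanding past the hop limit
        for tx in outgoing.get(addr, []):
            receiver = tx[2]
            if receiver not in seen:      # avoid loops between wallets
                seen.add(receiver)
                queue.append((receiver, path + [tx]))
    return None


if __name__ == "__main__":
    for txid, src, dst, amount in trace_to_tagged(LEDGER, "addr_market_escrow", TAGS):
        print(f"{txid}: {src} -> {dst} ({amount} BTC) {TAGS.get(dst, '')}")
```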

Virtual currencies aren’t inherently illegal. In fact, some legitimate merchants now accept virtual currency, in addition to regular credit cards and other third-party payers like PayPal, as a method of payment for goods or services. But, online darknet marketplaces exploit the benefit of anonymity to facilitate the movement of funds from user to user. (See “Underneath it all ...” by Haasz.) In the same way that users mask their identity on the Tor network, the transfer of virtual currencies from anonymous wallet to wallet provides the perfect cover when the substance of the transaction itself is illegal.

Criminal activity

E-commerce and huge online shopping networks like Amazon and eBay have become increasingly popular. Each day, countless transactions for goods and services are completed online. But there’s a shadier side to some of these transactions. Between the anonymity of the darknet and virtual currency, criminals have found an environment where they can thrive. Since darknet users can operate behind a veil of secrecy, criminals can openly conduct illegal activity, with little fear of recognition by or interference from law enforcement. Online darknet marketplaces offer drugs, guns, counterfeit currency, identity documents, and other illegal goods and services.

According to a Dec. 9, 2015, Fortune article by Don Reisinger, The Things You Can Buy on the Dark Web Are Terrifying, the majority of darknet sites involve drug sales. However, many online marketplaces offer a variety of illegal products, which often are conveniently sorted by commodity. Automatic weapons, stolen identity information, fraudulent documents and even counterfeit U.S. and foreign currency are all advertised for sale. Registration on these websites is as simple as establishing accounts — usually by providing a nondescript username or moniker — and an email address (normally from an email provider that offers encrypted email service).


From there, it’s just a matter of a buyer and seller “virtually meeting,” establishing enough trust in each other and coming to terms about whatever they’re looking to exchange. The ability to conduct business on darknet market sites relies heavily on reputation, which can be difficult given restrictions that law enforcement face, according to Eddy in PC Magazine’s “Inside the Dark Web.” The ricin dealer in the case study had received positive comments from other customers, which bolstered his credibility on the marketplace.

Investigation and mitigation

It’s no secret that law enforcement has undercover presence on the darknet, either by “trolling” (sowing discord) or even offering goods and services, says Reisinger in “The Things You Can Buy on the Dark Web Are Terrifying,” and Eddy in “Inside the Dark Web.” In the ricin investigation, law enforcement simply responded to a posting that already existed and worked the investigation from there.

Infiltrating darknet websites is challenging for law enforcement — primarily because darknet users are hidden behind a wall of secrecy. Just as in traditional online investigations, law enforcement must think like criminals and learn the environment and language when engaging suspects.

Unfortunately, concerns about entrapment or other legal restrictions sometimes limit what police and other investigators can do when operating on the darknet. For example, it’s extremely difficult for law enforcement to complete the number of illegal transactions that would garner enough feedback for potential customers to trust them. Expertise and experience in cybercrime is helpful, and many techniques used by law enforcement aren’t public information, according to Hurlburt in “Shining Light on the Dark Web.” However, investigators still rely on traditional investigative finesse and methods. The trick for police operating on the darknet is to exploit vulnerabilities of bad actors. Exposing a crack in the anonymity, either by cross-checking open source information or gaining a target’s trust, can break a case open.

Sufficiently masking online presence is another important aspect to darknet crime fighting. Many darknet operators use their computer expertise to expose law enforcement. Also, some underground sites are volatile, which further complicates investigative strategies. Investigators can spend much time and effort on a particular site only to have the site unexpectedly shut down, according to Charles Graeber in The Man Who Lit the Dark Web, Popular Science, Aug. 30, 2016.

As criminals continue to use the darknet for nefarious purposes, software companies are developing products that, at least to some extent, crawl the deep web to make its content searchable. However, given that this environment, by design, is difficult to expose, results of these tools are marginal. Hopefully, as ethical programmers learn more about the darknet and its vulnerabilities, law enforcement will have additional products they can use to target criminal activity.

Implications

The global reach of the internet has allowed the darknet to create problems for law enforcement worldwide. Crimes that span international boundaries — and differing laws among these jurisdictions — only complicate matters.

Trying to identify real criminal targets on the darknet is like running through the forest blindfolded. As cybercriminals exploit new ways to hide, the job of law enforcement becomes more difficult. And with less chance of being caught, criminals will continue to find ways to exploit vulnerable victims.

Charles Rabeno, Ed.D., CFE, is a special agent with a federal law enforcement agency. His email address is: charles.rabeno@gmail.com.

 
