Analysis: Law Enforcement Efficiency in Darknet Investigations

Posted on 6 March 2019 by Darkwebnews @darkwebnews

Law enforcement agencies are consistently faced with the necessity to improve their knowledge of the groups they target in investigations.

Depending on the type of operation, the effort required varies widely, and in the more serious cases investigators in one region call on law enforcement bodies in other parts of the world for assistance.

One area authorities find especially hard to deal with is dark web operations, which have proved very complicated: tracing the key suspects can take weeks, months or even years of investigation before an arrest is finally made and the culprit charged.

For the bigger and more complex darknet operations, security agencies also tend to seek the assistance of their counterparts abroad.

One major example of this came in July 2017, when authorities in different parts of the world brought down two of the largest darknet markets of the time, AlphaBay and Hansa.

Their collaboration was essential to the operation's success because the buyers, sellers and administrators of the markets were based in different jurisdictions.

As such, there was no possible way to succeed in one of the biggest darknet seizures in history without the involvement of partner nations.

Now, almost two years later, the operation that brought down Hansa and AlphaBay continues to yield results for law enforcement, as investigators are still linking suspects to the now-defunct markets. The latest instance involves a California nurse arrested last month for allegedly selling a significant quantity of opioid pills on AlphaBay and other darknet platforms.

Cooperation Across Jurisdictions Is Key

Among the significant challenges faced by law enforcement agencies in bringing down markets is locating servers of the marketplaces, which are often found in other countries.

It could take months of monitoring activities to identify the specific location.

For example, when U.S. authorities were tracking down Ross Ulbricht, the founder of Silk Road, whose servers were located in Iceland, it was alleged that the Federal Bureau of Investigation had sought the assistance of the National Security Agency, an allegation the FBI denies.

If the NSA had tipped off the FBI to the location of Silk Road's server, obtaining that information would have involved some technique for defeating Tor's protections, a potential violation of U.S. privacy laws.

The FBI agents in charge of the operation, however, described how they traced the server in 2013 without resorting to technical procedures that would have required specialist expertise.

Instead, the FBI claimed it used simple tactics: entering miscellaneous strings of characters into the Silk Road login page until the site's responses revealed the real IP address of the market's server, and with it the server's location.

In court, the agents further stated that a misconfiguration in the login page was what allowed them to pull this off.

According to them, the site was misconfigured as a Tor hidden service, so that probing the login page caused the server to disclose its real IP address instead of keeping it hidden behind Tor.

By explaining to the court exactly how they pinpointed the server, they argued that no unlawful technique had been used.
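The check a practitioner would run against their own hidden service, after the leak described above, is to feed odd input into every page (the login form and its error paths included) through Tor and scan the raw responses for any clearnet address. The following is an added example written for this article; it is not the FBI's procedure and not Silk Road's code. It assumes the responses have already been captured as text (for instance through a Tor SOCKS proxy) and the two sample responses are constructed, with 203.0.113.45 (RFC 5737 TEST-NET-3) standing in for a real public address.

```python
"""Flag clearnet IPv4 addresses that a Tor hidden service leaks in its
HTTP responses.  Added example: not the FBI's procedure or Silk Road's code.
Assumes the raw responses were already captured (e.g. through a Tor SOCKS
proxy) and are passed in as text.  The sample responses below are constructed;
203.0.113.45 (RFC 5737 TEST-NET-3) stands in for a real public address."""
import ipaddress
import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Address space that never identifies a hosting location.  RFC 1918 ranges are
# listed explicitly rather than via ip.is_private because the stdlib also
# treats the TEST-NET documentation ranges as private, which would hide the
# stand-in address used in the sample.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "240.0.0.0/4",
)]


def is_routable(text):
    """True if text parses as an IPv4 address outside the non-routable ranges."""
    try:
        ip = ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        return False
    return not any(ip in net for net in NON_ROUTABLE)


def split_response(raw):
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers, body


def find_ip_leaks(raw):
    """Return [(where, ip)] for every routable IPv4 address in headers or body."""
    _, headers, body = split_response(raw)
    leaks = []
    for name, value in headers:
        leaks += [(f"header:{name}", ip) for ip in IPV4_RE.findall(value) if is_routable(ip)]
    leaks += [("body", ip) for ip in IPV4_RE.findall(body) if is_routable(ip)]
    return leaks


# Constructed samples.  The leaky one mimics an error path hit by feeding junk
# into a login form: both the redirect and the error page name the real host.
CLEAN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><form action='/login'>...</form></body></html>"
)

LEAKY_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: nginx\r\n"
    "X-Forwarded-For: 127.0.0.1\r\n"                 # loopback: ignored
    "Location: http://203.0.113.45/login?err=1\r\n"  # real host: flagged
    "\r\n"
    "<html><body>Bad request handled by 203.0.113.45:80</body></html>"
)

if __name__ == "__main__":
    for label, resp in (("clean", CLEAN_RESPONSE), ("leaky", LEAKY_RESPONSE)):
        print(label, find_ip_leaks(resp))
```

Error responses matter more than the happy path: a login form that behaves correctly for valid input can still fall back to a redirect or error template that names the host. The scan only covers what the application sends back; the usual hardening on the server side (the web server listening on the loopback address only, with the Tor hidden service mapped to it) is a separate configuration check.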

Once the foreign server had been identified, the FBI asked the Icelandic authorities for assistance with the investigation, requesting an image of the server and its routing information.

Because of the cooperation between the Reykjavik Metropolitan Police (RMP) in Iceland and the FBI, U.S. authorities were able to obtain more information that was crucial to the case.

The routing information showed a high volume of traffic from the Tor network flowing into the site.

The RMP also provided the FBI with captures of vendor postings, chats between users of the site and records of ongoing transactions, among other details confirming that the servers were hosted in the country.

Analysis of the code recovered from the server revealed another crucial piece of evidence: Ulbricht maintained a backup server in Pennsylvania.

Without this cooperation between the two countries, Ulbricht would likely not have been identified and arrested.

Identifying the servers is one of the most critical steps in a darknet investigation.

Once that is done, the next step is to trace the actual location of the people operating those servers, a process that can take anywhere from a few days to months, depending on how the infrastructure was set up.

Lengthy & Complicated Procedures Ahead

The seizure of a darknet market is just the first of many lengthy processes.

After bringing down the site, the next step is to identify the individuals who managed it and who ultimately collected the revenue it generated.

Authorities therefore use whatever resources are available, including data recovered from the servers, to pursue the culprits, a process that sometimes succeeds and sometimes turns into a wild goose chase.

In the Silk Road case, several individuals were caught years after the market's fall for their alleged association with Ulbricht.

One notable example is that of Roger Thomas Clark (known under the alias "Variety Jones"), who was arrested in December 2015 in Thailand.

Clark was Ulbricht's right-hand man and a critical player in the operation of Silk Road, and despite the fact that the market fell in October 2013, it took another two years for authorities to catch up with him.

To complicate matters further, it took more than two more years for authorities to have him extradited to the U.S. for trial.

As it stands, there are likely even more persons of interest who were either directly or indirectly involved with the management of Silk Road, but they may never face the law due to insufficient evidence against them.

From there, investigators work down the line of possible suspects until they reach the low-level offenders: the individual buyers and sellers.

Lessons from Other Markets

Apart from Silk Road, AlphaBay and Hansa serve as a case study in how the efficiency and coordination of law enforcement agencies can be decisive in dark web operations.

Just after the fall of AlphaBay, the authorities investigating the two markets, who had by then covertly taken control of Hansa, deliberately kept it running to observe how the displaced users behaved.

They spotted a pattern among the users who joined Hansa: many registered accounts with the same usernames and passwords they had used on AlphaBay.

Vendors went further, reusing their product listings and even their PGP keys, leaving matching data that could link their accounts across markets and point to their identities.
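The linking described above comes down to joining two sets of scraped vendor profiles on the identifiers that were reused. The following is an added example written for this article, not code from the Dutch police or from either market. It assumes the vendor profiles have already been scraped into the record shape shown; every account, handle, listing title and fingerprint in the sample is constructed. Password reuse, which the article also mentions, is not observable from scraped profiles and is not modelled.

```python
"""Correlate vendor accounts across two darknet markets by reused identifiers.
Added example, not code from Dutch police or from either market.  Assumes the
accounts were already scraped into the record shape below; all sample accounts,
usernames, listings and fingerprints are constructed."""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class VendorAccount:
    market: str
    username: str
    pgp_fingerprint: Optional[str]   # as displayed on the vendor profile, if any
    listings: FrozenSet[str]         # listing titles on that market


def norm_fingerprint(fp):
    """Upper-case hex with spacing removed, so 'abcd 1234' == 'ABCD1234'."""
    return re.sub(r"[^0-9A-F]", "", fp.upper()) if fp else None


def norm_username(name):
    return name.strip().lower()


def listing_overlap(a, b):
    """Jaccard similarity of two listing-title sets (0.0 when either is empty)."""
    return len(a & b) / len(a | b) if a and b else 0.0


def confidence(reasons):
    """A matching PGP key is strong evidence; a username alone is weak, since
    common handles collide across markets."""
    if "pgp" in reasons:
        return "high"
    if "username" in reasons and "listings" in reasons:
        return "medium"
    return "low"


def correlate(market_a, market_b, min_overlap=0.5):
    """Return (user_a, user_b, reasons, confidence) for every account pair that
    shares a PGP key, a username, or at least min_overlap of its listings."""
    matches = []
    for a in market_a:
        fp_a = norm_fingerprint(a.pgp_fingerprint)
        for b in market_b:
            reasons = []
            if fp_a and fp_a == norm_fingerprint(b.pgp_fingerprint):
                reasons.append("pgp")
            if norm_username(a.username) == norm_username(b.username):
                reasons.append("username")
            if listing_overlap(a.listings, b.listings) >= min_overlap:
                reasons.append("listings")
            if reasons:
                matches.append((a.username, b.username, tuple(reasons), confidence(reasons)))
    return matches


# Constructed sample data.
FP1 = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
FP2 = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"

ALPHABAY_SAMPLE = [
    VendorAccount("AlphaBay", "PillPusher", FP1, frozenset({"listing-1", "listing-2"})),
    VendorAccount("AlphaBay", "greenleaf", None, frozenset({"listing-4"})),
    VendorAccount("AlphaBay", "cardking", FP2, frozenset({"listing-6"})),
]
HANSA_SAMPLE = [
    # Same key, same handle (different case), most listings carried over.
    VendorAccount("Hansa", "pillpusher", FP1.replace(" ", "").lower(),
                  frozenset({"listing-1", "listing-2", "listing-3"})),
    # Same handle only: could just as well be a different person.
    VendorAccount("Hansa", "GreenLeaf", None, frozenset({"listing-5"})),
    # New handle, but the old PGP key and listing give the game away.
    VendorAccount("Hansa", "shopkeeper", FP2, frozenset({"listing-6"})),
]

if __name__ == "__main__":
    for user_a, user_b, reasons, conf in correlate(ALPHABAY_SAMPLE, HANSA_SAMPLE):
        print(f"{user_a} <-> {user_b}: {', '.join(reasons)} ({conf})")
```

The confidence tiering is the part worth keeping: a shared PGP fingerprint is close to proof that the same key holder is behind both accounts, while a shared handle on its own is a lead to be checked against other evidence, not a conclusion.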

After seizing control of Hansa's server, Dutch police were also able to analyze cryptocurrency transactions made on the market and eventually identify those involved.

Moreover, by assembling a team of highly qualified people with knowledge of different fields, authorities can conduct investigations more effectively.

Multidisciplinary collaboration means that problem-solving is done in a more productive way, due to the diversity of skillsets contributing to the task.

Tougher Times for Law Enforcement

While authorities are reportedly doing as much as they can to contain the situation, they appear to be making little headway in the long run.

The dark web industry is growing faster than authorities can keep up with through market seizures.

Despite a few notable successes, new markets are sprouting faster than old ones are taken down, and many learn from their predecessors' mistakes, building stronger and more sophisticated infrastructure to prevent data leaks.

For example, in an interview last year, the admin of Empire Market told Dark Web News that the site's server setup "is not half-assed" like that of other markets, which may leak the server's IP address and make it easy for third parties to infiltrate their systems.
