Over the years there has been an on-going battle between law enforcement and those who use technology-based anonymity to perform their illegal deeds. Some of the FBI's tricks to break through the anonymity have created interesting challenges, such as the "Operation Pacifier
" case, where the FBI used court orders to allow them to use hacking tricks to expose the true locations of members of a child sexual exploitation site with 150,000 members, leading to 350 US arrests and 548 international arrests. In that case the FBI deployed "Network Investigative Techniques" (NITs) to learn the IP addresses of top members of a TOR protected .onion server. To clarify the legality of that situation, Rule 41 of the Federal Rules of Practice and Procedure was amended in 2016 under some controversy, as we blogged about in "Rule 41 Changes: Search and Seizure when you don't know the Computer's location
In the current case, "Operation: Dark Gold", perhaps as a demonstration that the old "Follow the Money" rule can work even in these modern times, law enforcement posed as cryptocurrency exchangers, offering attractive conversion rates to USD even for those clearly involved in criminal activity. After Alexander Vinnik's BTC-e exchange was shuttered, with the owner accused of facilitating the laundering of $4 Billion in illicit funds, Dark Market vendors had a real problem! How do you turn a few million dollars worth of Bitcoin into money that you can spend in "the real world?"
That's just the kind of problem that the Department of Justice's Money Laundering and Asset Recovery Section is happy to help criminals solve. In a major operation, Special Agents from Homeland Security Investigations in New York posed as money launderers on various TOR-protected dark markets. As the money launderers were able to drive conversations "off platform" they had the opportunity to refer cases around the nation and around the world. So far, more than 90 cases have been opened, leading to investigations by ICE's HSI, the US Postal Inspection Service, and the US Drug Enforcement Agency. 65 targets were identified and 35 Darknet vendors have been arrested so far. At least $20 million in Bitcoin and other cryptocurrencies was seized, as well as 333 bottles of liquid opioids, 100,000 tramadol pills, 100 grams of fentanyl, 24kg of Xanax, 100 firearms, including assault rifles and a grenade launcher, five vehicles, and $3.6 million in cash and gold bars. They also seized 15 pill presses, and many computers and related equipment.
Powell and Gonzalez (BonnienClyde)
The case against Nicholas Powell and Michael Gonzalez really explains the background of some of these cases well.
"In or about October 2016, HSI NY, USPIS, the USSS, and the NASA Office of Inspector General, apprehended a Cryptocurrency Exchanger/Unlicensed Money Remitter herein rferred to as Target Subject-1. With TS1's cooperation, agents began investigating TS1's customers. From the limited subset of customers for whom TS1 saved any kind of personal information (such as the names and addresses to which TS1 had shipped the customers' cash), agents identified a number of vendors selling illegal goods and services on the dark net." (Gar-note: NASA OIG has one of the coolest most proactive cybercrime teams in Federal government. Little-known FACT!)
"With TS1's permission, agents took control of TS1's online accounts and identity, initiating an undercover operation using that identity to create new accounts (the "UC Vendor Accounts") targeting dark net drug vendors who utilized TS1's services to launder their illicit proceeds. Since January 2017, agents have advertised the UC Vendor Accounts' services on AlphaBay, HANSA, and other dark net marketplaces, which has led to hundreds of bitcoin-for-cash exchanges. Because TS1's original business model involved sending cash to physical addresses, each UC Vendor Account transaction has provided agents with leads on the identities and locations of their counterparties. Individuals who used the UC Vendor Account were charged a fee notably higher than the fee charged by Bitstamp or other exchanges with Know Your Customer protocols. This and other evidence helped establish that many of these "customers" were likely dark net vendors or controlled substances or other illicit goods. Furthermore, and as explained below, in some instances, agents have successfully utilized undercover buyer accounts on dark net marketplaces to conduct undercover drug buys from vendors believed to be the UC Vendor Accounts' customers."
In this case, Law Enforcement first caught up with Michael Gonzalez in Parma, Ohio. He claimed Nicholas Powell was the mastermind, and the only got paid to help with shipping and packaging of "a few orders." His job was to measure out 500 gram bags of Xanax powder and handle the shipping. Powell was found and interviewed in his home at 5283 Bevens Ave, Spring Hill, Florida on May 22, 2018. Powell confirmed that he had begun selling steroids and weed on the dark net. Later he became a drop shipper, arranging shipments from China to be delivered domestically. Powell started on Silkroad 2, using the name BCPHARMA, selling steroids and GHB that he purchased from China. He sold on Agora and AlphaBay as BONNIENCLYDE or BNC. Later he also used that alias on Evolution Markets. He also shifted later to selling Xanax and steroids on AlphaBay. He claimed he physically destroyed the computer he used for this work, and later also destroyed two Apple computers.
Powell confirmed that he used TS1 to convert between $10,000 and $40,000 in crypto currencies to cash at a time, and would receive the packages via USPS Express. He claims a Canadian vendor wanted to buy his online identity, and that he made $100,000 by transferring the "BONNIENCLYDE" id to the Canadian.
Powell willingly signed over to agents $438,000 worth of cryptocurrencies.
TrapGod was an online vendor alias shared by Antonio Tirado, 26 and Jeffrey Morales, 32, of Bronx, New York. An affidavit from Antonio's search warrant shows he was growing marijuana and packaging and shipping both LSD and Cocaine.
Here's a photo of some of TrapGod's goods for sale on one dark market.
The 2050 means that 2,050 people have rated this vendor's services, giving an average review of 4.79 out of 5 stars. Even the "bad" reviews, show that Trapgod was good to do business with. One says "Vendor has been top notch. Then got some really sub-par stuff. Contacted vendor. He said he'll take care of me next time. Will post again..." Comments include things like "Great shipping, good stealth." and "Stealth was good, my package was well hidden and secure. Quality is good, after testing I found that the product is about a 80/20 cut as described! I like honesty, plus seller put a little extra in my order!!" "Shipment was delayed, quality not so good. However vendor sent an additional shipment to make up for it. The price is good, but I'd rather pay more for higher quality."
Unfortunately, Morales and Tirado either weren't the only ones behind the Trapgod alias, or they are continuing to sell while out on bail. Morales and Tirado's homes both got hit July 20, 2018, but there were fresh reviews posted yesterday (July 3, 2018).
The next group were worked as a single case (1:18-mj-05193-UA) also in New York, and involved raids on three houses in Flushing and Mt. Sinai, New York. Charges are brought against Jian Qu, Raymeond Weng, Kai Wu, Dimitri Tseperkas
, and Cihad Akkaya
Kai Wu and Jian Qu were in one home, where $200,000 in cash, 110 kg of marijuana, and "680 grams of unidentified powders" were seized.
Residence-2 yielded 12kg of Alprazolam, 10kg of marijuana vape cartridges, 570 grams of ecstasy, "12kg of unidentified powder" and four pill presses, used to press powders into ecstasy tablets. There were also at least 2 kg of THC gummies.
Residence-3 was the home of Dimitri Tseperkas and Cihad Akkaya, where law enforcement recovered $195,000 in cash, 30kg of marijuana, and three loaded shotguns and 100 shotgun shells.
Videos recovered from the cell phones of Wu and Weng (who was not home, but has been observed repeatedly at Residence-1) reveal they also have at least two marijuana grow houses.
Ryan Farace, who the indictment makes clear "has no known medical education, qualifications, or licensing in the State of Maryland or elsewhere", yet he and his partner were manufacturing and distributing serious amounts of Xanax. So much so that the indictment calls for them to forfeit $5,665,000 in cash as well as a Lincoln Navigator, a GMC pick-up truck, and 4,000 Bitcoins (which currently would be the USD equivalent of more than $26 MILLION dollars!
Not bad for the former parking lot attendant of a Home Depot ... according to Ryan's Facebook, where both of the named vehicles are featured:
The indictment charges the pair with "Conspiracy to Manufacture, Distribute, and Possess with Intent to Distribute Alprazolam" (aka Xanax) (21 USC section 846) as well as "Maintaining Drug-involved Premises" (21 USC section 856) and "Conspiracy to Commit Money Laundering" (18 USC section 1956).
Jose Robert Porras III and his girlfriend, Pasia Vue
, were selling marijuana and crystal meth, as well as Xanax and Promethazine-codeine cough syrup (Lean). The HSI agent noticed on their Dream Market account that they shared their rating from Hansa. Big mistake. The Dutch High Tech Crimes Unit has the seized servers from Hansa and is happy to do lookups for law enforcement. This revealed that "CANNA_BARS" had earned about 56 bitcoins on Hansa, selling crystal meth in quantities as large as 1 pound bars! They described the product there as "this crystal is directly from manufacturers in mexico so it is made with the highest qaulity products that cant be found in the us. expect the highest qaulity on hansa for the cheapest." The same criminal also couldn't spell "qaulity" right on Dream Market, which was further confirmation this might be the same guy. From Dream Market "whats up we are canna_bars a vendor of top qaulity weed we offer qps to multiple pounds we are operating out of northern california and have direct relationships with many growers so expect good qaulity for cheap prices."
By searching for this signature typo, "qaulity" for "quality", the agent was also able to confirm that CANNA_BARS was the same person that sold as THEFASTPLUG on Wall Street Market, another dark net marketplace. They completed 60 orders there between Feb 2018 and May 13, 2018.
One of his loyal customers, y***h, is apparently wishing him well after learning of the arrest ... in the comments section for THEFASTPLUG on Wall Street Market, they made this July 2, 2018 comment:
In one photograph shared by CANNA_BARS, his hands are shown, palms up, holding marijuana buds. The fingerprints of the open palms were so clear that they could easily be used to run a fingerprint match:
The HSI Forensic Document Laboratory returned a fingerprint match confirming that the image showed the fingerprints for Jose Robert Porras III, who had prints on file.
CANNA_BARS offered "free samples" of marijuana, which the agent asked for and had shipped to another state. The package arrived and was confirmed to contain marijuana. (The inner package was wrapped in fabric softener sheets, presumably to stop drug-sniffing dogs?)
HSI surveillance was used to follow Porras and Vue to a US Post Office where they shipped packages, a Bank of America branch where they had accounts, and to a storage unit, where they maintained their inventory. Undercover purchases from CANNA_BARS of two pounds of marijuana, and THEFASTPLUG of three pounds of "og kush" marijuana were able to be observed in the gathering and shipping end of the surveillance, providing "end-to-end" proof of the identity of the criminals.
Some of the bitcoin that was used by CANNA_BARS was able to be linked via blockchain analysis to accounts that had a bit of KYC information attached. This revealed four accounts at one exchanger, including one each for VUE (using the email "firstname.lastname@example.org" and (916) 228-1506) and PORRAS. These further linked to several bank accounts, two in the name of Pasia Vue, one in the name of Marcos Escobado
(a brother(?) of Porras, and another in the name of Julie Hernandez. Escobado was arrested in Oregon for possession of methamphetamine and had received $11,000 from the bitcoin exchanger in four transactions.
After TS1's money exchanger service was taken over by the feds, the couple did four more transactions, receiving $56,000 in cash shipped from New York to their drops in Live Oak and Sacramento, California.
In addition to the Drugs and Money laundering charges, Porras was charged with Felon Possessing a Firearm:
Sam & Djeneba Bent
Less details are revealed in the Vermont indictment against Sam & Djeneba Bent. Same used dark markets to sell Ecstasy (MDMA), LSD, marijuana, and cocaine, and used the TS1 money exchanging service to cash out more than $10,000 from bitcoin to USD.
They are charged with using a false return address on a package shipped through the postal service.
(Just joking, I know this got long and I wondered if anyone had read this far, haha.)
Daniel Boyd McMonegal
McMonegal became a dark market vendor in or around December 2016, which might be how he chose his vendor name, Christmastree. McMonegal, according to the affidavit by Homeland Security Investigations, incorporated a "medical marijuana delivery dispensary" in December 2, 2016 under the name "West Coast Organix" in San Luis Obispo, California, and almost immediately started selling the drugs via interstate postal delivery via Dream Market using his Christmasstree vendor name.
From June 15, 2017 to May 12, 2018, Christmastree sold 2,800 packages and earned a 4.98 rating on Dream Market!
The rave reviews from buyers make it clear Christmastree really knew his stuff with high ratings on his Blue Dream, OG Kush, Super Silver Haze, Blackberry Kush, and many others.
Like the others, McMonegal's downfall was getting his Bitcoin turned into cash. After the time the federal agents controlled TS1's exchange business, McMonegal used it to cash out at least $91,000 which was shipped to him in Mariposa, California in six shipments between April 2017 and March 2018.
IMMIGRATIONS AND CUSTOMS ENFORCEMENT
For all the crap that is in the news recently about ICE, Homeland Security Investigations, the team that was at the lead of many of these investigations, are using technology and brilliant investigators to help shut down some of the worst crimes on the Internet. If you know an ICE or HSI agent, make sure to let them know you appreciate what they are doing for us all!