Saturday, August 04, 2018

Fin7 and the Perfect Phish

For the past twenty years, one of the main pieces of advice our industry gave to people regarding their email was "don't open attachments from people you don't know."  But what if your JOB is opening attachments from people you don't know?

On August 1st, the US Attorney for the Western District of Washington, Annette Hayes, and the FBI Seattle Special Agent in Charge, Jay Tabb, along with main Justice's head of the Computer Crimes and Intellectual Property Section (CCIPS), Deputy Attorney General Downing, gave a fascinating press conference about the FIN7 or Carbanak Group case.  (The link shows the 31 minute press conference on YouTube, where closed captioning is available.)

As AG Downing explained it, the FIN7 group would use a combination of emails and telephone calls to encourage people involved in catering or group reservations to open their malicious emails.  Imagine that your job is booking hotel rooms for group travel, or handling large catering deliveries for business meetings from your restaurant.  A new potential customer calls and says "I'd like to book forty hotel rooms for our sports team that is coming to play in a tournament in your town next month.  What email should I send the details to?"  Or "We're having an event at my office and need to order lunch for sixty people.  I know that I could use the online order form, but would you mind if I just sent you an email with the details?"  (I've done the latter myself when ordering FIFTY pizzas from Dominos!)

What sales person is NOT GOING TO OPEN THAT ATTACHMENT?  Right.  Every single one will do so!  Here's the flow of the attack that was shared at the Press Conference:

Depiction of one of the schemes used by cybercrime group FIN7.
(Image from the FBI Seattle Office)
Although the schemes I suggested sound complex, some of the emails shared during the press conference were quite simple:

Spear-phishing Email Image from

Three criminals were arrested in this scheme, each on their own indictment.  The first two were actually arrested in January 2018, but their arrest and information about their case remained secret as law enforcement continued to hunt for additional members of the FIN7 team.

Also appearing at the press conference were representatives from Visa and MasterCard: Marie Russo, SVP of Cards and Franchise at MasterCard, and Dan Schott, Senior Director of Visa.  Ms. Russo praised their participation in the NCFTA (the National Cyber Forensics Training Alliance), which offers a service that helps send stolen credit card information to the . Both Ms. Russo and Mr. Schott talked about their proactive means of identifying crime trends and coordinating with banks.  Mr. Schott reminded the audience that every Visa card service in the United States offers "Transaction Alerts" that will notify you when your card is used in a transaction. (Unfortunately Schott also quoted the mythical $600 Billion annual cost of cybercrime.)  

Is This Joker's Stash?

We don't know.  Although many of the victim companies have been anonymized, the indictment does reveal that "Victim-1" was the Emerald Queen Hotel and Casino (EQC) in Pierce County, Washington, "Victim-3" was Chipotle Mexican Grill, Victim-5 was the Boeing Employee Credit Union, Victim-6 was Jason's Deli, Victim-8 was Red Robin Gourmet Burgers and Brews, Victim-9 was Sonic Drive-in, and Victim-10 was Taco John's.  Trend Micro has previously published that FIN7 was also involved in breaches at Trump Hotels, Whole Foods, Saks Fifth Avenue and Lord & Taylor.  That latter group of cards is known to have been trafficked on the criminal card market "Joker's Stash", and Trend Micro actually equates the groups.  Their April 2, 2018 press release, "Bank Card Data of Five Million Stolen in Saks and Lord & Taylor Data Breach," begins with the sentence:  "A hacking syndicate known as JokerStash (also identified as Fin7 and Carbanak) announced the sale of five million payment cards on the dark web last March 28."

Trend Micro (click for full article)
Brian Krebs is one of the journalists who have written extensively about Joker's Stash.  In this image from his blog post "Will the Real Joker's Stash Come Forward", he shares an image of the card "base" "FIRETIGERRR" associated with the Sonic Drive-In data breach, showing a screenshot of the September 26, 2017 announcement on Joker's Stash about the availability of 5 million credit cards:

Sonic Drive-In cards being sold on Joker's Stash (image from

The indictments do not make the ties between FIN7 and Joker's Stash quite so strongly.  For example, in the Hladyr indictment:

"between approximately March 24, 2017 and April 18, 2017, FIN7 harvested payment data from point-of-sale devices at certain Victim-3 restaurant locations.  FIN7 stole millions of payment card numbers, many of which have been offered for sale through vending sites, including but not limited to, Joker's Stash, thereby attempting to generate millions of dollars of illicit profits.

Three Ukrainian masterminds arrested

Three Ukrainians, Fedor Gladyr (age 33), Andrey Kolpakov (age 30), and Dmytro Fedorov (age 44), were arrested in the current round of actions, although prosecutors made it clear that there will be more arrests in the future.  They also made clear that the top leader of this scheme has not yet been arrested.

Fedorov is said to have been the first to be arrested, in January 2018, in Poland.  A KyivPost article in February about a 44-year-old Ukrainian hacker being detained in Poland on an Interpol warrant is certainly about him ==> "Ukrainian Hacker detained, Faces 30 years in Prison."  

It is unknown how or if this is related to the Spanish Police arrest of "Dennis-K", said at the time to be the leader of the Carbanak Group, when he was arrested on March 26, 2018 in Alicante, Spain.  (A YouTube video about that arrest (in Spanish) is available as "Detenido hacker 1000 millones (Denis-K)".)  The Times of London called Denis-K a 30-year-old Russian-born Ukrainian citizen, living in Spain, whose malware was used in cyber attacks in more than 40 countries, and who owned two million-dollar houses.  At the time, Europol said this was the end of a 5-year cybercrime spree that had stolen $1.2 Billion. This does NOT seem to be the same person, despite the age match and the "K" last name, as the US case states that Kolpakov was arrested in "late June" in Lepe, Spain.

It is also unknown how or if this is related to the Ukrainian Police's arrest of members of the COBALT gang earlier this year.  Europol says that COBALT and CARBANAK are the same group.  It is believed by this author that the current FBI action in Seattle is targeting CUSTOMERS of the malware author group known as Cobalt/Carbanak.  Hopefully this will get sorted out in the near future.  

(Related stories:  

The superseding indictment of Fedor Gladyr
Fedor Gladyr, aka das, aka Fyodor, aka AronaXus, "served as a high-level systems administrator for FIN7 who maintained servers and communications channels used by the organization.  For example, FIN7 members requested Gladyr grant them access to servers used by FIN7 to facilitate the malware scheme.  He also played a management role in the scheme by delegating tasks and by providing instruction to other members of the scheme.  Gladyr used Jabber and HipChat to communicate with his teams.  The team used a JIRA server, usually used to track long software development projects, to communicate about the infiltration of their victims. As a few examples:

07SEP2016 - Gladyr opens an "issue" for Victim-6 for his conspirators to upload files of internal credentials for the company network.
JAN2017 - Dmytro Fedorov opens an "issue" for Victim-7 credentials to be posted.
05APR2017 - Fedorov opens an "issue" for Victim-9 credentials to be posted.

Some of the malicious infiltration of the victim networks came by emailing those malware-laden requests for quotes to companies.  Some examples include:

08AUG2016 - Victim-1, email from
08AUG2016 - Victim-1, email from
25AUG2016 - Victim-6, email from 
21&23FEB2017 - Victim-2 two emails
24-25MAR2017 - Victim-3 six emails 
05APR2017 - Victim-9 emails from 
11APR2017 - Victim-4 email from 
10MAR2017 - Victim-5 email 
27MAR2017 - Victim-8 email from 
25MAY2017 - Victim-4 email from (Subject: "takeout order")
12JUN2017 - Victim-10 email from (Attachment:

In the case of Victim-1, firewall logs indicate that between August 8,  2016 and August 31, 2016, there were at least 3,639 communications between their organization and "" addresses hosted on an IP address in Russia.

Not all of the emails were the "customer wanting a quote" type.  On 21FEB2017, pen-testers working for the scheme sent emails purporting to be to Victim-2.  The email contained a Microsoft Word attachment and alleged that an important filing was due and that the details for the filing were in the attached document.

Sometimes the stolen information targeted not only the business accounts, but also the personal information of the victims.  One FIN7 member posted a Victim-2 employee's information to their JIRA server, showing screenshots from the employee's computer and including a text file with userids and passwords of their personal email account, LinkedIn account, and personal investment and banking accounts.

Once inside an organization, it was trivial for the FIN7 "pen-testers" to expand.  Some documents posted in JIRA included userids and passwords for more than 1,000 employees, and in the case of Victim-3, point-of-sale malware was planted on many cash register computers nationwide, including 33 locations just in the Western District of Washington.

Victim-8 had an associated JIRA "issue" posted that included screenshots and usernames and passwords for the point-of-sale software management solution used by their restaurant chain.   Hundreds of userids and passwords for employees in at least 798 different locations were also stolen from Victim-8 and posted in the JIRA server.

Kolpakov indictment
Andrey Kolpakov, aka santisimo, aka sanisimoz, aka AndreyKS, participated in the scheme from at least September 2015 until June 20, 2018.  In communications to and from Kolpakov, someone in the group referred to Fedir Hladyr and an individual still at large as the "main directors" of the group.  That other individual was also called the "chief manager" of the team.  Kolpakov was introduced to new recruits to the team as their supervisor.  Kolpakov and Dmytro Fedorov had discussions about how to trigger the phishing emails, and which file types would be most effective.  Kolpakov explained to Fedorov on 18SEP2017 that they now had a means to deploy a malware file without requiring the recipient to double-click on it.  Kolpakov's account on the JIRA server was frequently the one that uploaded stolen data in response to the "issues" created by Gladyr.  Many of the uploads mentioned in the Kolpakov indictment are about the particulars of exfiltrated files from password management systems, infrastructure management systems, and in one case an "employee only" web page that the team had altered to gather passwords. Team members regularly communicated on the JIRA server about recommendations for attack vectors to be used against targeted infrastructure.

Dmytro Fedorov Indictment
Dmytro Fedorov's account on the JIRA server was involved in technical exploitation details.  For example, in response to an "issue" created for Victim-7, Fedorov posted the results produced by network mapping tools, including IP addresses and networks, that helped to explain to the team what addresses should be targeted for further exploitation.

According to his indictment, Fedorov "served as a high-level pen-tester (one tasked with finding vulnerabilities that an attacker may exploit) who managed other pen-testers responsible for breaching the security of victims' computer systems. He specifically created and managed "issues" on the FIN7 JIRA server related to intrusions of multiple companies, including Victim-7 (an automotive retail and repair chain) and Victim-9 (Sonic Drive-Ins)."
Fedorov's communications on Jabber seem to indicate that he was controlling the data exfiltration panels associated with malware planted on victim company computers and point-of-sale terminals.  

Combi Security 

Although the current indictments only name ten victim companies, the documentation presented by the US Attorney's office makes it clear that more than 100 companies were attacked by FIN7 hackers working for Combi Security.

FIN7 Attacked at least 3600 locations of 100+ US businesses
If you wanted to have a team of the best hackers available, one option is recruiting people from the dark corners of the Internet, whose names and locations you may not know, and who may have been involved in every sort of trouble.  The other option would be to stand up a cyber security company with offices in Moscow and Haifa, Israel, and advertise for the best trained White Hat hackers to come work for your Penetration Testing (Pen-Testing) team.  FIN7 did the latter.  Using hackers who applied in their real name, showed credentials and certifications, and were in some cases formerly the employees of their respective governments, Combi Security told their hackers that they had been hired to hack various companies, and then those hackers got to work penetrating systems.

Job ads found on a Ukrainian job board indicate that Combi Security had between 21-80 employees.
Google-translation of the ad:

Combi Security is one of the leading international companies in the field of information security. Its headquarters are located in Moscow and Haifa.
We are a team of leading professionals in the field of information security for various organizations working around the world. Our main specialization is a comprehensive audit of projects of any complexity, the supply of software and hardware.
Our main mission is to ensure the security of your activities, minimize the risks of using information technology. Every appeal to us for help is considered with the utmost thoroughness on an individual basis, offering an optimal solution within the framework of the tasks set and the specific needs expressed.

offered their website in Russian, English, and Hebrew:

Their "Contacts" page listed three addresses and telephone numbers:

  • Moscow , Presnenskaya naberezhnaya, 10, block C, tel. +7 (495) 3083827
  • Haifa , 15-A Palyam St. (36 HaAtzmaut St) tel. +9 (724) 6328732
  • Odessa , ul.Uspenskaya, 65 of office 23, 65011 phone. + 38 (048) 7002409
What services did they claim to provide?  Below is their "The Services" page (Google-translated to English), retrieved from's Wayback machine entry for

The services

A qualitatively working security service guarantees an indispensable stability in the operation of your technologies.
Thanks to the active assistance of our technical experts, all the irregularities in the operation of your devices will certainly be detected, analyzed and eliminated. With our professional support, the disrupted monitoring of the security system will turn into a stable process, managed in accordance with established principles and rules.
We provide services:
Penetration test (Pentest)
  • Technological penetration test.
    This penetration test is conducted to identify existing vulnerabilities in the elements of the IT infrastructure, practical demonstration of the possibility of using vulnerabilities (by the example of the most critical ones) and the formation of recommendations for the removal of identified vulnerabilities.
    A penetration test can be conducted for the perimeter of the corporate network (external test) and for internal resources (internal test). Work can be conducted with notification to administrators and users of the system under test, or without it. During internal testing, both the auditor's laptop and the customer's standard workplace can be used.
    In the testing process, both tools and manual analysis methods are used.
  • Socio-technical penetration test.
    This penetration test is conducted using social engineering techniques. The main purpose of the test is to identify the level of awareness of the Customer's personnel about the requirements for information security. In the process of testing, the response of users and personnel responsible for information security to the organizational methods of penetration used by attackers is determined.
    Methods of social engineering are often used by intruders and are directed, as a rule, to end users. As a result of a successful attack, an attacker can gain control over workstations, obtain confidential Customer documents, use the Customer's resources to organize attacks on the systems of other companies, send out spam, etc.
    The organizational aspects of information security are an important part of the protection system and, often, ordinary users are the weakest link. The given service will allow to reveal those organizational aspects of information security, on which the Customer should pay attention first of all.
    The results obtained during the provision of this service can form the basis for the development of the Security Awareness Program, which is maximally focused on the problem areas identified during the testing. This service can also be useful for checking the effectiveness of the current Customer Awareness Program.
  • Integrated penetration test.
    Complex penetration test is closest to the real actions of intruders. Using various technical and socio-engineering methods, auditors try to bypass existing protective mechanisms in order to fulfill the tasks set by the Customer (increasing privileges, gaining access to confidential information, modifying data from DBMS, etc.).
    During testing, the approaches described in the sections "Technological penetration test" and "Sociotechnical penetration test" are used, and the security of the customer's wireless networks is assessed.
The result of the work will be a report containing :
  • Methods of testing.
  • Conclusions for management, containing an overall assessment of the level of security.
  • Description of the identified deficiencies of the ISMS.
  • Description of the testing process with information on all identified vulnerabilities and the results of their operation.
  • Recommendations for the elimination of identified vulnerabilities.
Controlling the level of security
Due to the rapid detection of vulnerabilities and the introduction of changes to the network infrastructure, the results of a one-time verification of the level of security of the corporate network quickly lose their relevance. The need for new inspections arises after several months, and in companies with a dynamically developing IT infrastructure and a large-scale representation on the Internet, this period can be weeks or even days.
The emergence of new vulnerabilities, the change in the structure of the network perimeter, the modification of the settings of servers, network equipment and security equipment, all this requires in-depth analysis on the effect on the resistance to external unauthorized influences.
In this regard, Combi Security Company offers to your attention services aimed at constant monitoring of the state of information security. These include:

  • Monitoring the perimeter security of the corporate network
  • Designing and implementing a security management system
  • Development of corporate security policy
Evaluation of the level of security
Penetration testing works are aimed at overcoming existing protective mechanisms, but not at a deep assessment of the level of security of a specific information system or technology. The penetration approach of the black box analysis often prevents the auditor from detecting some vulnerabilities that are easily detected by other methods, for example, by analyzing firewall settings.
The work to assess the level of security is aimed at a deep assessment of one or another aspect of information security, or a comprehensive analysis of the entire ISMS in general.
Combi Security offers the following services to assess the level of security of various aspects of information security:

  • Integrated audit of information security
  • Assessing the security of Web applications
  • Analysis of application security on mobile platforms
  • Assessing the security of wireless networks
  • The effectiveness of the awareness-raising program in the field of information security
  • Raising awareness of users
  • Preparing for audit in accordance with international standards, for example ISO 27001
  • Consultations of experts in the field of IT security.
In addition to these services, sometimes there is a need for solving non-standard tasks. If you did not find something that will help you solve the problem before you, you can contact the experts of Combi Security. Perhaps our specialists have already dealt with similar problems.
Our company offers only those services that we can really carry out with very high quality, services where we can fully utilize the rich practical experience of our specialists.

Sunday, July 22, 2018

Porn Extortion Email tied to Password Breach

(An update to this post has been made at the end)

This weekend I received an email forwarded from a stranger.  They had received a threatening email and had shared it with a former student of mine to ask advice.  Fortunately, the correct advice in this case was "Ignore it."  But they still shared it with me in case we could use it to help others.

The email claims that the sender has planted malware on the recipient's computer and has observed them watching pornography online.   As evidence that they really have control of the computer, the email begins by sharing one of the recipient's former passwords.

They then threaten that they are going to release a video of the recipient recorded from their webcam while they watched the pornography unless they receive $1000 in Bitcoin.  The good news, as my former student knew, was that this was almost certainly an empty threat.   There have been dozens of variations on this scheme, but it is based on the concept that if someone knows your password, they COULD know much more about you.  In this case, the password came from a data breach involving a gaming site where the recipient used to hang out online.  So, if you think to yourself "This must be real, they know my password!" just remember that there have been HUNDREDS of data breaches where email addresses and their corresponding passwords have been leaked.  (The website "Have I Been Pwned?" has collected over 500 Million such email/password pair leaks.  In full disclosure, my personal email is in their database TEN times and my work email is in their database SIX times, which doesn't concern me because I follow the proper password practice of using different passwords on every site I visit.  Sites including Adobe, which asks you to register before downloading software, and LinkedIn are among some of the giants who have had breaches that revealed passwords.  One list circulating on the dark web has 1.4 BILLION userids and passwords gathered from at least 250 distinct data breaches.)

Knowing that context, even if you happen to be one of those millions of Americans who have watched porn online, DON'T PANIC!  This email is definitely a fake, using their knowledge of a breached password to try to convince you they have blackmail information about you.

We'll go ahead and share the exact text of the email, replacing only the password with the word YOURPASSWORDHERE.

YOURPASSWORDHERE is one of your passphrase. Lets get directly to the point. There is no one who has paid me to investigate you. You don't know me and you are most likely wondering why you are getting this mail?
In fact, I actually installed a malware on the X video clips (porn) web site and do you know what, you visited this site to experience fun (you know what I mean). When you were watching video clips, your browser initiated functioning as a RDP that has a key logger which provided me accessibility to your display screen and also cam. after that, my software obtained your entire contacts from your Messenger, Facebook, and email . After that I made a double-screen video. 1st part shows the video you were viewing (you've got a nice taste omg), and next part shows the view of your web cam, & its you. 
You have got not one but two alternatives. We will go through these choices in details:
First alternative is to neglect this email message. In such a case, I will send out your very own videotape to all of your contacts and also visualize about the embarrassment you will definitely get. And definitely if you happen to be in a romantic relationship, exactly how this will affect?
Latter solution is to compensate me $1000. Let us describe it as a donation. In such a case, I will asap delete your video. You can go forward your daily life like this never occurred and you surely will never hear back again from me.
You'll make the payment through Bitcoin (if you do not know this, search for "how to buy bitcoin" in Google). 
BTC Address: 192hBrF64LcTQUkQRmRAVgLRC5SQRCWshi[CASE sensitive so copy and paste it]
If you are thinking about going to the law, well, this email can not be traced back to me. I have taken care of my moves. I am not attempting to charge a fee a huge amount, I simply want to be rewarded. You have one day in order to pay. I have a specific pixel in this e-mail, and now I know that you have read through this mail. If I do not receive the BitCoins, I will definately send your video to all of your contacts including family members, co-workers, and so forth. Having said that, if I receive the payment, I'll destroy the video right away. If you really want proof, reply with Yes & I definitely will send out your video recording to your 5 friends. This is the non-negotiable offer and thus don't waste mine time & yours by responding to this message.

This particular scam was first seen in the wild back in December of 2017, though some similar versions predate it.  However, beginning in late May the scam kicked up in prevalence, and in the second week of July, apparently someone's botnet started sending this spam in SERIOUS volumes, as there have been more than a dozen news stories just in the past ten days about the scam.

Here's one such warning article from the Better Business Bureau's Scam Tracker.

One thing to mention is that the Bitcoin address means that we can track whether payments have been made to the criminal.  It seems that this particular botnet is using a very large number of unique bitcoin addresses.  It would be extremely helpful to this investigation if you could share in the comments section what Bitcoin address (the "BTC Address") was seen in your copy of the spam email.
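To make the address collection requested above easier, here is an added example (not code from the original post) that pulls legacy Bitcoin addresses out of a forwarded message, verifies their Base58Check checksum so mis-typed addresses are caught before anyone looks them up on the blockchain, and scores the message against phrases from the template quoted above. The sample text and the phrase list are constructed from that specimen; the well-known genesis-block address is used only as a checksum test vector.

```python
import hashlib
import re

# Base58 alphabet used by legacy Bitcoin addresses (no 0, O, I or l).
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Legacy P2PKH ("1...") and P2SH ("3...") addresses: 26 to 35 base58 characters.
# The extortion specimen quoted above uses this address style.
BTC_ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

# Phrases that recur across variants of the template. Constructed from the
# specimen above; extend this list from your own samples.
EXTORTION_PHRASES = (
    "btc address",
    "bitcoin",
    "web cam",
    "webcam",
    "your contacts",
    "video",
    "passphrase",
    "password",
)


def base58_decode(text: str) -> bytes:
    """Decode a Base58 string; each leading '1' character is a leading zero byte."""
    value = 0
    for ch in text:
        digit = BASE58_ALPHABET.find(ch)
        if digit < 0:
            raise ValueError(f"invalid base58 character: {ch!r}")
        value = value * 58 + digit
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + body


def is_valid_legacy_address(addr: str) -> bool:
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    try:
        raw = base58_decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def extract_btc_addresses(text: str) -> list[tuple[str, bool]]:
    """Return (address, checksum_ok) pairs in order of first appearance, de-duplicated."""
    seen: dict[str, bool] = {}
    for match in BTC_ADDR_RE.finditer(text):
        addr = match.group(0)
        if addr not in seen:
            seen[addr] = is_valid_legacy_address(addr)
    return list(seen.items())


def extortion_score(text: str) -> int:
    """Count how many template phrases appear in the message (case-insensitive)."""
    lowered = text.lower()
    return sum(1 for phrase in EXTORTION_PHRASES if phrase in lowered)


def looks_like_sextortion(text: str, min_phrases: int = 3) -> bool:
    """Flag a message that carries a payment address plus enough template phrases."""
    return bool(extract_btc_addresses(text)) and extortion_score(text) >= min_phrases


# Constructed sample: a trimmed copy of the specimen quoted above.
SAMPLE_EMAIL = """YOURPASSWORDHERE is one of your passphrase. Lets get directly to the point.
... my software obtained your entire contacts from your Messenger, Facebook, and email.
... next part shows the view of your web cam, & its you.
Latter solution is to compensate me $1000.
You'll make the payment through Bitcoin.
BTC Address: 192hBrF64LcTQUkQRmRAVgLRC5SQRCWshi[CASE sensitive so copy and paste it]
"""

if __name__ == "__main__":
    for addr, ok in extract_btc_addresses(SAMPLE_EMAIL):
        print(f"{addr}  checksum_ok={ok}")
    print("matches extortion template:", looks_like_sextortion(SAMPLE_EMAIL))
```

A checksum failure on an address copied from a forwarded email usually means the forwarder or a mail client mangled it, so the value should be re-checked against the original before it is reported or shared.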

As always, we encourage any victim of a cyber crime to report it to the FBI's Internet Crime Complaint Center by visiting

Please feel free to share this note with your friends!
Thank you!


The excellent analysts at the SANS Internet Storm Center have also been gathering Bitcoin addresses from victims.  In their sample so far, 17% of the Bitcoin addresses have received payments, totalling $235,000, so people truly are falling victim to this scam!

Please continue to share this post and encourage people to add their Bitcoin addresses as a comment below!

Tuesday, July 10, 2018

Chinese arrest 20 in major Crypto Currency Mining scam

According to the Chinese-language publication Legal Daily, police in two districts of China have arrested 20 people for their roles in a major crypto currency mining operation that earned the criminals more than 15 million yuan (currently about $2M USD).

The hackers installed mining software developed by Dalian Yuping Network Technology Company ( 大连昇平网络科技有限 ) that was designed to steal three types of coins.  Digibyte Coins (DGB, currently valued at USD$0.03 each),  Siacoin (SC, currently valued at $0.01 each) and DeCred coins (DCR coins, currently valued at $59.59 each).

It is believed that these currencies were chosen for the dual reason that they are easier to mine, due to less competition, and that they are less likely to be the target of sophisticated blockchain analysis tools.

The Game Cheat Hacker

The investigation began when Tencent detected the presence of a hidden Trojan horse with silent mining capabilities built into a cheat for a popular first person shooter video game. The plug-in provided a variety of cheats for the game, including "automatic aiming", "bullet acceleration", "bullet tracking" and "item display."  
Tencent referred the case to the Wei'an Municipal Public Security Bureau, who handled the case extremely well.  As they learned more about the trojans, they identified first the social media groups and forums where the trojan was being spread, and traced the identity of the person uploading the trojaned game cheat to a criminal named Yang Mobao. Mobao participated as a forum moderator on a site called the "Tianxia Internet Bar Forum" and members who received the cheat from him there widely shared it in other forums and social media sites, including many file shares on Baidu.
Mobao was popularizing the cheat program by encouraging others to make suggestions for new functionality.  The users who were using the tool did not suspect that they were actually mining crypto-currency while using the cheat.  More than 30,000 victims were using his cheat software and secretly mining crypto-currency for him.
Yang Mobao had a strong relationship with gamers from his business of selling gaming video cards to Internet cafes.  He installed at least 5,774 cards in at least 2,465 Internet cafes across the country, preloading the firmware on the cards to perform mining.  It turns out that these cards ALSO were trojaned!  As a major customer of Dalian Yuping, Mobao was offered a split of the mining proceeds from the cards he installed, earning him more than 268,000 yuan.
Yang is described as a self-taught computer programmer who had previously worked managing Internet cafes.  After experiencing some profit from the scheme above, he modified the malware embedded in some of the video cards and installed his own miner, mining the HSR coin and transferring the proceeds to a wallet he controlled.

The Video Card Maker

After Yang Mobao confessed to his crimes, the cybercrime task force sent 50 agents to Dalian, in Liaoning Province.  The Task Force learned that Dalian Yuping Network Technology had been approached by advertisers, who paid them to embed advertising software on their video cards, which were then installed in 3.89 million computers, mostly high-end gaming systems installed in video cafes.  The company's owner, He Mou, and the company's Financial Controller, his wife Chen Mou, had instructed the company's head of R&D, Zhang Ning, to investigate mining software and to experiment with various mining trojans.  In addition to the illegal advertising software embedded in those 3.89 million video cards, their crypto currency mining software was embedded into 1 million additional video cards which were sold and deployed in Internet cafes across the country.
Each time one of those machines successfully mined a coin, the coin was transferred to a wallet owned by He Mou.  Chen Mou could then cash them out at any time in the future.
16 suspects at the company were interrogated and 12 criminally detained for the crime of illegally controlling computer information systems.  Zhao was sentenced to four years himself.
(I learned of this story from CoinDesk's Wolfie Zhao, and followed up on it from the Legal Daily story he links to as well as a report in Xinhuanet, by Reporter Xy Peng and correspondent Liu Guizeng Wang Yen.) (记者 徐鹏 通讯员 刘贵增 王艳)

Wednesday, July 04, 2018

Dark Markets' Weakness? Cashing out the Bitcoin to USD!

Over the years there has been an on-going battle between law enforcement and those who use technology-based anonymity to perform their illegal deeds.  Some of the FBI's tricks to break through the anonymity have created interesting challenges, such as the "Operation Pacifier" case, where the FBI used court orders to allow them to use hacking tricks to expose the true locations of members of a child sexual exploitation site with 150,000 members, leading to 350 US arrests and 548 international arrests.  In that case the FBI deployed "Network Investigative Techniques" (NITs) to learn the IP addresses of top members of a TOR protected .onion server.  To clarify the legality of that situation, Rule 41 of the Federal Rules of Practice and Procedure was amended in 2016 under some controversy, as we blogged about in "Rule 41 Changes: Search and Seizure when you don't know the Computer's location."

In the current case, "Operation: Dark Gold", perhaps as a demonstration that the old "Follow the Money" rule can work even in these modern times, law enforcement posed as cryptocurrency exchangers, offering attractive conversion rates to USD even for those clearly involved in criminal activity.  After Alexander Vinnik's BTC-e exchange was shuttered, with the owner accused of facilitating the laundering of $4 billion in illicit funds, Dark Market vendors had a real problem!  How do you turn a few million dollars' worth of Bitcoin into money that you can spend in "the real world?"

That's just the kind of problem that the Department of Justice's Money Laundering and Asset Recovery Section is happy to help criminals solve.  In a major operation, Special Agents from Homeland Security Investigations in New York posed as money launderers on various Tor-protected dark markets.  As the money launderers were able to drive conversations "off platform," they had the opportunity to refer cases around the nation and around the world.  So far, more than 90 cases have been opened, leading to investigations by ICE's HSI, the US Postal Inspection Service, and the US Drug Enforcement Agency.  65 targets were identified and 35 Darknet vendors have been arrested so far.  At least $20 million in Bitcoin and other cryptocurrencies was seized, as well as 333 bottles of liquid opioids, 100,000 tramadol pills, 100 grams of fentanyl, 24kg of Xanax, 100 firearms, including assault rifles and a grenade launcher, five vehicles, and $3.6 million in cash and gold bars.  They also seized 15 pill presses, and many computers and related equipment.

Powell and Gonzalez (BonnienClyde)

The case against Nicholas Powell and Michael Gonzalez really explains the background of some of these cases well.

"In or about October 2016, HSI NY, USPIS, the USSS, and the NASA Office of Inspector General, apprehended a Cryptocurrency Exchanger/Unlicensed Money Remitter herein referred to as Target Subject-1. With TS1's cooperation, agents began investigating TS1's customers.  From the limited subset of customers for whom TS1 saved any kind of personal information (such as the names and addresses to which TS1 had shipped the customers' cash), agents identified a number of vendors selling illegal goods and services on the dark net." (Gar-note: NASA OIG has one of the coolest, most proactive cybercrime teams in Federal government.  Little-known FACT!)

"With TS1's permission, agents took control of TS1's online accounts and identity, initiating an undercover operation using that identity to create new accounts (the "UC Vendor Accounts") targeting dark net drug vendors who utilized TS1's services to launder their illicit proceeds.  Since January 2017, agents have advertised the UC Vendor Accounts' services on AlphaBay, HANSA, and other dark net marketplaces, which has led to hundreds of bitcoin-for-cash exchanges.  Because TS1's original business model involved sending cash to physical addresses, each UC Vendor Account transaction has provided agents with leads on the identities and locations of their counterparties.  Individuals who used the UC Vendor Account were charged a fee notably higher than the fee charged by Bitstamp or other exchanges with Know Your Customer protocols.  This and other evidence helped establish that many of these "customers" were likely dark net vendors of controlled substances or other illicit goods.  Furthermore, and as explained below, in some instances, agents have successfully utilized undercover buyer accounts on dark net marketplaces to conduct undercover drug buys from vendors believed to be the UC Vendor Accounts' customers."

In this case, Law Enforcement first caught up with Michael Gonzalez in Parma, Ohio.  He claimed Nicholas Powell was the mastermind, and that he only got paid to help with shipping and packaging of "a few orders."  His job was to measure out 500 gram bags of Xanax powder and handle the shipping.  Powell was found and interviewed in his home at 5283 Bevens Ave, Spring Hill, Florida on May 22, 2018.  Powell confirmed that he had begun selling steroids and weed on the dark net.  Later he became a drop shipper, arranging shipments from China to be delivered domestically.  Powell started on Silkroad 2, using the name BCPHARMA, selling steroids and GHB that he purchased from China.  He sold on Agora and AlphaBay as BONNIENCLYDE or BNC.  Later he also used that alias on Evolution Markets.  He also shifted later to selling Xanax and steroids on AlphaBay.  He claimed he physically destroyed the computer he used for this work, and later also destroyed two Apple computers.

Powell confirmed that he used TS1 to convert between $10,000 and $40,000 in cryptocurrencies to cash at a time, and would receive the packages via USPS Express.  He claims a Canadian vendor wanted to buy his online identity, and that he made $100,000 by transferring the "BONNIENCLYDE" id to the Canadian.

Powell willingly signed over to agents $438,000 worth of cryptocurrencies.


TrapGod was an online vendor alias shared by Antonio Tirado, 26, and Jeffrey Morales, 32, of the Bronx, New York.  An affidavit from Antonio's search warrant shows he was growing marijuana and packaging and shipping both LSD and cocaine.

Here's a photo of some of TrapGod's goods for sale on one dark market.

The 2050 means that 2,050 people have rated this vendor's services, giving an average review of 4.79 out of 5 stars.  Even the "bad" reviews show that Trapgod was good to do business with.  One says "Vendor has been top notch. Then got some really sub-par stuff.  Contacted vendor. He said he'll take care of me next time. Will post again..."  Comments include things like "Great shipping, good stealth." and "Stealth was good, my package was well hidden and secure.  Quality is good, after testing I found that the product is about an 80/20 cut as described!  I like honesty, plus seller put a little extra in my order!!"  "Shipment was delayed, quality not so good. However vendor sent an additional shipment to make up for it.  The price is good, but I'd rather pay more for higher quality."

Unfortunately, Morales and Tirado either weren't the only ones behind the Trapgod alias, or they are continuing to sell while out on bail.  Morales and Tirado's homes both got hit July 20, 2018, but there were fresh reviews posted yesterday (July 3, 2018).


The next group was worked as a single case (1:18-mj-05193-UA), also in New York, and involved raids on three houses in Flushing and Mt. Sinai, New York.  Charges are brought against Jian Qu, Raymeond Weng, Kai Wu, Dimitri Tseperkas, and Cihad Akkaya.

Kai Wu and Jian Qu were in one home, where $200,000 in cash, 110 kg of marijuana, and "680 grams of unidentified powders" were seized.

Residence-2 yielded 12kg of Alprazolam, 10kg of marijuana vape cartridges, 570 grams of ecstasy, "12kg of unidentified powder" and four pill presses, used to press powders into ecstasy tablets.  There were also at least 2 kg of THC gummies.

Residence-3 was the home of Dimitri Tseperkas and Cihad Akkaya, where law enforcement recovered $195,000 in cash, 30kg of marijuana, and three loaded shotguns and 100 shotgun shells.

Videos recovered from the cell phones of Wu and Weng (who was not home, but has been observed repeatedly at Residence-1) reveal they also have at least two marijuana grow houses.


Ryan Farace, who the indictment makes clear "has no known medical education, qualifications, or licensing in the State of Maryland or elsewhere", and his partner were nonetheless manufacturing and distributing serious amounts of Xanax.  So much so that the indictment calls for them to forfeit $5,665,000 in cash as well as a Lincoln Navigator, a GMC pick-up truck, and 4,000 Bitcoins (which currently would be the USD equivalent of more than $26 MILLION!)

Not bad for the former parking lot attendant of a Home Depot ... according to Ryan's Facebook, where both of the named vehicles are featured:

The indictment charges the pair with "Conspiracy to Manufacture, Distribute, and Possess with Intent to Distribute Alprazolam" (aka Xanax) (21 USC section 846) as well as "Maintaining Drug-involved Premises" (21 USC section 856) and "Conspiracy to Commit Money Laundering" (18 USC section 1956).


Jose Robert Porras III and his girlfriend, Pasia Vue, were selling marijuana and crystal meth, as well as Xanax and Promethazine-codeine cough syrup (Lean).  The HSI agent noticed on their Dream Market account that they shared their rating from Hansa.  Big mistake.  The Dutch High Tech Crimes Unit has the seized servers from Hansa and is happy to do lookups for law enforcement.  This revealed that "CANNA_BARS" had earned about 56 bitcoins on Hansa, selling crystal meth in quantities as large as one-pound bars!  They described the product there as "this crystal is directly from manufacturers in mexico so it is made with the highest qaulity products that cant be found in the us. expect the highest qaulity on hansa for the cheapest."  The same criminal also couldn't spell "qaulity" right on Dream Market, which was further confirmation this might be the same guy.  From Dream Market: "whats up we are canna_bars a vendor of top qaulity weed we offer qps to multiple pounds we are operating out of northern california and have direct relationships with many growers so expect good qaulity for cheap prices."

By searching for this signature typo, "qaulity" for "quality", the agent was also able to confirm that CANNA_BARS was the same person that sold as THEFASTPLUG on Wall Street Market, another dark net marketplace.  They completed 60 orders there between Feb 2018 and May 13, 2018.
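The signature-typo search described above, generalised into code as an added example (not from the article or the investigation): the collected listings act as their own dictionary, and a token shared by several aliases is flagged when a one-edit variant of it is used by more aliases. The two CANNA_BARS texts are the ones quoted above; the THEFASTPLUG and CONTROL_* listing texts are constructed.

```python
import re
from collections import defaultdict

WORD = re.compile(r"[a-z]+")

def one_edit_apart(a, b):
    """Restricted Damerau-Levenshtein distance == 1: one substitution,
    insertion, deletion or adjacent transposition (e.g. qaulity/quality)."""
    if a == b:
        return False
    if len(a) == len(b):
        diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(diff) == 1:
            return True
        return (len(diff) == 2 and diff[1] == diff[0] + 1
                and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])
    if abs(len(a) - len(b)) != 1:
        return False
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))

def signature_typo_links(listings, min_len=4):
    """Map each likely-misspelt token to the sorted aliases that share it.
    The corpus is its own dictionary: a one-edit neighbour used by strictly more
    aliases is taken as the correct spelling (so pound/pounds is not flagged)."""
    users = defaultdict(set)  # token -> aliases whose listings contain it
    for alias, text in listings:
        for tok in WORD.findall(text.lower()):
            users[tok].add(alias)
    links = {}
    for tok, who in users.items():
        if len(tok) < min_len or len(who) < 2:   # short tokens are too noisy
            continue
        if any(one_edit_apart(tok, other) and len(users[other]) > len(who)
               for other in users):
            links[tok] = sorted(who)
    return links

# The two CANNA_BARS descriptions are quoted in the article (Hansa, then Dream
# Market); THEFASTPLUG and the CONTROL_* listings are constructed for this example.
LISTINGS = [
    ("CANNA_BARS", "this crystal is directly from manufacturers in mexico so it is made with the highest qaulity products that cant be found in the us. expect the highest qaulity on hansa for the cheapest."),
    ("CANNA_BARS", "whats up we are canna_bars a vendor of top qaulity weed we offer qps to multiple pounds we are operating out of northern california and have direct relationships with many growers so expect good qaulity for cheap prices."),
    ("THEFASTPLUG", "thefastplug here bringing top qaulity og kush by the pound fast shipping and the best qaulity for the price"),
    ("CONTROL_A", "premium quality indoor flower pounds available fast discreet shipping from california growers"),
    ("CONTROL_B", "highest quality crystal direct from the source best prices expect fast shipping"),
    ("CONTROL_C", "top shelf quality weed direct from humboldt growers discreet shipping on every order"),
]
```

On the full set the only flagged token is "qaulity", shared by CANNA_BARS and THEFASTPLUG; drop the third control listing and "quality" and "qaulity" tie at two aliases each, so nothing is flagged, which is why a real word list beats the corpus-as-dictionary shortcut on small corpora.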

One of his loyal customers, y***h,  is apparently wishing him well after learning of the arrest ... in the comments section for THEFASTPLUG on Wall Street Market, they made this July 2, 2018 comment:

In one photograph shared by CANNA_BARS, his hands are shown, palms up, holding marijuana buds.  The fingerprints of the open palms were so clear that they could easily be used to run a fingerprint match:

The HSI Forensic Document Laboratory returned a fingerprint match confirming that the image showed the fingerprints for Jose Robert Porras III, who had prints on file.

CANNA_BARS offered "free samples" of marijuana, which the agent asked for and had shipped to another state.  The package arrived and was confirmed to contain marijuana. (The inner package was wrapped in fabric softener sheets, presumably to stop drug-sniffing dogs?)

HSI surveillance was used to follow Porras and Vue to a US Post Office where they shipped packages, a Bank of America branch where they had accounts, and to a storage unit, where they maintained their inventory.  Undercover purchases of two pounds of marijuana from CANNA_BARS and three pounds of "og kush" marijuana from THEFASTPLUG were observed at the gathering and shipping end of the surveillance, providing "end-to-end" proof of the identity of the criminals.

Some of the bitcoin that was used by CANNA_BARS was able to be linked via blockchain analysis to accounts that had a bit of KYC information attached.  This revealed four accounts at one exchanger, including one each for VUE (using the email "" and (916) 228-1506) and PORRAS.  These further linked to several bank accounts, two in the name of Pasia Vue, one in the name of Marcos Escobado (a brother(?) of Porras), and another in the name of Julie Hernandez.  Escobado was arrested in Oregon for possession of methamphetamine and had received $11,000 from the bitcoin exchanger in four transactions.

After TS1's money exchanger service was taken over by the feds, the couple did four more transactions, receiving $56,000 in cash shipped from New York to their drops in Live Oak and Sacramento, California.

In addition to the Drugs and Money laundering charges, Porras was charged with Felon Possessing a Firearm:

Sam & Djeneba Bent

Fewer details are revealed in the Vermont indictment against Sam & Djeneba Bent.  Sam used dark markets to sell Ecstasy (MDMA), LSD, marijuana, and cocaine, and used the TS1 money exchanging service to cash out more than $10,000 from bitcoin to USD.

They are charged with using a false return address on a package shipped through the postal service.

(Just joking, I know this got long and I wondered if anyone had read this far, haha.)

Daniel Boyd McMonegal

McMonegal became a dark market vendor in or around December 2016, which might be how he chose his vendor name, Christmastree.  McMonegal, according to the affidavit by Homeland Security Investigations, incorporated a "medical marijuana delivery dispensary" on December 2, 2016 under the name "West Coast Organix" in San Luis Obispo, California, and almost immediately started selling the drugs by interstate postal delivery through Dream Market using his Christmastree vendor name.

From June 15, 2017 to May 12, 2018, Christmastree sold 2,800 packages and earned a 4.98 rating on Dream Market!

The rave reviews from buyers make it clear Christmastree really knew his stuff, with high ratings on his Blue Dream, OG Kush, Super Silver Haze, Blackberry Kush, and many others.

Like the others, McMonegal's downfall was getting his Bitcoin turned into cash.  Once the federal agents controlled TS1's exchange business, McMonegal used it to cash out at least $91,000, which was shipped to him in Mariposa, California in six shipments between April 2017 and March 2018.


For all the crap that is in the news recently about ICE, Homeland Security Investigations, the team that was at the lead of many of these investigations, is using technology and brilliant investigators to help shut down some of the worst crimes on the Internet.  If you know an ICE or HSI agent, make sure to let them know you appreciate what they are doing for us all!

(For more of this press conference, please see this YouTube video: "Officers arrest 35 in dark web bust, seize guns and drugs")