How Law Enforcement Catches Darknet Users: International Methods

Methods Used to Catch Darknet Users (International Practices)

Dark web users are shielded by a veil of technological anonymity. This has given most users a sense of safety and confidence that they are out of reach of law enforcement. However, numerous cases have proven the opposite, with users still being arrested by authorities. Here are some of the main methods used internationally to catch darknet users:

1) Postal System

Even with advanced technology to guarantee user anonymity, dark web market vendors still rely on the postal system or regular couriers (so-called “drops”) to deliver their products, such as drugs or weapons. Even if customs officials are vigilant to prevent products from being seized, law enforcement can investigate where a package is coming from or going to, and which routes it takes. In some cases, post offices provide federal agents with excellent opportunities for surveillance.

A prime example is Chukwuemeka Okparaeke, a fentanyl dealer on Alphabay, a darknet market. According to the U.S. Department of Justice (DOJ), Okparaeke was spotted at several post offices in Midtown Manhattan. He also preferred to pay for bulk priority shipping, which required him to present identification at the post office—employees checked his driver’s license. His biggest mistake, however, was storing large numbers of packages at U.S. post offices and constantly wearing latex gloves, which drew the attention of postal workers.

Law enforcement became doubly interested: both in the fentanyl source and the postal operation itself. Police simply placed an order for fentanyl from Okparaeke on Alphabay, and after receiving the product, were able to prove his connection to the goods with both direct and circumstantial evidence.

During his arrest, Okparaeke’s phone was seized; it had a paid VPN, the Orbot TOR proxy app, and a Bitcoin wallet installed. He also failed to clear his browsing history in other browsers, where investigators found indirect evidence of his involvement in drug sales.

Shipping products through the postal system remains a serious problem for most darknet market vendors.

  • Comment: It’s much easier to use transport companies, but in that case, you need to ensure proper packaging and disguise of the goods.
  • Comment: Okparaeke’s problem was also that he didn’t use drops, which could have protected him, though it comes with its own risks. In any case, human error—carelessness or overconfidence—is often what gets people caught. Didn’t clear your history? Big mistake.

2) Analyzing Seized Data

The arrest of a vendor or the takedown of a market can provide investigators with a large amount of data, revealing connections to other darknet market users.

Operation “Onymous,” targeting darknet markets and other services operating on the TOR network, led to the seizure and shutdown of markets like Silk Road 2.0, Hydra (not the Russian one), and Cloud 9. The operation uncovered various types of information, resulting in 17 arrests in different countries. One such arrest was the Durham couple, who ran a marijuana shop on Silk Road 2.0.

3) Open Source Information

Darknet market users may leave digital traces on open forums or public documents, which can eventually reveal their identities to investigators. (Again, this comes down to human error—using the same nickname or avatar on a shady forum and a social network, or the same email address. It sounds unbelievable, but it happens often.)

A classic example is the arrest of Ross Ulbricht (a.k.a. Dread Pirate Roberts), founder of Silk Road. How was he caught? Gary Alford, a criminal investigator with the IRS, decided to Google Silk Road addresses on the clearnet and found a post on the Bitcoin.org forum where Ross, under the nickname “altoid,” was advertising his darknet market. A few months later, another post on the same forum included Ulbricht’s personal email, [email protected]. A search for this email confirmed he had created an account on bitcoin.org with his personal address. The presence of his personal information played a major role in his arrest and conviction, which resulted in a life sentence without parole. A simple Google search brought down Ross Ulbricht, a key figure in the development of all dark web markets.

4) Undercover Operations

Because of the anonymity tools available, it’s impossible to know who’s on the other end of a conversation. Law enforcement has taken advantage of these anonymity tools, posing as vendors, buyers, or even market administrators without other users’ knowledge. This has allowed them to shut down some markets and catch administrators, buyers, and even vendors.

Dutch law enforcement took control of Hansa on June 20 of that year, after arresting two of its administrators in Germany. They secretly ran the site while monitoring user activity, obtaining addresses and identification data for most users.

The undercover operation led to the arrest of several Hansa users. In the Netherlands, authorities arrested a 28-year-old man for allegedly selling cannabis both domestically and internationally through Hansa under the nickname “Quality Weeds.” Other arrests related to the Dutch undercover operation at Hansa were made in Australia.

5) Hacking

Authorities have tried to bypass TOR by attacking the exit node, which is typically used by people accessing darknet markets. Hacking can be the most effective way to identify users, as a successful attack can expose a large number of computers and reveal users’ IP addresses.

Back in November 2015, the FBI seized the Playpen child pornography darknet site during an operation called “Pacifier” and ran the site from a government facility in Virginia for two weeks. During this time, the agency created a hacking tool called “Network Investigative Technique” (NIT). This tool was used to reveal the IP addresses of people accessing the site, based on the assumption that they were either distributing or accessing child pornography.

Using NIT, the FBI obtained data on more than a thousand users in the U.S. As a result of the hacking operation, over 135 people were arrested in 18 U.S. states on child pornography charges.
