How to Build a Plausible Alibi and Testimony in Cybercrime Investigations

This could happen to anyone. Maybe you accidentally exposed your IP address, made a call from a compromised SIM card, or a neighbor recognized you—whatever the reason, you got caught. Now, law enforcement is at your door. Your main goal is to present investigators with a version of events that makes you look innocent and them look like they’re making a mistake by trying to pin a crime on the wrong person—namely, you.

To understand what you should and shouldn’t say, keep the following in mind:

  • The only 100% proof of a computer crime is evidence found on your personal computer—nothing else.
  • Most often, this means chat logs in messengers like ICQ or Skype, files with stolen data, bot builders, etc.
  • Money transfers alone are not enough to convict you, though they are significant.
  • If investigators find everything at once (chat logs, stolen data, financial transaction records), you won’t be able to talk your way out of it.
  • If you were careful (using encryption like TrueCrypt/BestCrypt, portable software on removable drives, not accepting suspicious files), investigators will usually only have financial transactions and witness statements to go on. Witness statements are especially vulnerable.

Every crime consists of an object, a subject, objective, and subjective elements. The subjective element is key. If you remove it—if you didn’t intend to commit a crime and didn’t know your actions were illegal—then there’s no crime. If you genuinely believed you were acting legally and didn’t do anything punishable, you go from being a suspect to a witness.

The easiest way to present yourself is as an unwitting middleman or “drop” who was tricked by real criminals. You must believe this yourself and act genuinely outraged at being deceived. Play the part, but don’t overdo it.

Example Scenario

Suppose you’re accused of Western Union fraud and you personally picked up the money. Here’s how to act:

  1. Don’t deny receiving the money or other easily verifiable facts. Yes, you picked up transfers. But is receiving money illegal? Is giving money to someone illegal?
  2. Your role: a humble middleman. You received money and passed it to a client.
  3. Method of transfer: for example, depositing cash at an ATM (think carefully!).
  4. You got the card from a train conductor. You’ve already thrown it away and forgot the details.
  5. You met the client on an online forum. All communication was on the forum—no phones, no other contacts. You discussed all details there, including where to send the card. Afterward, you deleted all messages.

That’s it. Your honest but modest help in catching the real criminal turns you from a suspect into a witness. In other cases, use the same approach—claim you were just a middleman and had no idea stolen credit cards were involved.

  • If accused of Western Union fraud, say you started working in support for an exchange service.
  • If accused of airline ticket fraud, say your partner claimed to work for an airline and had lots of certificates, which is why tickets were so cheap. Your job was to find clients.
  • If accused of selling goods, say someone on a forum asked you to help sell unwanted laptops or goods they got for debts. You gave them your address, they brought the items, and you gave them part of the money. Later, you needed money and decided to sell unused items yourself.

And so on. Always plan your story before you do anything. Remember the objective facts investigators can easily check. Never deny them—prepare in advance and keep backups of your messages and chats.

Pay Attention To:

  • Phone calls and SMS: numbers and message texts are recorded and easily checked.
  • Your location: your movements are tracked and stored for a long time. For example, only an idiot would bring their real phone (which pings at home) when withdrawing money from a drop’s ATM card.
  • Connections between phones: if you carry your real and burner phones together, it’s easy to track. Law enforcement has software for this.
  • There should never be any transfers between your own wallet (WebMoney, Liberty, Alfa, Qiwi, etc.) and drop wallets.
  • ATM cameras: wear heels or squat (to change your height), wear big glasses, a hat, etc. Cover your fingers with glue while withdrawing.
  • Cameras near ATMs: don’t park your car or taxi nearby. Walk instead, and make sure your car isn’t caught on camera.
  • Register SIM cards to fake identities. Don’t keep your phone on unless necessary.
  • Don’t be greedy. Don’t use the same phone for long. Ditch it in a café so someone else picks it up and uses it.
  • Prepare forum conversations in advance. Create fake accounts from different IPs.

Psychological Preparation

This is even more important. Remember, investigators won’t believe you for a second—they’ve seen plenty like you. Your job is to stick to your story. Be ready to withstand yelling, pressure, threats, beatings, or being put in a cell with hardened criminals. This is standard procedure.

If you’re beaten, try to get visible injuries. This can help your lawyer argue that any confession was obtained under duress. Make sure to document any injuries immediately. If you break under pressure, don’t hesitate to fake injuries.

They may try to cut a deal—give up your accomplices and they’ll make you a witness. Don’t believe it. No one will let you go or make you a witness. If you give up your partners, you’ll all get longer sentences—group crimes are punished more harshly than solo ones.

Your main goal is not to incriminate yourself. Investigators don’t have the full picture and don’t know all the details. If they act like they do, don’t believe them.

As you can see, it’s all in your hands. And the usual advice: don’t work in Russia or the CIS. It’s better to target the US or UK. Here’s why: Russia and CIS countries have agreements and good communication between agencies. But with the US, there’s no such agreement and there won’t be for a long time. That’s why US carding cases are rarely investigated thoroughly.

How to Avoid Leaving Technical Evidence

As mentioned above, the only solid proof of your guilt is evidence on your personal computer. To avoid leaving evidence, you need to know what traces exist, where they’re stored, and how to hide or erase them.

Common traces include:

  • Databases of accounts, stolen data, servers, etc. (these take up little space)
  • Messenger chats and emails (stored locally and on servers)
    • With your personal info
    • Without your personal info
  • Hacking software (checkers, builders, crypters, framers, etc.)
    • Installed (usually a small amount)
    • Archives (often a lot of software here)
  • Access logs (RDP, SSH, HTTP, FTP, etc.) (stored on servers)
  • Wallet files for various payment systems (including those linked to phones)

Data can also sit in the recycle bin, in deleted files that are still recoverable with software like EasyRecovery, or on USB drives left in plain view. Here are the basic rules:

  1. Use separate (unlinked to your real identity) ICQ/Jabber/Skype/email/phones for work.
  2. Never, under any circumstances, mention anything related to your real identity in work messengers, even indirectly.
    • Name, city, habits, past, even time zone—always use false info.
    • Wallets, accounts.
    • Info about people you worked with.
  3. For email, use a fake hosting provider with a domain and webmail set up.
    • Set up automatic deletion of emails.
  4. Use only portable messengers on encrypted drives with decoy partitions.
    • TrueCrypt or BestCrypt are recommended, ideally on a USB drive or hidden deep in system files.
    • SFTP + encrypted network drives are also good options.
  5. Store your data archives the same way.
  6. For large archives, use external storage—like an encrypted portable hard drive.
    • Don’t keep it connected all the time—plug it in only when needed and disconnect immediately after.
  7. Disable logging on all your hosting/services.
  8. Because of surveillance, keep your hosting in different countries (China, Singapore, Costa Rica are good choices).
  9. Change all your hosting every 2-3 months.
  10. Use utilities like CCleaner or similar (including wipe tools like BCWipe).
    • Clean recycle bin/logs/RDP profiles, etc.
    • Regularly overwrite deleted files with zeros (BCWipe does this).
  11. Browsers: only use portable versions in private mode.
  12. For convenience, use a portable password manager.
    • Keepass or Roboform Desktop are good choices.
  13. Ideally, automate all standard operations with a scheduler so you don’t have to do everything manually.

Also, create the illusion of being a regular person with minor vices. Store decoy porn videos (but never child porn), keep a messy archive of music, videos, books, and useless software. Use lots of silly software, preferably licensed or free (so you don’t get caught on minor infractions). The more apparent mess in your system, the harder it is for investigators to find anything. You can even hide hacking tools in legitimate-looking folders like c:\windows\system32 where no one will look.
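From the examiner's side, the trace categories listed above are exactly what a first-pass triage looks for, and the "messy system" trick only works until someone measures the files instead of reading their names. The following is an added example, not code from the original post: a Python helper that walks a copied directory tree and flags (a) file names containing the tool names the post itself mentions, (b) portable-app folders, and (c) large files that carry no recognisable header yet have near-maximal byte entropy, which is what an encrypted container of the TrueCrypt/BestCrypt kind looks like next to real music or video. The sample tree, the keyword list, the 64 KiB minimum size and the 7.9 bits/byte threshold are assumptions constructed for illustration; in practice they are tuned per case.

```python
import math
import os
import random
import tempfile
from collections import Counter
from pathlib import Path

# Tool names taken from the post; their presence is a lead for the examiner, not proof.
TOOL_KEYWORDS = ("truecrypt", "bestcrypt", "bcwipe", "ccleaner", "keepass", "roboform", "easyrecovery")

# Leading bytes of common legitimate formats. A large file that matches none of these
# and still has near-random content is a candidate encrypted container.
KNOWN_MAGIC = (b"\x89PNG", b"\xff\xd8\xff", b"PK\x03\x04", b"MZ", b"%PDF", b"\x7fELF", b"ID3", b"Rar!")

MIN_CONTAINER_BYTES = 64 * 1024   # assumed: ignore small files
ENTROPY_THRESHOLD = 7.9           # assumed: bits per byte; encrypted data sits close to 8.0
SAMPLE_BYTES = 65536              # entropy is measured over the first 64 KiB only


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the given buffer (0.0 for empty input, 8.0 for uniform random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_encrypted_container(path: Path) -> bool:
    """True for large, headerless, high-entropy files; decoy media with a real header is skipped."""
    try:
        if path.stat().st_size < MIN_CONTAINER_BYTES:
            return False
        with path.open("rb") as fh:
            head = fh.read(SAMPLE_BYTES)
    except OSError:
        return False
    if any(head.startswith(magic) for magic in KNOWN_MAGIC):
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def triage(root) -> dict:
    """Walk a directory tree and return sorted lists of findings keyed by category."""
    root = Path(root)
    findings = {"tool_artifacts": [], "portable_apps": [], "container_candidates": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        name = path.name.lower()
        if any(keyword in name for keyword in TOOL_KEYWORDS):
            findings["tool_artifacts"].append(rel)
        if "portable" in name or "portableapps" in rel.lower():
            findings["portable_apps"].append(rel)
        if looks_like_encrypted_container(path):
            findings["container_candidates"].append(rel)
    for category in findings:
        findings[category].sort()
    return findings


def build_sample_tree(base) -> Path:
    """Constructed sample: a 'messy' tree with one decoy, one wipe-tool installer,
    one portable browser and one headerless high-entropy blob posing as a video."""
    base = Path(base)
    (base / "Music").mkdir(parents=True)
    (base / "Music" / "track01.mp3").write_bytes(b"ID3" + bytes(200_000))          # real header, low entropy
    (base / "Tools").mkdir()
    (base / "Tools" / "BCWipe_setup.exe").write_bytes(b"MZ" + bytes(4096))          # tool name from the post
    (base / "Apps" / "PortableApps").mkdir(parents=True)
    (base / "Apps" / "PortableApps" / "FirefoxPortable.exe").write_bytes(b"MZ" + bytes(1024))
    blob = random.Random(1234).randbytes(300_000)                                  # deterministic pseudo-random
    (base / "Videos" / "holiday.avi").parent.mkdir()
    (base / "Videos" / "holiday.avi").write_bytes(blob)                              # no header, ~8 bits/byte
    return base


def demo() -> dict:
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(Path(tmp) / "image"))


if __name__ == "__main__":
    for category, hits in demo().items():
        print(f"{category}: {hits}")
```

The decoy MP3 is zero-filled and carries a real ID3 header, so it is excluded twice over; the "video" has no header and scores about 7.99 bits per byte, which is why the post's advice to bury containers among media does not survive an entropy pass. A real examiner would add hash lookups and timestamp checks, but the point here is that bulk, not file names, is what gets measured.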

This way, nothing is stored permanently on your computer. All important data is on an encrypted USB drive or in the cloud—data, portable software, everything. If there’s a raid, just physically shut down your computer; when it’s turned back on, there will be no traces. This takes just a few seconds. But there’s a catch.

During a raid, law enforcement may use teams to block exits and stun grenades before entering. In such cases, you won’t have time to react—it all happens in seconds.

To buy yourself those precious seconds, set up an early warning system. For example, install a motion sensor and camera at your apartment entrance, connected to a small monitor inside. If someone approaches, the sensor beeps and shows who’s there. Those few seconds could save you.

And remember, no technical tool will save you if you’re careless. Security is about attention to detail and organization, not any specific software or encryption method. Prevention is always better than reaction.