[HN Gopher] De-anonymizing ransomware domains on the dark web
___________________________________________________________________
De-anonymizing ransomware domains on the dark web

Author : auiya
Score  : 65 points
Date   : 2022-06-28 18:15 UTC (4 hours ago)

(HTM) web link (blog.talosintelligence.com)
(TXT) w3m dump (blog.talosintelligence.com)

| ziddoap wrote:
| #1 and #2 really should just be a part of #3: catastrophic opsec.
|
| I don't know what it is about people who run these criminal
| enterprises on the darknet, but they constantly seem to be
| failing even the most basic of opsec. Re-using identities across
| multiple services, using e-mail addresses with real names,
| posting photos with identifiable information (and before websites
| stripped metadata for them, often posted with metadata), etc. I
| mean it's nice that they are making it easier to catch
| themselves, but at the same time I can only wonder how some
| genius can invent some novel and complex ransomware operation
| just to turn around and use the email they've had since they were
| 13 to register the services that operate it.
| number6 wrote:
| You only catch those who make those mistakes
| ziddoap wrote:
| Yes, thanks for that.
|
| My point is that those mistakes are made by plenty of
| ransomware gangs, some of the largest dark markets to ever
| exist (AlphaBay, Silk Road, etc.), Freedom Hosting, and more.
| All of which were, at some point, major entities on the
| darknet making absolutely rudimentary opsec mistakes.
| Closi wrote:
| You only have to slip up once to get caught.
|
| Some of the people caught on those listed examples had
| great Opsec... until that one time where they messed up and
| then suddenly ended up in jail.
| ziddoap wrote:
| Which ones of my list had great opsec?
| I'm not denying what you said, it only takes one slip up, but in the
| cases I mentioned by name:
|
| AlphaBay used their regular hotmail account to send
| password reset emails, and that email was tied to their
| LinkedIn.
|
| Freedom Hosting was taken down because the operators used
| outdated FF with javascript enabled.
|
| Silk Road's Ross Ulbricht posted his personal Gmail
| address, linking the identities.
|
| All of these are profound opsec failures, not just an
| oopsie that led to getting caught by talented LEOs.
| jstarfish wrote:
| What sort of answer are you looking for? All of these
| proprietors are human. Humans make mistakes and act
| irrationally at times. Criminal enterprises are complex.
| Opportunity for mistakes increases with scale. The guy
| who ran Doxbin is the only high-profile case I can think
| of with apparently flawless opsec, and that much only
| because he _bailed_ before the long tail caught up to
| him.
|
| The tightest opsec I've ever seen is maintained by
| disability fraudsters. Privacy laws protect the evidence
| anybody would need to present against you, so as long as
| you keep doctor-hopping and never admit to anything,
| nobody can touch you. These people tend to be reclusive
| and not public-facing, but with such low risk comes low
| reward -- there's no _real_ money to be made in it.
|
| (...unless you're the doctor knowingly signing off on
| false diagnoses. This increases scale, at which point,
| the more of those you write, the greater the chances of
| some mistake made by you or any single one of your
| patients bringing the whole enterprise down.)
| ziddoap wrote:
| > _What sort of answer are you looking for?_
|
| They said that some of the 3 I listed by name had "great
| opsec". I am curious which one of those they thought was
| great, and laid out why I think the opsec in these cases
| was really far from "great".
|
| Maybe when they said "those listed", they were referring
| to the list on the website and not my list. In that case,
| I misunderstood and obviously my comment doesn't make
| much sense. But I presumed they were referring to my
| list.
|
| > _Humans make mistakes and act irrationally at times.
| Criminal enterprises are complex._
|
| Agreed on both fronts.
|
| But I think that the severity of mistakes is a scale, and
| some of the really big players on the darknet have made
| mistakes that I argue are much closer to the "_really_
| dumb mistake, trivially avoided" end of the scale, such
| as using your LinkedIn email to run your multi-million
| dollar black market.
|
| > _Opportunity for mistakes increases with scale._
|
| Agreed. But none of the three examples I listed by name
| were affected by scale. Using outdated software with
| known vulnerabilities, posting your own email, and using
| an email connected to your LinkedIn are all not issues of
| scale.
|
| Edit to clarify, as I think people may be
| misunderstanding me (maybe? hard to tell from just
| downvotes and no replies):
|
| Opsec is hard. 100%. You have to maintain it basically
| forever, which makes it really hard.
|
| But, if I walk into a bank intending to rob it and start
| shouting out my full name and address (or, say, left my
| driver's license at the scene), people would have a jolly
| laugh at how bad of a robber I was. This is analogous to
| using the same email to run your multi-million dollar
| black market as well as sign up for a LinkedIn account.
| Most people would agree that in my hypothetical, the
| robber made some really trivial mistakes. I'm not sure
| why it's so hard to say that for these darknet operators
| that basically did the same thing, but in computer form.
| Closi wrote:
| It sounds pretty easy to inadvertently visit a site on an
| old laptop with javascript enabled. Is this what counts
| as a profound opsec failure these days?
|
| Remembering that you only have to make an error like that
| once.
|
| Besides, you were talking about all the silkroad arrests,
| not just Ross - and I mean some of the people arrested in
| conjunction with Silk Road WILL have had good opsec but
| when a nation state is coming after you, the tiniest
| mistake will cost you!
| gleenn wrote:
| The original Silk Road supposedly had amazing opsec but
| they caught him because one time he used the same,
| oblique username to register something many years
| previous IIRC.
| MikeDelta wrote:
| Maybe the dark web makes people feel safe and they let
| their guard down? I cannot imagine why else someone would
| use their own email address in any transaction or
| operation.
| FredPret wrote:
| The genius is the one selling the shovels to the gold diggers
| auiya wrote:
| Not sure why there's a mystique over the "dark web", they're all
| still just websites, and suffer the same types of
| vulnerabilities.
| mirntyfirty wrote:
| Yea, it would be rather unfortunate terminology to call
| websites outside the realms of Google and bing as "dark web" as
| if somehow these services legitimize the internet itself.
| nuccy wrote:
| I would personally call telegram/viber/whatsapp/et al.
| groups/chats/channels "dark web", since information is not
| indexed there and is basically decaying over time. About a
| decade or a decade and a half ago, forums flourished, it was
| really easy to find and share relevant information with a
| relevant group of interested people. I particularly was
| interested in car DIY service & retrofit topics.
| Unfortunately everything is mostly in messengers these days,
| which won users by offering real-time responses, but
| providing no real way of topic sorting or proper history.
| Duplicates of questions and answers of different topics and
| threads mixed together into an information garbage bin.
| tete wrote:
| > I would personally call telegram/viber/whatsapp/et al.
| groups/chats/channels "dark web", since information is not
| indexed
|
| That's a really odd way of naming things.
|
| They are not web, and "not indexed" usually is referred to
| as "deep web", not "dark web".
| smegsicle wrote:
| the term 'deep web' refers to the subset of internet-connected
| information that is not widely published eg on
| search engines, whereas the 'dark web' is specifically sites
| that hide their hosting information behind tor i2p etc
|
| as unfair as it may be, a huge part of the usefulness of
| information is its accessibility, and these search engines
| currently hold a near-monopoly on which sites can generally
| be considered readily accessible, ie the 'surface web' above
| the deep web
| dpapai wrote:
| orthoxerox wrote:
| This should come in handy if I ever have to run a website on the
| dark web
| aaron695 wrote:
| ipaddr wrote:
| So certificates do not enable privacy, they take it away.
|
| SSL may stop your roommate or isp but they provide another vector
| for linking to other entities.
|
| I wonder how many are using this technique to link web properties
| together.
| no_time wrote:
| This is not a big deal really. Getting an SSL cert only
| requires you provide proof of ownership of your domain and has
| no KYC. You can get as many certs as you want, or sign it
| yourself.
|
| Right now, SSL (or PKI to be precise) is a very privacy
| respecting technology. For both the server and the client.
| [deleted]
| nick__m wrote:
| If you follow the best practices and do not bind your onion
| service on 0.0.0.0 and use selfsign and don't reuse key, they
| do provide privacy against snooping exit node.
| miloignis wrote:
| Certificates enable privacy _for the user_ - fundamentally,
| they are about proving the identity of the server, which is at
| least somewhat at odds with privacy of the server.
|
| Anyway, these all seem like pretty obvious opsec fails where
| the darknet website is also served over the regular internet,
| which is just atrocious.
| kmeisthax wrote:
| Anonymity of the origin server is not at all a design goal of
| SSL/TLS: in fact, the whole point is to tie a web host to a
| particular identity. Originally it was supposed to be legal
| identity, but that is actually fairly useless, so now it's just
| a domain name.
|
| For end-users TLS and Tor both provide privacy, since you don't
| need to identify _yourself_ in order to use https. In fact,
| with ESNI and DoH the only thing anyone snooping wire traffic
| can see is that you're connecting to whatever data center is
| owned by the company hosting the website.
|
| The sites in the original article are criminal enterprises,
| which means they have the unique problem of needing the origin
| server to remain anonymous so that their _hosting provider_
| can't find out what they are doing. This is the one thing Tor does
| that TLS doesn't; and they _were_ deanonymized by them
| insisting on providing a self-signed cert anyway. However, this
| is a particularly unusual threat model that is far harder to
| maintain. Even the whole anticensorship thing is usually just
| hiding what sites you're visiting from, say, the Great
| Firewall - we don't care that China can also use Tor to learn
| where Google's servers are.
___________________________________________________________________
(page generated 2022-06-28 23:01 UTC)
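nick__m's advice in the thread (keep the onion service's backend off 0.0.0.0) and miloignis's and kmeisthax's observation that the deanonymized sites were also reachable over the regular internet reduce to one host-side check an operator can script. The following is an added example, not code from the thread, from the Talos post or from the Tor project: it parses a constructed `ss -ltn` listing and a constructed torrc fragment for a hypothetical host (the 192.0.2.10 target is a documentation-range placeholder) and reports every listener and every HiddenServicePort target that is reachable beyond loopback. It goes slightly beyond the thread's single sentence by also checking the torrc side, using Tor's documented defaults that an omitted or port-only target means 127.0.0.1.

```python
"""Audit a hypothetical onion-service host for the exposure mistakes
discussed in the thread (added example, not from the page):

  1. a backend bound to a wildcard address (0.0.0.0, ::, or '*')
     instead of loopback, so the same content is reachable from the
     clearnet;
  2. a HiddenServicePort whose target is not loopback, pointing Tor at
     a service that is also exposed elsewhere.
"""
import ipaddress
import re

# Constructed sample of `ss -ltn` output for a hypothetical host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
LISTEN 0      128    [::1]:9050         [::]:*
LISTEN 0      128    *:22               *:*
"""

# Constructed torrc fragment for the same hypothetical host
# (192.0.2.10 is a documentation-range placeholder address).
SAMPLE_TORRC = """\
HiddenServiceDir /var/lib/tor/example_onion/
HiddenServicePort 80 127.0.0.1:8080
HiddenServicePort 443 192.0.2.10:443
HiddenServicePort 8443
"""

HS_PORT_RE = re.compile(r"^\s*HiddenServicePort\s+(\d+)(?:\s+(\S+))?",
                        re.IGNORECASE)


def parse_listen_addr(field: str) -> tuple[str, int]:
    """Split an ss(8) 'Local Address:Port' field such as '127.0.0.1:8080',
    '[::1]:9050' or '*:22' into (host, port)."""
    host, _, port = field.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback_host(host: str) -> bool:
    """True only for loopback addresses. '*', 0.0.0.0 and :: are wildcards,
    and anything unparsable is reported as exposed rather than ignored."""
    if host in ("*", ""):
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def wildcard_listeners(ss_output: str) -> list[tuple[str, int]]:
    """Return (host, port) for every LISTEN socket not bound to loopback."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a socket in another state
        host, port = parse_listen_addr(fields[3])
        if not is_loopback_host(host):
            exposed.append((host, port))
    return exposed


def exposed_hidden_service_ports(torrc: str) -> list[tuple[int, str]]:
    """Return (virtport, target) for HiddenServicePort lines whose target is
    reachable beyond loopback. Tor's documented defaults: an omitted target
    means 127.0.0.1:VIRTPORT and a bare port means 127.0.0.1:PORT."""
    exposed = []
    for line in torrc.splitlines():
        m = HS_PORT_RE.match(line)
        if not m:
            continue
        virtport = int(m.group(1))
        target = m.group(2) or str(virtport)
        if target.startswith("unix:") or target.isdigit():
            continue  # local unix socket or default loopback target
        host, _ = parse_listen_addr(target)
        if not is_loopback_host(host):
            exposed.append((virtport, target))
    return exposed


def main() -> None:
    for host, port in wildcard_listeners(SAMPLE_SS_OUTPUT):
        print(f"listener {host}:{port} is reachable from the network")
    for virtport, target in exposed_hidden_service_ports(SAMPLE_TORRC):
        print(f"HiddenServicePort {virtport} -> {target} is not loopback")


if __name__ == "__main__":
    main()
```

On a real host the two inputs would come from `ss -ltn` and the live torrc; the sample above flags the 0.0.0.0:443 and *:22 listeners and the 192.0.2.10 target, while the loopback-bound 127.0.0.1:8080 backend and the port-only line pass. Anything the script flags is a service that a clearnet scan (or a certificate-indexing service, as in the linked article) could see alongside the onion address.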