The now-defunct Wall Street Market (WSM). Image: Dark Web Reviews.
Criminal complaint and arrest warrants for:
- TIBO LOUSEE, 22, from Kleve, also known as (“aka”) “coder420,” aka “codexx420”
- JONATHAN KALLA, 31, from Bad Vilbel, aka “Kronos”
- KLAUS-MARTIN FROST, 29, from Stuttgart, aka “TheOne,” aka “The_One,” aka “dudebuy”
(collectively known as “The Administrators”)
- MARCOS PAULO DE OLIVEIRA-ANNIBALE, 29, was arrested in Brazil and accused of being the site moderator known online as “MED3LIN” – he began blackmailing WSM vendors and buyers, asking for 0.05 Bitcoin (~$280), and threatening to disclose to law enforcement the details of WSM vendors and buyers
- German Plaza Market (“GPM”), which launched in approximately Spring 2015, was a darknet marketplace (through which users transacted in Bitcoin) and shut down due to an “exit scam” in approximately May 2016.
- the administrators of GPM likely transferred funds stolen from GPM to Wall Street Market (“WSM”), and then launched WSM in October 2016.
- the BKA identified the servers operating WSM and imaged a copy of the database of WSM (a SQL database named “tulpenland”).
- the WSM infrastructure that was located in Germany (production), and in the Netherlands, responsible for the development, testing, and updating of the WSM infrastructure (the “Gitlab server”)
- LOUSEE: the BKA noticed that on occasion, VPN Provider #1 connection would cease, but because that specific administrator continued to access the WSM infrastructure, that administrator’s access exposed the true IP address of the administrator. The individual utilizing the IP address to connect to the WSM infrastructure used a device called a UMTS-stick7 (aka surfstick). This UMTS-stick was registered to a suspected fictitious name. The BKA executed multiple surveillance measures to electronically locate the specific UMTS-stick. The specific UMTS-stick was used at a residence of LOUSEE in Kleve, Northrhine-Westphalia (Germany), and at his place of employment.
- KALLA: an IP address assigned to the home of this individual (the account for the IP address was registered in the name of the suspect’s mother) accessed VPN Provider #2. KALLA admitted that he was the administrator for WSM known as “Kronos.”
- FROST: the PGP public key for “TheOne” is the same as the PGP public key for another moniker on Hansa Market, “dudebuy”. A financial transaction connected to a virtual currency wallet used by FROST was linked to “dudebuy”. Investigators identified a wallet used by FROST that subsequently received Bitcoin from a wallet used by WSM for paying commissions to administrators. Records obtained from the Bitcoin Payment Processing Company revealed buyer information (connected to Hansa Market, seized in 2017) for a Bitcoin transaction as “Martin Frost,” using the email address firstname.lastname@example.org. A second link connecting FROST to the administration of WSM is based on additional Bitcoin tracing analysis.
- In or around April 2019, WSM experienced massive popularity and then commenced an “exit scam,” presumably in response to its increased popularity. On or about April 16, 2019, vendors on WSM could not withdraw funds from their escrow accounts; that is, they could not repatriate proceeds for contraband that was sold. Between April 22 and 26, 2019, members of the public shared that their own analyses of virtual currency transactions revealed that large amounts of virtual currency, estimated between $10 and $30 million, were being diverted from wallets believed to be associated with WSM to other virtual currency wallets.
By Brian Krebs, “Krebs on Security”:
Federal investigators in the United States, Germany and the Netherlands announced today the arrest and charging of three German nationals and a Brazilian man as the alleged masterminds behind the Wall Street Market (WSM), one of the world’s largest dark web bazaars that allowed vendors to sell illegal drugs, counterfeit goods and malware. Now, at least one former WSM administrator is reportedly trying to extort money from WSM vendors and buyers (supposedly including Yours Truly) — in exchange for not publishing details of the transactions.
A complaint filed Wednesday in Los Angeles alleges that the three defendants, who currently are in custody in Germany, were the administrators of WSM, a sophisticated online marketplace available in six languages that allowed approximately 5,400 vendors to sell illegal goods to about 1.15 million customers around the world.
“Like other dark web marketplaces previously shut down by authorities – Silk Road and AlphaBay, for example – WSM functioned like a conventional e-commerce website, but it was a hidden service located beyond the reach of traditional internet browsers, accessible only through the use of networks designed to conceal user identities, such as the Tor network,” reads a Justice Department release issued Friday morning.
The complaint alleges that for nearly three years, WSM was operated on the dark web by three men who engineered an “exit scam” last month, absconding with all of the virtual currency held in marketplace escrow and user accounts. Prosecutors say they believe approximately $11 million worth of virtual currencies was then diverted into the three men’s own accounts.
The defendants charged in the United States and arrested Germany on April 23 and 24 include 23-year-old resident of Kleve, Germany; a 31-year-old resident of Wurzburg, Germany; and a 29-year-old resident of Stuttgart, Germany. The complaint charges the men with two felony counts – conspiracy to launder monetary instruments, and distribution and conspiracy to distribute controlled substances. These three defendants also face charges in Germany.
Signs of the dark market seizure first appeared Thursday when WSM’s site was replaced by a banner saying it had been seized by the German Federal Criminal Police Office (BKA).
Writing for ZDNet’s Zero Day blog, Catalin Cimpanu noted that “in this midst of all of this, one of the site’s moderators –named Med3l1n— began blackmailing WSM vendors and buyers, asking for 0.05 Bitcoin (~$280), and threatening to disclose to law enforcement the details of WSM vendors and buyers who made the mistake of sharing various details in support requests in an unencrypted form.
In a direct message sent to my Twitter account this morning, a Twitter user named @FerucciFrances who claimed to be part of the exit scam demanded 0.05 bitcoin (~$286) to keep quiet about a transaction or transactions allegedly made in my name on the dark web market.
“Make it public and things gonna be worse,” the message warned. “Investigations goes further once the whole site was crawled and saved and if you pay, include the order id on the dispute message so you can be removed. You know what I am talking about krebs.”
I did have at least one user account on WSM, although I don’t recall ever communicating on the forum with any other users, and I certainly never purchased or sold anything there. Like most other accounts on dark web shops and forums, it was created merely for lurking. I asked @FerucciFrances to supply more evidence of my alleged wrongdoing, but he has not yet responded.
The Justice Department said the MED3LIN moniker belongs to a fourth defendant linked to Wall Street Market — Marcos Paulo De Oliveira-Annibale, 29, of Sao Paulo, Brazil — who was charged Thursday in a criminal complaint filed in the U.S. District Court in Sacramento, California.
Oliviera-Annibale also faces federal drug distribution and money laundering charges for allegedly acting as a moderator on WSM, who, according to the charges, mediated disputes between vendors and their customers, and acted as a public relations representative for WSM by promoting it on various sites.
Prosecutors say they connected MED3LIN to his offline identity thanks to photos and other clues he left behind online years ago, suggesting once again that many alleged cybercriminals are not terribly good at airgapping their online and offline selves.
“We are on the hunt for even the tiniest of breadcrumbs to identify criminals on the dark web,” said McGregor W. Scott, United States Attorney for the Eastern District of California. “The prosecution of these defendants shows that even the smallest mistake will allow us to figure out a cybercriminal’s true identity. As with defendant Marcos Annibale, forum posts and pictures of him online from years ago allowed us to connect the dots between him and his online persona ‘Med3l1n.’ No matter where they live, we will investigative and prosecute criminals who create, maintain, and promote dark web marketplaces to sell illegal drugs and other contraband.”
A copy of the Justice Department’s criminal complaint in the case is here (PDF).
PDF (local copy) opens in new window
Accused operators of illicit ‘darknet’ market arrested in Germany, Brazil
FRANKFURT (Reuters) – Three German nationals accused of running one of the world’s largest dark web sites for selling drugs and other contraband have been arrested and charged in two countries following a two-year investigation, U.S. prosecutors said on Friday.
A fourth man who allegedly acted as a moderator and promoter for the site, Wall Street Market, was taken into custody in Brazil, according to federal prosecutors in California.
“Darknet” and “dark web” refer to networks and sites hidden from most internet visitors and accessible only to users shrouded in anonymity.
“While they lurk in the deepest corners of the internet, this case shows that we can hunt down these criminals wherever they hide,” U.S. Attorney Nick Hanna said in a written statement announcing the charges.
Tibo Lousee, Klaus-Martin Frost and Jonathan Kalla are accused of running Wall Street Market for nearly three years, providing a darknet platform for the sale of narcotics, counterfeit goods and hacking software to 1.1 million customers.
The men, known to U.S., Dutch and German investigators by the monikers “coder420,” “Kronos” and “TheOne,” also face charges in Germany.
Prosecutors in Frankfurt said that the country’s federal criminal investigation office, or Bundeskriminalamt, had secured the platform’s server infrastructure.
FLORIDA RESIDENT DIED
In December 2017, a Florida resident died from using a nasal spray laced with the opioid fentanyl sold by one of the roughly 5,400 vendors on Wall Street Market, according to the criminal complaint. That vendor was convicted in U.S. District Court in Wisconsin and sentenced to 12 years in prison.
Among the site’s top vendors were two people based in Los Angeles: “Ladyskywalker,” who sold opiates such as fentanyl, oxycodone and hydrocodone; and “Platinum45,” who dealt in methamphetamine, oxycodone and Adderall.
The people operating both of those accounts have also been arrested, according to the criminal complaint. Their names were not made public.
As investigators closed in last month the operators of Wall Street Market conducted an “exit scam” – making off with an estimated $11 million in virtual currency belonging to customers, prosecutors say, before they were taken into custody in Germany.
Cyber specialists at the Bundeskriminalamt started taking “operational measures” after the suspects switched the platform into maintenance mode on April 23 and started transferring the customer funds to themselves, German prosecutors said.
Marcos Paulo De Oliveira-Annibale, 29, was arrested in Brazil and accused of being the site moderator known online as “MED3LIN.”
Prosecutors say they were able to identify Oliveira-Annibale by connecting his online persona with forum comments and pictures he posted years earlier.
How German and US authorities took down the owners of darknet drug emporium Wall Street Market
The major darknet marketplace known as the Wall Street Market has been seized and its alleged operators arrested in a joint operation between European and U.S. authorities. Millions in cash, cryptocurrency and other assets were collected, and the market shut down. How investigators tied these anonymity-obsessed individuals to the illegal activities is instructive.
The three men accused of running Wall Street Market (WSM), one of the larger hidden service markets operating via the Tor network, are all German citizens: Tibo Lousee, Jonathan Kalla and Klaus-Martin Frost; several vendors from the market have also been charged, including one who sold meth on it by the kilogram.
The investigation has been ongoing since 2017, but was pushed to a crisis by the apparent attempt in April by WSM’s operators to execute an exit scam. By suddenly removing all the cryptocurrency held in escrow and otherwise stored under their authority, the alleged owners stood to gain some $11 million if they were able to convert the coins.
Until recently, Wall Street Market was a bustling bazaar for illegal goods, including dangerous drugs like fentanyl and physical items like fake documents. It had more than a million user accounts, some 5,400 vendors and tens of thousands of items available for purchase. It has grown as other darknet marketplaces have been cornered and shut down, driving users and sellers to a dwindling pool of smaller platforms.
Whether the owners sought simply to parley this growth to a quick cash grab or whether they sensed the law about to knock down their door, the exit scam was undertaken on April 16.
This action prompted investigators in the U.S. and Germany, and Europol, to take action, as this exit scam marked not only an opportunity for investigators to gather and observe fresh evidence of the trio’s alleged crimes, but waiting much longer might let them go to ground and launder their virtual goods.
The DOJ complaint details the means by which the three administrators of the site were linked to it, despite their attempts to anonymize their access. It isn’t unprecedented stuff, but it’s always interesting to read through the step-by-step forensics that lead to charges, since it can be very difficult to tie real-world actors to virtual entities.
For Frost, it was an unstable VPN connection, plus some sleuthing by the German federal police, the Bundeskriminalamt or BKA:
The WSM administrators accessed the WSM infrastructure primarily through the use of two VPN service providers. On occasion, VPN Provider #1 connection would cease, but because that specific administrator continued to access the WSM infrastructure, that administrator’s access exposed the true IP address of the administrator
The individual utilizing the above-referenced IP address to connect to the WSM infrastructure used a device called a UMTS-stick (aka surfstick) [i.e. a dongle for mobile internet access]. This UMTS-stick was registered to a suspected fictitious name.
The BKA executed multiple surveillance measures to electronically locate the specific UMTS-stick. BKA’s surveillance team identified that, between February 5 and 7, 2019, the specific UMTS-stick was used at a residence of Lousee in Kleve, Northrhine-Westphalia (Germany), and his place of employment, an information technology company where Lousee is employed as a computer programmer. Lousee was later found in possession of a UMTS stick.
Some other circumstantial evidence also tied Lousee to the operation, such as similar login names, mentions of drugs and cryptocurrencies, and so on. (“Based on my training and experience as an investigator, I am aware that ‘420’ is a reference to marijuana,” writes the special agent who authored the complaint.)
Kalla’s VPN held strong, but the metadata betrayed him:
An IP address assigned to the home of this individual (the account for the IP address was registered in the name of the suspect’s mother) accessed VPN Provider #2 within similar rough time frames as administrator-only components of the WSM server infrastructure were accessed by VPN Provider #2.
Hardly a hole in one, but Kalla later admitted he was the user agent in question. This is a good example of how a VPN can and can’t protect you against government snooping. It may disguise your IP to certain systems, but anyone with a bird’s-eye view can see the obvious correlation between one connection and another. It won’t hold up in court on its own, but if the investigators are good it won’t have to.
Frost, the third administrator, required a more subtle approach, but ultimately it was again poor opsec; this time an unwise cross-contamination of his cryptographic and cryptocurrency accounts:
The PGP public key for [WSM administrative account] ‘TheOne’ is the same as the PGP public key for another moniker on [another hidden service] Hansa Market, ‘dudebuy.’ As described below, a financial transaction connected to a virtual currency wallet used by FROST was linked to ‘dudebuy.’
[The BKA] located the PGP public key for ‘TheOne’ in the WSM database, referred to as ‘Public Key 1’.
Public Key 1 was the PGP public key for ‘dudebuy.’ The ‘refund wallet’ for ‘dudebuy’ was Wallet 2.
Wallet 2 was a source of funds for a Bitcoin transaction… Records obtained from the Bitcoin Payment Processing Company revealed buyer information for that Bitcoin transaction as ‘Martin Frost,’ using the email address klaus-martin.frost@…
Essentially A is B, and B is C, so A is C. This little deductive trick is handy, but bitcoin wallets used by Frost were also identified through analysis by the U.S. Postal Inspection Service, which, if you didn’t know, has “a highly trained, skilled and committed cyber unit.”
The United States Postal Inspection Service learned, through its analysis of Blockchain transactions and information gleaned from the proprietary software described above, that the funds from Wallet 2 were first transferred to Wallet 1, and then “mixed” by a commercial service; mixing services is described above at paragraph 4.m. Through thorough analysis, the United States Postal Inspection Service was able to “de-mix” the flow of transactions, to eventually ascertain that the money from Wallets 1 and 2 ultimately paid FROST’s account at the Product Services Company.
Here the blockchain’s indelible record clearly worked against Frost. Wallet 1, by the way, handled thousands of bitcoins during its use in association with another darknet marketplace, German Plaza Market — which the three charged today also allegedly ran and shut down via an exit scam.
In addition to the administrators, some vendors and others associated with the site were charged. They were identified via more traditional means and their activities linked to the market in such a way that defense seems a lost cause. The record for a Brazilian man who operated as a dealer and as a sort of representative for WSM on Reddit and forums is an interesting study in the web of suggestive accounts and names that produce a damning, if circumstantial, depiction of a person’s associations and interests, from the banal to the criminal.
“The prosecution of these defendants shows that even the smallest mistake will allow us to figure out a cybercriminal’s true identity,” said U.S. Attorney McGregor W. Scott in the DOJ press release. “We are on the hunt for even the tiniest of breadcrumbs.”
Cases against the alleged criminals will be held in multiple locations and under multiple authorities — it’s safe to say this is just the beginning of a long, complicated process for everyone involved.