Extracting Intelligence From Criminal Complaints
On May 3rd, law enforcement agencies announced that they had seized the servers that hosted the Wall Street darknet illicit market. They also arrested the market’s administrators. A copy of the criminal complaint has now been published. Criminal complaints like these hold intelligence of high interest to many security professionals. As such, reading criminal complaints should be integrated into the intelligence generation processes of information security teams.
Lesson 1: Organizational Structure
Criminal complaints are valuable because of the information they provide on the structure of criminal organizations. In the case of Wall Street, we now know how big the organization was, what the business model was and how the owners benefited from illicit activities. Organizations may differ somewhat in size, shape and form, but very often they are small, ephemeral, specialized and located in a single geographical location.
Wall Street was run by three individuals located in Europe. The owners of the market collected a commission fee of 2% to 5% on all the transactions facilitated through the market and therefore earned millions of dollars through illicit activities. The profit, received monthly in cryptocurrency, was shared equally. Regular large deposits of money originating from cryptocurrency should therefore raise the attention of anti-money laundering teams at financial institutions.
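The indicator described above (large, recurring, cryptocurrency-sourced deposits landing in the same account month after month) can be turned into a simple screening rule. The following is an added example, not code from the original post or from any Flare Systems product; the ledger rows, the counterparty labels, the 100,000 threshold and the three-consecutive-month window are all constructed assumptions that an anti-money laundering team would replace with its own data and risk appetite.

```python
from collections import defaultdict
from datetime import date

# Constructed sample ledger (not real data): inbound transfers, one row per credit.
# Each row: (account_id, value_date, amount, counterparty_label)
LEDGER = [
    ("acct-001", date(2018, 1, 3), 410_000.0, "crypto-exchange"),
    ("acct-001", date(2018, 2, 2), 395_000.0, "crypto-exchange"),
    ("acct-001", date(2018, 3, 5), 420_000.0, "crypto-exchange"),
    ("acct-001", date(2018, 3, 20), 1_200.0, "employer-payroll"),
    ("acct-002", date(2018, 1, 15), 500_000.0, "crypto-exchange"),  # one-off, not recurring
    ("acct-002", date(2018, 6, 1), 2_000.0, "retail-refund"),
    ("acct-003", date(2018, 1, 10), 3_000.0, "crypto-exchange"),
    ("acct-003", date(2018, 2, 10), 3_100.0, "crypto-exchange"),
    ("acct-003", date(2018, 3, 12), 2_900.0, "crypto-exchange"),   # recurring but small
]


def month_index(d):
    """Map a date to a monotonically increasing month number so that
    consecutive months differ by exactly 1, even across year boundaries."""
    return d.year * 12 + d.month


def flag_regular_crypto_deposits(ledger, min_amount=100_000.0,
                                 min_consecutive_months=3,
                                 crypto_labels=("crypto-exchange",)):
    """Return {account_id: [(date, amount), ...]} for every account that received,
    in at least `min_consecutive_months` consecutive calendar months, a deposit
    of `min_amount` or more from a counterparty tagged as cryptocurrency-sourced.
    Only the qualifying deposits are returned, sorted by date."""
    by_account = defaultdict(list)
    for account, value_date, amount, label in ledger:
        if label in crypto_labels and amount >= min_amount:
            by_account[account].append((value_date, amount))

    flagged = {}
    for account, deposits in by_account.items():
        months = sorted({month_index(d) for d, _ in deposits})
        longest_run = run = 1
        for previous, current in zip(months, months[1:]):
            run = run + 1 if current == previous + 1 else 1
            longest_run = max(longest_run, run)
        if longest_run >= min_consecutive_months:
            flagged[account] = sorted(deposits)
    return flagged


if __name__ == "__main__":
    for account, deposits in flag_regular_crypto_deposits(LEDGER).items():
        print(account, [(d.isoformat(), amt) for d, amt in deposits])
```

The rule deliberately requires both size and regularity: acct-002 receives one very large crypto-sourced credit and acct-003 receives small ones every month, and neither is flagged on its own. Real screening would add the counterparty enrichment that produces the `crypto-exchange` label (here simply assumed) and feed flagged accounts to an analyst rather than acting on them automatically.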
Lesson 2: Integration Between Markets
Criminal complaints also explain how online illicit markets integrate with each other. In this case, multiple markets were used in sequence and in parallel to sell illicit goods and services. This means that offenders sometimes are serial offenders. They launch one criminal enterprise after the other, using the profits from the previous enterprise to fund new ventures. These serial offenders are likely to be the most interesting actors in the cybercrime ecosystem.
Wall Street administrators used to run a small darknet illicit market called GermanPlaza. The administrators stole the market participants’ bitcoin deposits and made off with millions of dollars. Rather than retiring, the administrators launched a new market called Wall Street. They convinced independent vendors to advertise their illicit products and services on this market, even though these vendors were active on other darknet markets at the same time. This shows that security teams do not have to monitor ALL darknet markets to understand the threats that are targeting them. A small subset of these markets should be enough to capture most of the ongoing activities.
Lesson 3: Law Enforcement Methods
Criminal complaints disclose information about the tools and methods used by law enforcement to identify offenders. These tools and techniques can help security teams improve their own methods. Law enforcement officers have years of experience in studying offenders and have developed methods that quickly and efficiently eliminate noise from vast amounts of data. For example, from this case we learn that the officers performed blockchain analysis to follow the money flow, using a clustering tool such as BitCluster.
To identify the Wall Street administrators, law enforcement agents used the time-tested method of following the money. They purchased commercial software that analyzes the blockchain to trace the payments made. They reasoned, for example, that since the administrators took a commission on all of the transactions, the largest flows of bitcoins should be going to the administrators’ personal bitcoin wallets. This provided them with the first lead into an otherwise opaque darknet organization.
Lesson 4: The Identity of the Offenders
Finally, criminal complaints provide personal identifiers that can be used to search for traces of interactions with offenders. Many offenders believe that they can use their real name once they have laundered their money because they think they will never get caught. However, once identified, their names can be used to find the companies they banked with and to check whether any of those companies’ customers received a transfer from them. This can help banks with their anti-money laundering efforts. Flare Systems has developed Plasma, a fraud and anti-money laundering detection tool that helps fraud teams detect attempts at money laundering and illicit activities.
The criminal complaint presents the email address of one Wall Street administrator, as well as the full names of all three administrators. It also shows the first characters of the bitcoin wallet that was used to receive the commissions and the GitHub account of an administrator. This information can be used to search for connections between offenders and a company’s employees or subsidiaries. Self-reporting illicit activities can lower their legal consequences for the company. Analyzing them can also help prevent further interactions with offenders through better pattern recognition.
Criminal complaints do not always make headline news but are almost always made public after offenders have been arrested. When a botnet operator or a malware writer is arrested, security professionals should look for the criminal complaint and seek to better understand how the offender’s organization worked, what online resources the offender was connected to, what tools and methods led to the offender’s arrest and who that offender was. This is, after all, one of the rare occasions when law enforcement provides us with free intelligence on offenders. Why not take advantage of it?
- The criminal complaint (United States Department of Justice)