The authorities have busted prolific dark web drug marketers who operated the major dark web marketplace known as the Wall Street Market (WSM), in a joint operation between European and U.S. authorities.
And with that, the authorities also seized loads of narcotics, €550,000, six-figure amounts of Bitcoin and Monero cryptocurrency, and other assets such as vehicles and related data storage.
Having its operators seized, the police shuts down the market.
The three men accused for running WSM, are all German citizens: Tibo Lousee, Jonathan Kalla and Klaus-Martin Frost; several vendors from the market have also been charged, including one who sold one kilogram of methamphetamineon.
“[The Wall Street Market] was the world’s second largest dark web market, enabling the trade in drugs (including cocaine, heroin, cannabis and amphetamines), stolen data, fake documents and malicious software,” said the Europol.
“The illegal platform was exclusively accessible via the Tor network in the so-called Darknet and aimed at international trade in criminal goods.”
The investigators noted WSM had more than 1 million registered accounts, with some 5,400 vendors and tens of thousands of items available for purchase.
WSM was a bazaar for illegal goods, including for drugs like fentanyl and physical items like fake documents.
It has grown as other darknet marketplaces have been cornered and shut down, driving users and sellers to a dwindling pool of smaller platforms.
The police started to had an eye on the market since 2017, but the investigation was pushed to a crisis by the apparent attempt in April by WSM’s operators to execute an exit scam, when they suddenly removed all cryptocurrency assets held in escrow and otherwise stored under their authority.
The alleged owners stood to gain some $11 million if they were able to convert the coins.
This action prompted investigators in the U.S. and Germany, and Europol, to take action, as this exit scam marked not only an opportunity for them to gather and observe evidence, but to also catch the culprits red-handed.
The U.S. Department of Justice followed the trace, and found that the WSM administrators accessed the WSM infrastructure primarily through the use of two VPN service providers. But here, they also discovered that the operators were using unstable VPN connections.
On occasion, when one of the two VPN providers' connection would cease, the administrator continued to access the WSM infrastructure, making that administrator’s access exposed the true IP address of the administrator.
Analyzing the IP address, the authorities found that it was to connect to the WSM infrastructure using a device called a UMTS-stick (or surfstick; a dongle for mobile internet access). Unfortunately for the authorities, the UMTS-stick was registered to a suspected fictitious name.
After further analysis using multiple surveillance measures to electronically locate the specific UMTS-stick, the authorities identified that between February 5 and 7, 2019, that specific UMTS-stick was used at a residence of Lousee in Kleve, Northrhine-Westphalia, Germany.
This led to Lousee's arrest, after he was found in possession of the UMTS stick.
Some other evidence also tied Lousee to the operation, included similar login names, mentions of drugs and cryptocurrencies, and so on.
As for the other suspect, Kalla, the VPN was strong. But here, the authorities managed to identify him by the metadata.
An IP address assigned to the Kalla's home was registered in the name someone else (his mother). The authorities found that he used another VPN provider within similar rough time frames as administrator-only components of the WSM server infrastructure.
But making things easier for the police, Kalla quickly admitted of his wrongdoing after an agent questioned him.
And for last, Frost as the third administrator, required the police to do more subtle approach. He was identified due to using an poor opsec, a cross-contamination of his cryptographic and cryptocurrency accounts:
In addition to the administrators, some vendors and others associated with the site were also charged. They were identified via more traditional means.
"The prosecution of these defendants shows that even the smallest mistake will allow us to figure out a cybercriminal’s true identity," said U.S. Attorney McGregor W. Scott in the DOJ press release. "We are on the hunt for even the tiniest of breadcrumbs."
Cases that involve alleged criminals like there, are usually held in multiple locations and under multiple authorities.
The operation to take down WSM was supported by the Dutch, Finnish, and French national police, several US government agencies including the FBI, DEA, IRS, the Department of Justice, and even the postal inspections service.