Home » Featured » 20.8.17 Dark Web and Cybercrime Roundup
Click Here To Hide Tor

20.8.17 Dark Web and Cybercrime Roundup

Belgian Police Raiding Houses in BTC Money Laundering Bust

Although occurring shortly after the takedown of BTC-e for money laundering, the Belgian police’s raids connected to a completely different money laundering case. This time, according to local reports, along with an innocent party connected to the events, the raids involved so-called “suspicious” LocalBitcoins activity. Authorities were still looking into money laundering, thankfully not on behalf of the United States.

The activity—obviously suspected money laundering—involved three suspects and one named, but uninvolved party. Two of the three have been arrested by Belgian authorities: two brothers. Despite having a total of three suspects, Belgian Judicial Police raided nine addresses spread throughout Brussels, Jette, Sint-Jans Molenbeek, Laeken and Evere. The two brothers were arrested at addresses in Jette and Sint-Jans-Molenbeek. The third entity’s whereabouts are still unknown.


And the other party was a Bitcoin trader on LocalBitcoins known as Zhaodong1982, the self-proclaimed “biggest bitcoin OTC trader in China.” The investigation likely started after the suspects slipped up in some way, assuming they committed the crimes authorities accused them of committing. However, the same authorities made an effort to emphasize how suspicious Zhaodong1982’s had appeared to them. They pointed out that in one advertisement—an older one at that was not on his LocalBitcoins account—the cryptocurrency trader had offered Wickr and Telegram as methods of communication.

Also from this week, “How Did BTC-E (Allegedly) Process 95% of Bitcoin Ransom Payments” and “Public Thinks Bitcoin is Mainly for Darknet Use, Study Shows.

As with any method of communication that, in PM Theresa May’s words “[provides] safe places for extremists to broadcast their hate messages over the Internet,” authorities used the messengers to incriminate the LocalBitcoins traders. Authorities described the money laundering as “transactions in which bitcoins were exchanged for cash or vice versa.” The bitcoin trades for cash (“or vice versa”), combined with possible Wickr and Telegram, seemingly fit authorities profile for money laundering activity. Or, the narrative would hold until police successfully put their facts together. DeepDotWeb

Customs Intercepts California Man’s Packages of Live King Cobras

A US Customs and Border Protection officer flagged a package headed towards an address that had once before been flagged for drug activity. The activity, as described by law enforcement officers, was nothing more than mere drug importation. Until Customs officers scanned the package, they assumed the only reasonable thing—that the packages contained drugs. After the scan, though, the officers immediately called the United States Fish and Wildlife Service (USFWS). The scans, although nondescript at first glance, revealed cans of live king cobras upon a second look.

The presence of live and potentially venomous reptiles warranted the urgent call to the USFWS. And especially so for king cobras—one of the most venomous snakes known to humankind. USFWS arrived and confirmed the package contained three king cobras and three soft shelled turtles. Both reptiles are protected species. The intended recipient attempted to ship desert box turtles, three-toed box turtles, and ornate box turtles to Hong Kong on the very same day. USFWS intercepted that package.


USPIS and USPS aided the USFWS perform a controlled turtle delivery. They had removed the snakes from the package as their killing power was too high for a law enforcement operation. “Agents found the package that originated in Hong Kong in the children’s bedroom, in which, they also discovered a tank containing a live baby Morelet’s crocodile and tanks containing alligator snapping turtles, a common snapping turtle, and five diamond back terrapins – all of which are protected species.” The recipient also told authorities that he had received another 20 king cobras but they had died in the shipping process. He was arrested immediately. DeepDotWeb

Valhalla Market Compromised: Finnish Customs Allegedly Identified Hundreds of Valhalla Users

This one needs no explanation. Even if law enforcement had not collected information on hundreds of Valhalla users, they “exposed Valhalla” several times. Both internally and publicly. This time, Finnish law enforcement arrested three men who had involved themselves in Valhalla marketplace sales. They imported, produced, and sold steroids on Valhalla market. As with many of these arrests, Customs reportedly identified and arrested the suspects months ago. (Only one is currently in custody). Yet they did not announce the investigation until months had passed.

The strange aspect is the “how.” How did Customs receive information on hundreds of Valhalla users, assuming they identified the users after the investigation had started? The only way that does not involve the willing cooperation or forced coercion of one of the suspects would have been if, after being arrested, the men shipped packages to hundreds more steroid customers. It would not have been the first time a vendor sold drugs while under investigation. Finnish Customs reported that the men stopped selling after their arrest, though.


In August 2016, Customs reported the discovery of Valhalla. Wherein they coincidentally mentioned they had captured three men involved with Valhalla. Additionally, they reported a collaboration with “Dutch, US, German and Latvian authorities.” The cases seemed identical, save for the countries of origin of the three men and the money seized:

“Customs has investigated the case as a serious drug offense and smuggling. In the case of suspicion, there are three Finns who have been imprisoned since April 2016. The suspects are about 30 years of age and come from Southwest Finland and the Helsinki Metropolitan Area. Customs has cooperated with the Dutch, US, German and Latvian authorities and with Europol in investigating the case. During the pre-trial detention, customs have seized cash (euros), the virtual Bitcoin virtual assets and movable property for about one million euros. The case proceeds to prosecution at the end of September 2016 and will be dealt with during the autumn in the District Court of Southwest Finland.”

Customs also arrested Douppikauppa, Scandinavia’s biggest vendor, in September 2016.

Updated: List of Dark Net Markets (Tor & I2P)

With daily withdrawal issues, complaints everywhere, and major attention from law enforcement, user safety on the market rides at an all time low. DeepDotWeb

Reddit Actively Banning Darknet Subreddits

Similar to the law enforcement shutdown that drove darknet market drug buyers to Hansa market, Reddit admins banned numerous DNM subreddits and left the main one, /r/darknetmarkets. And then banned the “backup” copies that Reddit users created after the original got banned, indicating that a Reddit admin had actively sat down with a banhammer, killed darknet market related subreddits, and then played whack a mole with the new versions that surfaced.

Why /r/darknetmarkets avoided the ban is unknown. Many of the subs that received bans had allowed posts and activity that the /r/darknetmarkets subreddit moderators disallowed. On the aforementioned subreddit that survived the banhammer, the moderators pinned a new post. “As you may have seen/heard that more than a few subs and users have been banned,” it read. “Majority of these were actively and openly soliciting sales or promoting illegal activity.” And then a bit about the active banning:


Admins seem to be active an banning newly created subs (/r/thexanaxcartel2, /r/DarkNetCarpets , /r/totallylegitmarket) to keep anything from sprouting before sub gets large. If you intend on creating mirrors for banned subs, be smart and don’t advertise/mention it at least today.”

The admins banned reddit[dom]com/r/ TheXanaxCartel; dnmmegathread; codeinecowboys; dnmsmegathreads; bartardnation; thexanaxcartel2; DarkNetCarpets, and totallylegitmarket. They also banned several users but later unbanned them. Reddit.

Marcus Hutchins’ Code Used In Malware May Have Come From GitHub

The saga continues. Researchers may have found preliminary evidence that the programmer of the Kronos banking malware simply used a hooking engine from the blog and GitHub account of Marcus Hutchins aka MalwareTech. MalwareBytes labs published an analysis of the Kronos malware and concluded with the following:

An overall look at the tricks used by Kronos shows that the author has a prior knowledge in implementing malware solutions. The code is well obfuscated, and also uses various tricks that requires understanding of some low-level workings of the operating system. The author not only used interesting tricks, but also connected them together in a logical and fitting way. The level of precision lead us to the hypothesis, that Kronos is the work of a mature developer, rather than an experimenting youngster.


Much of the hooking engine used in Kronos could be seen as identical or nearly identical to MalwareTech’s code. Even MalwareBytes suspected that part of the Kronos malware could have been created by MalwareTech. However, a Twitter user pointed to a forum post from 2009 that revealed that both Marcus Hutchins and the creator of the Kronos malware learned from someone else. I.e., Hutchins himself did not create the malware without outside inspiration—the idea was not uniquely his. Additionally, MalwareBytes explained in a blog post, the hooking engine found in the Kronos malware was” overall more sophisticated [than the code on Malwaretech’s blog].” Slashdot, Malwarebytes, @hasherezade. That does still leave the question of why Marcus Hutchins admitted to selling the malware.


  1. Reddit is becoming more and more totalitarian. First the incel subs, some political subs, now this… scums demand to remove subs all the time, putting pressure and finally reddit caves in

    • Yes that’s true, but it is also a dumb idea to keep using them as a platform/gateway for the dark net these days. It’s not very safe and far too exposed.

      • murderhomelesspeople

        It’s relatively safe. MITM attacks are not very common or successful against the list and the exposure is why it is valuable.

    • murderhomelesspeople

      The incel subs had a habit of promoting rape and violence, seen it myself and was condoned by the community. The subs that were banned broke clearly laid out rules hence why the main sub stayed.

  2. murderhomelesspeople

    It’s no mystery why the main sub avoided a ban. The other subs promoted direct deals, did deals on Reddit, had loose rules and listed vendors on the sidebar.

  3. I built that system I will TAKE it back. Aaron Swartz


    -Aaron sWARTZ

Leave a Reply

Your email address will not be published. Required fields are marked *


Captcha: *