Darkweb Shakeup: Leaked FBI Document Creates Panic

A couple of days ago, some revelations reached the darkweb community by way of a few "leaked" FBI documents that were shared on the site 'Distributed Denial of Secrets'.

Nature of the 'Leak'

The document dump in question appeared to be a leaflet / information packet written for an audience of other federal agents.

Based on the overall nature of the document, the gist that I got reading it was that this was a briefing to bring new agents (or ones unfamiliar with the darkweb) up to speed on the order and progression of things.

Pointing Out the Obvious

The obvious anxiety here pertains to the revelations that the FBI made regarding the structure of the darkweb markets.

Specifically, 'darknetlive' (a well-known publisher on all things darkweb-related) posted a closer analysis of the dumped documents, clarifying the more granular details in order to assuage the paranoia running rampant in the community.

What Created the Panic?

Specifically, the FBI's explicit mention of:

  1. dark.fail
  2. darknetlive (ironically where the coverage article was published)

Why Were They Mentioned?

As mentioned prior, darknetlive is considered by many to be a reputable source of information in the darkweb community.

Likewise, dark.fail holds that same relationship among those that frequent Tor.

One feature of both sites that draws traffic is their published .onion directory.

Importance of the .Onion Directory

One of the biggest problems users on the Tor network face is finding a reliable way to verify that the site they're visiting is operated by the party they intended to reach, rather than being an illegitimate copy / clone (i.e., a phishing site).

Onion Addresses / Tor Network Make This Task Harder Due to Fundamental Differences

On the 'clearnet', it's much easier to identify the legitimate owner of a website thanks to a robust system of:

  1. Domain name registrations
  2. Certificate issuance
  3. Recognizable names
  4. "Surface-level" businesses that are able to freely and widely promote their points of contact

On the contrary, on the Tor network, .onions are limited in this regard because:

  • Addresses are derived cryptographically rather than chosen from a registrar. A current (v3) .onion address is the base32 encoding of the service's ed25519 public key plus a short checksum and a version byte, which is why it looks like a random 56-character string. The benefit of this setup is that the name is self-certifying: there should be no 'collisions', and nobody can produce the same name or operate a service at it without the corresponding private key (similar in principle to a certificate binding a name to a key). The drawback is an unpronounceable, unmemorable string instead of a human-readable name. The end result is that users will rarely be able to tell a correct .onion link from an impostor on the basis of its name alone.
  • Many entities on the Tor network prefer to limit promotion / advertising of their business (perhaps due to the nature of that business). Yet for those who do use these services, it is imperative that they reach the correct source. This creates an inherent tension in the setup of the dark markets that is difficult to resolve.
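To make the first point concrete, here is an added example (not code from the original post, the Tor Project, or either directory site) showing what a v3 .onion address actually is: the service's 32-byte ed25519 public key, followed by a 2-byte SHA3-256 checksum and the version byte 0x03, base32-encoded. The keys below are constructed for the demonstration and do not belong to any real service. The point of `same_service` is that the only meaningful way to compare a directory listing against a link you were handed is to compare the keys they decode to, not to eyeball the strings.

```python
import base64
import hashlib

# Layout of a v3 onion address (Tor rendezvous spec):
#   base32( PUBKEY[32] || CHECKSUM[2] || VERSION[1] ) + ".onion"
ONION_V3_VERSION = b"\x03"
ONION_V3_PUBKEY_LEN = 32
ONION_V3_HOST_LEN = 56  # 35 bytes -> 56 base32 characters, no padding


def onion_v3_checksum(pubkey: bytes) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]."""
    digest = hashlib.sha3_256(b".onion checksum" + pubkey + ONION_V3_VERSION).digest()
    return digest[:2]


def onion_v3_address(pubkey: bytes) -> str:
    """Derive the .onion hostname for an ed25519 service public key."""
    if len(pubkey) != ONION_V3_PUBKEY_LEN:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + ONION_V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_v3(address: str):
    """Return the service's 32-byte public key, or None if the address is
    not a well-formed v3 onion (wrong length, bad base32, wrong version,
    or checksum mismatch).  Case and the '.onion' suffix are normalised."""
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != ONION_V3_HOST_LEN:
        return None  # v2 (16 chars) or garbage
    try:
        raw = base64.b32decode(host.upper())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        return None
    if checksum != onion_v3_checksum(pubkey):
        return None
    return pubkey


def same_service(address_a: str, address_b: str) -> bool:
    """True only if both addresses are valid and bind to the same key."""
    key_a = parse_onion_v3(address_a)
    key_b = parse_onion_v3(address_b)
    return key_a is not None and key_a == key_b


if __name__ == "__main__":
    # Constructed keys for demonstration only; no real service uses them.
    legit_key = bytes(range(32))
    clone_key = bytes(range(1, 33))
    listed = onion_v3_address(legit_key)   # what a directory would publish
    clone = onion_v3_address(clone_key)    # an impostor's equally valid address
    print("listed :", listed)
    print("clone  :", clone)
    print("same key:", same_service(listed, clone))
    # One wrong character at the end corrupts the version byte -> rejected.
    print("typo parses:", parse_onion_v3(listed[:-7] + "a.onion") is not None)
```

Note what this check does and does not buy you: a valid parse proves the string is a well-formed name for *some* key, and a checksum failure catches transcription errors, but nothing in the address says whose key it is. The impostor's address above is just as valid as the legitimate one. That binding of key to identity is exactly the gap the directories discussed below fill, which is why their trustworthiness matters so much.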

Where Darknetlive and Dark.fail Come in

Many users have come to rely on these two sites as the authoritative source for validating / authenticating the exact address of a darkweb site.

The admins of both sites (dark.fail and darknetlive) have made it abundantly clear that neither accepts or receives donations, benefits, gifts or any other patronage for providing this service, and the FBI report appears to corroborate this.

Why This is Important

Believe it or not, accepting payment from darkweb vendors in exchange for listing their market's .onion address is something that can get you indicted.

Cautionary Tale of DeepdotWeb

Once upon a time (not long ago), there was a site called 'deepdotweb'.

It was a popular informational site that provided content, links to other .onion sites and published general news about the darkweb space.

Given such an innocuous and detached role in the community, many were surprised to learn that the Department of Justice had decided to move forward with an indictment of the site's operators in 2019.

Details of the Federal Indictment

On May 8th, 2019, the Department of Justice's website published a press release detailing their shutdown of the Deepdotweb site and subsequent indictment, titling the release,

"Administrators of DeepDotWeb Indicted for Money Laundering Conspiracy, Relating to Kickbacks for Sales of Fentanyl, Heroin and Other Illegal Goods on the Darknet"
source = https://www.justice.gov/opa/pr/administrators-deepdotweb-indicted-money-laundering-conspiracy-relating-kickbacks-sales

Yes, They Were Indicted on Federal Charges Over Referral Codes

Specifically, it appears that the DOJ's main qualm with the site operators was that the links in their .onion directory carried referral codes, for which the markets paid kickbacks on resulting sales.

This seemingly innocuous means of sustaining the website resulted in its demise as well as the indictment of each of the site's operators.

And with the charges they received, it seemed to many that the DOJ was treating the operators as if they were running these darkweb markets directly.

This Indictment Changed the Face of Knowledge Distribution on the Darkweb

Since that indictment, operators everywhere who were providing any source of information (and they were few and far between to begin with) scrambled to scrub their websites of any and all referral links & codes.

Dark.fail & Darknetlive Have Been Clean

As far as the public record is concerned (and in the opinion of federal law enforcement as well), dark.fail and darknetlive have operated above board in terms of their legal standing.

Excerpts From the Report

The excerpts contained below are merely reposts from the original darknetlive report covering the same 'FBI leak' (in other words, do not consider me a primary source for said leak; I didn't do it, don't know about it, and really don't want that kind of smoke with them).

Excerpts Below:

"The FBI assesses administrators operating on the Darknet likely are relying on legal gateways to route users to Darknet marketplaces, facilitating the trafficking of illicit products and services by legitimate means. This assessment is based on reporting indicating the administrator of Darknet marketplaces, forums, and websites rely on services via communication through email or Jabber provided by Dark.Fail, DarknetLive, and other legal gateways for visitor traffic. In addition, the administrator of Empire Market indicated Dark.Fail was the preferred method of obtaining Uniform Resource Locators (URLs) to access Empire Market; and the administrator of Dread engaged with Dark.Fail to prove authenticity to keep the site listed on the Dark.Fail gateway."

"According to a human source with direct access who has been reporting over the last two years, as of 20 March 2020, Darknet administrators used personal connections with gateway administrators to get the Darknet market URLs listed on the gateway. As of 28 November 2019, Darknet administrators and moderators engaged with DarknetLive and Dark.Fail to provide advice and opinions on the existing Darknet markets. A known moderator for several Darknet markets interacted with DarknetLive to provide a list of markets to display on DarknetLive.com and advised on adding and removing markets when given proper information about them from other Darknet market administrators and moderators, according to the same source."

"According to a human source with direct access who has been reporting over the last four years, as of 30 March 2020, the administrators of gateways to the Darknet posed as journalists or news sites and were contacted directly by Darknet marketplace administrators using email or Jabber. As of 4 February 2020, Darknet marketplaces relied on gateways to function as a phishing solution to avoid scammers and to serve as a repository for reputable links to each site, according to the same source."

"According to a human source with direct access, as of November 2019, the administrator of Dark.Fail did not accept payments for marketplace listings in order to stay within legal boundaries. According to another human source with direct access, as of December 2019, Dark.Fail was different from previous gateways in order to be 100 percent legal. According to a post on the Darknet forum Dread by the administrator of DarknetLive, as of 25 May 2019, sites dedicated to information and news were legal as long as the sites avoided the modus operandi employed by DeepDotWeb, which was to receive money from marketplaces in exchange for listing the URLs to the markets, which is a violation of US laws."

Conclusion / Most Important Takeaways

The gist of the report is that:

  • The FBI has noticed an increasing reliance on .onion directories, specifically the ones named in the report: dark.fail & darknetlive.
  • While there doesn't appear to be any evidence of these directory admins taking payments, the FBI is essentially hedging a small bet that they will take payment at some point in the future.
  • That belief seems premised on the age-old understanding that money is the ultimate motivator. Essentially, the report implies that as reliance on these directories increases, so too will the offers from darkweb vendors looking for a spot on them, and it implicitly suggests that this could serve as a catalyst for the directory admins to 'crack'.
  • The preceding bullet point is corroborated by portions of the report stating that they will spend the next couple of years closely monitoring the activity of these darkweb information "gateways" (the report's own term for them).
  • The FBI does not have a favorable opinion of these .onion 'gateway' directories; in fact, it explicitly states that their presence is an issue. The allusions to DDW (DeepDotWeb) imply that the FBI and related law enforcement agencies felt the takedown of that site significantly hampered darkweb market operators.
  • Despite noting dark.fail and darknetlive's adherence to the law (emphasized much more for dark.fail than darknetlive), the FBI does not appear content to simply allow their existence. How they could legitimately remove these sites without any concrete evidence of lawbreaking remains to be seen.
  • More than likely, we'll see an escalation in the tactics the FBI uses on the darknet from this point forward (although that escalation has probably already begun, since the report indicates it was disseminated to related agencies / authorities around March 2020, and roughly five months have passed since then at the time of writing).
