Dark Web Site Taken Down without Breaking Encryption

The US Department of Justice unraveled a dark web child-porn website, leading to the arrest of 337 people in at least 18 countries. This was all accomplished not through any backdoors in communications systems, but by analyzing the bitcoin transactions and following the money:

Welcome to Video made money by charging fees in bitcoin, and gave each user a unique bitcoin wallet address when they created an account. Son operated the site as a Tor hidden service, a dark web site with a special address that helps mask the identity of the site's host and its location. But Son and others made mistakes that allowed law enforcement to track them. For example, according to the indictment, very basic assessments of the Welcome to Video website revealed two unconcealed IP addresses managed by a South Korean internet service provider and assigned to an account that provided service to Son's home address. When agents searched Son's residence, they found the server running Welcome to Video.

To "follow the money," as officials put it in Wednesday's press conference, law enforcement agents sent fairly small amounts of bitcoin -- roughly equivalent at the time to $125 to $290 -- to the bitcoin wallets Welcome to Video listed for payments. Since the bitcoin blockchain leaves all transactions visible and verifiable, they could observe the currency in these wallets being transferred to another wallet. Law enforcement learned from a bitcoin exchange that the second wallet was registered to Son with his personal phone number and one of his personal email addresses.

Remember this the next time some law enforcement official tells us that they're powerless to investigate crime without breaking cryptography for everyone.

More news articles. The indictment is here. Some of it is pretty horrifying to read.
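The "follow the money" step quoted above is a forward trace over the public transaction graph: mark some outputs by paying into the addresses of interest, follow each marked output through whatever transaction later spends it, and stop where an address is one an exchange can attribute to an account holder. The following is an added example written for this post, not code from the post, the indictment, or any investigative tool; the ledger, the address names and the exchange-record lookup are all constructed for illustration. It also adds the common-input-ownership clustering heuristic (addresses spent together in one transaction are probably controlled by one party), which goes beyond what the post itself describes.

```python
"""Forward tracing of marked payments through a constructed transaction graph.
Added example, not code from the post or the indictment; every address,
transaction and exchange record below is constructed for illustration."""
from collections import defaultdict, deque

# Each transaction lists the outputs it spends, as (txid, output index),
# and the outputs it creates, as (address, amount in satoshi).
LEDGER = {
    # Two small marked payments to the site's per-user deposit addresses.
    "tx_mark_a": {"inputs": [], "outputs": [("deposit_user_a", 2_000_000)]},
    "tx_mark_b": {"inputs": [], "outputs": [("deposit_user_b", 3_000_000)]},
    # An unrelated payment that must stay out of the trace.
    "tx_unrelated": {"inputs": [], "outputs": [("bystander", 5_000_000)]},
    # The operator sweeps both deposit addresses into one wallet.
    "tx_sweep": {"inputs": [("tx_mark_a", 0), ("tx_mark_b", 0)],
                 "outputs": [("sweep_wallet", 4_990_000)]},
    # The sweep wallet pays an exchange deposit address and keeps change.
    "tx_cashout": {"inputs": [("tx_sweep", 0)],
                   "outputs": [("exchange_deposit_1", 4_000_000),
                               ("change_1", 980_000)]},
    "tx_bystander_spend": {"inputs": [("tx_unrelated", 0)],
                           "outputs": [("exchange_deposit_2", 4_990_000)]},
}

# Constructed stand-in for what an exchange returned under legal process:
# deposit address -> account identifier.
EXCHANGE_RECORDS = {"exchange_deposit_1": "account-0001",
                    "exchange_deposit_2": "account-0002"}


def build_spend_index(ledger):
    """Map each output (txid, index) to the txid that later spends it."""
    spent_by = {}
    for txid, tx in ledger.items():
        for outpoint in tx["inputs"]:
            spent_by[outpoint] = txid
    return spent_by


def trace_forward(ledger, marked_addresses):
    """Follow every output paid to a marked address through all later spends.
    Returns the addresses that received funds downstream of the marked
    payments (the marked addresses themselves are not included)."""
    spent_by = build_spend_index(ledger)
    queue = deque((txid, idx) for txid, tx in ledger.items()
                  for idx, (addr, _) in enumerate(tx["outputs"])
                  if addr in marked_addresses)
    visited, reached = set(), set()
    while queue:
        outpoint = queue.popleft()
        if outpoint in visited:
            continue
        visited.add(outpoint)
        spender = spent_by.get(outpoint)
        if spender is None:  # still unspent: this branch of the trail ends
            continue
        for idx, (addr, _) in enumerate(ledger[spender]["outputs"]):
            reached.add(addr)
            queue.append((spender, idx))
    return reached


def cluster_by_common_input(ledger):
    """Common-input-ownership heuristic (goes beyond what the post describes):
    addresses whose outputs are spent together in one transaction are grouped
    as likely controlled by one party. Returns a list of frozensets."""
    parent = {}

    def find(a):  # union-find root lookup with path halving
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a

    for tx in ledger.values():
        addrs = [ledger[t]["outputs"][i][0] for t, i in tx["inputs"]]
        for a in addrs:
            parent.setdefault(a, a)
        for a in addrs[1:]:
            parent[find(a)] = find(addrs[0])
    groups = defaultdict(set)
    for a in parent:
        groups[find(a)].add(a)
    return [frozenset(g) for g in groups.values()]


def identify_cashouts(ledger, marked_addresses, exchange_records):
    """Return {exchange deposit address: account id} for every downstream
    address that an exchange can attribute to an account holder."""
    reached = trace_forward(ledger, marked_addresses)
    return {a: exchange_records[a] for a in reached if a in exchange_records}


if __name__ == "__main__":
    marked = {"deposit_user_a", "deposit_user_b"}
    print("cash-outs:", identify_cashouts(LEDGER, marked, EXCHANGE_RECORDS))
    print("clusters :", [sorted(c) for c in cluster_by_common_input(LEDGER)])
```

The trace reaches `sweep_wallet`, `exchange_deposit_1` and the change address, and nothing else: the bystander's payment never shares a transaction with a marked output, so no edge leads to it. The clustering pass groups the two per-user deposit addresses together purely because the sweep transaction spent them in one go, which is the same observation that lets an analyst treat a site's many deposit addresses as one wallet. The exchange-record lookup stands in for the legal-process step; the blockchain alone never yields a name.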

Posted on October 25, 2019 at 6:14 AM • 38 Comments

Comments

Sean • October 25, 2019 7:24 AM

@Chris, ehm, no. Should have not dealt in child porn.

And Monero wouldn't help him if he wanted to exit from crypto

Panopticon • October 25, 2019 8:50 AM

I'd be careful with "Remember this the next time some law enforcement official tells us that they're powerless to investigate crime without breaking cryptography for everyone", since the technique they used is based on having financial data being all public. Looks like one of those "careful what you wish for" moments. Mass-surveillance-based techniques are not a good go-to here (although there may be varying degrees of "unwantedness" among those bases).

chris • October 25, 2019 9:54 AM

@Panopticon

How does "mass surveillance" play into this case? While I've only read the articles' abstract in the blog, it seems to me that the case was broken by two things: 1. targeting blockchain transactions through knowing the way Bitcoin transactions are logged which is described as an operational feature of that system (or, at least, one particular implementation of it). 2. Good police work which allowed them to link the Bitcoin transactions back to the suspect who was identified from public IP addresses. Again, from the description, this appears to have been targeted.

Neither of these things required any intrusive government actions affecting anyone beyond the suspects of a legitimate investigation; Law Enforcement simply used the underlying operating principles of the systems. So I think Bruce's warning is appropriate -- governments don't need to violate everyone's right to privacy in order to "keep us safe."

Winter • October 25, 2019 10:00 AM

"Dark Web Site Taken Down without Breaking Encryption"

My understanding of how they break Onion hidden services is that these tend to run on servers with less than stellar security hardening.

That is, Security is Hard and it is easier to simply break in to an onion web server than to break the encryption.

In this case, they were not so much after the operator of the site, but after the clients that up- and downloaded the materials. Those might have used "Good Security Practices", except that they paid in Bitcoin, and bitcoin is NOT private. You can almost always trace back where the bitcoins were bought and sold.

Impossibly Stupid • October 25, 2019 10:48 AM

Law enforcement learned from a bitcoin exchange that the second wallet was registered to Son with his personal phone number and one of his personal email addresses.

This is not about "financial data being all public" as @Panopticon suggests. This is about setting up accounts with third-party services, and possibly even using your phone number for 2FA. Criminals really should spring for people who have even the slightest awareness about information technology security. I mean, running a kiddie porn server from your own house? Really?

Some of it is pretty horrifying to read.

And so I won't. Just like I don't watch terrorist snuff videos. I can't even imagine willingly being a content moderator on a social media site.

Panopticon • October 25, 2019 11:03 AM

@chris:

Because the transactions on the Bitcoin blockchain are exposed to all, forever.
There's no "law enforcement goes to a judge to approve a warrant to get those particular transaction data" step that would serve as an obstacle to trying this on anyone on a whim.

I think your use of "targeted" is possibly correct, but we have no way to know because all that information is public, and all it takes is looking. Similar to a camera trained on a public space and feeding directly to some party. That party can target a particular person of interest (for example someone they just observed assaulting someone), but they can also look at everyone in the camera feed (for example, running face recognition on all the people passing through). There is no "get a warrant" check on what they do with the footage. One difference (which can be either good or bad, I'm not sure what's my view on that yet) is that the use of the camera footage would be limited to the party operating it (which can be large, if it's a governmental agency), whereas the Bitcoin blockchain is exposed to all, including people in the future with data analysis capabilities we do not yet have.

Anders • October 25, 2019 12:04 PM

What I read from the indictment is that first they found the home IP address from the web page source. Later they followed the money too, but the first flaw was still the unmasked IP. So for me this is wrong:

"This was all accomplished not through any backdoors in communications systems, but by analyzing the bitcoin transactions and following the money:"

Following the money in this case wasn't a breakthrough but just a confirmation and complement to the IP.

Doh • October 25, 2019 12:46 PM

If we just make all money information public, we wouldn't need to break encryption to catch all crimes, as long as any money is involved in every crime...

It's kind of like saying, "we don't need encryption if we just erase the concept of there being any privacy"... But is that a net win or a net loss for security?

This is what @Panopticon is getting at I think.


On a related but different note... you see how I used a lot of superlatives there? Here's the issue with this: Isn't it better to ensure a safe and secure society (defined as: safe from an overbearing over-intrusive totalitarian government), even if that means that a certain low "tolerable" amount of criminals get away with it? This has been the norm in the "free world" for a long time...

But here's how things have shifted: Modern governments all seem to believe they must ensure that NOT A SINGLE "REALLY REALLY BAD CRIMINAL"[1] EVER MANAGES TO COMMIT A CRIME... or they will be overthrown (existential threat). i.e. if a certain class of "really bad criminals"[1] commits a single crime, even their very first crime ever... this shifts the power so far over into totalitarianism, it's not possible to accomplish this without complete control of every minutiae of every life.

[1] "really bad criminal" is the definition of "terrorist"... I've chosen the words "really bad" to point out that this has a very loose definition. It can at some point come to mean virtually anything, as long as you can make anyone frightened ("terrified") by it. This finally brings us to: People in leadership have realized they are incentivized to make people more scared of things, because that gives them more power, because they seem to need more power to "take care" of those scary things...

The solution? calm down, stop being yanked around. Have some peace. This probably means banning yourself from watching the news or reading the internet though...

Doh • October 25, 2019 12:48 PM

I meant "we don't need to break encryption if..." not "we don't need encryption if..." sigh.

lurker • October 25, 2019 1:57 PM

Did this bust also take down Tor? No, just lawyerspeak all in the past tense, although I got a little thrill at the first line of the indictment:
The Tor network was a computer network...

Clive Robinson • October 25, 2019 2:26 PM

@ Bruce, All,

Remember this the next time some law enforcement official tells us that they're powerless to investigate crime without breaking cryptography for everyone.

It's not just "cryptography", it applies equally well against "anonymity" systems such as Tor.

The real lesson is "OpSec counts": it is an important part of not being traced. Whilst we might think that these people deserve to be caught, we have to remember technology is agnostic to use, thus journalists and whistleblowers are equally as vulnerable as are many others we would not wish to have harmed, such as women standing up for women's rights in oppressive societies.

OpSec is hard because much of it goes against most people's human nature. An obvious part of which is not trusting people you have no control over. In this case the site operator made several mistakes, for which they are going to pay, but also 337 people so far.

Make no mistake though, this takedown only happened because it was technically possible, and the nature of the activities involved.

Society moves in many directions and what might be tolerated today might become significantly socially unacceptable tomorrow or in just a few years. Because of "record it all" and that it's "technically possible", what you might be doing today that is socially acceptable but not legally so might become the FBI's or DoJ's number one crime to target.

The one thing that is clear, as is being discussed "on the hill", is digital vigilantism. Whilst the argument is about political adverts, the real story is the battle for your eyes to make marketing revenue. Both Google and Facebook's management know that the way to get and keep eyes, thus the money rolling in, is to trigger people's "fight or flight" primal responses. It is these responses that also cause extremism, of which vigilantism in its various forms, including cyber-bullying and "going postal", are the more visible. More frequent but less realised by many is neo-tribalism, which has a very strong "them and us" motive underlying it, which allows all forms of "group think" to become acceptable for what they see as being "for the greater good" by their value of good, which is almost certainly not yours if you are not part of the tribe.

European history from the 1920's through to the 1990's showed what sectarianism and tribalism effectively allowed to happen. Such activating of "fight or flight" creates a beast which needs to be sated, often with blood, be it on the streets or through the courts.

Remember "the beast cares not" for justice, just for blood, and any blood will do, thus any excuse to let blood will do, thus any difference will do, and we are all different to someone.

Durk • October 25, 2019 3:03 PM

Maybe we should provide all government aid for disaster recovery in Bitcoin. Perhaps then we could see where it all goes.

David Leppik • October 25, 2019 4:51 PM

I just can't get over the irony that so many people tout anonymity as the main feature of Bitcoin and other cryptocurrency.

Sheilagh Wong • October 25, 2019 5:24 PM

This is a serious problem with blockchain crypto-currencies for all you civil libertarians. Bitcoin is not fungible, but cash is.

IronMan • October 25, 2019 5:35 PM

As it was already suggested here, if the criminals:
1) configured properly and hardened the .onion services and
2) used Monero (or similar cryptocurrencies like ZCash for instance) instead of Bitcoin and
3) didn't use their exchange-connected wallets for payments
- law enforcement agencies would have had much, much more problems with taking down the horrible content and arresting suspects.

I am against backdooring encryption for reasons obvious to every cryptographer and security engineer. At the same time I acknowledge that its use may hinder investigation of serious crimes. I believe that we still don't have enough data to build reliable statistics, though.

Dysnomia • October 25, 2019 6:05 PM

@Clive,

I think you bring up an important point. Technology isn't truly neutral (it's developed in the context of certain power imbalances, and can tend to exacerbate those power imbalances unless we're vigilant), but it is "agnostic to use." The same technology that helps child pornographers distribute their material online and not get caught (as well as drug traders, "terrorists," etc.) also helps journalists, whistleblowers, human rights defenders, dissidents, etc., report information or communicate their ideas online without being persecuted by the state or other powerful institutions.

There's no way to develop anonymity systems that can protect one category but not the other. Which means either both categories can get away with it, or neither can, and I think it should be both. While these people might have been taken down by stupid mistakes by the site operator (though there might also be some misdirection here about how they were caught), I think this case only further illustrates the importance of systems like Tor, and the importance of supporting their improvement to make it easier for people to avoid being tracked. Because when the shit hits the fan (and it will), if genuine anonymity is not possible, then dissent will also be impossible.

SpaceLifeForm • October 25, 2019 6:25 PM

@Dysnomia

"There's no way to develop anonymity systems that can protect one category but not the other."

Objection! Assumes facts not in evidence.

David • October 26, 2019 12:21 AM

This one got solved by good methodical policing and because the offence is something that all the jurisdictions involved will actually agree as being a crime.

A lot of the requests for backdoors are for political reasons that don't translate across borders well.

Panopticon • October 26, 2019 5:20 AM

@SpaceLifeForm:

Well, it would seem to assume such a system would have to understand the semantics of the data it is asked to keep private, and decide whether or not to allow it (presumably without there being a third party "escrow" human censor to make the decision). This is at least plausibility for the claim.

Impossibly Stupid • October 26, 2019 11:40 AM

@Dysnomia

There's no way to develop anonymity systems that can protect one category but not the other.

That's not entirely true. The key difference is that "distribution" is a one-way problem (solved by any number of dead drop methods), but trying to then profit from that act makes it a two-way problem. It's the act of trying to collect money that gets these sorts of criminals caught, because getting paid means giving a way for the money to find you, and the cops can trace the same path. That's why crooks launder money or, in the case of Bitcoin, use mixers.

Because when the shit hits the fan (and it will), if genuine anonymity is not possible, then dissent will also be impossible.

Only secret dissent. In most cases, when the cause is just, there is greater value in having an identifiable person be the face of a movement. The history books aren't full of anonymous martyrs.

Dysnomia • October 26, 2019 6:26 PM

@Impossibly,

I think it's not just dissent but organization that can be rendered impossible by unavoidable mass surveillance. If a tyrant (or tyrannical bureaucracy) has eyes everywhere, such that secret communication is impossible (in other words, there's no right to whisper), then opponents of that tyranny cannot communicate with each other without being caught and suppressed, which means they can't organize. There's a possibility that any organization of people outside the umbrella of the state, or at least without the approval of the state, will become impossible.

And it's true that anonymity (outsiders can't tell who's speaking) and privacy (outsiders can't tell what's being said) aren't the same thing, but they're related, and I think genuinely secret communication (both anonymous, at least to outsiders, and private) is essential for people to be able to organize dissent in the face of continually expanding state power.

Steve • October 26, 2019 9:47 PM

Perhaps the takeaway message here (other than stay away from kiddie porn -- always a good idea) is there is no such thing as privacy, only self-imposed inconvenience.

Weather • October 27, 2019 1:33 AM

@Legal lay
Probably to put pressure on Korea for a tougher penalty, to also say we back you.

lurker • October 27, 2019 1:51 AM

@Legal Layperson: the charges are right there on the cover sheet of the indictment. Note the hot button item Conspiracy to Advertise, that's an order of magnitude more serious in the DoJ book than merely Advertising. The conspiracy will be with anyone who uploaded, even if it was only a DoJ stool pigeon. The allegation is that the material was

produced, transported, mailed, shipped or received in violation of Title 18 United States Code, Chapter 110
which is quite easy to do if any TCP packets pass through any machine on US soil, or anywhere else on the planet under the control of a US company. Just because the perp is already serving time in Korea doesn't stop DoJ from making an effort to look like they are doing something about it.

Clive Robinson • October 27, 2019 2:37 AM

@ Legal Layperson,

What authority or jurisdiction does the US have in prosecuting or attempting to prosecute a South Korean national committing crimes in South Korea?

The simple answer is,

    Might is right doctrine

The problem with cyber-crime is there is no "locality" in the real world tangible physical sense. With the problem that there is not yet any real international law dealing with the myriad of issues. Worse is the use of "non-human entities" of software agents/malware and the potential of an "army of one" due to unconstrained "force multipliers" using such agents to bring real world economic and physical harm to sovereign nations.

All of which has emboldened the US to say cyber-crime is an existential threat and/or primary act of war. Thus allowing them to claim actual kinetic primary acts of war / war crimes as a secondary act of self-defence... Which is the excuse the US Government uses to claim its writ applies wherever in the world it sees fit, even when something is not a crime or seen as a crime in the foreign jurisdiction (such as online gambling).

Which would kind of be ironic if not so hypocritical when you consider the alleged and actual reasons why the US became the US (super power England/France proxy wars, English Monarch making the states pay for that and other wars via taxation, curtailing civil and political rights, the use of oppressive surveillance via unlimited warrants and pushing spies/guards into homes, unwarranted imprisonment of individuals etc).

But as I said originally the real underlying issue that nobody is dealing with is "locality".

Let's say you live in the famed state of "Elbonia" and your computer gets attacked by malware that you analyse to find out its originator and penetration methods. You then write a self modifying software agent around those methods that can take money out of bank accounts of US-Bigbank because they have bad client software and credential security.

In Elbonia there are no laws regarding such actions or any crimes committed abroad as they are outside of Elbonian jurisdiction, which is a well established international norm going back hundreds of years.

An associate of yours also opens a numbered account in another famed state of "Gnomonia" which is where the software agent sends the money taken from US-Bigbank accounts. Such numbered accounts can only have withdrawals made at the bank counter in Gnomonia. You release a single copy of your self modifying software agent in Elbonia where nobody has a US-Bigbank account.

So far you as an individual in Elbonia have not committed any crime, and importantly your actions were entirely within Elbonia's geographical jurisdiction.

The software agent you designed "copies itself" from computer to computer "modifying itself" as it copies. It then destroys itself on the computer it is on causing no harm to the computer. It can do this because US-bigcorp had security vulnerabilities in its product that it has chosen not to fix or tell anyone about. That you and others in Elbonia only became aware of because US-Gov had used it to attack your and other Elbonians' computers to download information that used the flawed US-bigcorp software.

The software agent, using the resources of the computers it copied its modified self to, spreads out doing no harm to those or any other computers. On landing on a computer that has US language settings it then, again without making any changes to the computer, scans for US-Bigbank software and credentials. If found it uses them to access US-Bigbank computers via the US-Bigbank client software and credentials. Once in, the software copy checks the balance and if over 500USD it tells the US-bigbank computers to send 10USD of that to the numbered account in Gnomonia, and then the software agent destroys itself having done no harm to the computer.

You have not committed any crime in Elbonia, and you have never been in Gnomonia or US jurisdictions. It was US-Bigbank computers that sent the money, instructed by US-Bigbank client software and credentials under the instructions of a software agent. Which is most definitely different to the one that you released in Elbonia. Further it was only viable for this software agent to spawn other different software agents due to the failings of US-Bigbank, US-Bigcorp and the US-Gov that alerted you to the US-Bigcorp failings by using them to steal from you and many others by exploiting those failings...

All you have done is copied the US-Gov lead and RSVP'd.

So what makes US-Gov actions to steal by which they hope to profit greatly legal, but your copy-cat "return to sender" actions to profit illegal?

It would make an interesting philosophical consideration if such things were not already happening.

The US Gov default position is "We are the Good Guys" thus what we do "Is for the greater good", "You are not US Gov" so by default "You are the bad guys" and because "We are too powerful to stop", "Can do what we like". Hence the,

    Might is right doctrine

Is in play.

MarkH • October 27, 2019 1:29 PM

@Legal Layperson:

With the usual disclaimer that I am not a lawyer (or anything close) ...

The term for this is "extraterritorial jurisdiction" (not to be confused with universal jurisdiction). I first became aware of the scope of such U.S. claims since 2000, but in one form or another it is asserted by numerous states, and goes back at least a couple of centuries.

In general, no state has veto power over the laws of another state ... nor does any international body, except to the extent that states might agree to be bound by treaties.

To construct a playful example, there's nothing to prevent Mongolia from enacting a statute that all commercial transactions in Uruguay must be governed by Mongolian law, with fines and other sanctions to apply in case of violations. Presumably, such a statute would be nearly impossible to enforce, and be devoid of practical significance.

Claims of extraterritorial jurisdiction have practical effect in a few cases:

1. Affairs of defendants whose alleged offenses occurred in some foreign (or non-state) locale are connected to the state claiming jurisdiction.

For large and wealthy states, the exposure to this is high. For the U.S. in particular, an awful lot of international financial transactions touch in one way or another on U.S. institutions, so there's a "hook".

2. Defendants subject to such charges might wish to enter the territory of the state claiming jurisdiction, or even arrive there without intention.

The latter situation, while rare, might arise when (for example) an international flight makes an unscheduled landing in a third country.

3. Foreign states choose to honor extradition requests, whether pursuant to treaty or by specific discretion, from the state claiming jurisdiction.

4. The state claiming jurisdiction is able to independently take custody of the defendant outside of its own territory.

This might occur if the alleged offense takes place on board a vessel in (or over) international waters, or on a foreign battlefield.
_____________________________________________

It's worth noting that not all extraterritorial jurisdiction has overtones of power-mania. For example, some states assert jurisdiction over violations of their laws committed by their own nationals while abroad.

In this way, they can sanction crimes by their citizens which went unpunished (or insufficiently punished) by the states in which those crimes were committed. Persons wishing to sexually exploit children while abroad had better be aware of this ...
_____________________________________________

@Clive:

So far, the only publicly reported case of military violence (to my knowledge) based on technical attribution of a cyber attack is one made by Israel, during a larger military operation. That was discussed right here on the Schneier blog.

Whether the selection of that target had any corroborating basis in human intelligence, I don't know.

Notwithstanding much emotional hand-wringing, the first such U.S. attack remains in the speculative future.

SpaceLifeForm • October 27, 2019 1:30 PM

@Panopticon, @Dysnomia

Consider a brain-dead system, that does not care about any semantics. It just moves encrypted chunks around, for the intended recipient to 'find'.

name.withheld.for.obvious.reasons • October 28, 2019 12:48 AM

@ Dysnomia

We are there...we witness this in a normative fashion nearly everywhere public commentary exists. The shallows have become the deep end, what was once marginal is now cast out as unacceptable.

So dissent can be suppressed simply by a level of "group think" or a collective acting from a position of perceived righteousness or correctness.

Brandon • October 28, 2019 9:33 AM

3. Foreign states choose to honor extradition requests, whether pursuant to treaty or by specific discretion, from the state claiming jurisdiction.

That sounds interesting!

I thought that having an extradition treaty is a necessary condition of honoring an extradition request. Otherwise surrendering the suspect would be illegal.

Please correct me if I am wrong.

Dictator • October 28, 2019 3:20 PM

@Brandon

First, not all states in the world have their leader(s) subject to laws. In some states the leader is the law. This is commonly called a dictatorship. Obviously in this state, the leader can do whatever he wants (including extradite someone, if he is convinced to), and it can never be deemed "illegal" (except of course if he's conquered by someone else, who then becomes the new dictator and puts the old one in prison... well such regimes are not "safe" for anyone I guess)

Second, there's nothing stopping any state (even a non-dictatorial one) from passing laws that just say they can extradite someone even without a treaty, under specific circumstances, or leaving the choice up to some person or group...

To say the least, there's a wide variety of forms of government in this world...

AnonCow • October 31, 2019 7:11 PM

@Brandon an extradition treaty is a promise between states to say that "we'll extradite people you want for crimes A, B, C, D..., if you extradite people we want for crimes A, C, D, E...", sometimes with caveats like "and we promise not to sentence them to more than X" (Council of Europe members may not extradite anyone to face death or torture, for example, so their extradition treaties always include a requirement that those sentences cannot be imposed, or exclude capital offences).

Extradition itself is an operation of the internal police and judicial powers. In Monist systems a ratified treaty inherently created domestic legislation enacting whatever it requires the country to do (though it might need expanding and clarifying by national law), so the treaty itself creates the authorisation in domestic law. In dualist countries that doesn't happen, so separate legislation is required.

1&1~=Umm • November 1, 2019 4:36 AM

@Brandon:

Whilst an extradition treaty is a promise between states as @AnonCow has pointed out, how it is implemented "is an operation of the internal police and judicial powers" which depends on if the country is monist or dualist in the implementation of such legislation.

As far as I'm aware there are no pure monist or dualist legal systems in Western Nations and likewise no nation is purely Sovereign in nature.

This gives rise to a complex system when it comes down to individual cases in most countries, and can give rise to legislation being out of step between nations that have jointly signed a treaty.

As the following article observes,

"The role of the state in the modern world is a complex one. According to legal theory, each state is sovereign and equal. In reality, with the phenomenal growth in communications and consciousness, and with the constant reminder of global rivalries, not even the most powerful of states can be entirely sovereign."

Before it goes on to describe monism and dualism and its implications in a little more depth,

https://bmusota.blogspot.com/2015/09/monism-and-dualism.html

But remember the usual IANAL rules apply, thus treat it as academic, not particular in what it says, as YMMV in any given case.

MarkH • November 1, 2019 12:04 PM

@Brandon et al:

From the wikipedia article on extradition, "codes of penal procedure in many countries contain provisions allowing for extradition to take place in the absence of an extradition agreement." [This language is followed by a citation footnote.]

My non-lawyer reasoning is that an extradition treaty prescribes circumstances under which an extradition process is required; the absence of a treaty does not prohibit extradition.

Presumably, in many states the response to an extradition request would depend on whether the targeted person holds citizenship in that state.

From a political rather than legal standpoint, the targeted person might seem to be an extremely nasty piece of work, a "hot potato," or some other kind of embarrassment. In such cases, governments may choose to exercise such discretion as their laws afford to facilitate extradition.

@Umm:

It seems to often be the case with opposed "isms" that pure instances don't exist. For example, no functioning economy is purely capitalist or purely socialist: in each country, some more-or-less pragmatic division is in effect.
