An international bust has led to the shuttering of two dark web marketplaces for drugs, weapons, hacked data, hacking tools and other illegal goods: the Wall Street Market (WSM) and the Valhalla Market (better known by its Finnish name, Silkkitie).
Europol and German police announced the “double blow” to dark web marketplaces on Friday, saying that German authorities have arrested three suspects and seized over €550,000 in cash, along with cryptocurrencies Bitcoin and Monero in “6-digit amounts,” several vehicles, computers and data storage, and at least one firearm.
An investigation by the Attorney General in Los Angeles also led to the arrest of two suspects who are alleged to be among the markets’ biggest drug sellers.
On Friday, Finnish Customs said that they’d seized the Silkkitie web server earlier this year and seized a “significant” amount of Bitcoin. They said that after shutting down Silkkitie, some of the Finnish drug dealers moved to other illegal sites on the Tor network, including WSM.
German investigators had their eye on the three suspects since March – a 31-year-old from Bad Vilbel, a 29-year-old from the district of Esslingen and one 22-year-old from Kleve, all three of whom are German nationals.
The stench of exit scam
WSM had been stinking of exit scam for a while. The admins switched the platform into maintenance mode on 23 April, then began transferring customers’ funds to themselves. Customers and buyers responded by howling about the “Sorry guys we are currently redesigning WSM” message, which the admins posted on Friday, 26 April, and which said that the “maintenance” would last a week.
Here’s one of the less offensive comments on the WSM market listing at DeepDotWeb, a site devoted to covering dark web markets. It was posted on 26 April:
Administrators are trying to steal all the money flee this .onion right now and pls DEEPDOT ban this from “topmarkets”
Rogue admin attempts blackmail, then doxxes IP address
Police moved in, seizing the marketplace’s servers on Thursday, 2 May. But first, chaos and desperation had apparently set in, as one of the site’s moderators – Med3l1n – started blackmailing WSM vendors and buyers, demanding 0.05 Bitcoin (~$280) in payment. Otherwise, Med3l1n threatened, they’d hand authorities information about vendors and buyers who’d slipped up and shared their details in unencrypted support requests.
So apparently WallStreet Market is threatening customers who sent addresses in cleartext. pic.twitter.com/vLMAPfiQIg — Caleb (@5auth) April 20, 2019
A few days after that, Med3l1n went rogue and leaked login credentials and the IP address (located in the Netherlands) for the WSM backend on Dread, a Reddit-like community for dark web users.
Of much greater concern to users: The same mod has posted his login credentials to Dread. This gives anyone the ability to sign in to WSM as the mod and access all information pertaining to users and their orders that isn't encrypted. He also gave the server IP address up. pic.twitter.com/YD3kuBAYk5 — Patrick Shortis (@Patrick_Shortis) April 24, 2019
Beyond exposing the physical location of WSM’s server, this enabled anyone to log in to the marketplace’s administrative section and gain the data necessary to strip anonymity from the market’s vendors, buyers, orders and more.
Six days later, on 30 April, WSM’s site started showing an error. Police took it down on 2 May. It’s not known how much the rogue admin’s disclosure helped the investigation, but German police had apparently already been watching the suspects as far back as March.
This was a big one
Europol called Silkkitie one of the oldest and internationally best-known dark web marketplaces. It’s been running on the Tor anonymity system since 2013, Europol says.
A press conference in Wiesbaden on Friday included representatives of the US attorney’s office, the FBI, and Europol. According to DW, the president of Germany’s Federal Criminal Police (BKA), Holger Münch, described the case as “extraordinary,” involving security services from the US and Netherlands, as well as Europol and Germany’s ZIT internet crime agency.
It had to be that complex and had to be an international effort, he said, given that it’s initially impossible to ascertain where such platforms are run from. One of the clues was the languages used on the market: the common language was English, but German was also an option. By piecing together various clues like that one, the international team eventually traced the server infrastructure to not just Germany and the Netherlands, but also to Romania.
During the press conference, Ryan White, the US federal prosecutor who heads cybercrime prosecutions in Los Angeles, announced the arrest of “two major drug traffickers” in Los Angeles who had used Wall Street Market.
This investigation will continue to bear fruit, they said, given that it’s spawned secondary investigations now ongoing in Germany. White’s response to a reporter:
It should be no surprise that we are very interested in pursuing additional actions based on this case, so stay tuned.