DarkNetGuard
Junior Contributor
VIP
- Joined
- Jan 21, 2023
- Threads
- 46
- Post Replies
- 49
- Status
- offline
- Last seen
Introduction
Here I have multiple theories while we are looking for what most likely happened and of course if you simply reply with "you are wrong / they would never do that" and other non-arguments, I will put you on my naughty list next to Paris.
Note: Paris & Hugbunter Dread admins.
----------------------------------------
Theory 1: Classic exit-scam with red herring "This is an LE action." to make everyone believe it was the police but it did not work because no-one checks / reads anything and everyone on the darknet is half ******** (I have to limit my powerlevel on this sub else my comment gets removed)
Removed, will be posted on a different sub
----------------------------------------
Theory 2: Classic exit-scam but by the police
So the theory that it's LeSnake, FEDSnake, etc. funny name game instead DeSnake and Alphabay was a honeypot. This is not unlikely imho as the market got busted and in the court documents you can read that the keys for Alpha02 and multiple other identities were obtained. (I do not remember if it was blacked out or simply written like "multiple other identities linked to the market" - it was not written which identities that is sure.)
IP collection, I2P push and general increase in busts after Alphabay
I try to explain this as simple as possible, as we know on dread are many many ******* so this should make it easy to understand. (Defense like "read the whitepaper", "that is impossible else paris would tell us", and other funny arguments will put you on my naughty list next to Paris)
Background knowledge to understand it
I2P:
- If you set it up default, you are also a "I2P router"
- I2P is small in comparison to Tor
- I2P was not used on DNM's at all prior to getting pushed by Alphabay / DeSnake and Dread when Alphabay launched (sure here and there you found it, but nothing major)
- P2P Network
I2P Routers:
- Are known to the entire I2P Network
- Details (like IP) can be fetched from the I2P netdb (https://geti2p.net/en/docs/how/network-database)
Alphabay / DeSnake:
- Got busted for bad OPSEC
- Admin killed himself
- Everyone thought DeSnake is the main admin Alpha02 but suddenly he is back from the dead (read old reddit threads or russian forums)
De anonymization of vendors
- Vendors who use I2P and do not adjust it, will be I2P routers, so visible in the network to anyone
- If you use a honeypot, (e.g. a market like Alphabay), they can record every request you perform (every site refresh when you are logged in, an example is this page on dread: /account/viewed/ where dread stores your requests)
- Over time they will have many records of you doing requests to the market, so they can know when you are usually online
- Alphaby was online for over a year, so they had plenty of time monitoring users
Theory and attack
- To perform this attack, you monitor I2P and the netdb, you scrape it. (Request every active netdb router and log the time + IP)
- You also like explained, monitor a site and scrape all timestamps (if you run a honeypot, it's very easy, as you can just log the requests)
Now that you have:
1. Vendors / Users and you know the time they are active (timestamps collected on the honeypot)
2. IPs of users who used I2P and were active as a router (Fetched from the I2P netdb, with timestamp of time of activity)
If you do this once, it's unlikely that you can get the real IP of a user, if you do this over weeks / months, it would be weird if you do not manage to de anonymize a user. Alphabay was active for more than a year, and in addition could scrape Dread timestamps (as they are at best public and at worst could work together with LE)
Honeypots / timestamp collection
- Can be public forums like Dread that offer an I2P mirror (any eepsite with timestamps publicly available)
- If you run a market as honeypot, it's perfect however, as you know every user is engaging in criminal activity and you can directly log their requests
Noise and signal:
- Noise: IPs that with 100% certainty do not belong to the vendors you want to identify
- Signal: IPs that are likely to be using your honeypot / likely to be vendors or users of darknet markets
Optimal attack?
This attack could be one of the best operations LE ever did, as it directly can bust multiple vendors and user (I would think only vendors would get busted though, as this would kill the supply for the DN).
Keep this in mind, why I think it can be the best operation ever: No-one used I2P prior to Alphabay pushing it. Why is this an advantage? Because you can prepare this attack, you can monitor I2P's netdb in advance for a couple months, this will give you: Almost all IPs of regular I2P users, who would otherwise be noise to be filtered out, now that you prepared your attack, you already identified all of the noise, so after pushing your honeypot, you are left with almost pure signal.
Even without noise filtered out, over months you can easily bust users, as you will have enough timestamps to correlate the user to it's IP. If you however remove the noise, it gets incredible easy to bust users.
The server resources to pull off this attack are minimal in comparison to an attack that targets to de anonymize Tor users.
----------------------------------------
Theory 3: Who was DeSnake? Exit by dread
Now this is something not many people think about, but literally who verified DeSnake? Paris and Hugbunter?
Who else, where are the many vendors who claim to vend ever since the first g of weed was sent back and forth via AOL Chatrooms?
There was a verification thread but literally no-one besides Paris gave trust to it, but is that enough? If Paris tells you that HugBunter is at your mothers house, would you believe that too? We need multiple vendors who are vending since back of the old Alphabay to verify that it was the legit DeSnake, because literally anyone can come and claim to be some dude from whenever, I can change the time on my computer to 2015 and generate a key with the name DeSnake, this does not make me DeSnake however.
tldr: Vendors who are in the game since Alphabay 1, can you verify that you got DeSnake's PGP Public Key, from before Alphabay 2 and it's the same key? I want multiple vendors not one or two and vendors who still vend not some fake ass users who come and claim, yes that's good.
In this theory, I assume that Paris and HugBunter are behind the exit-scam of Alphabay 2 and larped as DeSnake, maybe on their own or they work together with the police. In this theory dread is a honeypot. (I2P push to push the collection of IPs)
----------------------------------------
Final words
It's not easy, as we can all only speculate, in my opinion this is all shady, as multiple things are unknown. I have multiple reasons to not trust Paris so I might be biased, all reasons are perfectly valid however and not theories.
Here I have multiple theories while we are looking for what most likely happened and of course if you simply reply with "you are wrong / they would never do that" and other non-arguments, I will put you on my naughty list next to Paris.
Note: Paris & Hugbunter Dread admins.
----------------------------------------
Theory 1: Classic exit-scam with red herring "This is an LE action." to make everyone believe it was the police but it did not work because no-one checks / reads anything and everyone on the darknet is half ******** (I have to limit my powerlevel on this sub else my comment gets removed)
Removed, will be posted on a different sub
----------------------------------------
Theory 2: Classic exit-scam but by the police
So the theory that it's LeSnake, FEDSnake, etc. funny name game instead DeSnake and Alphabay was a honeypot. This is not unlikely imho as the market got busted and in the court documents you can read that the keys for Alpha02 and multiple other identities were obtained. (I do not remember if it was blacked out or simply written like "multiple other identities linked to the market" - it was not written which identities that is sure.)
IP collection, I2P push and general increase in busts after Alphabay
I try to explain this as simple as possible, as we know on dread are many many ******* so this should make it easy to understand. (Defense like "read the whitepaper", "that is impossible else paris would tell us", and other funny arguments will put you on my naughty list next to Paris)
Background knowledge to understand it
I2P:
- If you set it up default, you are also a "I2P router"
- I2P is small in comparison to Tor
- I2P was not used on DNM's at all prior to getting pushed by Alphabay / DeSnake and Dread when Alphabay launched (sure here and there you found it, but nothing major)
- P2P Network
I2P Routers:
- Are known to the entire I2P Network
- Details (like IP) can be fetched from the I2P netdb (https://geti2p.net/en/docs/how/network-database)
Alphabay / DeSnake:
- Got busted for bad OPSEC
- Admin killed himself
- Everyone thought DeSnake is the main admin Alpha02 but suddenly he is back from the dead (read old reddit threads or russian forums)
De anonymization of vendors
- Vendors who use I2P and do not adjust it, will be I2P routers, so visible in the network to anyone
- If you use a honeypot, (e.g. a market like Alphabay), they can record every request you perform (every site refresh when you are logged in, an example is this page on dread: /account/viewed/ where dread stores your requests)
- Over time they will have many records of you doing requests to the market, so they can know when you are usually online
- Alphaby was online for over a year, so they had plenty of time monitoring users
Theory and attack
- To perform this attack, you monitor I2P and the netdb, you scrape it. (Request every active netdb router and log the time + IP)
- You also like explained, monitor a site and scrape all timestamps (if you run a honeypot, it's very easy, as you can just log the requests)
Now that you have:
1. Vendors / Users and you know the time they are active (timestamps collected on the honeypot)
2. IPs of users who used I2P and were active as a router (Fetched from the I2P netdb, with timestamp of time of activity)
If you do this once, it's unlikely that you can get the real IP of a user, if you do this over weeks / months, it would be weird if you do not manage to de anonymize a user. Alphabay was active for more than a year, and in addition could scrape Dread timestamps (as they are at best public and at worst could work together with LE)
Honeypots / timestamp collection
- Can be public forums like Dread that offer an I2P mirror (any eepsite with timestamps publicly available)
- If you run a market as honeypot, it's perfect however, as you know every user is engaging in criminal activity and you can directly log their requests
Noise and signal:
- Noise: IPs that with 100% certainty do not belong to the vendors you want to identify
- Signal: IPs that are likely to be using your honeypot / likely to be vendors or users of darknet markets
Optimal attack?
This attack could be one of the best operations LE ever did, as it directly can bust multiple vendors and user (I would think only vendors would get busted though, as this would kill the supply for the DN).
Keep this in mind, why I think it can be the best operation ever: No-one used I2P prior to Alphabay pushing it. Why is this an advantage? Because you can prepare this attack, you can monitor I2P's netdb in advance for a couple months, this will give you: Almost all IPs of regular I2P users, who would otherwise be noise to be filtered out, now that you prepared your attack, you already identified all of the noise, so after pushing your honeypot, you are left with almost pure signal.
Even without noise filtered out, over months you can easily bust users, as you will have enough timestamps to correlate the user to it's IP. If you however remove the noise, it gets incredible easy to bust users.
The server resources to pull off this attack are minimal in comparison to an attack that targets to de anonymize Tor users.
----------------------------------------
Theory 3: Who was DeSnake? Exit by dread
Now this is something not many people think about, but literally who verified DeSnake? Paris and Hugbunter?
Who else, where are the many vendors who claim to vend ever since the first g of weed was sent back and forth via AOL Chatrooms?
There was a verification thread but literally no-one besides Paris gave trust to it, but is that enough? If Paris tells you that HugBunter is at your mothers house, would you believe that too? We need multiple vendors who are vending since back of the old Alphabay to verify that it was the legit DeSnake, because literally anyone can come and claim to be some dude from whenever, I can change the time on my computer to 2015 and generate a key with the name DeSnake, this does not make me DeSnake however.
tldr: Vendors who are in the game since Alphabay 1, can you verify that you got DeSnake's PGP Public Key, from before Alphabay 2 and it's the same key? I want multiple vendors not one or two and vendors who still vend not some fake ass users who come and claim, yes that's good.
In this theory, I assume that Paris and HugBunter are behind the exit-scam of Alphabay 2 and larped as DeSnake, maybe on their own or they work together with the police. In this theory dread is a honeypot. (I2P push to push the collection of IPs)
----------------------------------------
Final words
It's not easy, as we can all only speculate, in my opinion this is all shady, as multiple things are unknown. I have multiple reasons to not trust Paris so I might be biased, all reasons are perfectly valid however and not theories.