Advertisement
Guest User

For Andrew

a guest
Jan 29th, 2019
4,515
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 22.89 KB | None | 0 0
  1. -=- OPSEC BY EXAMPLE - EPISODE 3 -=-
  2.  
  3. -=- MARK DECARLO, FOUNDER AND DEVELOPER OF DREAM MARKET -=-
  4.  
  5. Preface
  6.  
  7. Hello, dearest reader! I hope you all had a great holiday season. Even if you didn’t, don’t worry - I’ve got a very special present for you today. This is going to be a wild ride, so pack a bowl, buckle your seatbelts, and get ready for some of the biggest opsec failures that you’ve ever seen.
  8.  
  9. Now, I’m sure that once I post this, there will be dozens of people coming out of the woodwork to call me out and say that this is fake, that I’m 100% wrong, that these are simply red herrings and I’ve been on a wild goose chase for weeks. I urge you to keep in mind that people who run darknet markets don’t necessarily need to be strategic geniuses or opsec masters to make it to the top, though they do need to be smart to stay at the top. The truth of the matter is, until Mark DeCarlo is taken away in cuffs (which will hopefully be soon), I really can’t be 100% positive about the facts of this case. But I’m going to present all the facts as accurately as possible, and the conclusions you make about them are up to you.
  10.  
  11. I’d also like to give a huge thanks to my new friend BlueBoxFox who has been an absolutely invaluable part of this research. I found the initial leads, and I’ve helped BlueBoxFox connect some dots along the way, but the majority of our findings here have been because of his laser-focus on finding the facts. You’re the best, BBF.
  12.  
  13. The initial leads
  14.  
  15. A while back, I started working on a darknet market data scraper for a project I’ve had in the works for quite some time. I was looking at the data Dream was giving me when I noticed something strange. Every request that one makes to Dream has a strange and uncommon return header - X-Forwarded-For = 198.49.70.33. As of the time of this release, you can still see that return header in every response you get from Dream. I’m not positive, but my theory is that Dream’s public onions are running Varnish cache server and using that to speak to the back end server that has all the real goods on it. Occasionally, when Dream breaks down, you can see errors from Varnish cache server, so it makes sense that Varnish may have been misconfigured and set to show the real IP address this whole time.
  16.  
  17. That IP address, 198.49.70.33, belongs to a hosting company in Florida called HostDime. HostDime offers high end servers in a very high-security environment, and they accept bitcoin, so my interest was immediately piqued. I considered that maybe this was a red herring but decided to continue anyway. BlueBoxFox and I called and emailed HostDime numerous times, trying everything we could think of to trick them out of even a single modicum of information about the account holder, but we were entirely unsuccessful. (It sucked not being able to squeeze anything out of their staff, but I have to say - two thumbs up to the HostDime employees. Next time I need a place to host some shady content, I know who I’m going with.)
  18.  
  19. After failing to trick HostDime out of any useful information, we decided to look elsewhere. We found all of Speedstepper’s public postings that we could, figuring that if he had messed up the configuration of Varnish, it was likely he had made other serious mistakes. We found what we were looking for on Speedstepper’s profile on deepwebnetwork.com. In his profile information, he listed his personal website as buyoxytocinnow.com. While we initially thought that this was a red herring, because finding this detail was just too easy, we investigated further and found more than we ever bargained for.
  20.  
  21. Mark DeCarlo - the present
  22.  
  23. That website, buyoxytocinnow.com, was a website hosted via HostGator that was suspended after some time, presumably because HostGator isn’t interested in helping people push shady pharma products. The current whois information for buyoxytocinnow.com is private, but historical records show that it was previously registered to one Mark DeCarlo of Innerconx, Inc. Mark DeCarlo is a 63 year old man from Florida, so we were a bit disappointed, thinking that there was no way this was our guy, simply because he’s so far off of the standard profile for a computer criminal. However, Mark does own a web design business, so we kept looking into him, thinking that maybe there was a link after all.
  24.  
  25. Mark’s company, Innerconx, is a small web hosting and design company based in Florida. As far as we were able to tell, he has no employees. The address listed on his business filing records is 32 Cedar Way, Hollywood, Florida, which is just his old house, not an office. Innerconx’s website, innerconx.net, is a small site running Wordpress that lists some details about what Innerconx does, but it’s a far cry from a modern webhost’s website. Innerconx didn’t seem particularly shady to us. It just seemed like a small web design company, and maybe that’s what it was at one point, but this was just the beginning of the rabbit hole.
  26.  
  27. Innerconx.net had a contact number listed - (954) 547-8976 - which turned out to just be Mark’s personal phone number. When I called him, I made the mistake of calling at about 6 AM in my timezone, which turned out to be about midnight for him. I asked him a couple of questions about his web design business, pretending to be an interested potential customer, but he was extremely evasive and demanded that I “call the office” but wouldn’t give me the phone number for his “office.” Now, in all fairness to Mark, I did call him at midnight, so I can see why he wouldn’t want to take a business call, but his tone gave me a gut feeling that there was more to this than just him being upset about me calling so late.
  28.  
  29. I called later in the day (or rather, the next day, in Mark’s timezone) and tried asking him questions about his business again. He answered the phone rather angrily and demanded to know who I was and what I wanted. He didn’t seem to buy the story that I was an interested customer - maybe because my phone’s area code was rather far away from Florida, or maybe because I just didn’t sell my story very well. After I realized that pretending to be a customer was getting me nowhere, I started asking him more broad questions about his business and the sites I knew he hosted. He claimed that his hosting company hosted “thousands of websites,” which is patently untrue. He denied knowing whether Innerconx was related to oxytocincentral.com or buyoxytocinnow.com, and later in the call, he explicitly denied being related to those websites. I decided to push further and ask if he knew anything about anyone named “Speedstepper” and at this point, he locked up and demanded that I “call corporate” but refused to give me a different phone number. He gave me the email admin@innerconx.net instead, so I sent him the following email:
  30.  
  31. Subject line: To Mark - questions about oxytocin
  32.  
  33. Email body:
  34.  
  35. Hi, I was told to follow up at this email address after my phone conversation with Mark DeCarlo. I presume that Mark will be the one reading this, given his role in the company, but if someone else is reading, please bring this email to Mark’s attention immediately.
  36.  
  37. As I said over the phone, I have several questions about Mark’s apparent involvement with illicit and/or counterfeit pharmaceuticals.
  38.  
  39. 1.) What involvement did you (Mark DeCarlo/Innerconx) have with the websites OxytocinCentral and BuyOxytocinNow? 2.) You said on the phone that you weren’t responsible for purchasing the domains or hosting the content on these websites. With that being said, how do you explain historical whois records like the one here? 3.) Have you or Innerconx ever done business with HostDime.com? 4.) What connection do you have to SpeedStepper and his various web design projects? 5.) On SpeedStepper’s profile on DeepWebNetwork, why is BuyOxytocinNow.com listed as his website, when the registration details show that it was yours? 6.) Are you SpeedStepper? 7.) Are you responsible for hosting 198.49.70.33, either through Innerconx or another company? 8.) If this is all unrelated to you, why does everything about this point towards you being responsible for these projects?
  40.  
  41. I look forward to reading your answers. Again, I apologize for calling you so late - I’m not currently in the US and I didn’t realize how late it was in your timezone. Thanks for your time.
  42. Unsurprisingly, he didn’t reply.
  43.  
  44. Mark DeCarlo - the past
  45.  
  46. We still had our suspicions, but we didn’t have anything in the way of hard evidence. We decided to look into Mark’s background as much as we could to see if there was any non-circumstantial evidence connecting him to Dream. The first thing we did was look into the various different domains that Mark has registered, to see if he had inadvertently left some clues sitting around for us to find. There are a lot of them, so I’m not going to go in depth on every one. I’m just going to focus on what seems relevant to me. If you’re interested, you can find a full list of Innerconx domains here and a full list of Mark’s personal domains here.
  47.  
  48. The first thing that sticks out to me about these domains, both Mark’s personal ones and the ones he registered with Innerconx, is that Mark is a serial entrepreneur. If you look at the registration dates on the domains, it seems that Mark gets an idea for a business, starts it up, sees that it isn’t immediately blowing up and making him rich, and then moves on to his next idea. However, there’s a curious change in his pattern of domain registrations here.
  49.  
  50. 2002 - 1 domain registered
  51.  
  52. 2008 - 1 domain registered
  53.  
  54. 2010 - 1 domain registered
  55.  
  56. 2013 - 12 domains registered
  57.  
  58. 2014 - 67 domains registered
  59.  
  60. 2015 - 14 domains registered
  61.  
  62. 2016 - 3 domains registered
  63.  
  64. 2017 - 1 domain registered
  65.  
  66. 2018 - 0 domains registered
  67.  
  68. It seems to me that Mark hit peak entrepreneurship in 2014, while Dream was still a small fry competing with much larger marketplaces. As Dream grew bigger and bigger, his domain registrations dwindled as he didn’t need to make money through legitimate sources anymore. Throughout the last couple of years, Mark has seen considerable financial gain (more on this later) and it would reasonably follow that if Mark was getting richer, we should be able to see Mark registering more domains as his web hosting business grew. However, that simply isn’t the case.
  69.  
  70. Following the money
  71.  
  72. We did some digging on the Facebook accounts of Mark, his wife Colleen, and their daughter, Erica. We figured that if Mark was really in charge of Dream, he’d have some money, and it turns out that he’s been flexing his cash quite a bit on social media.
  73.  
  74. First, there’s the cars. Based off of Mark’s public Facebook posts, he clearly likes old and fast cars. Now, before Dream market was all set up and making huge cash, Mark still had an interest in cars. In fact, he was even a regular on a few Corvette forums. But the cars he had were simply old, and very cheap. After Dream Market became the top name in the DNM game, Mark purchased three brand new cars. A Corvette Z06 Supercharged, which goes for a cool $160k. Mark purchased it brand new from the dealership. A month previously, Mark also purchased a Cadillac Escalade, which goes for up to $100k, brand new. This data all comes from Mark’s Facebook page, where he repeatedly shows off his cars. He also made reference to purchasing a new car for his mom, but we were unable to find details about the make and model of that car.
  75.  
  76. And even more notably, there’s Mark’s house. Up until recently, Mark lived at 32 Cedar Way, Hollywood, Florida. The Zillow information about this house states that it’s a 1,729 square foot, single story home that is worth somewhere in the neighborhood of $379,000. It’s a nice, modest home, and it very much fits in with the amount of money Mark should be making with his business.
  77.  
  78. BlueBoxFox made a couple calls to Comcast with the information we already had on Mark and was able to find out his new address. As of October 25th, 2018, Mark is the proud new owner of 641 Ranch Road, Weston, Florida, and wow, what an upgrade it was. The Zillow information about this house states that it’s a 5,099 square foot Italian-style mansion with a heated pool, a view of the lake, 6 bedrooms, and 4.5 bathrooms. Mark paid a cool $1.075 million for it.
  79.  
  80. We wondered how Mark was washing his money, and BBF was able to find information about what appear to be shell companies registered in Mark’s name. Here’s a list:
  81.  
  82. Officer/RA Name Entity Name Entity Number
  83.  
  84. DECARLO, MARK TRINITY INSURANCE SERVICES, INC. F10000000804
  85.  
  86. DECARLO, MARK MDC ASSOCIATES CLAIMS ADJUSTERS, PLLC L12000115869
  87.  
  88. DECARLO, MARK VANTAGE POINT CLAIMS MANAGEMENT, PLLC L16000182207
  89.  
  90. DECARLO, MARK BESTBANG4THEBUCK.COM, INC. P06000134799
  91.  
  92. DECARLO, MARK SILKY HOSTING SOLUTIONS, INC. P14000054182
  93.  
  94. DECARLO, MARK SILKY HOSTING SOLUTIONS, INC. P14000054182
  95.  
  96. DECARLO, MARK RENEWAL HOLDINGS, INC. P14000097703
  97.  
  98. DE CARLO, MARK INNERCONX, INC. P99000021224
  99.  
  100. I’ll go through each one of these in order, with the exception of Innerconx, which, if you’ve read this far, you already know about.
  101.  
  102. First, Trinity Insurance Services. There is a Trinity Insurance Services that operates in Florida (website at trinityins.net) but there is no indication anywhere on their website that they have any connection to Mark DeCarlo. I’m inclined to believe that he just reused the name of a legitimate company to hide his business goings-on a little better.
  103.  
  104. MDC Associates Claim Adjusters has absolutely no public presence. There’s no website, no office, no phone number, nothing.
  105.  
  106. Vantage Point Claims Management seems very shady, but might be a real company. There is a website - vantagepointclaims.com - but it’s down. It seems there’s another Vantage Point Claims Management in New Orleans, which Mark filed a Freedom of Information Act request against in late 2018, and based on that information I think that Mark took another legitimate business’s name to hide what he was doing. You can view info about that FOIA request here.
  107.  
  108. BESTBANG4THEBUCK.COM is also clearly fake. The website is down (and as far as I know, Mark was never involved with hosting that website) and there’s no information about it anywhere, other than websites listing business filing records.
  109.  
  110. Silky Hosting Solutions is definitely associated with Mark, but if you go to any of the domains relating to Silky VPN or other “Silky” products that Mark has made, it’s abundantly clear that nobody uses them. There is no talk about the quality of the services anywhere, no customer testimonials, nothing but business filing records and a few apparently abandoned websites. Interestingly, the business filing records for this one include a “Dragan Zlatanovic” and a “Simon Zekar” but I wasn’t able to find anything substantial about them or their connection to Mark.
  111.  
  112. “Renewal Holdings” seems to be another intentionally confusing name for a shell company. There is nothing but business filing records available online for Renewal Holdings, but it looks like this company might have been named like it is to confuse people looking, as there is a legitimate “Lucayan Renewal Holdings” also in Florida.
  113.  
  114. Setting the trap & tightening the noose
  115.  
  116. Despite how incredibly shady Mark DeCarlo looked to us, none of this was truly hard evidence. We decided to lay a beautifully simple mathematical trap for Mark. We encrypted a message with Dream’s current PGP key that contained a link to a URL on a throwaway box I’ve had for a while. The URL was specific enough that no web scraper or curious visitor would ever come by it accidentally, and Mark was the only one we sent it to. If we got a hit on that URL, we’d know for sure that Mark held the PGP private key corresponding to Dream’s public key.
  117.  
  118. Subject line: WE KNOW WHO YOU ARE
  119. Pre-encryption body text: We know who you are, and now we have undeniable proof. We don’t want to ruin you - we just want to talk business with you. If you don’t believe that we have the proof we say we have, check this out: https://[redacted]/DeCarlo/proof.txt
  120. Just a few hours later, I find this in my log files:
  121.  
  122. “GET /DeCarlo/proof.txt HTTP/1.1” 404 142 “-“ “Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0”
  123. At this point, if you’re not convinced by what you’re reading, I don’t know what would convince you. Mark is the only person who had this URL and the only person who could’ve decrypted the message we sent to find that URL.
  124.  
  125. A (possible) connection to the feds
  126.  
  127. Full disclosure: I’m not positive about this part. Again, come to your own conclusions and don’t take anything we say to be absolute, indisputable truth.
  128.  
  129. Starting off, Dream Market has seen many big busts, as has any other large darknet market. One of the largest busts was of “Oxymonster”, a vendor and moderator on Dream market. For those of you who frequently check out DNM news, you may remember how Oxymonster was caught. For those of you who don’t, he was captured in Atlanta Georgia after exiting a plane. His reason to be in the USA, visiting, was for a “beard growing competetition” in Miami. It seems very possible that Mark could have setup a meeting with him, as bait for the FBI. The suspicions arise because the direct route to Miami Florida from Atlanta Georgia is on I-75, which passes directly through Hollywood Florida, coincidentally where Mark lives.
  130.  
  131. This doesn’t prove anything per se, but consider how strange the route that OxyMonster planned to take was. The beard competition was in Miami. There is an airport in Miami. If you were going to Miami for a contest, why not just fly directly there? Why fly into Atlanta and travel south? The most plausible explanation, at least to us, is that flying into Atlanta would mean that OxyMonster could make his stop at a meeting place with Mark and then continue on to Miami instead of going to Miami, driving out to meet up, and doubling back to go to the contest.
  132.  
  133. Keep in mind, this could just be a coincidence, but Oxymonster lived in France, and it’s very odd he would take an obscure trip to the states just for a little beard growing competition that happened to require him passing through the immediate location of Mark.
  134.  
  135. Fallout
  136.  
  137. After calling Mark, his family, his friends, and his neighbors, many, many times, it seems we finally spooked him. For more than a week prior to this article’s publication, DeepWebNetwork.com has been down with the excuse that it was down for “site maintainence.” As of the time of this writing, as BBF and I are finishing up the final touches, Dream has been down for more than 18 hours, with nobody able to log in to withdraw funds.
  138.  
  139. Also worth noting is the fact that, shortly after sending the email with the trap in it, Mark’s phone line, and the phone lines of his immediate family members were cancelled. Calling from new numbers went straight to voicemail too, so it wasn’t that he had just blocked our phone numbers. In addition to this, we discovered (almost accidentally) that Mark’s Comcast accounts, both for his old house and his new house, were cancelled shortly after we sent the trap email to Mark.
  140.  
  141. Given these facts, it seems very likely that Mark will exit scam soon.
  142.  
  143. Miscellaneous suspicions and oddities
  144.  
  145. This is a list, in no particular order, of various other things that we found suspicious but that we were not able to directly connect to other parts of the narrative.
  146.  
  147. The proximity of Mark’s home to HostDime’s headquarters. Individually I would chalk this fact up to random chance, but given all the other pieces that fit together, I doubt that this is a coincidence.
  148.  
  149. The buttons on one of Mark’s old (and now defunct) websites, oxytocinfactor.co, look eerily similar to the buttons used on Dream. Here is a set of buttons on oxytocinfactor.co, and here is a button from Dream’s website.
  150.  
  151. It’s very likely that Speedstepper isn’t just Mark, but is a small team of people. The spelling for the name alternates between “Speedstepper” and “Speedsteppers” and in a couple of Speedstepper(s)’s public postings, the English used is very poor. However, we were unable to find anything out about who the other Speedsteppers in the Speedstepper team might be, or how many of them there are.
  152.  
  153. Darknetmarkets.org, one of the top search results for “darknet markets,” is a site that pushes phishing links to unsuspecting users. In the article by itmedia.co.jp about Mark, there’s a bit about how Mark is supposedly in cahoots with people phishing Dream. On the same day that DeepWebNetwork went down, so did Darknetmarkets.org. Darknetmarkets.org is back now, while DeepWebNetwork is still down, so maybe this is just a strange coincidence, but I think it’s worth noting.
  154.  
  155. Lessons to be learned
  156.  
  157. Everybody knows that your actions can endanger you - that much is a given. What many people, Mark DeCarlo included, do not seem to realize is that inaction can also indicate involvement. For example, Mark slowing down with his domain registrations was evidence of his involvement via inaction. Make sure that, if you strike gold with your criminal activity, you do the work to keep up appearances in your normal life.
  158.  
  159. If you’re going to be a career criminal, don’t flex your cash on social media. If you’re a local weed dealer getting a couple grand from selling product off the darknet, it’s still a stupid decision, but you’re probably fine. But if you’re an international drug kingpin, you should show more restraint.
  160.  
  161. In the same vein as #2, you should be humble with your ill-gotten gains, even off of social media. Other internet personalities are not your only worry. I imagine that, had the government been a little more competent, the IRS would have taken note of Mark’s purchases quite a while ago. If they haven’t already, I bet they will now.
  162.  
  163. As always, remember that all it takes is one little strand of truth to unravel all of your lies. The people looking for you don’t have to find you the first time they look, but you do have to maintain perfect opsec at all times to avoid being busted. One slip-up and it’s curtains for you.
  164.  
  165. If possible, share a name with others. “Speedsteppers” being multiple people was a confusing twist to the story, and we’re still not sure how much we’re missing here, or how many people “Speedsteppers” really are. This was one of the few examples of Mark DeCarlo doing something right.
  166.  
  167. Conclusion
  168.  
  169. I’m really excited to hear what you all think of this, as is BBF. Please, poke as many holes in our narrative as you can - we’re just as interested in the truth as everyone reading this is. Hopefully none of you have lost any substantial amounts of money on Dream. If it does come back up, I hope you’ll all take your business elsewhere, as Dream reeks of trouble at this point.
  170.  
  171. Thanks for reading, and stay safe out there.
  172.  
  173. Outside sources
  174.  
  175. http://www.itmedia.co.jp/news/articles/1808/08/news016_2.html - Japanese article that came to many of the same conclusions we did, but didn’t dig quite as deep
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement