SHARE
TWEET

So, you want to be a darknet drug lord...

th3j35t3r Apr 13th, 2015 25,688 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. So, you want to be a darknet drug lord...
  2. by nachash
  3. nachash@observers.net
  4.  
  5. [The advice in this article can be adapted to suit the needs of other
  6. hidden services, including ones which are legal in your jurisdiction.
  7. The threat model in mind is that of a drug market. The tone is that of a
  8. grandfather who is always annoyingly right, who can't help but give a
  9. stream-of-consciousness schooling to some whippersnapper about the way
  10. the world works. If this article inspires you to go on a crime spree and
  11. you get caught, don't come crying to me about it.]
  12.  
  13. You've decided that you're bored with your cookie-cutter life of working
  14. at a no-name startup, getting paid in stock options and empty promises.
  15. You want a taste of the good life. Good for you, kid. I used to run a
  16. fairly popular hidden service (DOXBIN) that was seized by the FBI after
  17. 3 1/2 years of spreading continuous butthurt, then subsequently
  18. repossessed from the feds. Because I managed to not get raided, I'm one
  19. of the few qualified to instruct others on hidden services and security,
  20. simply because I have more real-world experience operating hidden
  21. services than the average tor user. In other words, very little of this
  22. advice is of the armchair variety, as you'll often find in abundance the
  23. Internet. But enough about me. Let's talk about your future as an
  24. internet drug lord.
  25.  
  26. 1. Legal/Political
  27.  
  28. First things first, you need to cover the legal, historical and
  29. political angles. Read up on various drug kingpins and cartels from the
  30. 20th century. Learn everything you can about how they rose and fell (
  31. you can safety ignore all the parts about intelligence agencies backing
  32. one drug cartel over another, because that's not going to happen to
  33. you). Once you've got a good command of that, read everything you can
  34. about busted drug market operators and branch out into cybercrime
  35. investigations as well. It wouldn't hurt to make yourself familiar with
  36. law enforcement and intelligence agency tactics either. You'll find that
  37. virtually all drug kingpins either get murdered or go to prison. Let
  38. those lessons sink in, then find a good drug lawyer and make plans for
  39. being able to pay them when The Man seizes everything you own. While
  40. you're dreaming big about making fat stacks of fake internet money, do
  41. some research on Mutual Legal Assistance Treaties and extradition treaties.
  42.  
  43. Mutual Legal Assistance Treaties (MLATs) are self-explanatory. Country A
  44. will help Country B do whatever it takes to aid a cybercrime
  45. investigation should some aspect of the crime bleed over into Country A.
  46. Figure out which countries don't provide legal assistance to your
  47. country in these cases, then find hosting services that are based there.
  48. You'll shorten this list by determining which hosts allow tor, or at
  49. least don't explicitly forbid it in their Terms of Service (you don't
  50. care about exit bandwidth. You just want relays. Remember this for later
  51. in the article). Last but not least, sort out which hosts accept payment
  52. options that don't make you sweat bullets over the fact that the NSA has
  53. been monitoring global financial transactions since at least the 1970s.
  54. You will want to avoid any host that advertises itself as bulletproof --
  55. they'll probably kit your box and siphon everything of value, in
  56. addition to overcharging you for the privilege of running on older
  57. hardware -- and any host which sells a cheap VPS and promises to
  58. guarantee your privacy.
  59.  
  60. Extradition treaties mean that if you're in Country A and do something
  61. that makes Country B want to prosecute you, Country A is most likely
  62. going to give you a one way ticket to Country B. If or when your box
  63. gets seized and you know the heat is on, you're going to want to beat it
  64. to a place that won't send you back, where you will presumably live out
  65. the rest of your days. Just make sure you've made enough money to grease
  66. all the right palms in your new life, or the road ahead may be extremely
  67. bumpy. If you're smart, you'll permanently move to this country well
  68. before you have any trouble with law enforcement.
  69.  
  70. One last thing before moving on: Don't be so stupid as to attempt to
  71. hire a hitman to kill anyone. Murder-related charges have no statute of
  72. limitations, which means you won't get to write a tell-all book about
  73. what a sly bastard you are when this wild ride is a distant memory. If
  74. you've reached a point in your new career where murdering people makes
  75. sense, it's time to walk away. Don't get corrupted like Dread Pirate
  76. Roberts.
  77.  
  78. 2. Technical
  79.  
  80. This section tries to be as operating system independent as possible.
  81. You'll want to consult the documentation of your OS for specifics. The
  82. technical side of running a hidden service and not getting owned by cops
  83. is a lot harder than just installing stuff and crossing your fingers.
  84. The recommendations in this section WILL NOT protect you from 0days in
  85. the wild, but should help somewhat with damage control. Remember, if
  86. they want to own your hidden service, it will probably happen eventually.
  87.  
  88. Before you even think about installing bitwasp and tor, you need to
  89. really understand how tor works. Go to freehaven.net and read the white
  90. papers until your eyes glaze over, then continue reading until you're
  91. out of papers to read. Pay particular attention to the hidden service
  92. papers. If you feel like you didn't understand something, come back to
  93. that paper again when you have more knowledge. A lot of the papers
  94. explain some of the same concepts with slight differences in the intros.
  95. Don't skim over them, because you might read someone's rewording that
  96. will clarify an idea for you. Check back with freehaven regularly. Once
  97. you're up to speed, a good next step is to keep up with the tor
  98. project's mailing lists. [1]
  99.  
  100. While you're doing all of this reading, it's (mostly) safe to go ahead
  101. and install tor on a box on your local network, purely for
  102. experimentation. Keep in mind that the NSA will start scooping up all of
  103. your packets simply because you visited torproject.org. That means don't
  104. post code questions related your drug market on Stack Exchange, if you
  105. want to avoid giving The Man morsels he can use for parallel
  106. construction. Once you've gotten hidden services working for http and
  107. ssh, you're going to take the first baby step towards evading casual
  108. discovery: Bind your hidden services to localhost and restart them.
  109.  
  110. The next step in your journey towards changing the drug business forever
  111. is to grab the transparent proxying firewall rules for your operating
  112. system to make sure they work. [2] They will guard against attacks that
  113. cause your box to send packets to a box the attacker controls, which is
  114. useful in thwarting attempts to get the box IP. You may wish to have a
  115. setup similar to an anonymous middle box, preferably without public IPs
  116. where possible, so if your application gets rooted tor isn't affected.
  117.  
  118. Speaking of applications, do everything you can to ensure that the
  119. application code you use to power your hidden service isn't made of
  120. Swiss cheese and used bandaids. To protect against other types of
  121. attacks, you will want to identify any pre-compiled software that your
  122. users will touch and compile it yourself with hardening-wrapper or it's
  123. equivalent, plus any custom flags you want to use. If you keep
  124. vulnerabilities from the application and server to a minimum, your
  125. biggest worries will be tor-related.
  126.  
  127. You will only connect to your production box via a hidden service. It's
  128. a good idea to get into that habit early. The only time deviating from
  129. this pattern is acceptable is when you have to upgrade tor, at which
  130. time you'll want to have a script ready that drops your firewall rules
  131. and unbinds ssh from localhost just long enough for you to login, do the
  132. upgrade, re-apply the firewall rules and bind ssh to localhost again. If
  133. you're not ready to deal with the latency, you're not ready to do any of
  134. this. Don't forget to transparently proxy the machine you use too, so
  135. you don't slip up by mistake.
  136.  
  137. On the subject of the machine, you need to automate the process of both
  138. setting up your hidden service and of destroying it. Proactively change
  139. servers every few months, in order to frustrate law enforcement attempts
  140. to locate and seize your site. Your creation script should install
  141. everything your site needs as well as all configuration files. Your
  142. clean-up script needs to destroy all evidence, preferably with a tool
  143. like srm.
  144.  
  145. Regarding time-related issues: Always select either UTC or a time zone
  146. that doesn't match the box's location. You will also do this to the box
  147. you use to interact with your hidden service every day. If you read the
  148. whitepapers, you will probably note a recurring theme of clock
  149. skew-related attacks, mostly directed at clients, in some of the older
  150. papers. Tor won't even start if the clock skew is off by too much.
  151.  
  152. If you want to have some fun at the expense of business in the short
  153. term, intentionally take your service offline periodically in order to
  154. mess up attempts to match your downtime with public information. If
  155. you're the kind of person with access to botnets, you could DDoS
  156. (Distributed Denial of Service) some provider at the same time on the
  157. off chance that someone might connect the dots. This counter-measure
  158. will only work on researchers looking at public info, not nation state
  159. actors with an ax to grind.
  160.  
  161. I've saved some of the hardest stuff for the last part of this section.
  162. It's hard because you have to make choices and it's unclear which of
  163. those choices are the best. It's a bit like a Choose Your Own Adventure
  164. book. In that spirit, all I can do is lay out the possibilities in as
  165. much of a Herodotus-like way as possible.
  166.  
  167. One thing you have to consider is whether you want to run your hidden
  168. service as a relay or not. If it's a relay, you'll have extra cover
  169. traffic from other innocent tor users. But if your relay goes down at
  170. the same time as your hidden service, it will be far more likely to be
  171. noticed. Federal criminal complaints make a big deal of seized hidden
  172. services not being relays, but three relays were taken down at around
  173. the same time as Operation Onymous, so that's not a guaranteed defense.
  174. The choice is yours.
  175.  
  176. Remember when I said to take note of hosts that don't ban tor outright?
  177. This is the part where you give back to the community in the form of tor
  178. relays or bridges. [3] The feel-good aspects of this move are along the
  179. same lines as drug barons who build schools and hospitals, but this is
  180. more immediately self-serving. You're going buy several servers to set
  181. up strictly as relays or bridges, then configure your hidden service box
  182. to use only those relays or bridges to enter the tor network. Here's
  183. where things start to get theoretical.
  184.  
  185. If an adversary is running a guard node discovery attack -- in which an
  186. attacker is able to determine the node you're using to enter the tor
  187. network -- against your service and you're using your own relays as
  188. entry nodes, the damage they can do will be limited to DoS (Denial of
  189. Service) if your relays are not linkable to your identity. However, if
  190. you're entering the tor network with bridge nodes, an attacker will
  191. probably say "WTF?" at first unless they determine they've found a
  192. bridge node. Bridge nodes don't use nearly as much bandwidth as relays
  193. because there is not a public list of them, so an intelligence agency
  194. would have less traffic to sift through, which makes correlation easier.
  195. On the other hand, using bridge nodes also allows you to run obfsproxy
  196. [4] on both the bridges and your hidden service. obfsproxy allows you to
  197. make tor traffic appear to be another type of traffic, which is a good
  198. defense against non-Five Eyes entities. For example, your hosting
  199. provider may decide to monitor for tor traffic for their own reasons.
  200. Just make sure your relays/bridges aren't linkable to you or to each other.
  201.  
  202. One last thing about guard node discovery attacks: The Naval Research
  203. Lab published a paper in July 2014 about the "Sniper Attack," [5] which
  204. in short works like this: The attacker discovers your guard nodes, then
  205. uses an amplified DoS trick to exhaust the memory on all of your nodes.
  206. The attacker keeps doing this until your hidden service uses guard nodes
  207. that they control. Then it's game over. If your hidden service's entry
  208. nodes are all specified in your torrc file and they get DoSed, your
  209. service will go offline. In this situation, if all of your relays are
  210. down, you essentially have an early warning canary that you're being
  211. targeted. In other words: This is the best possible time to book your
  212. one-way ticket to your chosen non-extradition country. For those of you
  213. with a background in writing exploits, this is similar in principle to
  214. how stack smashing protection will render some exploits either unable to
  215. function or will turn them into a DoS. Personally, I recommend an
  216. ever-changing list of relays or bridges. Add a few new ones at a
  217. pre-determined interval, and gradually let old ones go unpaid.
  218.  
  219. 3. Operational Security
  220.  
  221. This section is critical, especially when things start to break down. If
  222. everything else goes bad, following this section closely or not could be
  223. the difference between freedom and imprisonment.
  224.  
  225. This is important enough to re-state: Transparently proxy your tor
  226. computer. This is a good first line of defense, but it is far from the
  227. only way to protect yourself.
  228.  
  229. Do not contaminate your regular identity with your Onion Land identity.
  230. You're an aspiring drug kingpin. Go out and pay cash for another
  231. computer. It doesn't have to be the best or most expensive, but it needs
  232. to be able to run Linux. For additional safety, don't lord over your new
  233. onion empire from your mother's basement, or any location normally
  234. associated with you. Leave your phone behind when you head out to manage
  235. your enterprise so you aren't tracked by cell towers. Last but not least
  236. for this paragraph, don't talk about the same subjects across identities
  237. and take counter-measures to alter your writing style.
  238.  
  239. Don't log any communications, ever. If you get busted and have logs of
  240. conversations, the feds will use them to bust other people. Logs are for
  241. undercover cops and informants, and have no legitimate use for someone
  242. in your position. Keep it in your head or don't keep it at all.
  243.  
  244. At some point, your enterprise is going to have to take on employees.
  245. Pulling a DPR move and demanding to see ID from high-volume sellers and
  246. employees will just make most people think you're a fed, which will
  247. leave your potential hiring pool full of dumbasses who haven't even
  248. tried to think any of this out. It will also make it easier for the feds
  249. to arrest your employees after they get done arresting you. If your
  250. enterprise is criminal in nature -- whether you're selling illegal goods
  251. and services or you're in a repressive country that likes to re-educate
  252. and/or kill dissidents -- an excellent way of flushing out cops is to
  253. force them to get their hands not just dirty, but filthy, as quickly as
  254. possible. Don't give them time to get authorization to commit a crime
  255. spree. If there's a significant amount of time between when they're
  256. given crimes to commit and the commission of those crimes, you need to
  257. assume you've got an undercover cop on your hands and disengage. If they
  258. commit the crime(s) more or less instantly, you should be fine unless
  259. you've got the next Master Splynter on your trail. [6]
  260.  
  261. Disinformation is critical to your continued freedom. Give barium meat
  262. tests to your contacts liberally. [7] It doesn't matter if they realize
  263. they're being tested. Make sure that if you're caught making small talk,
  264. you inject false details about yourself and your life. You don't want to
  265. be like Ernest Lehmitz, a German spy during World War II who sent
  266. otherwise boring letters about himself containing hidden writing about
  267. ship movements. He got caught because the non-secret portion of his
  268. letters gave up various minor personal details the FBI correlated and
  269. used to find him after intercepting just 12 letters. Spreading
  270. disinformation about yourself takes time, but after a while the tapestry
  271. of deceptions will practically weave itself.
  272.  
  273. Ensure that your communications and data are encrypted in transit and at
  274. rest whenever applicable. This means PGP for e-mail and OTR for instant
  275. messaging conversations. If you have to give data to someone, encrypt it
  276. first. For the tor-only box you use for interacting with your hidden
  277. service, full disk encryption is required. Make a password that's as
  278. long and complex as you can remember ("chippy1337" is not an example of
  279. a good password). Last but not least, when you're done using your
  280. dedicated tor computer, boot into memtest86+. Memtest86+ is a tool for
  281. checking RAM for errors, but in order to do that it has to write into
  282. each address. Doing so essentially erases the contents of the RAM.
  283. Turning your computer off isn't good enough. [8] If you're planning to
  284. use TAILS, it will scrub the RAM for you automatically when you shut
  285. down. Once your RAM is clean, remove the power cord and any batteries if
  286. you're feeling extra paranoid. The chips will eventually lose any
  287. information that is still stored in them, which includes your key. The
  288. feds can do a pre-dawn raid if they want, but if you follow this step
  289. and refuse to disclose your password, you'll make James Comey cry like a
  290. small child.
  291.  
  292. Use fake info when signing up for hosting services. Obfuscate the money
  293. trail as much as possible and supply fake billing info. I prefer
  294. registering as criminals who are on the run, high government officials,
  295. or people I dislike. If your box gets seized and your hosting company
  296. coughs up the info, or if a hacking group steals your provider's
  297. customer database (It happens more often than you'd think), your hosting
  298. information needs to lead to a dead end. All signs in Operation Onymous
  299. point to operators being IDed because they used real info to register
  300. for hosting service and then their box got decloaked.
  301.  
  302. Speaking of money, you're going to have to figure out how to launder
  303. your newfound assets, and we're not talking about using a couple bitcoin
  304. laundering services and calling it a day. You also shouldn't go out and
  305. buy a Tesla. Living beyond your means is a key red flag that triggers
  306. financial and fraud investigations. Remember, money is just another
  307. attack vector. Washing ill-gotten gains is a time-honored drug business
  308. tradition and one that you would be a fool not to engage in. You can
  309. only use your hard-won profits to send shitexpress.com packages to
  310. people you don't like so many times.
  311.  
  312. Take-away: If you rely only on tor to protect yourself, you're going to
  313. get owned and people like me are going to laugh at you. Remember that
  314. someone out there is always watching, and know when to walk away. Do try
  315. to stay safe while breaking the law. In the words of Sam Spade, "Success
  316. to crime!"
  317.  
  318.  
  319.  
  320. Sources:
  321. [1] https://lists.torproject.org/cgi-bin/mailman/listinfo
  322. [2] https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
  323. [3] https://www.torproject.org/docs/bridges
  324. [4] https://www.torproject.org/projects/obfsproxy.html.en
  325. [5]
  326. http://www.nrl.navy.mil/itd/chacs/biblio/sniper-attack-anonymously-deanonymizing-and-disabling-tor-network
  327. [6] http://www.pcworld.com/article/158005/article.html
  328. [7] https://en.wikipedia.org/w/index.php?title=Canary_trap&oldid=624932671
  329. [8]
  330. https://freedom-to-tinker.com/blog/felten/new-research-result-cold-boot-attacks-disk-encryption/
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top