9.1.18 Dark Web and Cybercrime Roundup
Woman Sentenced to Six Years for Hiring a Hitman on the Darknet
A 58-year-old woman who paid a “hitman” on the darknet to have her ex-lover killed received a six-year prison sentence. Danish police kept the case quiet for the greater part of 2017. Towards the end of the year, the public learned that the authorities had locked up a suspect for attempting to pay for a hit through CrimeBay, a darknet ‘hitman-for-hire’ service purportedly owned by the Chechen mob. The woman lived in Denmark and paid the operator of CrimeBay to kill (or have an “operative” kill) a man in Italy who, she claimed, deserved to die; he had allegedly done something that hurt her feelings.
The UK’s National Crime Agency learned of the hit by undisclosed means and notified Italian authorities. Danish police, with assistance from Italian police and the NCA, found and arrested the 58-year-old, who had been held in custody since March 2017. Her defense counsel argued that the site likely never functioned as a “proven legitimate dark web marketplace operated by the Chechen Mob.” The general consensus is that the NCA, and possibly other law enforcement agencies, have access to the site; some believe the site itself is a honeypot, and others that it is both of those things and a complete scam besides. DeepDotWeb
Alphabay Vendor ‘Courvoisier’ Pleaded Guilty to UK Hacking Charges
Former Alphabay marijuana and “fullz” vendor Grant West admitted to selling stolen identities on darknet marketplaces. He admitted that he had hacked almost 20 major websites to obtain customer data, collecting records from Uber, T-Mobile, Groupon and AO.com, among many other sites. Investigators accused West of brute-forcing login forms on some of the sites.
The 25-year-old pleaded guilty at Southwark Crown Court to conspiracy to defraud Just Eat, an internet-based food delivery company. Between July and December 2015, West harvested information on more than 165,000 Just Eat customers. Even after being arrested for hacking Just Eat, West continued to steal customer information from various websites and sell it on the darknet under the name “Courvoisier.” DeepDotWeb
Ex-Cop Sentenced for Buying a Gun on the Darknet
A former officer of the Police Service of Northern Ireland (PSNI) named Allan Kennedy received a five-and-a-half-year prison sentence for purchasing a 9mm pistol and silencer from an undercover officer on the darknet. The gun purchase led to his arrest, and the investigation that followed revealed that Kennedy had been selling drugs in the Belfast area. He recently pleaded guilty to both offenses.
Kennedy took to the darknet to find a firearm for self-defense and stumbled into a PSNI sting. Perhaps he had a stroke of bad luck and arranged a deal with the one undercover firearms dealer on the darknet; perhaps the PSNI had targeted him specifically; or perhaps a large share of darknet vendors claiming to sell weapons are in fact police. Either way, Kennedy’s run came to an end after he arranged a $670 deal with the undercover PSNI officer. The vendor wanted to meet in person, and Kennedy seemingly saw nothing wrong with the plan. Officers arrested him at the meet and charged him with purchasing the gun and silencer; they later charged him with drug distribution.
Kennedy pleaded guilty late last year. At his sentencing hearing, his actions drew a stern warning from the court and a five-and-a-half-year prison sentence. DeepDotWeb
Updated tutorial: Running a Monero (XMR) full node and remote connection through Tor
A Reddit user under the name “kic0” wrote a guide on setting up and running a full Monero node over Tor. The guide focuses on Ubuntu/Debian, but the process is simple and straightforward on almost any Linux distribution; anyone able to edit torrc, use torsocks, and download the Monero client can follow it. Note that the guide is not for running a private node in Tails. It details setting up and running a node that other people can connect to over Tor without learning the real IP address of the node; likewise, the node owner cannot see the IP addresses of the Monero users connected to it. (Medium)
As Bitcoin transaction times grow longer and longer, Monero’s appeal only increases. Running a private node on Tails is an equally trivial process, but the steps differ because the purpose differs. The Monero Project goes into some detail in its Readme.md.
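As an added example, which is not kic0's guide or Monero Project code, the following POSIX shell script shows the shape of such a setup and the check a node operator would want afterwards: a torrc fragment that publishes the node's p2p and RPC ports as an onion service, a monerod command line that binds both ports to loopback only and sends the node's own peer traffic through torsocks, and a function that reads `ss -lntH` output and fails if either port is reachable from anywhere but loopback. The monerod flags, the ports 18080/18081 (monerod's defaults) and the HiddenServiceDir path are assumptions to verify against your monerod version and tor packaging; the `ss` samples are constructed.

```shell
#!/bin/sh
# Added example for a Tor-only Monero node. Not kic0's guide; the monerod
# flags, ports and HiddenServiceDir are assumptions: check `monerod --help`.
#
# The two privacy properties described in the text follow from two settings:
#  1. monerod binds to loopback only, so the only way in is the onion address
#     that tor forwards to 127.0.0.1; inbound peers arrive from tor, not
#     from their real IPs, and the node's own IP is never exposed.
#  2. outbound connections leave through Tor (torsocks), and the node neither
#     advertises its port (--hide-my-port) nor opens one via UPnP (--no-igd).

P2P_PORT=18080
RPC_PORT=18081

# torrc fragment: tor terminates onion connections and forwards them to loopback.
torrc_fragment() {
  cat <<EOF
HiddenServiceDir /var/lib/tor/monero/
HiddenServicePort $P2P_PORT 127.0.0.1:$P2P_PORT
HiddenServicePort $RPC_PORT 127.0.0.1:$RPC_PORT
EOF
}

# monerod started through torsocks so that its own peer connections use Tor.
# --restricted-rpc keeps remote wallets away from management RPC commands.
monerod_command() {
  printf 'torsocks monerod --p2p-bind-ip 127.0.0.1 --p2p-bind-port %s' "$P2P_PORT"
  printf ' --rpc-bind-ip 127.0.0.1 --rpc-bind-port %s' "$RPC_PORT"
  printf ' --no-igd --hide-my-port --restricted-rpc\n'
}

# Post-start check: pass the output of `ss -lntH` (columns: State Recv-Q
# Send-Q Local Peer ...). Returns 1 if either Monero port is bound to an
# address other than loopback, i.e. reachable without going through tor.
check_loopback_only() {
  leaks=$(printf '%s\n' "$1" | awk -v p2p="$P2P_PORT" -v rpc="$RPC_PORT" '
    {
      n = split($4, a, ":"); port = a[n]
      host = substr($4, 1, length($4) - length(port) - 1)
      if ((port == p2p || port == rpc) && host != "127.0.0.1" && host != "[::1]") print $4
    }')
  if [ -n "$leaks" ]; then
    printf 'monerod reachable outside loopback: %s\n' "$leaks" >&2
    return 1
  fi
  return 0
}

# Constructed `ss -lntH`-style samples (not captured from a real host).
SAMPLE_SS_GOOD='LISTEN 0 128 127.0.0.1:18080 0.0.0.0:*
LISTEN 0 128 127.0.0.1:18081 0.0.0.0:*
LISTEN 0 128 127.0.0.1:9050 0.0.0.0:*'
SAMPLE_SS_BAD='LISTEN 0 128 0.0.0.0:18080 0.0.0.0:*
LISTEN 0 128 127.0.0.1:18081 0.0.0.0:*'

if [ "${1:-}" = "demo" ]; then
  torrc_fragment
  monerod_command
  check_loopback_only "$SAMPLE_SS_GOOD" && echo "loopback-only: ok"
  check_loopback_only "$SAMPLE_SS_BAD" || echo "leak detected, as expected"
fi
```

Run with `sh script.sh demo` to print the fragments and exercise the check on both samples. A private node on Tails, the other case the text mentions, needs none of the HiddenService lines: nothing should connect in, so only the loopback binding and the Tor routing of outbound traffic matter there.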
NSA Exploits Used to Create Monero Mining Malware
The threat research team at F5 Networks discovered a new Monero mining campaign that leverages two NSA-attributed exploits, EternalBlue and EternalSynergy. The campaign, dubbed “Zealot” by the F5 researchers, targets servers exploitable through the Apache Struts Jakarta Multipart Parser vulnerability (CVE-2017-5638) and the DotNetNuke (DNN) content management system vulnerability (CVE-2017-9822). Once Zealot exploits a server, it executes a shell in the background and downloads a Monero miner and its dependencies.
Zealot then propagates across the internal network by scanning for port 445 (SMB). It checks whether other machines are 32-bit or 64-bit and then injects the matching shellcode to exploit them with EternalBlue and EternalSynergy. Zealot is capable of much more than Monero mining, but so far the mining has proven fairly lucrative: the specific address analyzed by the F5 researchers held more than $8,500. Because Monero hides transaction amounts and participants, the researchers cannot know the total amount mined by the actor(s) behind Zealot. DeepDotWeb
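As an added example, not F5's tooling or anything from the campaign, the following Python sketches detections for the two Zealot stages described above: the CVE-2017-5638 entry vector, which works because the Struts Jakarta multipart parser turns an invalid Content-Type header into an error message that it then evaluates as OGNL, and the internal TCP/445 sweep that precedes the EternalBlue/EternalSynergy stage. The request headers and flow records are constructed, and the fan-out threshold and time window are assumed tuning values.

```python
"""Detection heuristics for the two Zealot stages described in the text.

Added example, not F5's or the campaign's code. Sample inputs are constructed.
Stage 1 (initial access): CVE-2017-5638. Struts builds an error message from
an invalid Content-Type header and evaluates it as OGNL, so exploit requests
carry an OGNL expression in that header.
Stage 2 (propagation): the infected host scans the internal network on
TCP/445, which shows up as one source touching many hosts in a short window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OGNL expressions open with %{ or ${. No legitimate media type (RFC 2045
# token plus parameters) contains either, so a match is a strong signal.
OGNL_OPEN = re.compile(r"[%$]\{")

# Constructed request headers; the two malicious ones follow the shape of
# public CVE-2017-5638 probes but are not captured traffic.
SAMPLE_REQUESTS = [
    {"Content-Type": "application/json"},
    {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryX"},
    {"content-type": "%{(#_='multipart/form-data').(#cmd='id')}"},
    {"Content-Type": "${#context['com.opensymphony.xwork2.dispatcher."
                     "HttpServletResponse'].addHeader('X-Probe','1')}"},
]


def struts_ognl_in_content_type(headers):
    """Return True if the request's Content-Type carries an OGNL expression."""
    for name, value in headers.items():
        if name.lower() == "content-type" and OGNL_OPEN.search(value):
            return True
    return False


def flag_struts_requests(requests):
    """Indexes of requests that look like CVE-2017-5638 attempts."""
    return [i for i, h in enumerate(requests) if struts_ognl_in_content_type(h)]


# Constructed flow records as (timestamp, src, dst, dst_port).
T0 = datetime(2018, 1, 9, 12, 0, 0)
SAMPLE_FLOWS = [
    # A workstation talking to its file server on 445 a few times: normal.
    *[(T0 + timedelta(seconds=s), "10.0.0.20", "10.0.0.2", 445) for s in (0, 15, 40)],
    # A compromised web server sweeping 30 neighbours on 445 within 30 seconds.
    *[(T0 + timedelta(seconds=i), "10.0.0.5", f"10.0.0.{50 + i}", 445) for i in range(30)],
    # Unrelated HTTPS traffic that the SMB heuristic must ignore.
    (T0, "10.0.0.20", "93.184.216.34", 443),
]


def smb_scan_sources(flows, window=timedelta(seconds=60), threshold=20):
    """Sources reaching >= threshold distinct hosts on TCP/445 within window.

    threshold and window are assumed tuning values; the right numbers depend
    on how much legitimate SMB fan-out (backups, SCCM, vulnerability
    scanners) a given network has.
    """
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 445:
            per_src[src].append((ts, dst))

    hits = set()
    for src, events in per_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct destinations in the window that opens at this event.
            seen = {dst for ts, dst in events[i:] if ts - start < window}
            if len(seen) >= threshold:
                hits.add(src)
                break
    return sorted(hits)


if __name__ == "__main__":
    print("Struts probes at indexes:", flag_struts_requests(SAMPLE_REQUESTS))
    print("SMB sweep sources:", smb_scan_sources(SAMPLE_FLOWS))
```

The Content-Type check is cheap enough to run inline on a reverse proxy or over access logs that record request headers; the 445 fan-out check belongs on flow or firewall logs and will also fire on legitimate scanners, so whitelist those sources rather than raising the threshold.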