Alleged Dark Web Kingpin Doxed Himself With His Personal Hotmail Address (vice.com)
Joseph Cox, reporting for Motherboard: On Thursday, US authorities announced the seizure of the largest dark web marketplace AlphaBay. Europol and Dutch police also claimed seizure of Hansa, another popular market. In their dark web investigations, law enforcement have increasingly turned to hacking tools, including the deployment of browser exploits on a mass scale. But tracking down the alleged AlphaBay administrator was much more mundane, officials said. Alexandre Cazes, who US authorities say used the handle alpha02 as administrator of the site, allegedly left his personal email in a welcome message to new AlphaBay members, according to the forfeiture complaint published on Thursday. The news echoes the arrest of Ross Ulbricht, the convicted creator of the original Silk Road, who made a similar security mistake. "In December 2016, law enforcement learned that CAZES' personal email was included in the header of AlphaBay's 'welcome email' to new users in December 2014," the complaint reads. Users received this message once they signed up to AlphaBay's forum and entered an email address. Cazes' email address -- Pimp_Alex_91@hotmail.com -- was also included in the header of the AlphaBay forum password recovery process, the complaint adds. From there, investigators found the address was linked to an Alexandre Cazes, and discovered his alleged front company, EBX Technologies.
Re: Like a pimp (Score:2)
He is dead.
It didn't take much detective work. (Score:3)
Re:It didn't take much detective work. (Score:4, Funny)
He Dohxed himself.
Re: (Score:3)
It's funny because it's true.
He also apparently hung himself.
Re: (Score:3, Interesting)
> It's funny because it's true.
> He also apparently hung himself.
Like this guy fell off a curb? http://i.imgur.com/VAm6wxO.jpg [imgur.com]
Re:It didn't take much detective work. (Score:5, Insightful)
Although the linked article doesn't mention the link between his email and his 'front' company, the Wired article says that police identified him because his Hotmail address was linked to a PayPal account which was linked to his company.
My head reels at the inept OpSec of this clown. He runs the largest illegal marketplace in the world, yet posts links to his real PayPal account. With no visible source of income, he lives a high profile lifestyle in Bangkok with 3 houses and the most expensive Lamborghini they make, while running the marketplace with an unattended decrypted laptop. Another demonstration that intelligence and common sense rarely go hand-in-hand.
Re: (Score:2)
The problem is greed. I'm sure when he started out he was careful. But after tha
Re: (Score:2)
proper opsec requires you to not get greedy, so remove all thought of making lots of money - just make enough to pay for itself.
Nonsense. What you need is plausible deniability. Invest in a wide portfolio of stocks, launch a startup company or two, invent three more that - on your CV - you sold for an undisclosed sum to an unnamed "big player". Become a regular at several casinos.
None of that will stand up to close scrutiny. But it will help avoid close scrutiny, because someone wondering where you get your money from has a couple possible answers to choose from.
Re: (Score:2)
The guy was brought up in the boonies, repairing computers from home was his business. In a town of 2,775 people, with a population density of 8 acres per person (78 per square mile), there's not much except farmlands and forests, so not exactly a goldmine for a computer repair business. It's something that someone who doesn't have a clue what they want to do after high school will drift into. After all, how hard is it to reformat and re-install?
And anything else more complicated - "you need a new computer
Re: (Score:3)
It amazes me that someone has the knowledge and skill and desire to run a dark web illegal market, something which many others have already been caught and sent to prison for decades for, and yet they don't bother to learn the most basic elements of security.
Somehow they read through all the documentation about setting up a dark web site, full of warnings about how seemingly minor mis-configuration can compromise the whole thing. They got systems in place to handle payments between users, with some sliced o
Re: (Score:2)
There is an old saying "just know enough to be dangerous" and that is exactly what applies here. Learned enough to set up a dangerous, in fact very dangerous network but don't bother to learn more to secure it. This applies across all professions, which is why there are so many licensing boards, idiots learn enough to do the job badly and then go ahead and do it, just very badly. This often ties in with another saying, greed driven stupidity, where greed overcomes common sense and people don't bother to loo
Re: (Score:2)
It still took them several years and millions of dollars to figure it out.
Re:Or is it really the right person? (Score:5, Informative)
His laptop wasn't encrypted, he had a file listing all his accounts (including bank accounts) and passwords, and he bought real estate and fancy cars under his name, as well as spending 2 million Euros to try to buy a property in Cyprus to get citizenship there. And that's only the beginning.
He had been using that same email address for personal stuff for years, including as the email address for his business [theregister.co.uk]
And just in case you had any doubt that this was not a criminal mastermind at work, Cazes had also used his Pimp Alex Hotmail address as well as an email address from his own business – EBX Technologies – to set up online bank accounts and crypto-currency accounts. How did law enforcement know that Cazes was behind EBX Technologies? It was on his LinkedIn profile.
This is a guy who sold fake identities; he should have eaten his own dog food.
Re: (Score:1)
Agreed, but when first starting, that's a bit of a harder task... and clearly the damage was already done.
Your average email service is going to want a phone # or other email address to create one... and quite a few look for easy to forge spoof ones.
Hell, most burner phones want you to sign up with an account which ask for the same thing.
It's a chicken and egg problem which risks leaving too much info around if you aren't very ver
Re: (Score:3)
Opsec is hard.
It's harder if you're stupid.
-- John Wayne
Re: Or is it really the right person? (Score:2)
Ironic, no?
So it comes down to.. (Score:2)
Dupes for those that don't RTFA? Or is it that slow a news day?
Something I've always wondered (Score:1)
Can you buy legal stuff on these sites? Or only illegal crap. I'd buy just to avoid Amazon tax.
Re: (Score:1)
There is a wide variety of legal goods sold on such sites. Mostly things that would be of interest to the same clientele.
Not the sharpest needle at the exchange... (Score:2)
You'd think these people would have a clue that there are going to be powerful people with a great deal of resources doing everything possible to track them down. Perhaps some sort of impairment was involved?
Oh, well, to quote Law Dog, "Are you listening? Quit guinea-pigging the product. Seriously."
Re: Uhmm... (Score:2)
Re: (Score:2)
Anyone stupid enough to list his AlphaWeb email address in his LinkedIn profile is going to be too stupid to learn from this. This is a guy who sold fake identities but didn't think he might need one, all the while engaging in spending serious coin for flashy cars and real estate in his own name without a cover story to explain where he got the money from. If you don't want to be noticed, don't be conspicuous.
Re: Uhmm... (Score:2)
Honestly this is hardly the first time a stupid criminal has made it this easy. These dumb ones don't learn from anything, including the fates of their predecessors.
Re: (Score:3)
Parallel construction is a law enforcement process of building a parallel - or separate - evidentiary basis for a criminal investigation in order to conceal how an investigation actually began.
In August 2013, a report by Reuters revealed that the Special Operations Division of the U.S. Drug Enforcement Administration advises DEA agents to practice parallel construction when creating criminal cases against Americans that are based on NSA warrantless surveillance. The use of illegally obtained evidence is generally inadmissible under the fruit of the poisonous tree doctrine.
Source [wikipedia.org]
Anonymity is hard... (Score:2)
Ok, this guy was exceptionally stupid, or maybe he got arrogant over time, whatever. But there's a lesson to be learned here: Anonymity is actually hard.
Here, and on most sites, I use my real identity. On some sites, I post under a pseudonym with its own email address. For me, it's not critical, but I still try to keep the pseudonym separate. It's a lot harder than you suppose - it's easy to mix the two identities. If privacy were a serious concern, it would be essential to always use proxies for the pseudo
Re: (Score:2)
I too have a second "private" identity I use in a very small handful of places. It's hard to maintain, and I have no illusion that it would protect me from a government entity, only from a random person who wants to link it to me.
A true private identity that could not be linked to me by a government agency? I think it would be possible, but it would be very difficult to both set up, and maintain long term. I do have an idea how to do it, but it's just too much effort to be practical.
Can anyone confirm receiving such an email? (Score:1)
Re: (Score:2)
> How would none of the thousands of Alphabay members
> not have noticed this email address and doxxed him earlier?
Think about this carefully... do you ***REALLY*** want law enforcement to know that you're a member of Alphabay? Guess what happens when they seize the servers and find what transactions you did there. A police undercover agent is the only guy who could admit to being on Alphabay, assuming that he was investigating it. Anybody else ends up in the slammer.