Naked Security

Dark web marketplace Wall Street Market busted by international police

It went down in flames, with a rogue admin blackmailing vendors and buyers and leaking login credentials and the IP address.

An international bust has led to the shuttering of two dark web marketplaces for drugs, weapons, hacked data, hacking tools and other illegal goods: the Wall Street Market (WSM) and the Valhalla Market (better known by its Finnish name, Silkkitie).

Europol and German police announced the “double blow” to dark web marketplaces on Friday, saying that German authorities have arrested three suspects and seized over €550,000 in cash, along with cryptocurrencies Bitcoin and Monero in “6-digit amounts,” several vehicles, computers and data storage, and at least one firearm.

An investigation by the Attorney General in Los Angeles also led to the arrest of two suspects who are alleged to be among the markets’ biggest drug sellers.

On Friday, Finnish Customs said that they’d seized the Silkkitie web server earlier this year and seized a “significant” amount of Bitcoin. They said that after shutting down Silkkitie, some of the Finnish drug dealers moved to other illegal sites on the Tor network, including WSM.

German investigators had their eye on the three suspects since March – a 31-year-old from Bad Vilbel, a 29-year-old from the district of Esslingen and one 22-year-old from Kleve, all three of whom are German nationals.

The stench of exit scam

WSM had been stinking of exit scam for a while. The admins switched the platform into maintenance mode on 23 April, then began transferring customers’ funds to themselves. Customers and buyers responded by howling about the “Sorry guys we are currently redesigning WSM” message, which the admins posted on Friday, 26 April, and which said that the “maintenance” would last a week.

Here’s one of the less offensive comments on the WSM market listing at DeepDotWeb, a site devoted to covering dark web markets. It was posted on 26 April:

Administrators are trying to steal all the money flee this .onion right now and pls DEEPDOT ban this from “topmarkets”

Rogue admin attempts blackmail, then doxxes IP address

Police moved in, seizing the marketplace’s servers on Thursday, 2 May. But first, chaos and desperation had apparently set in, as one of the site’s moderators – Med3l1n – started blackmailing WSM vendors and buyers, demanding 0.05 Bitcoin (~$280) in payment. Otherwise, Med3l1n threatened, they’d tell authorities information about vendors and buyers who’d slipped up and shared their details in unencrypted support requests.

https://twitter.com/5auth/status/1119710378504728578

A few days after that, Med3l1n went rogue and leaked login credentials and the IP address (located in the Netherlands) for the WSM backend on Dread, a Reddit-like community for dark web users.

Beyond exposing the physical location of WSM’s server, this enabled anyone to log in to the marketplace’s administrative section and gain the data necessary to strip anonymity from the market’s vendors, buyers, orders and more.

Six days later, on 30 April, WSM’s site started showing an error. Police took it down on 2 May. It’s not known how much the rogue admin’s disclosure helped the investigation, but German police had apparently already been watching the suspects as far back as March.

This was a big one

Europol called Silkkitie one of the oldest and internationally best-known dark web marketplaces. It’s been running on the Tor anonymity system since 2013, Europol says.

A press conference in Wiesbaden on Friday included representatives of the US attorney’s office, the FBI, and Europol. According to DW, the president of Germany’s Federal Criminal Police (BKA), Holger Münch, described the case as “extraordinary,” involving security services from the US and Netherlands, as well as Europol and Germany’s ZIT internet crime agency.

It had to be that complex and had to be an international effort, he said, given that it’s initially impossible to ascertain where such platforms are run from. One of the clues was the languages used on the market: the common language was English, but German was also an option. By piecing together various clues like that one, the international team eventually traced the server infrastructure to not just Germany and the Netherlands, but also to Romania.

During the press conference, Ryan White, the US federal prosecutor who heads cybercrime prosecutions in Los Angeles, announced the arrest of “two major drug traffickers” in Los Angeles who had used Wall Street Market.

This investigation will continue to bear fruit, they said, given that it’s spawned secondary investigations now ongoing in Germany. White’s response to a reporter:

It should be no surprise that we are very interested in pursuing additional actions based on this case, so stay tuned.

5 Comments

They think this was big. WOW they have a LONG way to go before they even make a dent in the dark web. I kinda feel a bit foolish for them. The dark web is bigger than they know or probably anyone else except for those that are on it. Just speaking the truth as I know it. xo
Kind regards
Malika

They’ve actually made a pretty massive dent with this seizure. It remains to be seen whether Dream Market has also been seized (remember the Agora –> Hansa honey pot trap they orchestrated a couple of years ago), but either way, the dark web is darker and more untrustworthy now more than ever with the vast majority of remaining marketplaces turning out to be scams. I’m sure it won’t be long until the next silk road/agora/dream rises to the task, however, at this moment in time, LE have absolutely made a dent in dark web crime.

I wonder how long before the next iteration of a ‘Silk Road’ springs to life? How many have gone before?
