Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Ryan S. Lin: Cyber Stalking, VPN’s and Digital Forensics

leave a comment »

          October 6, 2017 Sketch by Jane Flavell Collins

 

A minion of mine was tasked with choosing a new story about INFOSEC this week to talk about in our weekly threat intel calls and chose a story about a cyber stalker who was in the news this month. Ryan S. Lin, a graduate of RPI, has been charged with numerous counts that involve everything from cyber stalking, to child pornography, to wire fraud. Lin plead guilty on October 6th and the story featured the affidavit by the FBI special agent who worked the case. This is a long and twisted tale of stalking a former roommate online that spiraled out to numerous people around that target individual as well. The psychological damage to the parties involved must be pretty bad and the whole affair is quite messed up, but, I wanted to share this all with you in the INFOSEC field because of the work the FBI and local PD in Waltham, Newton, and other areas that these events took place in. I also wanted to cover some of the OPSEC and psychology as well concerning this case and the old school detective work done by the FBI.

Full Story:

Ryan Lin, the stalker in this case, seems to have been a mentally disturbed individual showing signs of that instability going all the way back to his high school years in Connecticut. His abuse of people online and off seems to stem mostly from his inability to form real relationships with people and likely has some sort of personality disorder. However, this is no excuse for his actions and as yet I have yet to hear that in his intake into prison has there been any kind of psychological evaluation of him. If indeed he does not have some mental disorders, then we can just chalk his actions from his teens on in this regard as just a malignant personality with a bent on what seems to border on “incel” behavior.

In the case that brought him to court he was charged with cyber stalking and what that consisted of is the following;

  • He accessed his female roommates Macbook and her Google drive
  • He began a campaign of abuse online that included
    • Impersonation of the roommate sending lewd and threatening texts to family, friends, and coworkers
    • Creating multiple persona’s online to directly harass the roommate
    • Sending child pornography
    • Sending threatening texts (rape, gangbang, death threats)
    • Sending threatening texts (bomb threats) as the target roommate)
    • Sending messages alleging as the roommate that she killed people’s pets
    • Wire fraud accessing the roommate’s bank accounts and transferring funds

Lin used the usual means to try to cover his trail online in that he used TOR, VPN services, and anonymous text services as well as cutout accounts online created using all these tools. All of these efforts though only delayed his discovery as the assailant because in the end, his actions directly led the FBI to him outside of the technological means of covering up his tracks. It is quite clear when you read the affidavit by the special agent involved in the case, that Lin, for all his security measures, was incapable of being sagacious enough to leave real doubt that he was in fact the attacker.

  • Lin used the roommates diary, which was on the google drive accessible from her unsecured laptop to send direct commentary AS HIMSELF citing the diary which she had not shared with anyone
  • Lin was incapable of acting out about this roommate and seemed fixated on her while in the house they shared
  • Lin’s actions started once she refused to sell him pot after the first time she did ended up with him accosting her in her room at 3am out of his mind from drugs
  • Lin was incapable of separating his dual lives/actions online where he had dialog about the very same VPN services he used to carry out the attacks as well as taunt slyly about the ongoing spate of bomb threats ongoing in Waltham and Newton where he lived

It is my belief that Lin, a student of RPI and a computer programmer was mentally impaired enough to be unable to separate these activities from the rest of his online and offline life in a manner that befits what is called in criminal profiling as “A disorganized personality” which led to his downfall. Overall, the problems of OPSEC today that we in the community often talk about with regard to online actors can be clearly seen failing in this case. I have said many times in my blog and elsewhere that OPSEC always will fail because of human nature and in some cases that human nature (or un-diagnosed mental illness) will eventually give you up to the dogged investigator.

 

 

In the Lin case, it is important to note that it wasn’t JUST the evidence collection of IP addresses that led to Lin in the end but instead it was good old fashioned gumshoe interviews and forensics that did. When the FBI went to Lin’s employer after it became clear just from circumstantial evidence that he was a prime suspect they learned that he had just been let go. It seems that Lin had been acting strangely at work as well and when he was let go, he asked if he could log out of “personal accounts” on the laptop. The company declined that and then turned over the laptop to IT for re-image.

Now I know what you are thinking… It got re-imaged and game over right?

Nope.

The FBI was able to get the laptop either by warrant, or I think more likely, was just handed over after being asked by the employer. The laptop had indeed been re-imaged but FBI forensics was able to pull incriminating evidence from the slack space even afterwards. What they found was a number of data points that showed Lin had been using the corporate asset for his attacks on the roommate.

  • VPN software and traffic
  • Browser cache data
  • Logins/software for the anonymous texting service used in the threats (bomb threats too)

It was this evidence that was key that led the FBI to marry up this information along with his online posts on Twitter and Facebook as well as the VPN logs that led to his arrest. See kids, if you use a VPN there is a high chance that your raw IP is going to be logged to your VPN pool address for the times you were online and used as evidence. Many Anon’s seemed to have learned that lesson but I guess everyone has yet to catch up. Lin, a computer science grad from RPI thought he could hide his traces but even he was wrong.

Take heed those who want to do bad things because eventually you will screw up and you will be caught.

I suggest you all read the affidavit for more detail.

Lin affidavit

In closing I just wanted to share this with you all as a lessons learned and as an appreciation of the world of digital forensics. As someone who does forensics as part of my daily job, I have to tell you all it is one of the more interesting parts of my day. I do love uncovering evidence and creating narratives that lead to wrongdoers getting their come-uppins as they say. I also wanted to once again point out that there are many avenues to investigation that even someone as a digital forensics practitioner, can employ in their day to day. Consider the psychology of the actor and their patterns of behavior. Often times I have a portion of my mind that is working that angle as I work on a forensic image in cases.

What actions would this person take given what I have seen so far?

What are the motives?

How would I do things were I them?

All questions that should be asked when performing work like this. It may lead you to some answers that you can back up with forensic evidence. All of this plays out as well with Threat Intelligence as well and intelligence analysis. Look at the larger picture kids, just don’t get buried in the bits and bytes.

K.

Written by Krypt3ia

2018/10/13 at 14:16

The Widening Gyre: Putin’s Asset Sets Multinational Norms On Fire and Begets Global Negative Actions

leave a comment »

We are beginning to reap the whirlwind in the news cycle from the election of Trump and his breaking of norms that this country and the world have come to rely on. This is exactly what Putin wanted, a country in the midst of a political and social rift that takes our eye off the global ball and allows for negative actions to be carried out without sanction. We have seen Trump set the constitution on fire, the Judicial body of the United States, the Economic norms, and generally break up the balance of power in the world. This has allowed Putin to have greater freedom to act and in turn now others feel empowered.  China, North Korea, Syria, and most recently Saudi Arabia have taken actions that would in normal times, possibly not been acted on were the nations not at odds generally due to America’s abdication of its role.

Let’s cover some of the things going on…

RUSSIA:

Putin is still working the levers of power and in so doing he is still making moves on Ukraine all the while leveraging the problems in Syria as well. His actions are two fold, first to annex Ukraine altogether if he can. If he can’t then he will continue to fight with disinformation and active measures campaigns until he has more control over the area even if he cannot all out annex them back into Russia proper. Meanwhile, in Syria, Putin is leveraging Erdrogan and the battle there with da’esh to gain a foothold in the region and have a friendly dictator he can someday use as a proxy against others in the world.

Meanwhile, Putin keeps having his enemies killed off in interesting ways. The list has been topped off as of yesterday with an oligarch who ran afoul of him being found in a park choked to death by a dog leash.

…. A dog leash….

Now that is a metaphor huh? Putin will continue on liquidating his problems with impunity because the norms have all been broken because of Trump. The U.N. NATO, all of the normative bodies have been rebuffed by Trump and weakened. All that is lacking now is an assassination of a Putin enemy on American soil for his win to be complete. Putin pulled a master stroke in helping Trump win. Even so, don’t believe for a second that Putin isn’t also waiting to not only use Trump more, but if Trump begins to fail him he will continue to perform flyovers in our air space like he has been with the BEAR FOXTROTS over Alaska and likely will become more aggressive. I have yet to hear anything about SSN activity but be assured they are there… Waiting.

CHINA:

China has upped it’s espionage games since Trump started his little trade war with them. Recent events have shown a rise in hacking and phishing campaigns that had slowed down since the Xi and Obama agreement. That’s over now though and with the trade war heating things up, and rankles the core ideal of China to be an economic superpower, we are going to see not only more hacking and phishing with a side of theft of IP but also now classical espionage tradecraft to carry out the same goals. All of this will only escalate against the US as we move forward and likely set more things on fire by Trumps economic disaster plan.

MEANWHILE…. China feels empowered too because of all the fractiousness in the world’s governing bodies and has made the ex INTERPOL chief disappear while in China. Gee, China is now feeling like they can just disappear the head of an international investigative body.

Nice.

As all of this is going on we also have coincidentally, the arrest of an MSS asset in Belgium for economic espionage against the US aerospace community. Hmmmm gee, what a coincidence that this happens as the INTERPOL chief is disappeared. As you can see, and perhaps make the connections yourselves, it may be that the MSS is reacting to the impending arrest and or extradition of their asset by grabbing another as a warning?

Hmmm….

Yes, expect more to come out of China with the worsening of the trade wars as well as the eroding of the worlds norms on illegality.

Thanks Putin and Trump!

Oh yeah, and I forgot to mention the whole South China sea thing too…

 

SAUDI ARABIA:

Next up, Saudi Arabia seems to have lured a Washington Post reporter to Saudi only to kill and perhaps dismember him in an embassy there. Saudi has never before been as bold and I directly point toward the breaking of all the norms and groups for this action too. It’s been pretty blatant and I suspect there will be no sanction over this. I mean, look, it’s Saudi right? OPEC, oil? Not to mention that Trump was basically setting himself up to be their stooge since the beginning. Nope, nothing will come of this and now the Saudi’s have killed an Saudi journalist working for an American news org.

I also want to mention the whole glossy magazine that was put out by Trump’s friend David Pecker back last summer. What was this all about? Well, it seems that that was a PR move to make the house of Saud more accessible to the US consumer? Put another way, the new crown prince wanted to look progressive and hip and with the help of Pecker they tried real hard. It’s just that this mark was missed with this publication. In fact it only made an already wary populace start asking questions as to why this happened and what kind of conspiracy was afoot. Expect more to come out of this Saudi reporters death and it will likely not be pretty. If they get away with this, and I think they will, then expect Saudi to pull some more stunts in the future as the crown prince get’s more bold.

TRUMP REPUBLICANS:

Finally, the TRUMP party, I really don’t consider them Republicans anymore, will continue to push the limits of the nations norms and laws until they are just removed from power. The events around the recent SCOTUS nomination and confirmation of Kavanaugh are a clear example of how the Trump party is abusing their control over the house and senate to get whatever they want over what the governed wants. The Kavanaugh thing is just the most naked misuse of their power though to date and I am sure more will be coming once Trump replaces Sessions with a minion under his control. This will set the trifecta into play; DOJ under his control, SCOTUS under his control, and Mueller with a new target painted on his back.

I fully expect that when this happens the Russia investigation will be liquidated and the Trump party will lock arms and say that this is not a constitutional crisis. Of course then the DOJ will agree and SCOTUS will concur. It will all disappear at least legally right? This is Trump’s greatest desire and it seems more and more likely that this can happen because of the Kavanaugh ascension. An alternate timeline to this would be that Trump allows the investigation to finish but then has Kavanaugh in his pocket to be the deciding vote on whether or not a sitting president can be indicted.

Either way, it seems that if Trump can replace Sessions with a partisan minion, we are all doomed.

Even more worrying is the upcoming mid term elections. If the Trump party continues to be in contol, expect to look fondly at the times of outrage over Trump’s mild bad actions because he will feel empowered to do even more bad things if he has total control.

Once again, thanks Putin.

We are at a tipping point here and not just with regard to climate change kids.

K.

Written by Krypt3ia

2018/10/11 at 13:38

Bellingcat: OSINT Playing Games Where People Tend To Get Burned and Dead

leave a comment »

 

Recently there has been a lot of hubbub about Bellingcat pivoting from tracking military movements and downed planes to exposing GRU operatives who have carried out poisoning operations in the UK. Personally I have watched with a mix of trepidation and angst over what they have been doing recently with the liquidators they have fingered for the Skripal poisonings. I have mixed feelings on all this because while I think they may in fact be right, they could also be being used by their “sources” in Russia as well as possibly be used in future to their detriment by Russia and other nation state services for disinformation operations. Even worse, this group and their OSINT could in fact get in the way of real operations by those same services of friendly nations and could endanger themselves if not others in the field by dropping these bits of intel.

OSINT is a new flavor of the day in the information security world but it has been a long standing practice in certain circles in the other community. The difference here is that the OSINT carried out before was by trained individuals within the intelligence community and not put out for general consumption for the world at large. Today, we have Bellingcat dropping all kinds of data that may or may not be correct that is messing directly with operations by a rogue nation (Russia) and a dictator (Putin) that has no compunction about just killing off the people who oppose him enough to cause him heartburn. This is the big difference here and I just want Bellingcat to take that into account as they do what they seem to be doing with regard to GRU ops. As far as I know, the people who work for Bellingcat are not former intel community, maybe there are some, someone can let me know, but you have to consider that the majority of the people there are not spooks and might be out of their depth in this regard.

Additionally, I would like to reiterate that these discoveries could be actually disinformation provided to you all by services like the SVR to hurt the GRU too. In the world of espionage you are forced to live in the wilderness of mirrors kids. Intelligence analysis is a real art and I am just not so sure your carrying it out completely with these dumps on the GRU carefully considering that fact. Just please consider that you are being played now and if not now, you will be in the future to your detriment by nation state actors for their own goals. That said, please take everything some group gives you so handily, even if the data is in fact correct, as a possible dangle or disinformation operation before you just dump it to the BBC.

Lastly, let me just say again in rather plain language, playing this game can get you dead. Russia is at a point with Putin that they just don’t give a fuck and if you are in their way, and enough of a problem, they will destroy you or kill you. Just look at Sergei and his daughter! Or for that matter, look at Anna Politkovskaya, Alexander Litvinenko, and more than a few other impediments that Putin got rid of. It may not happen now, but I can assure you if you piss them off too much, you will get their unwanted attention.

Just a caution….

Oh, and while I am talking about deaths, it seems that a relative of one of the assassins has been perhaps made missing or killed in Russia as well. So, you all have to consider the possibilities of your hubris in what you do in the form of innocent collateral damage to others.

Just sayin…

K.

Written by Krypt3ia

2018/10/09 at 20:18

Posted in .gov, .mil, OSINT, Spooks

GRU OPSEC Sucks Because They Don’t Care

leave a comment »

 

Recently there have been more revelations on GRU active measures campaigns being halted, agents being PNG’d, and a naming and shaming of operatives lack of OPSEC in general. Many people have been debating the reasons why the GRU has been so messy in their operations allowing so much to be dug up on them as well as allow for the compromise of ongoing operations like the attacks on the Porton Down facility. I myself am tired of all the debate but I have had a good running back and forth with Horkos @WylieNewmark on the matter and the gist of it is this;

“The Russians don’t care.”

Basically the Russians now are the honey badger of all things spooks. Tradecraft it seems is not really all that necessary when your targets (the rest of the world) are impotent to do anything about your actions other than name and shame. It’s really that simple! Of course I could go into a long diatribe on how the Russians a la Putin have pushed the envelope so much, succeeding with the Trump win in 2016. Along with Trumps successive fragmentation of the norms that attempted to hold Russia in check, we now have a world where no one can do much of anything against Putin and have a meaningful negative impact on Russia.

But hey, why bother huh?

Look, here’s the deal, When the world comes up with a concerted means to stop Putin and or inflict damage upon him by stopping all his operations as well as put sanctions on him and Russia, nothing will change… Ok ok ok, since Bellingcat and others have been able to throw sunshine on operations and operatives maybe they will change their modus operandi some. In fact I would say the Dutch operations against them recently and their being put on the world stage (name and shame) will be the one thing that will likely make the GRU change tactics. That change will be to mind their OPSEC and do a better job at operations to not get caught out in the middle of them and stop them.

That’s it.

The tempo will be the same if not accelerated because Putin needs to keep the pressure on to fracture the geopolitical world to allow him to do what he wants.

Sow chaos.

So there you have it. That’s all I have to say on it. Don’t expect them to stop, expect them to get better at it and continue to carry on.

K.

 

PS… Another reason they don’t care? Most of the targets are soft targets. DNC? DCCC? Come on…. Fish in a barrel kids.

Written by Krypt3ia

2018/10/05 at 12:21

Posted in GRU

Domain Games: Confirmation Domains for Candidates and The One Who Made It To Confirmation

leave a comment »

With the hearing debacle over Kavanaugh I decided to do a little digging around and specifically about a domain I had heard of called confirmkavanaugh.com I had seen go by in a tweet. In looking at the domain creation and subsequent site that popped up on it after the announcement I became circumspect about the timing of its purchase. Once I began to really look into this it also made me question the timeline about the choice of Kavanaugh as the Trump admin would have us all understand it.

Timeline:

  • Early 2016 before Trump is even nominated McGahn comes up with a list for supreme court picks
  • May 2016 Trump provides a list of candidates for supreme court that does not include Kavanaugh presented to him by Heritage Foundation and Federalist Society
  • June 27th Justice Kennedy announces his retirement to be July 31st 2018
  • July 9th Trump announces Kavanaugh
  • September 4th 2018 confirmation hearings start
  • Today… Well you know the story.

Right, so this all begins back in 2016 before Trump is even nominated and Kav is on the list that McGahn provided. Ok, so there you have it, they were thinking of him and about 11 others back even before they were in power. This is a but presumptous I think but hey, they do have to have a plan right if they get into the White House. What then takes place though seems to telegraph that the choice had already been made by Trump way earlier than most of us might think as to who he was going to put forward as his choice. It turns out, that if you look at the domains bought for all the candidates for the Supreme court only one is carried through to have an actual site on it while another one has a redirect to another site and domain (no longer online) for a site named “TheTrumpCourt.com” which should scare the everloving shit out of us all.

Domain Data:

  • ConfirmKavanaugh.com —- Creation date February 8th 2017

The domain was created by proxy so we don’t have a direct line linking to the Trump org but it’s more than probable it was in fact them that set this up. That is unless it was Kavanaugh himself or lackeys and supporters thereof. Note the date though, this domain was bought in February of 2017 BEFORE the fact that Kennedy was retiring became a public fact. My question then is this, did Donny know that Kennedy was retiring before he announced it? Was foreknowledge of the retirement given to the White House or did they know something was going to happen because, maybe, they helped it happen? While Snopes official ruling on that is “unproven” this does not mean there is no fire to that smoke. I would say that the fact that this domain was started WAY before the fact that Kennedy retired, adds some mystery to the picture that maybe some others out there should look into further.

Still, that one niggling fact that the domain was bought and all set to go back in February as being just a proactive thing kinda bugs be. To be specific though, there was no list, there was no empty seat to fill, and more to the point, Kavanaugh wasn’t even on any list that Trump had mentioned or added him to until much later. So who set this up? Who had the foresight to set up the domain and make the plans for the site back in February of 2017? I decided then I should look into Trumps other pick, Niel Gorsuch.

In looking back over the other Trump nominee Niel Gorsuch, I also found that his domain was created back in 2016 and was lit up on February 3rd 2017. That’s right kids, February, that magical time when everyone knew there would be a supreme court for Trump to fill with conservatives. REMEMBER that this was not even at the time when it is reported that McGahn started his little list for Trump before he even got the nomination.

What’s the deal here?

 

 

Screenshot from 2018-10-01 09-23-16

But wait, it gets better… Dig this, after Trump nominates Kavanaugh someone decides to set up an anonymously owned domain named TheTrumpCourt.com which even the sound of it should scare you. The site is not live and I had to go to the Wayback Machine to get a copy of the front page (see below) perhaps whoever it was thought better of it or maybe they are just re-vamping it for after they get Kavanaugh in, if they manage to do so. But this is all just more interesting when you do a historical WHOIS on the site and see that the domain was created, wait for it… Wait….

February 10th 2017.

 

 

I suppose that this is just a coincidence eh? I mean maybe they saw the Gorusch thing and thought shit, let’s make a site about the TRUMP COURT! But, how would they know there was an opening to come? Rather presumptuous of them… Maybe it’s just their way, but it is interesting.

All in all, I am wondering just what is planning for a rainy day and what is a plan already in motion. Was Kavanaugh always the choice? Was he the choice after a certain time where perhaps he and Donny had a chat? Maybe some communications on how one would rule in their favor and then machinations on their nomination were put into action back in February way before his name even came up on the public radar as a candidate?

I leave it all up to you to decide. I just did the digging around in the WHOIS dirt.

K.

UPDATE:

Thanks to @z3dster for pointing out that the site is run by the JCN for Kav and others. It seems perhaps that they are the group that created the domain as well as are running the content. This though begs more questions on the timing of Kavanaugh’s being a candidate and where that idea came from.

The JCN is the Judicial Crisis Network (see link) that is a dark money PAC entity that seems to have been perhaps behind a lot of the machinations between themselves and the Federalist Society to get Kav on the ticket. There are two stories by the Wasington Post that I was unaware of that Zed shared with me asking much the same questions but not about the timing of the domains being bought and sites created.

Washpo 1

Washpo 2

Both concern the dark money and how Kav became the choice here. There is still fuckery afoot here but we have to now contend with the idea that there are other forces at work other than just those inside the White House on this nomination.

This all brings me back to something I tweeted earlier as well. These sites need to be made transparently but it seems since SCOTUS ruled on Citizens United we have no hope of that happening. Dark money and fuckery rule.

K.

Written by Krypt3ia

2018/10/01 at 13:21

Posted in FUCKERY

Darknet Mystery Boxes and UN-Boxing: Buying Mystery Boxes on Ebay and CLAIMING They Came From the SCARY SCARY DARKNET for Ad Revenue!

leave a comment »

Spooky Darknet BOXES!!!

Lately I have become more of a YouTube junky than I ever have been. This means that I have been pluming the depths of the derp in the YouTubes as well as looking at cool documentaries that get posted there on History and the like. Lately though, I have been watching these “Top 5/10/15” channels with weird things like found footage posts and other oddities, ya know, the urban legends kind of shit. Well, once I started getting into that it was only fate that I would be presented with a whole bunch of videos around “Dark Net MYSTERY Boxes!”

Spoooooky!

If you are not familiar with this whole craze, the story is that in the deepest and darknets of darknets there are places where you can cough up cash (bitcoin) for mystery boxes that will be shipped to you and contain strange and spooky shit! This then, once delivered to you, the intrepid YouTuber will “unbox” that strange shit for you LIVE on cam! Often these people suit up in surgical gloves and masks and eagerly open these mystery boxes only to find random strange shit in them that often is supposed to make you think they have either been cursed or been sent a serial killers kit of tools.

WOOOO!

A prime example of this dipshittery is Ali H a YouTuber who claims to have spent one thousand dollars on a “darknet mystery box” for his channel and opened it on camera. While rummaging around in it he claims to have felt a stick and pinch only to pull out a syringe complete with needle! It’s here that I have to call out some things, first off, if this guy actually bought some rando box of stuff off of “the darknet” well, then where is he getting that kind of money to do stupid stuff like this? Second, what the hell is he doing sitting in front of the camera if this is indeed a random box of stuff he did not put in there himself and did not really get a needle stick on? I would think that he would have shut that camera down and went straight to the E.R. with that needle and the story to start some tests!

*swigs whiskey*

Which then makes me wonder, is this guy faking it all for clicks? Or is there some money to be made here with these kinds of stories? Now, in looking at his video there were no ads, so, he is not making money off of advertising on his channel that I can see. He does have some other channels like an instagram and such, but I am not seeing any other revenue streams here. Well, he does have a “business inquiries” email address though… Business? What business is that? Opening darknet boxes for profit? TV hosting? Being a millennial idiot?

So yeah, if this guy has a grand to drop on some darknet mystery box and is not making some money on this somehow I can easily show you a fool who was parted with his money as the old adage goes. But ok, so what if there is no money in it? What if he really did not spend ANY money on this box that he packed himself and opened on air? Well, then WHY is he doing it? Well, that’s a good question and in the age of social media I am going to go with likes, clicks, and internet fame! Yup, indeed we as a society have gone full reality TV online as well as on air. I mean, this one video here is even trying to imply that this guy could DIE from buying and intrepidly braving the darknet to buy and open this spooky box! In reality, if I were this guy and really got a box that gave me a needle stick that could potentially lead to life threatening illness I’d be on the phone toot suite with the USPS and the cops about an incident.

This guy, nah, he just looks like a stuck dull eyed cow into the YouTube machine hoping for clicks, comments, and “business inquiries”…

Ugh.

In fact while looking over the plethora of spooky mystery box channels I see many of them have no ads, but instead have other channels where they are asking for anything from bitcoin donations to hawking their own merch to keep their channels going. I mean, hell, YOU GOTTA have the bank to buy these $500, $600, $5000  mystery boxes man! What’s even more galling is that people on the other side of the screen believe this stuff! Honestly, have we devolved that much that we have an era where Slenderman and mystery boxes are “real” to people who watch a video online?

No wonder we are in the mess we are in with fake news and russian disinformation! We need to start teaching logic and ethics STAT!

There are no “Darknet Mystery Boxes”

Kids, listen close, get closer, sit by the cyber fire here… I have something to tell you. There is no such thing as a “darknet mystery box”

Trust me, I know, I live in the darknet…

*baleful stare*

In fact, I have searched high and low as others have done on the darknet forums and not one mystery box can be found for sale.

NO REALLY!

Don’t believe me? Well look above here and take it from a minion of the darknet on  a post IN THE DARKNET!!

 

 

So yeah, they don’t exit on the forums but they DO exist on Ebay! In fact while looking at these I do not even see any for sale for that alleged 5k… Hmmmm… Gee, I must not be in the right place huh? Maybe I need to go further down into the Marianas Web huh? If I do I better harden my system, I mean the pressure in the Marianas is a brazillion pounds per square inch right?

Nah, I shall just stay in the surface darknet I guess because THE DARKNET MYSTERY BOX IS A LIE KIDS! Don’t believe these numbnuts on YouTube and certainly don’t give them money for this fakery!

STAHHHHHHHHHHHP!

Ugh.. and I thought Russian disinfo was bad…

I’m gonna just go drink in the corner here kids.

K.

Written by Krypt3ia

2018/09/06 at 13:39

Posted in DARKNET

SADAQAHCOINS: Darknet Jihad Funding

leave a comment »

A few days ago the word got out that a new da’esh jihadi funding site had hit the darknet. Much of the reporting has been about the novelty around this idea which isn’t all that novel really. There was another site back in the day that was looking for bitcoin donations and was much more sketchy than this site is but who’s paying attention right? Anyway, this site is the next generation of jihobbyist funding by an unknown group of guys and it is novel in a couple of ways that in reading the other reports, was missed out on. In fact, one alleged expert just marked this site down as just another scam site when in fact, while it may in fact be a scam, it is much more nuanced than the usual fare you see in the darknet and thus, I judge it to be run by people who at least know the jihad well and understand the Hadiths.

The premise of the site is based on the Islamic notion of Sadaqah, which is misspelled for the jihobbyists on this site to make it catchy. Sadaqah, literally means charity or benevolence and is an apt name for this site because it is exactly that which they are seeking. It is an interesting area of Islam concerning your obligations for charity as well as public works and in this twist, the sadaqacoins crew is attempting, as others have, to manipulate the original intent of Sadaqah, for jihad and the furtherance of the war against the infidels. That this site is using trackable bitcoins and attempts to use a more opaque currency like Monero is novel only for the fact that this site is much more slick and put together than the others I have seen out there in the past. Honestly, much of the jihad has always been propped up on donations and the Hawala system since the beginning of the GWOT.

Of course this site not only wants to have the believers give them bitcoin for the jihad but they have funding programs for specific things like buying a sniper rifle or a truck that they can mount a gun on. Not much new here in the way of asking for donations like this inside the jihad. Now, what is new is that the site is open to “others” to suggest finding programs or “projects” as well so anyone could hit them up within different areas of the jihad to get this funding set up. This could be the big difference if this thing actually flies. Imagine more of the disparate cells asking for new projects and then setting up their own bitcoin wallets. This could mushroom a bit for the more savvy jihadi’s out there on the net looking to help but maybe not get blown up in the lands right?

In fact, the most interesting bit for me and for my old friend Onionscan, was the fact that these guys added an Eid celebration to the mix where you could donate for sacrifice. What this means is that you could help the jihadi’s celebrate Eid in country by funding their goat dinner. This is a bit that I think others missed in reporting this because of two reasons. First, these people who wrote about the site don’t understand the religion and the sociology, and two the site had been updated by the time I got to it with the Eid celebration. In fact, it was here that Onionscan puked out some interesting information about the mostly secure site. It seems that their Eid celebrations were in haste to be posted and they forgot to get rid of their EXIF data.

Oops.

Basically, the data that I managed to pull out of all these photos show that they are using a phone camera by Motorola and managed to not have their geolocation turned on. Of course this doesn’t mean they won’t mess up later and leave that kind of data in them for us to hoover up and use as coords for a hellfire visit. This all could be leveraged by the right players though to manipulate them to make a mistake in the future as well. I look forward to seeing where this all goes in the future. However as it stands now, their OPSEC is fair to medium. They did manage to give us a lot to work with though with all the email addresses to reach them on and their Telegram channels to infiltrate and get in their insides with.

 

 

Another point of interest for me on the OPSEC front was their choice of languages  for the site. It seems that these jihadi’s like to speak German, Turkish, and English. These three languages are of note because the site has no area that is strictly in Arabi and that is an oddity. This implies that the group who set this up are English speakers, Turks, and Germans but not really well equipped to write and read Arabic and this kind of tracks with some of the intelligence that comes out of the da’esh circles over the last couple years. There has been an influx of foreign fighters to the jihad but really guys, no Arabi? Shame on you as good Muslims not at least being able to have a page in Arabi!

I guess maybe we can see if they add some Arabic later on…

14gymFijxkFzbxbacbP9ioGndsqHRuJJTc —0 coins
1Dft8kgCWiuqRBLqgTuH2ZhVeUAxC8KGGi—0 coins
1KHDmXfqHJM9XqDHvGfCN4KVhsuReHDfLc—0 coins
1LGHotsLQF1evDXkt7DBTwvZ48SY3idTBL—0 coins
12QufGGoEoNUZN6aobofCoj9giNzCeHFP4—0 coins
184FNLi5aXGcurjEmUs7kgc7cYJ5gauduB—0 coins
1HABpbonuhGUL1woiQELuoDFXBEV6ZLpyG—0 coins
1Br6MtEQLgikLAQSFsrZKWxX6UPYzkAQz9—0 coins
15zbyqsq3q5s5ea5uEQz8xFkEpsPYAW3CE—0 coins
1KHmpHw8p7VGjQpftj2axdqq5NE3JYGT6C—0 coins
1MFeZbNsfWqBVytLmUjYcZoV3RhxJpQ3Kn—0 coins
17mwSmM6NzZTzoAiP3PHLAkooF9jd1xDY8—0 coins

Meanwhile, back to the bitcoins. This site has 12 bitcoin wallets at the time of my assessment and NONE of them have any coin in there at all. Nothing, nada, niente. Of course the site is fairly new so I can see why it wouldn’t have any coin in there yet. In fact the site only popped up on my link search in the darknet on the 24th of August so there is that. (see below) So we need to give it time to see what else they do and if anyone actually donates. Once they do, well then we can track the coins and see who did what huh?

Well, this was an interesting diversion for a while but I am still kinda meh about the whole thing. I am gonna keep an eye on it and maybe visit those Telegram channels to see what other OPSEC FAIL’s they make. Until then, hey, it’s out there and it’s novel.

BOOGA BOOGA BOOGA JIHAD IN THE DARKNET BOOGA!

Derp.

K.

Written by Krypt3ia

2018/08/27 at 18:22