{"id":19056,"date":"2019-10-28T12:00:11","date_gmt":"2019-10-28T12:00:11","guid":{"rendered":"http:\/\/ci027cfe65402026c3"},"modified":"2025-01-27T21:08:15","modified_gmt":"2025-01-27T21:08:15","slug":"darknet-markets-cant-live-with-or-without-bitcoin","status":"publish","type":"post","link":"https:\/\/bitcoinmagazine.com\/culture\/darknet-markets-cant-live-with-or-without-bitcoin","title":{"rendered":"Darknet Markets Can\u2019t Live With \u2014 or Without \u2014 Bitcoin"},"content":{"rendered":"
<\/div>
<\/figure>\n

Earlier this month, the United States Department of Justice (DOJ) announced the seizure and takedown of Welcome to Video (WTV), one of the largest darknet marketplaces for child pornography in the world. The website was accessed through Tor Hidden services (.onion<\/a>) and transacted a total of $353,000 entirely in bitcoin from 2015 to 2018. <\/p>\n

It should come as no surprise that all bitcoin transactions in and out of WTV were traceable. Alongside undercover investigation techniques, Bitcoin\u2019s pseudo-anonymity became an integral part of how investigators were able to locate and seize the darknet marketplaces as well as its global user base.<\/p>\n

Further Reading: <\/em><\/strong>Is Bitcoin Anonymous?<\/em><\/strong><\/a><\/p>\n

Contrary to what one might consider FBI or NSA territory, U.S. involvement in the case was led by the IRS and Homeland Security Investigations (HSI) teams. In the DOJ announcement<\/a>, Chief Don Fort, head of the IRS investigation team, stated that through the use of \u201csophisticated tracing of bitcoin transactions,\u201d agents were able to identify the administrator of the WTV website and locate its server in South Korea. This is all true \u2014 and it makes for a great press release \u2014 but there\u2019s more to the story. <\/p>\n

A Follow-the-Money Style Blockchain Tool<\/h2>\n

In general, a variety of techniques are required and employed for this level of cyber investigation. During the case, law enforcement was, in fact, aided by blockchain analysis software created by Chainalysis. In an interview with Bitcoin Magazine<\/em>, Jonathan Levin, Chainalysis\u2019 co-founder and chief strategy officer, explained the role that Bitcoin played in this case.<\/p>\n

Chainalysis provides a specialized \u201cfollow-the-money\u201d style of data visualization for bitcoin transactions to government agencies, cryptocurrency exchanges and traditional financial institutions. But Levin emphasized that Chainalysis is never purely the architect for solving a case. Its software acts in a much more supplemental support role for law enforcement.<\/p>\n

\u201cWhat we provide really is the training and software to law enforcement agencies so that those agencies themselves and cryptocurrency exchanges can collaborate to build these types of investigations,\u201d said Levin. \u201cWe help identify the services that individuals are using to cash in and out of funds. Those exchanges themselves can then identify who those individuals are using KYC standards and then shed light on that information with law enforcement to go on and make arrests.\u201d<\/p>\n

Further reading: <\/em><\/strong>Bitcoin Is Not Anonymous and Tor Users Are Forgetting This<\/em><\/strong><\/a><\/p>\n

Using the Chainalysis Investigations product Chainalysis Reactor<\/a>, IRS-Criminal Investigations (IRS-CI), HSI and a cohort of other national agencies across the world were able to map the flow of transactions on the Bitcoin blockchain that transferred funds to WTV bitcoin addresses. <\/p>\n

The Reactor product essentially simplifies how people can see cryptocurrency transactions so that data from those insights can be more easily digested and understood. This bitcoin transaction information was subsequently disseminated as evidence for arrest to other law enforcement agencies in the United Kingdom, South Korea, Germany, Saudi Arabia, the United Arab Emirates, the Czech Republic, Canada, Ireland, Spain, Brazil and Australia.<\/p>\n

<\/figure>\n

Through Chainalysis\u2019 mapping, law enforcement knew to target other darknet markets and cryptocurrency exchanges to further identify the WTV user base for subsequent arrests. U.S.-based cryptocurrency exchanges, at least, are required by law to follow KYC standards and comply with law enforcement. Many of these exchanges provided copies of identification, addresses and other transactional information, while open-source intelligence and \u201cstandard investigative techniques\u201d did the rest. <\/p>\n

\u201cThis is one of the most successful takedowns of a child pornorgraphy website in the last few years,\u201d said Levin, \u201cand it was enabled both through law enforcement effort and collaboration with cryptocurrency exchanges, and without that the case would not have been as successful.\u201d <\/p>\n

Given that Chainalysis positions itself in the cryptocurrency ecosystem as a data and compliance firm, providing analysis software to government agencies, financial institutions and cryptocurrency exchanges, Levin thinks fighting against the abusive use of cryptocurrency will create more trust in the market and bring more opportunities to more people. <\/p>\n

As cryptocurrencies become more mainstream, touching and integrating more traditional financial institutions into the cryptocurrency economy, there\u2019s a consistently growing demand to understand how and why people are using cryptocurrencies. As a result, Chainalysis is expanding across the board in all of its business lines. Levin said it will continue to add more cryptocurrencies to its platform and expand globally, particularly in the Asia-Pacific region.<\/p>\n

In contrast to more traditional anti-(fiat)money laundering services, Chainalysis has a clear advantage. <\/p>\n

\u201cThe difference between what they do and what Chainalysis does lies in the clear fact that blockchain analysis requires one publicly available immutable ledger,\u201d Levin explained. <\/p>\n

An obvious observation from a follow-the-money perspective, using one publicly immutable ledger makes it far less difficult and time consuming to analyze transactional data.<\/p>\n

Blockchain Analysis vs. CoinJoin<\/h2>\n

Research over the internet about the effectiveness of mixing services like CoinJoin yields a miasma of opinions. In the past, government officials and technologists have said it can be cracked. However, the technology for both mixing and unmixing cryptocurrency continues to get better. A Wired<\/em>article<\/a> gives some background on why revealing a detailed unmixing methodology to the public is not always in a public or private organization\u2019s best interest. <\/p>\n

Also, the true effectiveness of mixing coins<\/a> isn\u2019t likely a simple yes-or-no answer. Here\u2019s how Levin explains it:<\/p>\n

\n

\u201cThere have been instances where CoinJoin is relatively ineffective; there have been cases where it has been effective. So there\u2019s not a blanket answer to whether blockchain analysis does or does not get through mixing services like CoinJoin.\u201d <\/p>\n<\/blockquote>\n

The Other Major Operational Slip Up<\/h2>\n

Putting aside Bitcoin, another crucial break in the case can be found in the indictment<\/a> (explicit) for WTV\u2019s administrator, Jong Woo Son. The indictment shows another major security slip. In September 2017, investigators discovered that by right-clicking the WTV homepage and selecting \u201cview page source,\u201d anyone could view the website server\u2019s IP address.<\/p>\n

A month later, another IP address was exposed in the same way. These two IPs were used as evidence and tracked back to a single account hosted by a telecommunications provider in South Korea. The account was registered to Son. <\/p>\n

During the same time, an undercover agent repeatedly sent BTC to a bitcoin wallet address provided on the WTV website. Each time, the owner of this bitcoin address transferred funds to another address held on a \u201cBTC exchange.\u201d The signature card for the account was held in Son\u2019s name.<\/p>\n

With reasonable evidence to search Son\u2019s house, investigators found further indicators to corroborate Son as WTV\u2019s administrator, including four email accounts owned by Son linked to the same leaked IP address in WTV\u2019s homepage. <\/p>\n

So Why Use Bitcoin? <\/h2>\n

Between 2015 and its shutdown in 2018, WTV featured over a quarter of a million videos, over eight terabytes of perhaps some of the most vile content on the internet. It charged users as much as $350 in bitcoin for a subscription. The DOJ release states that this website was one of the first of its kind to monetize child exploitation videos using bitcoin. <\/p>\n

However, accepting only bitcoin for this level of criminal activity was not only unwise, it was also fairly uncommon. According to the nonacademic darkweb, crypto and drug market researcher Caleb<\/a> (@5auth), \u201cmarketplaces such as WTV do not typically require payment.\u201d <\/p>\n

Caleb has a much better understanding of the darkweb than the average person. His take on the significance of the WTV shutdown is fairly Austrian. After all, in anonymous \u2014 and in WTV\u2019s case, sinister \u2014 marketplaces, the invisible hand is always moving the market.<\/p>\n

\u201cWTV filled a spot that is now vacant,\u201d Caleb said. \u201cSomeone will create a site and fill the void. The new site will likely make fewer basic mistakes during its creation and practice better opsec. But I doubt they will drop support for bitcoin or enforce the use of more private cryptocurrencies.\u201d<\/p>\n

On this last point, Levin is in agreement: \u201cIt\u2019s going to take quite a long time for any other cryptocurrency to unseat bitcoin as the most used cryptocurrency on the darkweb,\u201d he said.<\/p>\n

And because bitcoin is the most tried-and-true method for payment in these illicit online markets, not accepting it would clearly be bad for business.<\/p>\n

\u201cThere has been a lot of research that has shown that darknet marketplaces have real competition, and from an academic perspective, I think there\u2019s an inevitability of those marketplaces to exist,\u201d said Levin. \u201cIf [talking about darknet platforms in general] is marketed at trying to get as many people as possible to participate in the marketplace, and that means transacting in bitcoin, then people might feel that it\u2019s worth the risk if it means getting a larger target market.\u201d <\/p>\n

This gets at the paradoxical nature of using bitcoin for criminal activity. From an operational security perspective, the WTV shutdown proves that it\u2019s probably one of the worst methods of payment for this level of criminal activity. <\/p>\n

However, at least generally speaking about darkweb economics, bitcoin is still by far the most widely used and accepted method for payment. According to Caleb, evidence shows that until a few months ago, almost all darkweb drug markets that only accepted monero ultimately failed or died due to lack of customers. <\/p>\n

<\/figure>\n

One or two XMR-only markets are generating income. However, Caleb points out that while Monero might seem better for illicit activity, the market still prefers bitcoin and not accepting it will limit growth.<\/p>\n

“\u2018Fly-by-night\u2019 markets can set up shop with one of the many scripts for creating a basic market that accepts only bitcoin and still make a killing,\u201d Caleb said. <\/p>\n

Sending a \u201cClear Message\u201d to Darknet Markets<\/h2>\n

Ultimately, bitcoin paid for WTV subscriptions, and that is what led investigators to the door of Jong Woo Song, a 23-year-old South Korean national, currently serving his sentence as the convicted administrator and service operator of WTV.<\/p>\n

An analysis of the server revealed that the website had more than one million bitcoin addresses, signifying that it had the capacity for at least one million users.<\/p>\n

In total, law enforcement agencies across the world have shared data collected from the seized website and cryptocurrency exchanges to identify and prosecute its customers. So far, this information has been sent to 38 countries and resulted in the arrest of more than 337 people across the globe. There have been searches of residences and businesses of 92 different individuals in the U.S., two of whom were former federal agents. <\/p>\n

In Washington, D.C., the seizure of WTV led to a particularly dramatic series of events, starting with \u201cthe execution of five search warrants and eight arrests of individuals who both conspired with the administrator of the site and were, themselves, users,\u201d according to the DOJ release. \u201cTwo of these users committed suicide subsequent to the execution of search warrants.\u201d<\/p>\n

The DOJ release also noted that the WTV takedown and follow-up investigations are \u201cresponsible for the rescue of at least 23 minor victims residing in the United States, Spain and the United Kingdom, who were being actively abused by users of the site.\u201d<\/p>\n

Today, the case is still alive and investigators are still pursuing WTV users. A Chainalysis blog post<\/a> was released in tandem with the DOJ announcement, which could be considered risky. <\/p>\n

Levin acknowledged the potential downside but stood by this decision, saying, \u201cRight, you might drive this kind of activity further underground, but I think this case sends a really clear message.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"

Inside the darknet market seizure made possible by Bitcoin.<\/p>\n","protected":false},"author":3410,"featured_media":18580,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[544,1722,275,91,565,1528,857,291,1782,2197,311,299,200,1946,1224,3256,542,742,2198,3257,2610,2926,382,1955,262,255,492,1605],"class_list":{"0":"post-19056","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-culture","8":"tag-aml","9":"tag-arrest","10":"tag-australia","11":"tag-bitcoin-magazine","12":"tag-brazil","13":"tag-canada","14":"tag-chainalysis","15":"tag-coinjoin","16":"tag-czech","17":"tag-darknet","18":"tag-doj","19":"tag-fbi","20":"tag-germany","21":"tag-ireland","22":"tag-irs","23":"tag-jonathan-levin","24":"tag-kyc","25":"tag-mixing","26":"tag-monero","27":"tag-nsa","28":"tag-psuedonymity","29":"tag-saudi-arabia","30":"tag-south-korea","31":"tag-spain","32":"tag-uae","33":"tag-uk","34":"tag-united-states","35":"tag-washington"},"author_data":{"id":3410,"name":"David Hollerith","nicename":"david-hollerith","avatar_url":"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/12\/david-hollerith-promo-image-96x96.jpg"},"featured_image_url":"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/11\/darknet-markets-cant-live-with-or-without-bitcoin.jpg","_links":{"self":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts\/19056","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/users\/3410"}],"replies":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/comments?post=19056"}],"version-history":[{"count":0,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts\/19056\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/media\/18580"}],"wp:attachment":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/media?parent=19056"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/categories?post=19056"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/tags?post=19056"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}