An Italian citizen’s apparent attempt to hire a hitman on the Dark Web has been undone by clever analysis of his Bitcoin transactions. The man, who is reported to be an IT worker employed by a major corporation, is alleged to have paid the hitman to assassinate his former girlfriend.
What happened?
According to a news article published by European policing entity Europol on April 7, they assisted Italian communications crime law enforcement Polizia Postale e Delle Comunicazioni in arresting a local citizen suspected of paying about $12,000 USD worth of bitcoin (at the moment of writing) to a Dark Web hitman to kill his ex-girlfriend. The Europol report states that the timely investigation had prevented any harm against the potential victim. The spiteful ex was detained before he paid the entire sum on the verge of the attack.
The agencies
The Polizia Postale e Delle Comunicazioni is a federal department of the Italian police force that is, among others, responsible for solving cybercrimes.
Europol is the European Union Agency for Law Enforcement Cooperation. Headquartered in The Hague, the Netherlands, they assist the EU member states in their fight against serious international crime and terrorism.
The investigation
After being asked for assistance, Europol reportedly carried out an urgent analysis of the Bitcoin transactions to trace the origin. They were able to identify the crypto-asset service provider from which the suspect had acquired the funds. The company that sold the assets confirmed the information provided by the investigators and offered more information about the suspected man.
Unmasking Bitcoin transactions
Europol managed to track down the local cryptocurrency service provider that facilitated the suspect’s Bitcoin purchases to uncover more information about him.
In their press release Europol states:
Europol carried out an urgent, complex crypto-analysis to enable the tracing and identification of the provider from which the suspect purchased the cryptocurrencies.
It was able to do this because Bitcoin transactions are all recorded in a public ledger called a blockchain. The Bitcoin blockchain records every transaction ever made using the currency in its blockchain, making it a perfect source for big data investigations. With the proper tools investigators can follow and back-track payments. Although Bitcoin transactions don’t record the names of the people involved, they do record the wallet addresses that sent or received money. If police can link a wallet address to a real individual, they can trace that individual’s credits and debits.
Exchanges where non-digital money and crypto-currencies get exchanged are an established weak spot in the chain for criminals, since users often have to hand over personally identifiable information before they can use one. If the police can trace bitcoin payments back to a bitcoin purchase at a legitimate exchange they can subpoena the exchange for the bitcoin owner’s personal details.
Unmasking Dark Web activity
The story is a useful reminder that the Dark Web is not as hidden and unconnected as many people think. Connections to the regular web, and the real world, can reveal the things its users are trying to keep hidden. In this case, the arrested man seems to have been unmasked by his connections to currency transactions on the regular web, but there are numerous other pathways from one to the other.
For example, Dark Web sites can reveal their links to hosting companies or regular websites through misconfigured SSL certificates or leaky server-status pages, among other things. And real people can accidentally unmask themselves through any number of mistakes, from EXIF data in photos to reusing their Reddit account username on a Dark Web market.
Investigation tools
There are existing tools and new ones under development that enable investigators to find the type of information that can connect Dark Web operators to a real world identity. Interpol is working with great interest on a Dark Web Monitor to help in criminal investigations that involve Crypto-currencies, PGP, the Dark Web, and other related fields, and the US Defense Advanced Research Projects Agency (DARPA) revealed the existence of its Deep Web search project, Memex, several years ago.
Anonymity and privacy researcher Sarah Jamie Lewis has written a tool called OnionScan to help Dark Web site operators identify the kind of operational security leaks or software misconfigurations, like shared SSH keys, which can connect Dark Web sites to each other, or to clear web sites. You can find information about her work on onionscan.org.
The hitman
It is unknown whether the hitman that offered to carry out the crime has been identified and will be prosecuted. As we have seen in the past, not every hitman on the Dark web does what they were paid for. Obviously we do not condone what this suspect was doing, but there is another lesson to be learned here. It is not safe to assume that you are private on the Dark Web, nor that you will get what you paid for.