Michael Richo, 34, of Wallingford, Connecticut, is accused of posting links to fake darknet marketplaces on various online forums. Like any other phishing scheme, the links take the victim to a login page similar to the intended destination. The pages may be indistinguishable from the original marketplace login.
The FBI began looking into the man regarding his involvement in a darknet marketplace. During the course of the investigation, FBI agents discovered Richo was running a phishing scheme. No connection has been made between the initial investigation and the subsequent phishing investigation.
The cybercrime squad of the New Haven Division of the FBI conducted the investigation and interviewed Richo. According to the complaint, Richo admitted to the entire phishing scheme. He admitted posting the links, harvesting logins, and depositing money.
He started by posting the phishing links on unnamed forums.
After a user clicked a phishing link and entered their credentials, Richo harvested the username and password. Richo then checked the accounts for a Bitcoin balance; any bitcoins held in the account would be drained. The accounts were monitored over a period of time as well. If any incoming deposits were detected, Richo would steal those funds in a similar fashion.
The criminal complaint describes a second method Richo used to steal bitcoins. The second method involved posting links on similar forums. However, when clicked, the links would “port forward” the users through Richo’s own server. The victims would land at the correct marketplace, but Richo was able to monitor their keystrokes. He used this method to monitor all activity on the compromised account.
Authorities say Richo traded the stolen bitcoins to others in exchange for U.S. currency. The criminal complaint states that Richo tumbled the coins with “Bitcoin Fog.” He would then deposit the coins into his own wallet. Coins would be sold through LBC in exchange for USD, money orders, or Green Dot cards.
The newly converted US dollars would then be deposited in Richo’s bank account. Richo admitted to being the owner of a business titled MediaPen LLC. FBI agent Michael Morrison obtained a warrant for the MediaPen bank account upon making the connection. The bank account had numerous deposits that correlated to bitcoin sales.
When authorities arrested the man, he was in possession of 10,000 usernames and passwords.
Fraudulent links to darknet marketplaces are especially difficult to notice. They are often seemingly nonsensical and filled with “random” letters.
For instance, here is the .onion.market link that leads to the Alphabay registration page. One should rarely, if ever, trust a login link posted on an unofficial forum. DeepDotWeb maintains an updated market list with both registration links and links to the marketplace forum.
Juha Nurmi, a security researcher and founder of a deepweb search engine, noticed similar activity in a study. “I noticed a while ago that there is a clone onion site for Ahmia,” he writes. After doing some follow-up research, he posted his findings on a Tor mailing list: “Now I realized that someone is actually generated similar onion domains to all popular onion sites and is re-writing some of the content.”
Nurmi then published a Pastebin drop that contained the .onion.market links to 255 fraudulent phishing sites.
It seems that the situation is this: The unknown attacker tries to direct users to these fake sites. The attacker is running multiple onion addresses similar to the popular onion addresses. These sites are actually working as a transparent proxy to real sites. However, the attacker works as MITM and rewrites some content. It is possible that the attacker is gathering information, including user names and passwords.
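A defender-side check for the lookalike addresses described above, as an added example that is not part of the original article: it extracts the onion label from a link (including links written with a trailing suffix such as .onion.market) and compares it with addresses pinned from a trusted source. The addresses, site names, and the six-character similarity threshold are constructed assumptions.

```python
import re
from os.path import commonprefix
from urllib.parse import urlsplit

# Onion labels are base32 (a-z, 2-7): 16 characters for v2, 56 for v3.
ONION_LABEL = re.compile(r"[a-z2-7]{16}|[a-z2-7]{56}")
MIN_SHARED = 6  # assumed threshold for "suspiciously similar"

# Constructed sample data: labels a user pinned from a trusted source.
PINNED = {
    "examplemarket234": "Example Market",
    "searchindex2abcd": "Example Search",
}

def onion_label(url):
    """Return the label directly before 'onion' in the host, or None."""
    target = url if "://" in url else "//" + url
    host = (urlsplit(target).hostname or "").lower()
    parts = host.split(".")
    if "onion" not in parts[1:]:
        return None
    label = parts[parts.index("onion") - 1]
    return label if ONION_LABEL.fullmatch(label) else None

def shared_chars(a, b):
    """Longest run of characters two labels share at the start or the end."""
    prefix = len(commonprefix([a, b]))
    suffix = len(commonprefix([a[::-1], b[::-1]]))
    return max(prefix, suffix)

def classify(url, pinned=PINNED):
    """Return (verdict, pinned site name or None) for a posted link."""
    label = onion_label(url)
    if label is None:
        return ("invalid", None)
    if label in pinned:
        return ("match", pinned[label])
    for good, name in pinned.items():
        # Different address, but it imitates the visible part of a pinned one.
        if shared_chars(label, good) >= MIN_SHARED:
            return ("lookalike", name)
    return ("unknown", None)

if __name__ == "__main__":
    for link in ("http://examplemarket234.onion/login",
                 "http://examplem7qk2xw5z.onion.market/login",
                 "qz7wk3nd5tyu2hba.onion"):
        print(link, classify(link))
```

A "match" only confirms the address equals a pinned one; an "unknown" result means the link cannot be verified, not that it is safe.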
Richo was officially charged with access device fraud, computer fraud, wire fraud, identity theft and money laundering.
According to the DoJ:
Money laundering carries a maximum term of imprisonment of 20 years, wire fraud carries a maximum term of imprisonment of 20 years, access device fraud carries a maximum term of imprisonment of 10 years, computer fraud carries a maximum term of imprisonment of five years, and aggravated identity theft carries a mandatory term of imprisonment of two years.
Richo has been released on a $100,000 bond. No further information has been released by official channels.