
30.7.17 Dark Web and Cybercrime Roundup

Fentanyl Vendor “NarcoBoss” Busted in Philadelphia

Although the arrest occurred in early July, details are still trickling down the wire as curious members of the community discover the vendor’s social media accounts. NarcoBoss, once known as DNMKingpin on a banned Alphabay account, landed amidst a high-profile FBI, HSI, and USPIS investigation. The feds ordered enough of NarcoBoss’s products to build a preliminary profile. They ordered, specifically, “China white synthetic heroin fentanyl mix.” Investigators knew the location that both DNMKingpin and NarcoBoss used for shipping products.

Eventually, and largely due to a concurrent investigation across the United States into a fentanyl overdose, investigators identified NarcoBoss. Described as a “top ten target” by HSI, Henry Koffie proved fairly easy to take down. Once they had identified him, that is. Koffie posted on Twitter and Instagram under the username “CountStackula_.” And yes, he posted pictures of his “stacks” on a routine basis. He also posted pictures of his travel tickets when he took vacations; the vacations coincided with his Alphabay downtime.


Investigators nabbed an incoming package from a custom synth lab in China; he paid the price they required and they shipped him whatever, including fentanyl. Nowadays, the labs are rarely custom-synth exclusive. They sell in small quantities and frequently post pictures of the products ordered. Koffie’s package, although addressed to a different name, still used his home address.


The final step, before the feds rushed him, was a seemingly unique move; an agent compared the handwriting on a known NarcoBoss package with Koffie’s passport address. They looked similar enough that a judge signed a search warrant. Everything else was history. Notably, an investigator claimed an old divorce signature identified another fentanyl vendor via the same procedure: comparing the handwriting. DeepDotWeb

TheOtherPlace Child Porn Chat Room Admins Jailed

Darknet forums permitting, facilitating, or encouraging child abuse and the digital media associated with the crime have fared about as well as fentanyl dealers lately. Many still remain and the sites are rarely hard to find. But the child abuse related arrests, convictions, and sentencings seemingly aligned themselves. PlayPen members are getting sentenced, the German Federal Criminal Police are taking down forums and tracking members, and now lesser known targets are being hit.


This time, two UK-based men, David Buckley, a 54-year-old, and Brett McBain, a 51-year-old, landed in police custody for owning a particular chatroom. The hidden service, a now-defunct chatroom under the name “TheOtherPlace,” launched in 2014. At the site’s peak, according to Benjamin Vitáris, only 60 members actively communicated and shared images or videos.

Yet, in 24 hours, members managed to share 2,500 images or videos depicting child abuse in one form or another. McBain shared 200,000 media files and pleaded guilty to ten charges related to the crime. His co-defendant, Buckley, only admitted to one charge. The men will serve five years and three years, respectively. DeepDotWeb.

Crooks Reused Passwords on the Dark Web, so Dutch Police Hijacked Their Accounts

After the bust that fragmented the darknet market “community” and shortened the list of viable markets, Dutch law enforcement promised that they had not finished wreaking havoc. A Reddit user noticed that the PGP keys of some Dream Marketplace vendors had changed. The situation grew a little more odd upon examination of the key; the key’s user ID was “Dutch National Police.” Grams, the darknet market search engine, allows users to search for a vendor based on the PGP key alone. Anyone with the inputted key appears in the search results.


And, in an unusual turn of events, several Dream vendors turned up. Between 12 and 14, at the time. The number changed as “vendors” changed their PGP key from the Dutch National Police’s key to a less conspicuous key. Two Hansa vendors came forward and verified themselves with one of the /r/darknetmarkets subreddit moderators; both were former Hansa vendors who lost control of their Dream account and found themselves on the list of vendors with the Dutch National Police PGP key. Why did the police make the move so obvious? BleepingComputer

The Hansa Dutch National Police Locktime File

Another user remembered that Hansa, on the final day of undercover ownership, changed the locktime TXT file to a locktime Excel file. Instead of containing details on one transaction, the Excel file contained info on all transactions between X and Y time period. One clever individual noticed that the file was more than the usual locktime file plus a nice spreadsheet of orders.

In a Reddit post titled “DON’T open the xlsx locktime file, beacon image confirmed in it with Hansa’s server IP address,” a user wrote the following:

“I looked into the locktime xlsx file. It’s basically a zip file containing many plain text xml files, you can change the file name from .xlsx to .zip and open with your zip viewer. I looked into the xml files one by one and guess what I find, the IP address of the Hansa server.”
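The inspection the Reddit user describes can be done without ever opening the workbook in a spreadsheet application. The following is an added example, not code from the Reddit post or the original article: it assumes the remote reference is recorded as an external relationship (`TargetMode="External"` in a `.rels` part, which is how OOXML stores linked resources) and also flags any URL with an IP-literal host in any part. The sample workbook and the address 192.0.2.10 are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
IP_URL = re.compile(rb"https?://\d{1,3}(?:\.\d{1,3}){3}[^\s\"'<>]*")
MAX_PART = 20 * 1024 * 1024  # skip oversized members (zip-bomb guard)

def scan_ooxml(data):
    """Return (external_relationships, ip_urls) without rendering the file."""
    external, ip_urls = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_PART:
                continue
            body = zf.read(info.filename)
            if info.filename.endswith(".rels"):
                # For hostile input, a hardened XML parser is preferable.
                for rel in ET.fromstring(body).iter(REL_NS + "Relationship"):
                    if rel.get("TargetMode") == "External":
                        kind = rel.get("Type", "").rsplit("/", 1)[-1]
                        external.append((info.filename, kind, rel.get("Target")))
            for m in IP_URL.finditer(body):
                ip_urls.append((info.filename, m.group(0).decode("ascii", "replace")))
    return external, ip_urls

def build_sample():
    """Constructed workbook skeleton: one linked (remote) and one embedded image."""
    img = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{img}" '
            'Target="http://192.0.2.10/pixel.png" TargetMode="External"/>'
            f'<Relationship Id="rId2" Type="{img}" Target="../media/image1.png"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        zf.writestr("xl/drawings/_rels/drawing1.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    ext, urls = scan_ooxml(build_sample())
    for part, kind, target in ext:
        print(f"external {kind} in {part}: {target}")
    for part, url in urls:
        print(f"IP-literal URL in {part}: {url}")
```

Only the linked image is reported; the embedded one (`../media/image1.png`) has no external target mode and never triggers a network request.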

In Hansa’s final Reddit update titled “HANSA Market Update [v3.0.3],” they announced the addition of a new locktime file for vendors:

  • VENDORS: We have improved the locktime transactions export. Besides locktime transactions, the export now also includes listings, orders and statistics.


For those confused as to the purpose of the locktime file, look no further than Hansa-market’s own Reddit post from the early days. Looking through the old “how to” guides goes into a little more depth, but this covers the basics:

“In short: Locktime is a second transaction we provide the vendor with. Should Hansa go offline the vendor can still finalize the order with this transaction. This transaction only activates after 90 days of Escrow. To avoid abuse all disputes are settled within this time frame and we limit the volume of 2-2 orders.”

Greek Law Enforcement Arrest BTC-e Founder for Laundering Billions in Bitcoin

A 17-count grand jury indictment charged Alexander Vinnik, a Russian citizen, with money laundering. Four billion dollars worth of money laundering, according to the indictment. Vinnik operated BTC-e, and unlike many US-based cryptocurrency exchanges, BTC-e never required identification from users.


Vinnik was arrested in Greece and the US State Department is making arrangements to have the Russian citizen extradited to the United States.


Within hours of the news, an independent investigative “group” or collective announced that BTC-e and Vinnik had connections to the Mt. Gox hack in 2011 and possibly 2014. The BTC-e case will be an interesting one to watch. As usual, the United States is rushing in to extradite Vinnik as rapidly as possible. However, according to The Associated Press, “under Greek law, he can be held for up to two months until the request is examined.” DeepDotWeb, Coindesk, CoinTelegraph

Marisa Sunthep Suwan
