Friday, February 3, 2023

Feds Tracked BTC Addresses and LocalBitcoins to Bust Dark Market ‘Kingpin’

The recent arrest of alleged online drug vendor Gal Vallerius isn’t your routine dark market bust. As well as claiming they’ve caught another “kingpin”, federal authorities used basic Bitcoin address analysis, a LocalBitcoins account and social media posts to track their man.

French resident Vallerius, who feds say is Dream Market’s “OxyMonster”, was arrested at Atlanta airport on 31st August, while he was traveling to a beard-growing contest in Austin. He is currently in Miami where he faces indictment for multiple charges and (if found guilty) up to life in prison.

Connecting the Dots Between Dark Markets, Social Media Posts

Dream Market is currently the top-ranked darknet market, according to DeepDotWeb, followed closely by Traderoute. However, many suspect Dream may have been seized and infiltrated by law enforcement after the takedowns of previous user favorites AlphaBay and Hansa in July 2017.

Also according to DeepDotWeb, feds originally investigated Dream’s regular vendors. However, closer examination of the site’s forum section revealed “OxyMonster” as a senior moderator and vendor of “Schedule 11 controlled substances”.

They soon connected OxyMonster to Vallerius. Dream’s official staff posted a “tip jar” with a vanity Bitcoin address — which never changed. That address regularly sent coins to a LocalBitcoins P2P trading account called “vallerius”. Feds then cross-checked against social media accounts with the same name.

They allegedly noticed similarities in writing styles between OxyMonster and Vallerius’ online presences, including frequent use of the word “cheers”, double exclamation and quote marks and some posts in French. Vallerius’ online profiles have since been deleted.

OxyMonster’s Traderoute vendor profile also claimed to have been an admin on Dream and moderator on the now-defunct Evolution Market.

Suspect Took Several Security Risks

Maintaining a common pseudonym and reputation across market platforms can be essential for vendors and admins (especially when they’re routinely shut down), but it also makes life easier for investigators to connect the dots.

Vallerius’ arrest should also be a lesson in “operational security” (OpSec) — and the perils of crossing borders with laptops. Border guards searched the machine and allegedly found: his login credentials for Dream Market, a PGP private key used by a Dream Market and Traderoute vendor, $500,000 USD worth of bitcoin… and a copy of the Tor browser.

Though not illegal, some claim merely having Tor browser installed is enough to arouse suspicion.

By the time he arrived in Atlanta Vallerius was already a target, though.

The Perils of Re-Using Bitcoin Addresses

The hazards of using the same Bitcoin address for multiple transactions (and/or over a prolonged period) have long been cited as a privacy risk. Even for those not engaging in illegal activity, every transaction an analyst can link to a particular address helps build a data profile — one which can be cross-referenced with purchases, login times and other behavioral patterns.

Most modern Bitcoin wallets use a new sending and receiving address for each BTC transaction. There are more technically advanced ways to connect these, though it’s far tougher than just searching on

It seems OxyMonster didn’t consider the tip jar address to be a security hole, though. OpSec, as information security professionals often warn, is a full time job and it only takes one slip to unlock a new trove of information.
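The linking described in this section (a static tip-jar address tying every payment and spend together, then a spend that lands on a P2P-exchange deposit address), as an added Python example that is not part of the original article. The transactions, address labels and the `p2p_exchange_deposit` name are constructed, and the last function goes slightly beyond the text by showing the common-input heuristic, which links even fresh per-payment addresses once a wallet spends them in the same transaction.

```python
from collections import defaultdict

# Constructed sample transactions, not real on-chain data: (txid, inputs, outputs).
# A static "tipjar" address receives three payments and is later spent to a
# P2P-exchange deposit address; a second wallet hands out a fresh address per payment.
TXS = [
    ("tx1", ["buyer1"], ["tipjar", "buyer1_change"]),
    ("tx2", ["buyer2"], ["tipjar"]),
    ("tx3", ["buyer3"], ["tipjar", "buyer3_change"]),
    ("tx4", ["tipjar"], ["p2p_exchange_deposit", "vendor_change"]),
    ("tx5", ["buyer4"], ["fresh1"]),
    ("tx6", ["buyer5"], ["fresh2"]),
    ("tx7", ["fresh1", "fresh2"], ["other_deposit"]),
]

def receive_counts(txs):
    """Number of transactions in which each address received funds."""
    counts = defaultdict(int)
    for _, _, outs in txs:
        for addr in set(outs):
            counts[addr] += 1
    return dict(counts)

def reused_addresses(txs):
    """Addresses that received funds more than once: the reuse the article warns about."""
    return sorted(a for a, n in receive_counts(txs).items() if n > 1)

def linked_transactions(txs, address):
    """Every txid touching one address; a static address ties its whole history together."""
    return [txid for txid, ins, outs in txs if address in ins or address in outs]

def spend_destinations(txs, address):
    """Where funds spent from `address` went, e.g. a counterparty's deposit address."""
    return sorted({o for _, ins, outs in txs if address in ins for o in outs})

def common_input_clusters(txs):
    """Union-find over addresses spent together as inputs of one transaction:
    the heuristic assumes they share an owner, so fresh addresses get linked too."""
    parent = {}
    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a
    for _, ins, _ in txs:
        roots = [find(a) for a in ins]
        for r in roots[1:]:
            parent[r] = roots[0]
    clusters = defaultdict(set)
    for a in parent:
        clusters[find(a)].add(a)
    return [frozenset(c) for c in clusters.values()]
```

With fresh addresses the per-payment history stays unlinked until tx7 spends them together, which is why wallets that avoid reuse still need care when they consolidate coins.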

Will Feds Make Gal Vallerius the Next Ross Ulbricht?

When investigating Ross Ulbricht as part of the Silk Road investigation, the FBI reportedly jumped on an early lapse where Ulbricht revealed his email address — and a brief window when the site’s real IP address was accidentally exposed.

Ross Ulbricht

With that small but useful puzzle piece, they were able to start tracking down Silk Road’s server location and identifying who operated it.

A marquee catch in the U.S. federal government’s battle against e-commerce on the dark web, Ulbricht is currently incarcerated at Florence High, a high-security federal prison in Colorado.

Despite never selling illicit substances himself, Ulbricht was sentenced to life imprisonment with no possibility of parole in 2015. Appeals against the conviction and harshness of the sentence have been fruitless so far.

The authorities may wish to set a similar example with Vallerius, who may also hold useful information on other dark market operators.

Is law enforcement winning the war against dark markets? Let’s hear your opinions.

Images via Washington Post, Pixabay,
