Let's talk about some OPSEC fails, because smart people learn from others' mistakes, not their own. In lines of work on the darknet, your first mistake might also be your last one.
- DreadPirateRoberts (Ross Ulbricht) – was a revolutionary, extremely intelligent but not necessarily smart at all. Among the many stupid things he did: using a misconfigured CAPTCHA server for an extended period of time, shipping contraband to his home address, advertising Silk Road on Shroomery using his own Gmail address, befriending a former undercover (corrupt) DEA agent (who later extorted him for money), and keeping logs of all of his conversations plus a detailed diary of his Silk Road adventures. But the most fatal one was not being aware of his surroundings. For the most part, he operated Silk Road from the comfort of the San Francisco Public Library. Where he went wrong was sitting at a table with his back turned to the room. While two FBI agents posed as a fighting couple, their colleagues swooped in from behind and grabbed the laptop before he could shut it off and trigger the encryption process. He basically documented all of his crimes, among other things – so don't be DPR.
- Shiny Flakes (German Vendor) – a 20-year-old who created one of the biggest cocaine trafficking operations in Germany at the time. Police confiscated more than half a million in various currencies and an ungodly amount of drugs, all stored in his bedroom. His biggest OPSEC failure was sending all his shipments from the same DHL outpost. He also stored everything in plaintext (orders, customers, financials, login credentials, etc.) on an unencrypted drive.
- Sabu (Hector Xavier Monsegur, LulzSec) – forgot to use Tor to connect to an IRC server monitored by the FBI. They got his IP address from his ISP; one correlation attack later he was cuffed and gave up his friends in exchange for a plea deal. Don't be a snitch, own up to your fuck-ups.
- nCux / BulbaCC / Track2 (Roman Seleznev, Russian Carder) – among the many stupid things he did was renting servers with the e-mail address he used to open a PayPal account, then using that PayPal to pay for his wife's flowers. But that's not all. He traveled with his work laptop, which contained hundreds of thousands of credit cards, but that's not bad since he had encryption. Unfortunately, his password "Ochko123" was guessed by law enforcement, as it was the same on his e-mail, I believe. So, don't carry your work when you travel, don't mix crime and love life, don't fucking re-use passwords. Don't be BulbaCC.
- Willy Clock (Ryan Gustafson, Ugandan Counterfeiter) – reused the personal e-mail address he had used to apply for US citizenship for a Facebook account he used to sell fake notes from. He also uploaded his own picture to that account. I don't even have anything to say for this one.
- FrenchMaid aka nob (DEA Agent from the DPR case) – used his work laptop to extort Ross Ulbricht; you can guess how that went. Among other things, he moved that money to bank accounts under his own name, in countries with non-strict banking secrecy laws. He got what was coming to him.
- Alexandre Cazes (AlphaBay Admin) – used his personal e-mail address for AlphaBay password reset e-mails, kept all data stored in unencrypted format on his device, and hosted AlphaBay servers in Quebec, Canada under his own name.