Unmasking dark net drug dealers

Unmasking dark net drug dealers

Organisation: The Times & The Sunday Times (London) (United Kingdom)

Publication Date: 04/05/2017


Size of team/newsroom:large


Using publicly available backups of several popular dark net markets, Louis Goddard and Robin Henry identified individuals in the UK selling hacking equipment and illegal drugs. Among the dealers unmasked by The Sunday Times was a government contractor linked to an account selling high-tech tools for breaking into cars. Another was an employee at a Liverpool hospital who had sold thousands of pounds worth of steroids and prescription painkillers. The dealers were identified forensically through clues left in their profile pages on dark net markets. These included photographs containing location data and PGP encryption keys containing personal email addresses. All this information was obtained from backups published by an independent security researcher known as Gwern Branwen: https://www.gwern.net/DNM%20archives. The investigation involved combing through more than 1.5 terabytes of data comprising millions of individual images and HTML pages.

What makes this project innovative? What was its impact?

This project represents an innovative combination of computational investigation, forensic analysis and traditional doorstep journalism. In its first stage, Louis Goddard wrote a number of scripts to programmatically trawl through dark net market archives, picking up potentially identifying information on buyers and sellers. Once a long-list had been produced, it was filtered down to users likely to be operating in Britain, and further details were painstakingly pieced together from social media profiles and the LexisNexis TraceIQ database. Finally, Robin Henry drove around the country putting our findings to the dealers in person. The Sunday Times's investigation provides a revealing glimpse into the murky world of the dark net, showing how seemingly ordinary people lead double lives online. In many cases, photographs of Class A drugs were geolocated precisely to users' home addresses. In others, email addresses used in dark net encryption keys were re-used to register for Facebook and other social media services, providing direct links to real individuals.

Technologies used for this project:

Gwern Branwen's dark net backups are packaged as large .tar.xz archives containing all the publicly-facing content of each market, downloaded at periodic intervals. The volume of data is huge, so the first task was to identify the parts which would be most relevant to unmasking users. Acting on a tip from Data Editor Tom Wills, we focussed initially on users' PGP keys, writing a Python script to programmatically trawl through the backups searching for the telltale 'BEGIN PGP PUBLIC KEY BLOCK' string. For each key, the script ran the GNU 'gpg' tool to extract its fingerprint, including the associated name and email address, saving these in a large CSV file. Our second line of attack involved EXIF data -- specifically, latitude and longitude information embedded in photographs. We replicated the methodology of Harvard researchers Paul Lisker and Michael Rose (https://medium.com/@roselisker/illuminating-the-dark-web-d088a9c80240), searching each market for unique photographs and testing each one for EXIF data. To provide further flexibility, we re-implemented Lisker and Rose's shell scripts in Python and fed the output into a Google Fusion Table, resulting in a zoomable map of dark net locations across the UK.
Follow this project

Comments (0)

You have to be connected to contribute

You have to be connected to follow

Leave this project and no longer be informed about this project

By joining this project, you will be informed by email when an update or a new contribution is posted on the website.

Thank you for your active participation !

The GEN Community Team