OpSec Fails Compilation
#1
I just searched for an OpSec Fails thread and was surprised to find none. In my opinion, the best way to learn OpSec is to see how others got deanonymized, what their mistakes were and how to avoid them. This is a pretty straightforward process; the only thing that is hard about it is finding information on those exact fuckups. Back in the day the officials were sometimes even bragging about their success when they caught someone, and these reports were great to learn from for your own security. One example is the famous "Dread Pirate Roberts" who operated the Silk Road marketplace; the story of his capture is documented in detail. He did a lot of very stupid things, like using a forum account tied to his personal email to promote the Silk Road, so there's not too much to learn from this.
Newer deanonymization tactics however are most often kept secret, see for example the recent Emotet botnet operator bust. There is no information whatsoever on how these people were found. Some paranoid fellows even suspect that one agency or another is already sitting on a bug in the Tor network and secretly uses it without ever speaking about it to avoid any fixes.
Now the point of this thread is to share any news or information on how people got deanonymized due to bad OpSec. I encourage you to share anything you have got and will come back to this thread every once in a while to post something myself.
Reply
#2
https://www.dailydot.com/unclick/tor-har...b-suspect/

On the technical side this guy did everything correctly with regards to masking his identity, using Tor and an anonymous email account. It failed because he accessed Tor from the university network itself around the same time the threats were received and that flagged him as a suspect. On its own that might not have been enough to convict but I understand he folded like a wet paper bag under interrogation.
Reply
#3
Credits to /u/jeffreyepstein on Dread

How 'they' got caught (Episode One)


1.) Cthulhu (Admin on Silk Road 2.0)


Thomas White (Cthulhu), 24 (at the time of his arrest) was a hidden service developer and administrator of Silk Road 2.0.

I personally remember messaging him, but I can't remember that much about him. He used to lie out of his ass, most of what he said could not have been true, that's all I remember. It's been ages, was he the founder?

Anyway, he's attracted to underaged boys and his personal life revolved around grooming these boys. He set up a GTAV roleplay server and coaxed young boys in with offers of high staff positions.

I don't know how many boys he ended up abusing but he got caught when he asked a boy for indecent images in return for money. That boy then went and told the staff on the server, who then told the police.

Police raided Thomas' flat and found the evidence of his dark web career and also 500 indecent images of children. He was sentenced to five years and four months, which isn't that much to be honest. Big *oof*, little *ouch*.

Lesson to be learnt from this is obvious.

(I think he is out of jail now)



2.) SayNoToCustoms [aka. kakashisan](Vendor on Alphabay + Dream)


Matthew Witters (SayNoToCustoms) was a vendor on Alphabay Market and Dream Market who sold only Fentanyl and Xanax. Some people on this forum might have known him or bought product from him. But, don't fear, you're probably fine. His downfall wasn't the fault of his own, but of someone else (speculated to be his suppliers).

Matthew Witters from Seattle was caught after "his contact information and dark web nicknames were found in houses linked to drug trafficking in California and Oklahoma".

It's suspected these people were his suppliers and had got into a bit of trouble with law enforcement. Anyway, they didn't take responsibility properly when it came to their clients' information. No encrypted drive, just a piece of paper with Matthew's information on it.

This is one of those stories where it's at no fault of the person themselves. He got caught because of other people's stupidity. Data retention is important and those who keep data "just because" are a massive risk. Especially those who write sensitive information on paper! Unlucky.

Matthew had a safe deposit box he leased, police found "$165,000 in cash, a Glock handgun, suspected controlled substances, and mailing labels". So he was doing pretty well for himself, it's a shame someone tripped him up.

Lesson learnt. Be careful who you do business with.



3.) LulzSec (Hacking group)


LulzSec was an infamous black-hat hacking group responsible for the attack on Bethesda Game Studios (from which they stole 200,000 accounts), also the Sony attack that downed PSN, and many other attacks.

The LulzSec leader was called Sabu (or his real name Hector Xavier Monsegur). Sabu was actually found out and his real identity was publicised by rival enemy hacker group TeaMp0isoN way before he was found by law enforcement. TeaMp0isoN's identification of Sabu was later shown to be accurate - I don't know how they found it out but it probably gave the feds a lead which led to Sabu's capture.

Sabu was under surveillance (probably because of TeaMp0isoN) and his internet access was being monitored. He normally used Tor when connecting to an IRC, but he wasn't consistent. Because of that one time he didn't use Tor to connect to the IRC the FBI found him out, and this was the start of the downfall for the whole of LulzSec.

After Sabu was caught he started to collaborate with law enforcement. For some of the members in LulzSec he only knew bits of information. With the user sup_g for example, Sabu didn't know his real identity but he knew random things about his life. He knew he was arrested at a certain point, he knew he was involved with some political groups. With all this information the police did some 'guess who' forensics, as the more data points you have the more you can narrow the suspect pool down.

When police correlated the times sup_g was online they were able to get an approximate area of where he might live, and combined with all the other data sup_g was found out to be Jeremy Hammond.

You can learn so many lessons from the LulzSec story. Number one: don't make enemies; number two: always use Tor; and three: don't leak random information.



4.) Paul Le Roux (Crime Boss)


I personally think this guy created Bitcoin, but that story is for another day (he had a passport with the name soloshi, and his arrest coincides with Satoshi's disappearance, among other things!). Anyway.

Paul Le Roux is probably by far one of the most far-reaching criminal bosses to have ever lived. He started out illegally selling prescription medicine in the US (fueling the opioid epidemic), he funded militias in Somalia, and even had teams of hitmen running around South Asia.

Le Roux wasn't around long enough to see the popularity of Tor blow up, but he did use VPNs, encrypted drives, and a temporary email system.

Everything started to fall apart for Le Roux when he angered too many people and made too many dumb decisions. Firstly, he angered the DEA and the company name he used to illegally infiltrate the US drugs market was named after him. The DEA had been on his tail for a long time, they were just trying to get enough proof to arrest him.

Paul Le Roux wasn't the best person; he was cocky, cheap, and a bit weird. When he wasn't beating the shit out of prostitutes he was being paranoid. Le Roux killed his right-hand man, Dave Smith, and after that everything came falling down. His men started to become paranoid that Le Roux would have them killed and they started to become informants. One of the informants set up a meeting, and Le Roux, being cocky, verbally leaked most of everything out to an undercover officer.

When he was arrested, he started to comply immediately (similar to LulzSec's Sabu) and turned on all of his old employees. He signed a plea deal and is expected to have the time he spent being a snitch count as 'time served'.

Lessons to learn. Don't be overly paranoid, don't name something after yourself, and don't stretch yourself too thin with criminal endeavors.



5.) Hieu Minh Ngo (Hacker)


Hieu Minh Ngo was a Vietnamese hacker who in 2015 was charged with hacking into United States businesses’ computers and selling personal information. He ran multiple hacking forums on the dark web, I don't know what ones though.

He was actually a university student studying English and had no background in hacking. But that didn't stop him from hacking his school's network, which allowed him to expose payment card data.

If you look at a lot of these hackers they don't have a background in software security. Thomas White from Silk Road 2.0 for instance, did Accounting at university and then dropped out.

Hieu Minh Ngo hacked and stole information and identities of 200 million people and made upwards of $1.9 million (from what the Department of Justice could find).

His downfall was caused when he lost his head and became gullible. An undercover agent lured him to Guam for a business deal and as soon as he landed he was arrested. Of course it looks bad in hindsight; I couldn't tell you what was going through his head.

Lesson to learn. Trust no one. I'm sure we have all fallen for a scam or two, but this was a major *oof*.



6.) Eldo Kim (Harvard Bomb Threat Maker)
This is the same case XUnit posted about already

Eldo Kim was a sophomore at Harvard University and desperately wanted to get out of taking his final exams. His idea to get out of it: send a bomb threat to Harvard student news and some officials.

Eldo used Tor on campus and used Guerrilla Mail to send the threats to the people. Guerrilla Mail puts an `X-Originating-IP` property within the header on their emails.

This was quite unlucky for Eldo as all Tor nodes are publicly known. Someone was able to look at the originating IP in the header to see that it was a Tor node. And then from there the university looked at who was using Tor at that specific time on university campus.

Eldo was the only person at that time using Tor.

When police went to question him, he immediately admitted to creating the bomb threats to get out of his final exam. If he had kept quiet it's quite possible he may have gotten away with it.

Lessons to be learnt. When faced with the law, don't immediately admit to doing something. If you're on campus, hide your Tor usage. And revise so you don't have to resort to making bomb threats to get out of exams.
Reply
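The Eldo Kim case above (and the sup_g "guess who" correlation in the LulzSec section) boil down to one triage workflow: pull the originating address out of a mail header, check it against the published Tor exit-node list, and then correlate the send time with gateway logs of who was talking to Tor in that window. The script below is an added example, not code from the post or from any tool it names; the header, the exit list and the campus connection log are all constructed sample data using documentation IP ranges, and the `triage` helper and its window parameter are my own names.

```python
import re
import ipaddress
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample header in the style the post describes (a webmail
# service that stamps X-Originating-IP). 198.51.100.0/24 is a documentation
# range, not a real Tor node.
SAMPLE_HEADERS = """Received: from webmail.example.test (webmail.example.test [203.0.113.10])
Date: Mon, 16 Dec 2013 08:30:00 -0500
From: anon@example.test
To: news@university.example
Subject: constructed sample message
X-Originating-IP: [198.51.100.7]
"""

# Constructed stand-in for the public Tor exit-node list. In practice this is
# fetched from the Tor Project's published bulk exit list.
TOR_EXIT_LIST = {"198.51.100.7", "198.51.100.8"}

# Constructed campus gateway log: (UTC timestamp, account) for each
# connection to a known Tor relay seen at the network edge.
UTC = timezone.utc
CAMPUS_TOR_CONNECTIONS = [
    (datetime(2013, 12, 16, 13, 22, tzinfo=UTC), "user_a"),
    (datetime(2013, 12, 16, 14, 5, tzinfo=UTC), "user_b"),
    (datetime(2013, 12, 16, 18, 0, tzinfo=UTC), "user_c"),
]

ORIG_IP_RE = re.compile(r"^X-Originating-IP:\s*\[?([0-9a-fA-F:.]+)\]?\s*$", re.M)
DATE_RE = re.compile(r"^Date:\s*(.+)$", re.M)


def extract_originating_ip(raw_headers):
    """Return the X-Originating-IP value as a normalised string, or None."""
    m = ORIG_IP_RE.search(raw_headers)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group(1)))
    except ValueError:
        return None  # header present but not a valid address


def is_tor_exit(ip, exit_list=TOR_EXIT_LIST):
    """True if the address is on the (here: constructed) exit-node list."""
    return ip is not None and ip in exit_list


def header_date(raw_headers):
    """Parse the RFC 5322 Date header and normalise it to UTC."""
    m = DATE_RE.search(raw_headers)
    if not m:
        return None
    return parsedate_to_datetime(m.group(1)).astimezone(UTC)


def candidates_in_window(sent_at, window_minutes, log=CAMPUS_TOR_CONNECTIONS):
    """Accounts that connected to Tor within +/- window_minutes of sent_at.

    A narrow window shrinks the pool; each extra data point (time, location,
    prior events) is another filter on the same list.
    """
    window = timedelta(minutes=window_minutes)
    return sorted({who for ts, who in log if abs(ts - sent_at) <= window})


def triage(raw_headers, window_minutes=15):
    """Full pipeline: header -> Tor check -> correlated candidate accounts."""
    ip = extract_originating_ip(raw_headers)
    sent_at = header_date(raw_headers)
    via_tor = is_tor_exit(ip)
    return {
        "originating_ip": ip,
        "via_tor": via_tor,
        "sent_at": sent_at.isoformat() if sent_at else None,
        # Only correlate when the sender was a Tor exit; a direct IP needs no
        # timing analysis and a non-Tor address would point elsewhere.
        "candidates": candidates_in_window(sent_at, window_minutes) if via_tor and sent_at else [],
    }


if __name__ == "__main__":
    for minutes in (15, 60):
        print(minutes, triage(SAMPLE_HEADERS, minutes))
```

With a 15-minute window the constructed log yields a single account, which is the situation the post describes; widening it to an hour brings a second account into the pool, which is why the time correlation alone is rarely conclusive and why the other data points matter.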
#4
While most of the Lulzsec crew were sloppy, Kayla/lolspoon had quite good opsec and was only caught because of a freak accident. From his AMA on reddit


"I was going to leave the internet (before LulzSec) so I decided to write a script to login to the @lolspoon account and post random sentences. At the time it wasn't written to pass through a proxy, it was going on a hacked box so there was no need to proxy it. Windows decided to freeze so I did what everyone else does when the computer freezes CLICK FUCKING EVERYWHERE AND BASH THE KEYBOARD. Sadly I accidentally executed the script which logged in to the @lolspoon account leaving my real IP in twatters logs."

Moral of this story is use Tails or Whonix, any system where careless keyboard mashing won't reveal your real IP.
Reply
#5
(03-04-2021, 04:45 AM)XUnit Wrote: While most of the Lulzsec crew were sloppy, Kayla/lolspoon had quite good opsec and was only caught because of a freak accident. From his AMA on reddit


"I was going to leave the internet (before LulzSec) so I decided to write a script to login to the @lolspoon account and post random sentences. At the time it wasn't written to pass through a proxy, it was going on a hacked box so there was no need to proxy it. Windows decided to freeze so I did what everyone else does when the computer freezes CLICK FUCKING EVERYWHERE AND BASH THE KEYBOARD. Sadly I accidentally executed the script which logged in to the @lolspoon account leaving my real IP in twatters logs."

Moral of this story is use Tails or Whonix, any system where careless keyboard mashing won't reveal your real IP.


And avoid bashing the keyboard if you can, the hardware is your partner
Reply
#6
Just found this one really hilarious:

Quote:What’s especially interesting is that it seems that the attacker infected his own device, possibly for testing or troubleshooting purposes, but never actually removed the malware — so screenshots of their own device were also being sent back to the C2 server! This is a big failure in their operational security as it gives us direct insight into some of the attacker’s tactics and operation.

Read more here:
https://blog.sucuri.net/2021/03/trojan-s...tacks.html
Reply
#7
(03-04-2021, 06:39 PM)enmafia2 Wrote: Just found this one really hilarious:

Quote:What’s especially interesting is that it seems that the attacker infected his own device, possibly for testing or troubleshooting purposes, but never actually removed the malware — so screenshots of their own device were also being sent back to the C2 server! This is a big failure in their operational security as it gives us direct insight into some of the attacker’s tactics and operation.

Read more here:
https://blog.sucuri.net/2021/03/trojan-s...tacks.html


I always have a hard time understanding how presumably technical hackers, who can exploit web vulns and run a C&C server to exploit lots of machines, get the basic opsec so wrong: using Discord, using Windows, infecting themselves, etc.
Good opsec should be the foundation of everything we do online, especially when the things you want to do could lead you to prison
Reply
#8
(03-05-2021, 12:52 AM)Wipe_TS Wrote:
I always have a hard time understanding how presumably technical hackers, who can exploit web vulns and run a C&C server to exploit lots of machines, get the basic opsec so wrong: using Discord, using Windows, infecting themselves, etc.
Good opsec should be the foundation of everything we do online, especially when the things you want to do could lead you to prison

I remember reading that some con artists are surprisingly easy to scam, because they're so used to being in control that they can't get their head around the idea they could be a victim. Maybe it's something similar here, or just a general hubris, that kind of thing
Reply
#9
(03-05-2021, 03:31 AM)XUnit Wrote:
I remember reading that some con artists are surprisingly easy to scam, because they're so used to being in control that they can't get their head around the idea they could be a victim. Maybe it's something similar here, or just a general hubris, that kind of thing

That's interesting, you never know when the hunter becomes the prey.
Always keep your head cool and never trust that you know everything, because you surely don't; no one does, after all.
Reply
#10
Really hard to believe when you know that some of these "hackers" do big things and get caught for really obvious mistakes. Never neglect your opsec, it's what will save your life someday.
Reply

