[ziddoap]

Which ones of my list had great opsec? I'm not denying what you said, it only takes one slip up, but in the cases I mentioned by name:

AlphaBay used their regular hotmail account to send password reset emails, and that email was tied to their LinkedIn.

Freedom Hosting was taken down because the operators used outdated FF with javascript enabled.

Silk Road's Ross Ulbricht posted his personal Gmail address, linking the identities.

All of these are profound opsec failures, not just an oopsie that led to getting caught by talented LEOs.

[jstarfish]

What sort of answer are you looking for? All of these proprietors are human. Humans make mistakes and act irrationally at times. Criminal enterprises are complex. Opportunity for mistakes increases with scale. The guy who ran Doxbin is the only high-profile case I can think of with apparent-flawless opsec, and that much only because he bailed before the long tail caught up to him.

The tightest opsec I've ever seen is maintained by disability fraudsters. Privacy laws protect the evidence anybody would need to present against you, so as long as you keep doctor-hopping and never admit to anything, nobody can touch you. These people tend to be reclusive and not public-facing, but with such low risk comes low reward-- there's no real money to be made in it.

(...unless you're the doctor knowingly signing off on false diagnoses. This increases scale, at which point, the more of those you write, the greater the chances of some mistake made by you or any single one of your patients bringing the whole enterprise down.)

[ziddoap]

>What sort of answer are you looking for?

They said that some of the 3 I listed by name had "great opsec". I am curious which one of those they thought was great, and laid out why I think the opsec in these cases was really far from "great".

Maybe when they said "those listed", they were referring to the list on the website and not my list. In that case, I misunderstood and obviously my comment doesn't make much sense. But I presumed they were referring to my list.

>Humans make mistakes and act irrationally at times. Criminal enterprises are complex.

Agreed on both fronts.

But I think that the severity of mistakes is a scale, and some of the really big players on the darknet have made mistakes that I argue is much closer to the "really dumb mistake, trivially avoided" end of the scale, such as using your LinkedIn email to run your multi-million dollar black market.

>Opportunity for mistakes increases with scale.

Agreed. But none of the three examples I listed by name were affected by scale. Using outdated software with known vulnerabilities, posting your own email, and using an email connected to your LinkedIn are all not issues of scale.

Edit to clarify, as I think people may be misunderstanding me (maybe? hard to tell from just downvotes and no replies):

Opsec is hard. 100%. You have to maintain it basically forever, which makes it really hard.

But, if I walk into a bank intending to rob it and start shouting out my full name and address (or, say, left my drivers license at the scene), people would have a jolly laugh at how bad of a robber I was. This is analogous to using the same email to run your multi-million dollar black market as well as sign up for a LinkedIn account. Most people would agree that in my hypothetical, the robber made some really trivial mistakes. I'm not sure why it's so hard to say that for these darknet operators that basically did the same thing, but in computer form.

[sacrosanct]

Compartmentation is the bedrock of good op-sec. Throwaway identities that are single use and then forgotten about.

Dwell time is important too. The longer you stay in the game, the greater chance you’ll slip up.

[gleenn]

The original Silk Road supposedly had amazing opsec but they caught him because one time he used the same, oblique username to register something many years previous IIRC.

[Closi]

It sounds pretty easy to inadvertently visit a site on an old laptop with javascript enabled. Is this what counts as a profound opsec failure these days?

Remembering that you only have to make an error like that once.

And if all these high-profile people manage to get caught (It seems like pretty much everyone that isn't a nation state ends up getting found eventually!) then maybe it's not that these people are terrible at Opsec, it's maybe that it's much harder than it looks, especially when the government has access to tools that you have no idea about, and maybe it's inevitable that you make an error if you are a human operating for a long time, regardless of 'opsec' skillz.

[ziddoap]

>And if all these high-profile people manage to get caught (It seems like pretty much everyone that isn't a nation state ends up getting found eventually!) then maybe it's not that these people are terrible at Opsec, it's maybe that it's much harder than it looks,

I tried to make it explicitly clear, over several different comments in this thread, that I'm not saying opsec in general is easy nor am I saying that everyone who has been caught has made these easy-to-avoid mistakes. I am struggling to think of yet another way to word it, but here I go one last time:

A robber goes into a store and steals a bunch of money. On the way out, they leave their drivers license on the counter. Can we agree this would be a dumb mistake? This doesn't mean that all robbers ever caught made dumb mistakes; some robbers are caught through extraordinary police work and with the help of several technologies (DNA, facial rec, whatever). Those robbers, while still potentially making mistakes that lead to their arrest, have not made extraordinarly dumb mistakes like leaving government-issued identification at the scene of the crime.

This concept applies to opsec and computers as well. You can slip up once and be caught through the smallest of mistakes. Or you can literally tell everyone who you are and be caught that way. Both are mistakes, but one is a trivially avoided stupid mistake, and the other is not.

Many other operators (of dark markets, ransomware gangs, etc.) have been caught, but I did not include them because the ways they were caught did not appear to be through dumb mistakes, but through intense technical means.

[yieldcrv]

Okay, how about that darknet market where their frontend got seized by the Feds with the big "website seized" plaster, and then the market operator seized it back, that was hilarious

the server was never seized and the operator was never sei

what about the currently existing markets still up? just one trip to dark.fail to check

[MikeDelta]

Maybe the dark web makes people feel safe and they let their guard down? I cannot imagine why else someone would use their own email address in any transaction or operation.