Department of Justice Announces Wallstreet Market Seizure and Med3l1n Arrest
The United States Department of Justice announced the seizure of Wallstreet Market, the arrests of the three market administrators, the arrest of the support member Med3l1n, and the arrest of two of the most prolific vendors on Wallstreet Market.
Following a nearly two-year international investigation involving U.S. law enforcement and authorities in Germany and the Netherlands, federal prosecutors have charged three German nationals with being the administrators of Wall Street Market (WSM), which was one of the world’s largest dark web marketplaces that allowed vendors to sell a wide variety of contraband, including an array of illegal narcotics, counterfeit goods and malicious computer hacking software.
A criminal complaint filed Wednesday in United States District Court in Los Angeles alleges that the three defendants, who currently are in custody in Germany, were the administrators of WSM, a sophisticated online marketplace available in six languages that allowed approximately 5,400 vendors to sell illegal goods to about 1.15 million customers around the world. Like other dark web marketplaces previously shut down by authorities – Silk Road and AlphaBay, for example – WSM functioned like a conventional e-commerce website, but it was a hidden service located beyond the reach of traditional internet browsers, accessible only through the use of networks designed to conceal user identities, such as the Tor network.
For nearly three years, WSM allegedly was operated on the dark web by the three men who now face charges in both the United States and Germany. An “exit scam” was allegedly conducted last month when the WSM administrators took all of the virtual currency held in marketplace escrow and user accounts – believed by investigators to be approximately $11 million – and then diverted the money to their own accounts. Exit scams are common among large darknet marketplaces, which typically hold money in escrow while a vendor delivers illicit goods.
The three defendants charged in the United States were arrested in Germany on April 23 and 24. They are:
- a 23-year-old resident of Kleve, Germany;
- a 31-year-old resident of Wurzburg, Germany;
- and a 29-year-old resident of Stuttgart, Germany.
The complaint charges the men with two felony counts – conspiracy to launder monetary instruments, and distribution and conspiracy to distribute controlled substances. These three defendants also face charges in Germany.
A fourth defendant linked to Wall Street Market was charged yesterday in a criminal complaint filed in United States District Court in Sacramento, California. Marcos Paulo De Oliveira-Annibale, 29, of Sao Paulo, Brazil, also faces federal drug distribution and money laundering charges for allegedly acting as a moderator on WSM, who, among other things, mediated disputes between vendors and their customers. Annibale, who used the online monikers “MED3LIN,” also acted as a public relations representative for WSM by, among others things, promoting WSM on websites such as Reddit, according to the complaint. The case naming Annibale was unsealed today when Brazilian authorities executed a search warrant at his residence.
United States Attorney Nick Hanna:
“We continue to keep pace with sophisticated actors on the dark web by increasing our technical abilities and working even more closely with our international law enforcement partners. While they lurk in the deepest corners of the internet, this case shows that we can hunt down these criminals wherever they hide.”
United States Attorney McGregor W. Scott for the Eastern District of California.:
“We are on the hunt for even the tiniest of breadcrumbs to identify criminals on the dark web. The prosecution of these defendants shows that even the smallest mistake will allow us to figure out a cybercriminal’s true identity. As with defendant Marcos Annibale, forum posts and pictures of him online from years ago allowed us to connect the dots between him and his online persona ‘Med3l1n.’ No matter where they live, we will investigate and prosecute criminals who create, maintain, and promote dark web marketplaces to sell illegal drugs and other contraband.”
Assistant Attorney General Brian Benczkowski:
“Just as international law-enforcement partners began dismantling Wall Street Market and taking action against its members, as alleged in the complaint, the site’s administrators decided to steal their customers’ money via an exit scam. This operation sends a crystal-clear message: dark markets offer no safe haven. The arrest and prosecution of the criminals who allegedly ran this darknet marketplace is a great example of our partnership with law enforcement authorities in Europe, with the support of Europol, and demonstrates what we can do when we stand together.”
Assistant Director Paul Delacourt of the FBI’s Los Angeles Field Office:
“Investigators from many countries overcame the national, legal and diplomatic challenges to hold accountable sophisticated actors who operated one of the largest known encrypted marketplaces in the shadowy environment of the Darknet. This case is an example of successful global collaboration among law enforcement entities who share the many challenges of prosecuting transnational criminal activity conducted by individuals who operate anonymously across borders.”
The affidavit in support of the criminal complaint filed in Los Angeles outlines how the defendants operated a sophisticated online marketplace that offered encrypted communications between buyers and sellers, as well as an online forum to discuss vendors and the quality of their wares. The affidavit also describes an international investigation that was able to identify the three administrators of WSM, show how they previously operated another German-based darknet marketplace that shut down in 2016, and link them to computer servers in Germany and the Netherlands that were used to operate WSM and process virtual currency transactions.
The three defendants allegedly created WSM, maintained the website, and operated the marketplace to ensure that buyers could access vendor pages and that financial transactions were properly processed. The investigation outlined in the complaint affidavit linked the three defendants to WSM in a number of ways, including their access to the WSM computer infrastructure. One defendant, for example, used virtual private networks to access WSM computers, but when a VPN connection would fail, his IP was revealed and authorities were able to identify his specific location.
The three defendants charged in Los Angeles were arrested in Germany after the WSM administrators conducted an exit scam in the wake of WSM recently becoming regarded as the world’s pre-eminent dark web marketplace and gaining a significant influx of new vendors and users, according to the affidavit. On April 16, vendors realized they could not collect the virtual funds that had been placed in escrow by their customers, which prompted German authorities to execute a series of arrest and search warrants.
The complaint affidavit identifies several cases that have been filed in the United States against WSM vendors. One darknet vendor who advertised on WSM is currently serving a 12-year federal prison sentence after being convicted in the Western District of Wisconsin for distributing a fentanyl analogue resulting in the overdose death of a Florida resident who ordered a nasal spray laced with the powerful opioid from the vendor.
Wallstreet Market Vendor Arrests
Two of the “top vendors” on WSM – identified by the online monikers Platinum45 and Ladyskywalker – were based in the Los Angeles area and were major drug distributors. One vender, “Ladyskywalker,” operated on several darknet marketplaces, where the individual advertised and sold opioids such as fentanyl, oxycodone and hydrocodone. The second top vendor – who used the moniker “Platinum45” and operated on at least two darknet marketplaces, including WSM – advertised and sold drugs such as methamphetamine, Adderall and oxycodone to customers in the United States and around the world, including in Germany and Australia. “Platinum45” also manufactured Adderall tablets and advertised the sale of up to 1 kilogram quantities of methamphetamine on WSM.
DEA San Francisco Special Agent in Charge Chris Nielsen:
“The dark web marketplace, Wall Street Market, was one of the largest operating hosts for vendors peddling illegal wares. Law enforcement is always adapting to changes in technology and this case sends a clear message to those breaking the law and attempting to hide behind the illusion of anonymity – we will identify and find you. The success of this case is due to the excellent cooperation between law enforcement agencies from around the globe who delivered another blow to criminal networks operating in the underground cyberspace.”
Inspector in Charge Michael Ray of the Postal Inspection Service:
“Anyone who thinks the dark web is a safe place to conduct illegal commerce should know they are not anonymous. They will be found and they will be brought to justice. The Postal Inspection Service has a highly trained, skilled and committed cyber unit that works tirelessly with other law enforcement agencies to disrupt marketplaces and stop vendors from using the U.S. mail to ship illegal goods and dangerous drugs.”
Chief Don Fort of IRS Criminal Investigation:
“Taking down this site is a huge win for past and future victims of crimes perpetrated due to the proliferation of illegal products and services being sold. We are committed to using our unique financial investigative abilities to tackle these kinds of threats head on to protect citizens, to promote cyber security and to inform the global community.”
HSI Acting Executive Associate Director Alysa D. Erichs:
“HSI and our partners are at the forefront of combating narcotics trafficking, financial crimes and illicit activities purveyed by online black markets. While criminal operators may continue to grow the reach of their businesses through these dark web marketplaces, ultimately they do not escape the reach of law enforcement. We continue to investigate, disrupt, and dismantle hidden illegal networks that pose a threat in cyberspace.”
A complaint contains allegations that a defendant has committed a crime. Every defendant is presumed innocent until and unless proven guilty beyond a reasonable doubt.
The charges against the three WSM administrators were announced today in conjunction with authorities in Germany and the Netherlands.
Source: US Department of Justice
The Criminal Complaint
The full complaint is available here. Below is the text contained in the Probable Cause Statement section of the document.
Based on my discussions with a United States Postal Inspector who has been conducting virtual currency analysis related to WSM, I am aware of the following:
a. German Plaza Market (“GPM”), which launched in approximately Spring 2015, was a darknet marketplace (through which users transacted in Bitcoin) and shut down due to an “exit scam” in approximately May 2016.
b. Based on analysis of the Bitcoin Blockchain, during the time GPM was operational, a wallet referred to as “Wallet 2” received approximately 3,374 Bitcoin from funds believed to be associated with GPM.2 Further analysis of the Bitcoin Blockchain reveals that, prior to the creation of GPM, in or around May 2015, Wallet 2 sent Bitcoin to another wallet, referred to as “Wallet 1.”
c. Additionally, the last known transfer from wallets associated with GPM went to Wallet 2. Thus, based on this information, Wallet 2 is believed to be associated with the operators of GPM.
d. Based on analysis of the Bitcoin Blockchain, between February 2015 and March 2016, during which time GPM was operational, approximately 206 Bitcoin3 was transferred from Wallet 2 to Wallet 1.
e. In or around August 2016, Wallet 2 sent Bitcoin to a third wallet, denoted here as Wallet 3, from which, in or around September 9, 2016, four transfers of Bitcoin were sent to a wallet associated with WSM, which constituted the first identifiable transactions on the Blockchain associated with WSM.
f. Therefore, based on the training, experience, and knowledge of the team investigating the virtual currency transactions described herein, I believe that the administrators of GPM are also the administrators of WSM. After GPM administrators conducted an exit scam in May 2016, the Bitcoin wallet associated with GPM (Wallet 2) funded Wallet 3, which in turn funded a wallet associated with WSM before WSM became operational in October 2016. Therefore, this pattern means that the administrators of GPM likely transferred funds stolen from GPM to WSM, and then launched WSM. This belief is supported by KALLA’s admission, discussed in paragraph 33 below, that he and “coder420” (LOUSEE) and “TheOne” (FROST) were the former administrators of GPM.
Dutch and German Authorities Identify and Review the Infrastructure of WSM
- In the course of this investigation, the U.S. government collaborated with law enforcement from countries where the infrastructure for WSM was believed to be operating. Pursuant to a request for multilateral assistance from the United States, in or around April 2018, the Netherlands imaged a server in its country, believed to be the server hosting and/or processing virtual currency transactions for WSM. I reviewed a copy of that server (the “WSM Virtual Currency Server”). Based on my review, I believe that this server was in fact part of the WSM infrastructure, because, among other reasons, I found the following references embedded in the code of various files:
a. “Wall Street Market // created by the talented, good-looking coder. #NoNameshere :P.”
b. “‘WSM_BTC,’ 32Eurp1…_]”
c. SQL $db_name=“tulpenland_”
- Further, based on my review of the configuration (“config”) file, which serves as a control file on the server, I identified IP addresses for the other servers that were a part of the WSM infrastructure, including multiple IP addresses in Germany.
- German law enforcement, specifically, the Bundeskriminalamt (“BKA”), which had been conducting its own investigation parallel to the investigations conducted by the United States and the Netherlands, had also reviewed the WSM Virtual Currency Server. The BKA then conducted an investigation into the IP addresses in Germany identified in paragraph 18 above, believed to be part of the WSM infrastructure.
- In the course of BKA’s investigation, and pursuant to valid legal process in Germany, the BKA identified the servers operating WSM.
Through valid legal process, the BKA imaged a copy of the database of WSM. The BKA has reviewed that database and confirmed that the database held information for WSM. I have also reviewed that database and confirmed that it is part of the infrastructure enabling WSM to operate. For example, in my review of the database imaged by the BKA, I observed that the SQL database was named “tulpenland.”
In reviewing the WSM database, I reviewed the settings table. Based on my review of the settings table, I learned that it included conversations between The Administrators using the monikers “coder,” “TheOne,” and “Kronos.” Those conversations are in German and discuss, among other things, WSM server maintenance, concerns regarding vendors, and payments between The Administrators. Further, the settings table reveals that payments from WSM are split into three equal parts, one for each of The Administrators and paid once a month.
22. Additionally, the BKA advised me that in its analysis of the WSM infrastructure that was located in Germany, it found another server, located in the Netherlands, responsible for the development, testing, and updating of the WSM infrastructure (the “Gitlab server”). The Dutch National Police, in the course of its own investigation, and pursuant to valid legal process in the Netherlands, obtained an image of the Gitlab server. I also reviewed a copy of the image of the Gitlab server, and confirmed that it was part of the WSM infrastructure because of, among other things, the server contained programming code language for design, functionality, and maintenance of WSM. Additionally, I noted that there were three administrator accounts for the Gitlab server, with the following monikers: “coder420,” “TheOne,” and “Kronos,” which are similar to the administrative accounts identified in the settings table of the WSM database described in paragraph 21 above. Based on my training and experience, I know that separate administrator accounts on a development server, like the Gitlab server, signify multiple administrators with administrative rights and operational control over the Gitlab server and likely over the entire server infrastructure.
The Administrators of WSM Are LOUSEE, KALLA, and FROST LOUSEE
23. During the BKA’s investigation, the BKA determined the WSM administrators accessed the WSM infrastructure primarily through the use of two VPN6 service providers. The BKA determined that one of the administrators (based on the fact that this individual was accessing control elements of WSM to which only an administrator had access) used VPN Provider #1. Based on the BKA’s analysis of the WSM server infrastructure, the BKA noticed that on occasion, VPN Provider #1 connection would cease, but because that specific administrator continued to access the WSM infrastructure, that administrator’s access exposed the true IP address of the administrator. The BKA then investigated the true IP address and relayed to me the following:
- a. The BKA learned that the uncovered IP address belonged to a broadband, landline and mobile telecommunications company in Germany.
- b. The individual utilizing the above-referenced IP address to connect to the WSM infrastructure used a device called a UMTS-stick7 (aka surfstick). This UMTS-stick was registered to a suspected fictitious name.
24. Between January 17, 2019 and February 7, 2019, the BKA executed multiple surveillance measures to electronically locate the specific UMTS-stick. The BKA has advised me of the following, based on its surveillance measures: BKA’s surveillance team identified that, between February 5 and 7, 2019, the specific UMTS-stick was used at a residence of LOUSEE in Kleve, Northrhine-Westphalia (Germany), and his place of employment, an information technology company where LOUSEE is employed as a computer programmer. As discussed in paragraph 33.a below, LOUSEE was later found in possession of a UMTS stick.
25. Investigators have also requested, through legal process, information related to LOUSEE and various internet service providers. This information corroborates LOUSEE’s role as an administrator of WSM. For example, I am aware of the following:
a. According to the Dutch National Police, which issued legal process from Github, a platform for software and coding development sharing, LOUSEE holds an account with the user name “codexx420” similar to the administrator account “coder420” found on the Gitlab server.
b. According to results from Twitter and Apple that I have reviewed, obtained pursuant to U.S. court orders requiring such disclosures that I obtained, I found the following items:
- i. Pictures referencing virtual currency such as Bitcoin and Monero;
- ii. A picture referencing “Gitlab”;
- iii. A picture of a computer logged into a Gitlab account (unrelated to WSM) but related to LOUSEE’s employment as a computer programmer;
- iv. Pictures of LOUSEE consuming marijuana;
- v. Numerous references to “420,” including a license plate of LOUSEE’s vehicle and a sign on a bedroom wall with “420.”
26. Based on the information above, I believe that LOUSEE was the administrator whose account was “coder420.” KALLA
27. The BKA also investigated a second individual suspected to be an administrator, who was using VPN Provider #2, to access certain administrator-only components of the WSM server infrastructure. The BKA advised me, based on its investigatory process, that it learned that an IP address assigned to the home of this individual (the account for the IP address was registered in the name of the suspect’s mother) accessed VPN Provider #2 within similar rough time frames as administrator-only components of the WSM server infrastructure were accessed by VPN Provider #2. Based on my training and experience, I believe that this individual, later determined to be KALLA, accessed VPN Provider #2 to access administrator-only components of WSM server infrastructure.
28. As referenced below at paragraph 33.b, KALLA admitted that he was the administrator for WSM known as “Kronos.”
29. The third administrator for WSM was known as “TheOne,” and as described below, the investigation has further revealed probable cause to believe that FROST is “TheOne” for two primary reasons. First, as described below (at paragraph 30), the PGP public key for “TheOne” is the same as the PGP public key for another moniker on Hansa Market, “dudebuy.” As described below, a financial transaction connected to a virtual currency wallet used by FROST was linked to “dudebuy.” As explained above in paragraph 4.l, a PGP public key, in the context of darknet investigations, is likely a unique identifier to an individual. Second, as described below (at paragraph 31), investigators have identified a wallet used by FROST that subsequently received Bitcoin from a wallet used by WSM for paying commissions to administrators.
30. As mentioned above, FROST is believed to be “TheOne” because of a link between him and the “dudebuy” moniker on Hansa.
a. The BKA advised me that they located the PGP public key for “TheOne” in the WSM database, referred to as “Public Key 1”.
b. Based on my conversation with the same United States Postal Inspector mentioned above in paragraph 16, I learned the following regarding FROST:
- i. As reflected on an image of the Hansa Market (which was seized by law enforcement in 2017), Public Key 1 was the PGP public key for “dudebuy.”9 The “refund wallet” for “dudebuy” was Wallet 2.
- ii. Wallet 2 was a source of funds10 for a Bitcoin transaction that ultimately paid for services on October 15, 2016 at a company engaged in digital marketing (“Product Services Company”) via a payment processing company (“Bitcoin Payment Processing Company”). Records obtained from the Bitcoin Payment Processing Company revealed buyer information for that Bitcoin transaction as “Martin Frost,” using the email address email@example.com
- iii. Prior to WSM opening in October 2016, FROST used funds from a Bitcoin wallet (referred to as “Wallet 4”) to pay for two accounts with a video game company (the “Gaming Company”), for accounts with email address firstname.lastname@example.org, via a Bitcoin Payment Processing Company. After these transactions, Wallet 4 was funded by Wallet 2.
31. A second link connecting FROST to the administration of WSM is based on additional Bitcoin tracing analysis. Based on my conversations with the United States Postal Inspector conducting virtual currency analysis, I am aware of the following:
- a. Prior to WSM opening in October 2016, on September 3, 2016, funds from a Bitcoin wallet (referred to as “Wallet 5”) were used14 to pay for another account with the Gaming Company, for an account with email address email@example.com,15 via the Bitcoin Payment Processing Company.16 After this transaction, Wallet 5 was later funded (for other transactions) by wallets “associated”17 with The Administrators of WSM, that is, wallets receiving commissions from WSM (which are unique to administrators, who receive commissions for transactions on the marketplace).
WSM Is Believed to Have Conducted an Exit Scam, Leading the BKA to Arrest Suspected Administrators LOUSEE, KALLA, and FROST in Germany
32. In or around April 2019, WSM experienced massive popularity and then commenced an “exit scam,” presumably in response to its increased popularity. Based on reviewing opensource commenting on darknet forums, I am aware of the following:
- a. On or about March 25, 2019, WSM became broadly regarded as the pre-eminent darknet marketplace because of the advertised shutdown of another competing darknet marketplace.
- b. Shortly thereafter, WSM experienced an influx of new buyers and vendors, and its management team stated publicly that it needed to account for the growth by expanding server capacity.
- c. On or about April 16, 2019, vendors on WSM could not withdraw funds from their escrow accounts; that is, they could not repatriate proceeds for contraband that was sold.
- d. Between April 22 and 26, 2019, members of the public shared that their own analyses of virtual currency transactions revealed that large amounts of virtual currency, estimated between $10 and $30 million, were being diverted from wallets believed to be associated with WSM to other virtual currency wallets.
33. In response to the suspected exit scam, the BKA obtained, pursuant to German laws, various search and arrest warrants related to LOUSEE, KALLA, and FROST. Based on my conversations with the BKA, I am aware of the following:
- a. On the day of LOUSEE’s arrest, before the BKA arrested LOUSEE, BKA observed a connection to WSM infrastructure (which is only done by administrators) from the UMTS-stick, and through electronic surveillance, determined that the UMTS-stick used to access the WSM infrastructure was at LOUSEE’s residence at the time. Upon the execution of LOUSEE’s arrest, the BKA noticed LOUSEE’s computer was unlocked and located a UMTS-stick that is believed to have been used to log into WSM, as described in paragraphs 23-24 above.
- b. KALLA was arrested, and, after being advised of his rights under German law, confessed to being an administrator of WSM, known as “Kronos.” He admitted that he maintained a technical role with respect to WSM and identified the location of the WSM forum. He also admitted that he was involved in the administration and operation of a prior darknet marketplace, GPM (described in paragraph 16.a), along with “coder420” and “TheOne.”
- c. FROST was arrested.