Federal investigators identified a darkweb opioid dealer by linking Bitcoin transactions to the dealer’s home I.P. address.
Daren James Reid, 35, of Fort Lauderdale, used darkweb markets to distribute oxycodone, according to a recent plea agreement. Using the monikers “Oxyflight” and “Imperial Royalty,” Reid sold over 12,000 oxycodone pills on Silk Road, WallStreet Market, Apollon, Dream, and other markets. He also admitted selling between 3,000 and 10,000 kilograms of marijuana.The sales yielded more than $500,000 in gross profit, the government announced. During a raid of a storage facility used by Reid, police found over one kilogram of oxycodone, morphine, and other pills.
This month, Reid pleaded guilty to unlawful distribution and possession with the intent to distribute oxycodone.
The investigation into Reid began in April 2019, according to an affidavit by Special Agent Jacob Ellis with the Food and Drug Administration – Office of Criminal Investigations (FDA-OCI). In 2019, the Federal Bureau of Investigation conducted controlled purchases of oxycodone pills from one of the vendor accounts controlled by Reid. In 2020, the FDA-OCI conducted similar undercover purchases via an encrypted email address advertised on Reid’s “Imperial Royalty” vendor profile.
Federal investigators contacted Reid through the email address “ImperialRoyalty@secmail.pro” where the vendor advertised “direct deal” transactions. During the investigation, feds purchased oxycodone pills via a direct deal on several occasions. Special Agent Ellis described one such instance:
In February 2020, an undercover FDA-OCI agent ordered 22 Oxycodone pills from ImperialRoyalty via encrypted email address ImperialRoyalty@secmail.pro. This email address was previously listed on darkweb markets as a way to contact ImperialRoyalty. On or about February 5, 2020, ImperialRoyalty provided a bitcoin address ending Umgt as a payment address to the undercover FDA-OCI agent. On or about February 5, 2020, the undercover FDA-OCI agent sent bitcoin to the ImperialRoyalty First Direct Deal Address to purchase controlled substances.
On or about February 10, 2020, the FDA-OCI agent received 22 pills as ordered from ImperialRoyalty. These pills were white in color, bearing the letters “RP” on one side and “30” on the other. Based on my training and experience, these markings are consistent with the FDA approved Oxycodone Hydrochloride 30mg tablets produced by Rhodes Pharmaceuticals.
All of the transactions described in court documents involved a similar process.
The Bitcoin addresses sent from the vendor to the investigators provided law enforcement with a potentially simple route to identification of Imperial Royalty. Special Agent Ellis, who previously investigated money laundering with the Secret Service, described an analysis of the Bitcoin transactions that ultimately led to Reid’s identification and subsequent arrest.
The analysis was simple; investigators spotted “transfers” from the Bitcoin addresses provided by Imperial Royalty to Bitcoin addresses associated with Paxful, a popular Bitcoin exchange. Paxful, like any law-abiding establishment, provided the feds with information about the account associated with the transactions in question. The information from the exchange included a username, an email address (firstname.lastname@example.org), and at least three I.P. addresses used to access the Paxful account.
The first I.P. address was associated with a Verizon account. Feds tried to pull subscriber information from Verizon and succeeded in obtaining the number to which the I.P. address had been assigned. However, there was not any additional information linking the number to Reid. SA Ellis wrote that the number was likely the equivalent of a burner phone. Thse second I.P. address, an address associated with an Access Media Holdings account, also had no subscriber information identifying Reid directly. The account was registered to Nola Loft, Reid’s apartment complex in Fort Lauderdale but did not have a name on the account. SA Ellis noted that the same I.P. address had, however, accessed a Paxful account with the email address “email@example.com.”
The third I.P. address, a Comcast address, provided investigators with all the evidence they needed to link a name to the Paxful account:
- The subscriber’s name, Darren Reid;
- The subscriber’s service address in Hallandale, Florida;
- The subscriber’s billing address in Fort Lauderdale, Florida and;
- The subscriber’s phone number.
Feds obtained records from Google pertaining to the email address associated with the suspect’s Paxful account. One of the I.P. addresses used to access the email address matched one of the I.P. addresses provided by Paxful.
SA Ellis used an “public internet database” searches to match the email address “firstname.lastname@example.org” with the name “Daren Reid.”
Then the feds received a search warrant for both Gmail addresses associated with Reid. The warrants paid off. They found an email:
in the email@example.com email account showing a large collection of pills stamped “M” on one side and “30” on the other side (the same stamps as on pills purchased by the FDA-OCI undercover agent on or about April 8, 2020, as further described in Paragraph 16) and a printed image of the word “OxyFlight.” Based on my training and experience, the pills shown in this image are visually consistent with FDA approved genuine 30 mg Oxycodone Hydrochloride pills manufactured by Mallinckrodt Pharmaceuticals.
They also found a picture of a Bitcoin transaction involving the address “1PrswF8ENq55EvMZJTrh8BCBSuZ8q,” according to court documents (although this address does not appear to be a valid Bitcoin address, this article continues with the understanding that investigators did in fact work with a valid Bitcoin address).
This address, SA Ellis noted, received a total of $37,869.01 between August 2012 and November 2012 of which $37,212.90. The Bitcoin came directly from Silk Road. Investigators searched Silk Road servers for OxyFlight records. The vendor had approximately 2,500 sales totaling approximately $540,000. In addition, several bitcoin wallets associated as payment withdrawal addresses for funds from Silkroad Marketplace to OxyFlight referenced the email address firstname.lastname@example.org in some undescribed way.
In June 2020, law enforcement obtained authorization for a pen register/trap and trace (“PRTT”) device for the Access Media Holdings’ account. Investigators identified 10 connections between the I.P. address associated with the account and Tor relays. These connections took place between July 2 and July 28.
Before conducting physical surveillance, law enforcement served a 2703(d) order (required disclosure of customer communications or records) to Instagram for an account with the username “ying.yang1883” and two other accounts the investigators had linked to Reid through open-source intelligence gathering. In August, investigators visited the apartment where Reid lived and introduced themselves to the apartment manager. The apartment manager provided them with Reid’s contact information.
During the final stage of the investigation, law enforcement officers conducted physical surveillance at areas associated with Reid. They witnessed him drive from his apartment to a USPS Blue Box where he dropped off a Priority Mail envelope. Later, investigators took custody of the package, noted similarities between it and the packages law enforcement had received after conducting undercover purchases from Imperial Royalty
Reid pleaded guilty to unlawful distribution and possession with the intent to distribute oxycodone. He is scheduled to be sentenced on June 1 and faces a maximum penalty of 20 years in prison.