Florida Darkweb Vendor Forfeits $34 Million in Crypto
According to an announcement from the U.S. Attorney’s Office for the Southern District of Florida, a judge entered a default judgment in favor of the United States against $34 million

The majority of Bitcoin sent to the defendant's wallet came from a darkweb market.
The forfeiture action results from an investigation into a prolific seller of hacked online account information on an unspecified darkweb marketplace. According to investigators, in January 2017, the vendor (identified only as “Moniker 1”) had completed more than 100,000 transactions. This number increased during the investigation. The completed transactions included several purchases by undercover law enforcement officers, including:
Court documents identified AlphaBay as a market used by the defendant. The defendant admitted conducting “transactions using Bitcoin, Ethereum, and other cryptocurrencies” on Silk Road, Agora, Nucleus, AlphaBay, Dream Market, Abraxas, Sheep, and Evolution. I think only AlphaBay and Dream meet the conditions for the market where investigators conducted undercover purchases.
[Image: The defendant transacted on several markets but specifically admitted selling only on AlphaBay.]
“In or around 2016, law enforcement agents identified two residences in Florida linked to Moniker 1 after Moniker 1 provided the addresses as the shipping address when he or she previously purchased narcotics from Dark Web marketplaces,” according to court documents.
The person associated with the shipping addresses lived at a residence in Parkland, Florida. Investigators identified the resident. Then, presumably using a pen register, investigators monitored internet traffic to and from the Comcast I.P. address associated with the residence.
“Internet traffic to and from the Comcast I.P. address between in or around December 2016 and March 2017 revealed numerous internet connections from the Parkland Residence on the TOR network. In addition, the internet traffic data showed correlations between when the TOR network was accessed at the Parkland Residence and when messages were received from Moniker 1 by the law enforcement officer(s) making the undercover purchases.”
Police identified the defendant’s PNC bank account and obtained copies of their transaction history. The transactions made by the defendant were “consistent with that of a Dark Web vendor converting virtual currency into cash using LocalBitcoins.com,” according to court documents.

On May 16, 2017, law enforcement agents executed a federal search warrant for the defendant’s residence in Parkland. The items seized by police included a laptop owned by the defendant. The seizures of the defendant’s various cryptocurrency wallets took place from May 2017 through June 2017.
On May 16, 2017, police seized 919.30711258 ETH from the Ethereum wallet address <code>0x71949d87258c4ca6827730c337f80907d73c7800</code>. In June 2017, police seized 418.51177 BTC from the Bitcoin wallet address <code>12EZr5x8mFpxS6ypNobhPXmyj4BbRkm6GW</code> and 221.76 BTC “formerly held” in the same wallet.
Blockchain analysis revealed that approximately ninety-six percent of the Bitcoin in the defendant’s wallet came from darkweb marketplaces or exchanges. Over fifty percent of outgoing transfers were made to peer-to-peer exchanges, including LocalBitcoins.com.
“Individual 1 told law enforcement agents that he or she obtained the ether in the Ethereum 7800 Wallet by converting bitcoins earned from unlawful online Dark Web transactions involving the sale of hacked online account information. Individual 1 converted the bitcoins to ether using a virtual currency exchange that did not require users to provide personal identifying information until in or around 2019, thus, providing an additional layer of anonymity.”
Based on information from other court documents, ShapeShift appears to be the exchange referenced above.
“Law enforcement agents were able to confirm that Individual 1 exchanged bitcoins obtained from Dark Web marketplaces for the ether held in the Ethereum 7800 Wallet through an analysis of the blockchain history for both the Ethereum 7800 Wallet and Bitcoin m6GW Wallet, the transactional activity at Virtual Currency Exchange 1, and historical exchange rates for the transaction dates.”
“A review of the Ethereum blockchain history showed that approximately 919.30711258 ether was deposited into the Ethereum 7800 Wallet via nine (9) transactions between on or about March 16 and 17, 2017. These deposits were traced back to a known Ethereum address associated with Virtual Currency Exchange 1.
“Further, a review of the blockchain Bitcoin history showed that approximately thirty-two (32) bitcoins were sent via nine (9) transactions from the Bitcoin m6GW Wallet to other Bitcoin addresses, and from those addresses, transfers were made to Virtual Currency Exchange 1.”
“When these blockchain histories were compared with historical exchange rates, the same transfer amounts for the nine (9) transactions were shown on each respective blockchain, further confirming that bitcoins from the Bitcoin m6GW Wallet were converted to the ether coins eventually seized from the Ethereum 7800 Wallet.”
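The comparison described in the complaint (outgoing amounts on one chain, incoming amounts on the other, reconciled with historical exchange rates) can be sketched as follows. This is an added example, not code or data from the court filing: every amount, timestamp and rate is a constructed sample value, and the function names, the two-hour window and the 2% tolerance are assumptions.

```python
from datetime import datetime, timedelta
from decimal import Decimal as D
# Constructed sample data (NOT values from the court filing).
BTC_OUT = [  # (time sent toward the exchange, BTC amount)
    ("2017-03-16T10:05", D("3.50")),
    ("2017-03-16T14:40", D("4.00")),
    ("2017-03-17T09:15", D("2.25")),
]
ETH_IN = [  # (time received from the exchange, ETH amount)
    ("2017-03-16T10:31", D("113.05")),
    ("2017-03-16T15:02", D("121.60")),
    ("2017-03-17T09:44", D("60.10")),
    ("2017-03-17T18:00", D("15.00")),  # unrelated deposit, must stay unmatched
]
RATES = [  # (valid from, ETH per 1 BTC), hypothetical, sorted by time
    ("2017-03-16T00:00", D("32.5")),
    ("2017-03-16T12:00", D("30.6")),
    ("2017-03-17T00:00", D("27.0")),
]
ts = datetime.fromisoformat

def rate_at(when):
    """Most recent historical rate at or before `when`."""
    known = [rate for start, rate in RATES if ts(start) <= when]
    if not known:
        raise ValueError("no rate data for %s" % when)
    return known[-1]

def match_conversions(btc_out, eth_in, window=timedelta(hours=2), tol=D("0.02")):
    """Pair each BTC outflow with at most one ETH deposit near the rate-implied amount."""
    candidates = []
    for i, (t_out, btc) in enumerate(btc_out):
        expected = btc * rate_at(ts(t_out))
        for j, (t_in, eth) in enumerate(eth_in):
            delay = ts(t_in) - ts(t_out)
            err = abs(eth - expected) / expected  # fees and slippage show up here
            if timedelta(0) <= delay <= window and err <= tol:
                candidates.append((err, i, j))
    used_out, used_in, pairs = set(), set(), []
    for err, i, j in sorted(candidates):  # best fits claim their partner first
        if i not in used_out and j not in used_in:
            used_out.add(i)
            used_in.add(j)
            pairs.append((i, j, round(float(err), 4)))
    return sorted(pairs)

if __name__ == "__main__":
    for i, j, err in match_conversions(BTC_OUT, ETH_IN):
        print(BTC_OUT[i], "->", ETH_IN[j], "relative error", err)
```

A single amount match is weak evidence on its own; the weight comes from every outflow in a series finding a deposit at the rate of its own timestamp while unrelated deposits stay unmatched.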
The defendant told investigators that they had “only sold hacked online account information on AlphaBay.” With the defendant’s cooperation, law enforcement officers withdrew 2.65995166 BTC from the defendant’s vendor account on AlphaBay.
In 2021, the defendant signed a consent to forfeiture. On November 3, 2021, the government published a notice about the action on forfeiture.gov. Nobody filed a claim against the action (the defendant was the only claimant). As a result, U.S. District Court Judge Rodney Smith entered a default judgment in favor of the United States, which forfeited the defendant’s right, title, and interest in the seized cryptocurrency.
According to the press release, this case was the result of a so-called “Operation TORnado,” which is apparently a “joint investigation that stems from the ongoing efforts by OCDETF.”
Verified Complaint for Forfeiture in rem: pdf
Comments (16)
jgagger 2022-04-05 21bb41d0
biggest proof LE can track tor! Desnake warned us about it on dread here real proof don't be stupid use proxy vpn put many of them fuck LE fuck noobs on reddit saying use tor only these are FEDS
ddos 2022-04-05 75209280
DeSnake is still using Tor to run all of his security features on alpha 2.0 that effectively amount to DDOSing himself, ironically the exact attack he is trying to avoid besides becoming compromised or getting robbed. Again for the paranoid folks on here, if Tor were majorly compromised they would shut down all illegal traffic on Tor and make wide sweeping arrests, another Holy Box argument from Dumb Nigga Live… things will never been the same after the Holy Box article…
fuckthis 2022-04-06 0df7b010
They can't track Tor. If they have a "warrant" (which presumably needs some solid evidence beforehand), they will, with the help of your internet provider, monitor with which IP addresses your internet connection exchanges traffic. If those are Tor nodes (which isn't a secret at all), they will compare the times of day where you do Tor traffic with your activity on market places. For that THEY ALREADY NEED TO KNOW your residence, your vendor accounts and so on. They just compare patterns for which they already need a shitload of information on you obtained by other means. Read the article ffs.
I love shun 2022-04-07 5a6798c0
Yeah? No shit the LE can view the outgoing connections you make? "Desnake" should not be responsible for you learning how the software you use works :|
a1667048 2022-04-20 55afd570
This article does not prove LE can track Tor. ISPs can see when you visit Tor (this is public information). The issue here is that he/she did not use a custom bridge to mask themselves from Comcast. However, because of the massive purchasing of exit nodes by LE, the chances of LE exposing IPs has increased. Another possibility is that LE has zero-days, which is also very likely.
fhrdf 2022-04-06 e94a9030
This is why people need to run tor relays and/or use tor constantly for legal and illegal sites. If you constantly have tor traffic flowing thru your network the pen register would be much harder to compromise you. We should all assume we are under a pen register.
fgfg 2022-04-06 8a3ec540
"“In or around 2016, law enforcement agents identified two residences in Florida linked to Moniker 1 after Moniker 1 provided the addresses as the shipping address when he or she previously purchased narcotics from Dark Web marketplaces,” according to court documents" This part is confusing to me. It says that the vendor provided their address to investigators in some way. I wonder if the vendor got caught ordering drugs and that ruined their digital vending opsec. In most cases digital only vendors are the safest type of vendor because most vendors get caught through the mail. This person was caught because of revealing their address but they may not have been convicted if they had used Tor much more often and not just when they were vending. Many people seem to make the mistake of only using Tor when they are doing something illegal instead of using Tor as a general browser for most of their web traffic.
hdhddgf 2022-04-06 1ec56ce0
Tor has circuit padding for making onion site visits look like visiting a regular site on the clearnet. There used to be more of a difference in the traffic pattern. You should still use a mix of legal onion services, legal clearnet sites, and illegal onion sites. You should use multiple sites at once to help beat website fingerprinting attacks. You want a mix of traffic flowing through your network all the time and especially when you are fulfilling orders and communicating as a vendor. Use multiple devices with tor on them at the same time as well. If you use debian based distros you can use apt-transport-tor package to make your software updates go over tor too just to add more tor traffic to your network and also to keep the enemy from knowing what software you are using and what versions which can also be used against you. For example, if they know that you are using an unpatched version of software that has a public exploit, they could try to exploit it before update.
ffhgffftf 2022-04-06 e7021aa0
You need to use tor for hours daily. Dedicate many random hours for regular traffic and hours for your prohibited activities. tor benefits thru constant use as a "mixnet"
ethbunny 2022-04-08 71192bf0
those 919 eth went to a series of 4 or 5 low-nonce wallets, then to coinbase. I sure hope the coinbase transfer was LE's work. if not, well...
11a9af872 2022-04-09 0fb8b470
I'm surprised that he was able to deposit that much money into his bank per month. I thought most banks started asking a few questions at around $10,000/month of unknown deposits. But during April he deposited about $15,000 and the bank didn't give him a second look.
wtf 2022-04-12 b4c64450
How did they get his address from the markets? PGP issue, market issue, or did he order from undercover?
asd 2022-04-12 bffa6990
just a guess but probably had a vendor or market compromised, they prob ran his name and it popped up that he made an order as well as provide services there. sounds like it was just dumb OPSEC on his part, not hard to find more evidence once they knew it was him
Johnny POop 2022-04-12 7afffc20
He ordered drugs with his address in plaintext and used the backdoored "Encrypt with vendor's PGP" checkbox while feds were already running the market. Ridiculous.
Dnl 2022-04-06 cb625bf0
Refreshing comment, thank you. Correlation attacks are a bitch and LE has to dedicate some serious computing power to back that shit up, which them tax dollars cannot afford that good. But I really like this comment because it shows just how far the US constitution protects cyber criminals, even dumb cyber drug dealers can ride that wave without having to worry about normal wear and tear on their mail pieces… “DNL”
Why Yoda broke? 2022-04-05 69959fb0
Ya man, should hav… but take it from DNM operators of the “past…,” life happens man…