Darkweb markets provide drug dealers with an anonymous platform to peddle their wares but cannot account for all forms of human error.
A group of federal law enforcement agents regularly identifies and arrests darkweb drug dealers and is well known for their investigations. The Task Force, known for their own onion service, consists of agents from the Federal Bureau of Investigation (FBI), the Drug Enforcement Administration (DEA), Homeland Security Investigations (HSI), Internal Revenue Service Criminal Investigation Division (IRS), and the United States Postal Investigation Service (USPIS). This group is called the Northern California Illicit Digital Economy (NCIDE).
The Sacramento-based NCIDE Task Force has investigated at least 28 vendors and arrested (on their own or in conjunction with other law enforcement agencies) 24 vendors. They are surprisingly adept when it comes to efficiently identifying supposedly anonymous drug dealers. But not all of their investigations are as challenging as one might think. One of the best examples of a simple case is the investigation of the Empire Market vendor “chlnsaint."
Chlnsaint sold fentanyl, heroin, oxycodone, oxymorphone, and other opioids on the now-defunct Empire Market. The vendor opened the account on the marketplace in August 2019. Between the opening of the account and when Empire vanished, the vendor had a customer feedback rating of 98% and had completed more than 1,100 transactions. By all metrics, Chlnsaint was a popular vendor.
When the Feds Bought Drugs Online
During the week of April 12, 2020, the Task Force conducted an undercover purchase from the vendor. They bought five oxymorphone pills and provided the vendor with an address in the Eastern District of California controlled by law enforcement. When the package arrived, members of the Task Force noticed the handwritten return address on the package: Stephanie Smith 301 SW 7th Ave Delray Beach, FL 33444. The package had shipped from a USPS Self Service Kiosk (SSK) in Delray Beach, Florida.
The SSKs take pictures of the user which often aids law enforcement in identifying the party responsible for mailing any given package. The images taken by the kiosk identify the vendor or a party working for the vendor in many cases involving these kiosks. For example, law enforcement pulled surveillance footage from an SSK in Brooklyn, New York, where the Alphabay vendor “AREA51” purchased shipping labels. That footage identified Abdullah Almashwali as AREA51.
According to the criminal complaint, SSKs take surveillance images whenever someone drops off a package. The postal service’s tracking system allowed investigators to see the precise time Chlnsaint had mailed the package of oxymorphone pills received by law enforcement. Task Force agents checked the SSK surveillance images taken at the same time. Jason Bauwens, a Postal Inspector with USPIS, wrote that the Task Force compared the surveillance images with driver’s license pictures from the Florida Department of Motor Vehicles and booking photos from jails in Florida. They found a matching ID picture and “numerous” booking photos from prior arrests, including one for a marijuana charge and another for inciting a riot in West Palm Beach, Florida. Chaloner Saintillus, a 32-year-old from Delray Beach, Florida, had mailed the package of pills.
Investigators searched phone companies for an account associated with their new suspect. T-Mobile provided them with an account, an address, and another name: Shalam Ali. This name, they learned during their search of booking photos, was part of an alias Saintillus had used in the past. The full alias was Shalam Ali El Bey.
The USPS website allows users to create an account on their platform that simplifies various shipping-related activities. USPS.com provides a list of the uses of an account:
- print shipping labels.
- request a Package Pickup.
- buy stamps and shop.
- manage PO boxes.
- print customs forms online.
- file domestic claims.
- set a preferred language.
Agents with the Task Force searched USPS databases for accounts associated with the information they had about the suspected operator of the Chlnsaint account. This search returned three results:
USPS Account 1
- Username: Chlnsaint
- Name: Chaloner Saintillus
- Address: [Redacted, matches the address provided by T-Mobile]
- Phone: [Redacted, matches the T-Mobile number]
- Email: firstname.lastname@example.org
USPS Account 2
USPS Account 3
Two accounts associated with Saintillus also directly link him to Chlnsaint. One account was created with the username “Chlnsaint” and the email address “email@example.com” and another account was created with the same email address as the first as both the username and email address. The third account linked Saintillus to his alias; it was created with Saintillus' personal information and an email address that spelled out the name of his alias, Shalam Ali El Bey.
Investigators conducted searches for Saintillus' name on the internet. Inspector Bauwens, in the complaint, listed three results that helped connect the dots between Saintillus and Chlnsaint. The first two accounts–one on a chat site and one on a forum site–shared attributes. Both had profiles with the name Chaloner Saintillus and the email firstname.lastname@example.org. The third listed in the complaint, a dating profile, linked Saintillus, Chlnsaint, and his Moorish alias:
“case agents observed a dating profileShalame website, ConnectingSingles.com, under the username “Chlnsaint”, the same moniker utilized by VENDOR 1 on the Empire marketplace. The dating profile contained a photo of an African American male, with similar features and appearance to that of SAINTILLUS, and claimed to be a 32-year-old male located in Delray Beach, Florida. The individual in the dating profile introduced themselves stating, “…I’m shalam what’s ur name…”
We conducted similar searches. One identified Saintillus better than any of the profiles listed in the criminal complaint. There is a Twitter account with the username @chlnsaint. Someone, likely Saintillus, created the profile in 2009 and added the name Chaloner Saintillus to the profile.
More Drug Purchases
Most markets either warn against or prohibit advertising vendor accounts on other platforms. Markets do not get a cut of any transaction that takes place on Wickr or Telegram or any other platform outside of their control. There are reasons why other platforms, especially ones on the clearnet, present a risk to both buyers and sellers of drugs or other contraband. Like many vendors who disregard these warnings, chlnsaint listed a Wickr username in their profile on Empire Market where customers could place direct orders. The vendor controlled the username “showstill” as an interface for interacting with customers.
Task Force members conducted nine additional controlled purchases from chlnsaint through Empire Market as well as Wickr. The transactions resembled the first one in all but the product selection; the Task Force ordered a variety of drugs, including heroin, fentanyl, oxycodone pills, and oxymorphone pills. All nine packages were shipped from the Southern District of Florida. Using the same process described earlier in this article, investigators matched Saintillus to the person responsible for shipping chlnsaint packages in seven of the nine instances.
A check of USPS records revealed that Saintillus had purchased postage for the packages shipped to Task Force members using a Wells Fargo debit card. The debit card was used to purchase postage for four of the packages received by law enforcement. Wells Fargo provided the Task Force with bank records associated with the debit card. They learned the card belonged to Saintillus during a review of the transactions associated with the card.
Investigators learned that Saintillus made regular and large purchases from a certain SSK in Florida. Law enforcement conducted physical surveillance at Saintillus' last known address and watched him leave the house with a USPS envelope in his hand. Saintillus and an unidentified person entered a BMW registered to Saintillus. Law enforcement followed the vehicle to the Post Office commonly used by Chlnsaint. They watched him use the SSK to purchase postage and mail the package. After Saintillus left, law enforcement took custody of the envelope. The package had the same name and address written on the package as the packages law enforcement had previously seized.
After obtaining a warrant for the envelope, law enforcement opened it and determined that it contained seven grams of fentanyl.
Today, on January 28, a U.S. Postal Inspection Service notice was posted on forfeiture.gov continuing 0.22418282 Bitcoin that previously belonged to Saintillus.
His case is ongoing.