A darkweb researcher published an analysis of information that allegedly identified Speedstepper, the notorious owner and operator of Dream market. Another individual, based on original research, claimed to have taken the identification of Speedstepper even further.
The following text is the article published by Sh1ttykids. It has been translated from Japanese to English.
While I was doing research the other day, I found something interesting. Someone hacked the Dream Market and published its database on “Pastebin” (a storage and publishing service for text data such as source code). It contains account information for 10,000 Dream Markets, and the original has already been deleted, but the data remains in “archive.is” of the web archive site.
It turned out that the roster had several well-known vendors and users of the former SilkRoad. The existence of part of the account has been confirmed.
If you look further, you will find things that bother you. This data was posted on September 20, 17th. A week before that, Dream Market was down. Around that time, in addition to the above three leaked IP addresses, I was finding suspicious IP addresses from the Dream Market. There are also articles related to mysterious site down and IP address in related media .
Regarding the site down, SpeedStepper also officially issued a statement that “the HDD was crashing” later.
From these pieces of information you can guess: Someone hacks Dream Market based on that IP address and gets database information. SpeedStepper noticed this and shut down the site and repaired it. A week later, some of the stolen data was attached to pastebin as evidence, as a hacked criminal threatened SpeedStepper in some way. The third party who found it archives the data, and then the pastebin page is deleted.
Although it is unknown who the hacker is and what kind of transaction has been made with SpeedStepper, it seems that some kind of transaction has been concluded that Dream Market is currently in operation.
Although the purpose of the IP address leak suspicion was to be abusive, in the hacking case the user information was clearly leaked and the site was temporarily down, which would be a serious failure for SpeedStepper.
However, SpeedStepper may have made a more fatal failure. There has been a suspicion that it may be related to a certain person in the real world.
One of the American researchers who found out about it is that he came to the information from the official Dream Market bulletin board.
In February 18th, Dream Market has created a “DeepWeb Network” bulletin board on Clearnet (the Internet, which can be accessed with a regular browser, “Surface Web”). It is not clear why the Dark Web Market, which places emphasis on anonymity, purposely created a bulletin board on ClearNet.
If you refer to Whois information from the URL of this bulletin board, you can see that the registrar who has registered the domain is GoDaddy, which provides the domain registrar rental server service of the domain registration number in the world.
Next, take a look at Whois information on the “Buyoxytocinnow.com” site listed in SpeedStepper’s profile on DeepWeb Network. Then, this site is also hosted by GoDaddy, and it is further linked to personal information such as “Registration: ○○○○ (temporarily A Mr.), organization: □□□□ (C company)”. I understand that.
Whooxys information on Buyoxytocinnow.com Describes the registrant and organization
When I examined the relationship between Company C and Mr. A, I found some things. Company C was established by Mr. A, and was mainly engaged in site development and VPN services.
There were 64 domains linked to Mr. A, and most of these were GoDaddy. There was one thing that bothers me. The “Add to Cart” button posted on the site is similar to that of Dream Market.
He also seemed to have a Twitter account, and when he looked at it, he had an interesting description in his profile.
It is called “Net Freedom”. This probably means that you believe in the freedom of the Net. Los Ulbrichit (arrested in 2013), who once managed the world’s largest dark web market, “Silk Road,” was also thought libertarian (liberalist), Ron who ran for president in the US Libertarian Party. I was supporting Paul.
By the way, once Ulbricht was arrested and his real name was revealed, he could easily find his social account from that name.
We will summarize the information so far.
- Mr. A is a registrant of the site SpeedStepper has published in his profile
- The registrar of the site and the registrar of DeepWeb Network which is a bulletin board of Dream Market are the same company
- The site operated by Mr. A with his registrar uses parts similar to those of Dream Market
- From Mr. A’s Twitter account, I can guess that it is the owner of the thought similar to the manager of Silk Road
From the above, the researcher who contacted us suspects that “Mr. A is not a SpeedStepper.”
Since SpeedStepper has been using various hands in addition to IP address leaks to disrupt investigations, I think it might be possible to expose information that is linked in real by such mistakes, but also in the case of Ulbricht If you think about it, you can not say that it is completely misguided
-=- OPSEC BY EXAMPLE - EPISODE 3 -=-
-=- MARK DECARLO, FOUNDER AND DEVELOPER OF DREAM MARKET -=-
Hello, dearest reader! I hope you all had a great holiday season. Even if you didn’t, don’t worry - I’ve got a very special present for you today. This is going to be a wild ride, so pack a bowl, buckle your seatbelts, and get ready for some of the biggest opsec failures that you’ve ever seen.
Now, I’m sure that once I post this, there will be dozens of people coming out of the woodwork to call me out and say that this is fake, that I’m 100% wrong, that these are simply red herrings and I’ve been on a wild goose chase for weeks. I urge you to keep in mind that people who run darknet markets don’t necessarily need to be strategic geniuses or opsec masters to make it to the top, though they do need to be smart to stay at the top. The truth of the matter is, until Mark DeCarlo is taken away in cuffs (which will hopefully be soon), I really can’t be 100% positive about the facts of this case. But I’m going to present all the facts as accurately as possible, and the conclusions you make about them are up to you.
I’d also like to give a huge thanks to my new friend BlueBoxFox who has been an absolutely invaluable part of this research. I found the initial leads, and I’ve helped BlueBoxFox connect some dots along the way, but the majority of our findings here have been because of his laser-focus on finding the facts. You’re the best, BBF.
The initial leads
A while back, I started working on a darknet market data scraper for a project I’ve had in the works for quite some time. I was looking at the data Dream was giving me when I noticed something strange. Every request that one makes to Dream has a strange and uncommon return header - X-Forwarded-For = 126.96.36.199. As of the time of this release, you can still see that return header in every response you get from Dream. I’m not positive, but my theory is that Dream’s public onions are running Varnish cache server and using that to speak to the back end server that has all the real goods on it. Occasionally, when Dream breaks down, you can see errors from Varnish cache server, so it makes sense that Varnish may have been misconfigured and set to show the real IP address this whole time.
That IP address, 188.8.131.52, belongs to a hosting company in Florida called HostDime. HostDime offers high end servers in a very high-security environment, and they accept bitcoin, so my interest was immediately piqued. I considered that maybe this was a red herring but decided to continue anyway. BlueBoxFox and I called and emailed HostDime numerous times, trying everything we could think of to trick them out of even a single modicum of information about the account holder, but we were entirely unsuccessful. (It sucked not being able to squeeze anything out of their staff, but I have to say - two thumbs up to the HostDime employees. Next time I need a place to host some shady content, I know who I’m going with.)
After failing to trick HostDime out of any useful information, we decided to look elsewhere. We found all of Speedstepper’s public postings that we could, figuring that if he had messed up the configuration of Varnish, it was likely he had made other serious mistakes. We found what we were looking for on Speedstepper’s profile on deepwebnetwork.com. In his profile information, he listed his personal website as buyoxytocinnow.com. While we initially thought that this was a red herring, because finding this detail was just too easy, we investigated further and found more than we ever bargained for.
Mark DeCarlo - the present
That website, buyoxytocinnow.com, was a website hosted via HostGator that was suspended after some time, presumably because HostGator isn’t interested in helping people push shady pharma products. The current whois information for buyoxytocinnow.com is private, but historical records show that it was previously registered to one Mark DeCarlo of Innerconx, Inc. Mark DeCarlo is a 63 year old man from Florida, so we were a bit disappointed, thinking that there was no way this was our guy, simply because he’s so far off of the standard profile for a computer criminal. However, Mark does own a web design business, so we kept looking into him, thinking that maybe there was a link after all.
Mark’s company, Innerconx, is a small web hosting and design company based in Florida. As far as we were able to tell, he has no employees. The address listed on his business filing records is 32 Cedar Way, Hollywood, Florida, which is just his old house, not an office. Innerconx’s website, innerconx.net, is a small site running Wordpress that lists some details about what Innerconx does, but it’s a far cry from a modern webhost’s website. Innerconx didn’t seem particularly shady to us. It just seemed like a small web design company, and maybe that’s what it was at one point, but this was just the beginning of the rabbit hole.
Innerconx.net had a contact number listed - (954) 547-8976 - which turned out to just be Mark’s personal phone number. When I called him, I made the mistake of calling at about 6 AM in my timezone, which turned out to be about midnight for him. I asked him a couple of questions about his web design business, pretending to be an interested potential customer, but he was extremely evasive and demanded that I “call the office” but wouldn’t give me the phone number for his “office.” Now, in all fairness to Mark, I did call him at midnight, so I can see why he wouldn’t want to take a business call, but his tone gave me a gut feeling that there was more to this than just him being upset about me calling so late.
I called later in the day (or rather, the next day, in Mark’s timezone) and tried asking him questions about his business again. He answered the phone rather angrily and demanded to know who I was and what I wanted. He didn’t seem to buy the story that I was an interested customer - maybe because my phone’s area code was rather far away from Florida, or maybe because I just didn’t sell my story very well. After I realized that pretending to be a customer was getting me nowhere, I started asking him more broad questions about his business and the sites I knew he hosted. He claimed that his hosting company hosted “thousands of websites,” which is patently untrue. He denied knowing whether Innerconx was related to oxytocincentral.com or buyoxytocinnow.com, and later in the call, he explicitly denied being related to those websites. I decided to push further and ask if he knew anything about anyone named “Speedstepper” and at this point, he locked up and demanded that I “call corporate” but refused to give me a different phone number. He gave me the email firstname.lastname@example.org instead, so I sent him the following email:
Subject line: To Mark - questions about oxytocin
Hi, I was told to follow up at this email address after my phone conversation with Mark DeCarlo. I presume that Mark will be the one reading this, given his role in the company, but if someone else is reading, please bring this email to Mark’s attention immediately.
As I said over the phone, I have several questions about Mark’s apparent involvement with illicit and/or counterfeit pharmaceuticals.
1.) What involvement did you (Mark DeCarlo/Innerconx) have with the websites OxytocinCentral and BuyOxytocinNow? 2.) You said on the phone that you weren’t responsible for purchasing the domains or hosting the content on these websites. With that being said, how do you explain historical whois records like the one here? 3.) Have you or Innerconx ever done business with HostDime.com? 4.) What connection do you have to SpeedStepper and his various web design projects? 5.) On SpeedStepper’s profile on DeepWebNetwork, why is BuyOxytocinNow.com listed as his website, when the registration details show that it was yours? 6.) Are you SpeedStepper? 7.) Are you responsible for hosting 184.108.40.206, either through Innerconx or another company? 8.) If this is all unrelated to you, why does everything about this point towards you being responsible for these projects?
I look forward to reading your answers. Again, I apologize for calling you so late - I’m not currently in the US and I didn’t realize how late it was in your timezone. Thanks for your time.
Unsurprisingly, he didn’t reply.
Mark DeCarlo - the past
We still had our suspicions, but we didn’t have anything in the way of hard evidence. We decided to look into Mark’s background as much as we could to see if there was any non-circumstantial evidence connecting him to Dream. The first thing we did was look into the various different domains that Mark has registered, to see if he had inadvertently left some clues sitting around for us to find. There are a lot of them, so I’m not going to go in depth on every one. I’m just going to focus on what seems relevant to me. If you’re interested, you can find a full list of Innerconx domains here and a full list of Mark’s personal domains here.
The first thing that sticks out to me about these domains, both Mark’s personal ones and the ones he registered with Innerconx, is that Mark is a serial entrepreneur. If you look at the registration dates on the domains, it seems that Mark gets an idea for a business, starts it up, sees that it isn’t immediately blowing up and making him rich, and then moves on to his next idea. However, there’s a curious change in his pattern of domain registrations here.
2002 - 1 domain registered
2008 - 1 domain registered
2010 - 1 domain registered
2013 - 12 domains registered
2014 - 67 domains registered
2015 - 14 domains registered
2016 - 3 domains registered
2017 - 1 domain registered
2018 - 0 domains registered
It seems to me that Mark hit peak entrepreneurship in 2014, while Dream was still a small fry competing with much larger marketplaces. As Dream grew bigger and bigger, his domain registrations dwindled as he didn’t need to make money through legitimate sources anymore. Throughout the last couple of years, Mark has seen considerable financial gain (more on this later) and it would reasonably follow that if Mark was getting richer, we should be able to see Mark registering more domains as his web hosting business grew. However, that simply isn’t the case.
Following the money
We did some digging on the Facebook accounts of Mark, his wife Colleen, and their daughter, Erica. We figured that if Mark was really in charge of Dream, he’d have some money, and it turns out that he’s been flexing his cash quite a bit on social media.
First, there’s the cars. Based off of Mark’s public Facebook posts, he clearly likes old and fast cars. Now, before Dream market was all set up and making huge cash, Mark still had an interest in cars. In fact, he was even a regular on a few Corvette forums. But the cars he had were simply old, and very cheap. After Dream Market became the top name in the DNM game, Mark purchased three brand new cars. A Corvette Z06 Supercharged, which goes for a cool $160k. Mark purchased it brand new from the dealership. A month previously, Mark also purchased a Cadillac Escalade, which goes for up to $100k, brand new. This data all comes from Mark’s Facebook page, where he repeatedly shows off his cars. He also made reference to purchasing a new car for his mom, but we were unable to find details about the make and model of that car.
And even more notably, there’s Mark’s house. Up until recently, Mark lived at 32 Cedar Way, Hollywood, Florida. The Zillow information about this house states that it’s a 1,729 square foot, single story home that is worth somewhere in the neighborhood of $379,000. It’s a nice, modest home, and it very much fits in with the amount of money Mark should be making with his business.
BlueBoxFox made a couple calls to Comcast with the information we already had on Mark and was able to find out his new address. As of October 25th, 2018, Mark is the proud new owner of 641 Ranch Road, Weston, Florida, and wow, what an upgrade it was. The Zillow information about this house states that it’s a 5,099 square foot Italian-style mansion with a heated pool, a view of the lake, 6 bedrooms, and 4.5 bathrooms. Mark paid a cool $1.075 million for it.
We wondered how Mark was washing his money, and BBF was able to find information about what appear to be shell companies registered in Mark’s name. Here’s a list:
Officer/RA Name Entity Name Entity Number
DECARLO, MARK TRINITY INSURANCE SERVICES, INC. F10000000804
DECARLO, MARK MDC ASSOCIATES CLAIMS ADJUSTERS, PLLC L12000115869
DECARLO, MARK VANTAGE POINT CLAIMS MANAGEMENT, PLLC L16000182207
DECARLO, MARK BESTBANG4THEBUCK.COM, INC. P06000134799
DECARLO, MARK SILKY HOSTING SOLUTIONS, INC. P14000054182
DECARLO, MARK SILKY HOSTING SOLUTIONS, INC. P14000054182
DECARLO, MARK RENEWAL HOLDINGS, INC. P14000097703
DE CARLO, MARK INNERCONX, INC. P99000021224
I’ll go through each one of these in order, with the exception of Innerconx, which, if you’ve read this far, you already know about.
First, Trinity Insurance Services. There is a Trinity Insurance Services that operates in Florida (website at trinityins.net) but there is no indication anywhere on their website that they have any connection to Mark DeCarlo. I’m inclined to believe that he just reused the name of a legitimate company to hide his business goings-on a little better.
MDC Associates Claim Adjusters has absolutely no public presence. There’s no website, no office, no phone number, nothing.
Vantage Point Claims Management seems very shady, but might be a real company. There is a website - vantagepointclaims.com - but it’s down. It seems there’s another Vantage Point Claims Management in New Orleans, which Mark filed a Freedom of Information Act request against in late 2018, and based on that information I think that Mark took another legitimate business’s name to hide what he was doing. You can view info about that FOIA request here.
BESTBANG4THEBUCK.COM is also clearly fake. The website is down (and as far as I know, Mark was never involved with hosting that website) and there’s no information about it anywhere, other than websites listing business filing records.
Silky Hosting Solutions is definitely associated with Mark, but if you go to any of the domains relating to Silky VPN or other “Silky” products that Mark has made, it’s abundantly clear that nobody uses them. There is no talk about the quality of the services anywhere, no customer testimonials, nothing but business filing records and a few apparently abandoned websites. Interestingly, the business filing records for this one include a “Dragan Zlatanovic” and a “Simon Zekar” but I wasn’t able to find anything substantial about them or their connection to Mark.
“Renewal Holdings” seems to be another intentionally confusing name for a shell company. There is nothing but business filing records available online for Renewal Holdings, but it looks like this company might have been named like it is to confuse people looking, as there is a legitimate “Lucayan Renewal Holdings” also in Florida.
Setting the trap & tightening the noose
Despite how incredibly shady Mark DeCarlo looked to us, none of this was truly hard evidence. We decided to lay a beautifully simple mathematical trap for Mark. We encrypted a message with Dream’s current PGP key that contained a link to a URL on a throwaway box I’ve had for a while. The URL was specific enough that no web scraper or curious visitor would ever come by it accidentally, and Mark was the only one we sent it to. If we got a hit on that URL, we’d know for sure that Mark held the PGP private key corresponding to Dream’s public key.
Subject line: WE KNOW WHO YOU ARE
Pre-encryption body text: We know who you are, and now we have undeniable proof. We don’t want to ruin you - we just want to talk business with you. If you don’t believe that we have the proof we say we have, check this out: https://[redacted]/DeCarlo/proof.txt
Just a few hours later, I find this in my log files:
“GET /DeCarlo/proof.txt HTTP/1.1” 404 142 “-“ “Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0”
At this point, if you’re not convinced by what you’re reading, I don’t know what would convince you. Mark is the only person who had this URL and the only person who could’ve decrypted the message we sent to find that URL.
A (possible) connection to the feds
Full disclosure: I’m not positive about this part. Again, come to your own conclusions and don’t take anything we say to be absolute, indisputable truth.
Starting off, Dream Market has seen many big busts, as has any other large darknet market. One of the largest busts was of “Oxymonster”, a vendor and moderator on Dream market. For those of you who frequently check out DNM news, you may remember how Oxymonster was caught. For those of you who don’t, he was captured in Atlanta Georgia after exiting a plane. His reason to be in the USA, visiting, was for a “beard growing competetition” in Miami. It seems very possible that Mark could have setup a meeting with him, as bait for the FBI. The suspicions arise because the direct route to Miami Florida from Atlanta Georgia is on I-75, which passes directly through Hollywood Florida, coincidentally where Mark lives.
This doesn’t prove anything per se, but consider how strange the route that OxyMonster planned to take was. The beard competition was in Miami. There is an airport in Miami. If you were going to Miami for a contest, why not just fly directly there? Why fly into Atlanta and travel south? The most plausible explanation, at least to us, is that flying into Atlanta would mean that OxyMonster could make his stop at a meeting place with Mark and then continue on to Miami instead of going to Miami, driving out to meet up, and doubling back to go to the contest.
Keep in mind, this could just be a coincidence, but Oxymonster lived in France, and it’s very odd he would take an obscure trip to the states just for a little beard growing competition that happened to require him passing through the immediate location of Mark.
After calling Mark, his family, his friends, and his neighbors, many, many times, it seems we finally spooked him. For more than a week prior to this article’s publication, DeepWebNetwork.com has been down with the excuse that it was down for “site maintainence.” As of the time of this writing, as BBF and I are finishing up the final touches, Dream has been down for more than 18 hours, with nobody able to log in to withdraw funds.
Also worth noting is the fact that, shortly after sending the email with the trap in it, Mark’s phone line, and the phone lines of his immediate family members were cancelled. Calling from new numbers went straight to voicemail too, so it wasn’t that he had just blocked our phone numbers. In addition to this, we discovered (almost accidentally) that Mark’s Comcast accounts, both for his old house and his new house, were cancelled shortly after we sent the trap email to Mark.
Given these facts, it seems very likely that Mark will exit scam soon.
Miscellaneous suspicions and oddities
This is a list, in no particular order, of various other things that we found suspicious but that we were not able to directly connect to other parts of the narrative.
The proximity of Mark’s home to HostDime’s headquarters. Individually I would chalk this fact up to random chance, but given all the other pieces that fit together, I doubt that this is a coincidence.
The buttons on one of Mark’s old (and now defunct) websites, oxytocinfactor.co, look eerily similar to the buttons used on Dream. Here is a set of buttons on oxytocinfactor.co, and here is a button from Dream’s website.
It’s very likely that Speedstepper isn’t just Mark, but is a small team of people. The spelling for the name alternates between “Speedstepper” and “Speedsteppers” and in a couple of Speedstepper(s)’s public postings, the English used is very poor. However, we were unable to find anything out about who the other Speedsteppers in the Speedstepper team might be, or how many of them there are.
Darknetmarkets.org, one of the top search results for “darknet markets,” is a site that pushes phishing links to unsuspecting users. In the article by itmedia.co.jp about Mark, there’s a bit about how Mark is supposedly in cahoots with people phishing Dream. On the same day that DeepWebNetwork went down, so did Darknetmarkets.org. Darknetmarkets.org is back now, while DeepWebNetwork is still down, so maybe this is just a strange coincidence, but I think it’s worth noting.
Lessons to be learned
Everybody knows that your actions can endanger you - that much is a given. What many people, Mark DeCarlo included, do not seem to realize is that inaction can also indicate involvement. For example, Mark slowing down with his domain registrations was evidence of his involvement via inaction. Make sure that, if you strike gold with your criminal activity, you do the work to keep up appearances in your normal life.
If you’re going to be a career criminal, don’t flex your cash on social media. If you’re a local weed dealer getting a couple grand from selling product off the darknet, it’s still a stupid decision, but you’re probably fine. But if you’re an international drug kingpin, you should show more restraint.
In the same vein as #2, you should be humble with your ill-gotten gains, even off of social media. Other internet personalities are not your only worry. I imagine that, had the government been a little more competent, the IRS would have taken note of Mark’s purchases quite a while ago. If they haven’t already, I bet they will now.
As always, remember that all it takes is one little strand of truth to unravel all of your lies. The people looking for you don’t have to find you the first time they look, but you do have to maintain perfect opsec at all times to avoid being busted. One slip-up and it’s curtains for you.
If possible, share a name with others. “Speedsteppers” being multiple people was a confusing twist to the story, and we’re still not sure how much we’re missing here, or how many people “Speedsteppers” really are. This was one of the few examples of Mark DeCarlo doing something right.
I’m really excited to hear what you all think of this, as is BBF. Please, poke as many holes in our narrative as you can - we’re just as interested in the truth as everyone reading this is. Hopefully none of you have lost any substantial amounts of money on Dream. If it does come back up, I hope you’ll all take your business elsewhere, as Dream reeks of trouble at this point.
Thanks for reading, and stay safe out there.
http://www.itmedia.co.jp/news/articles/1808/08/news016_2.html - Japanese article that came to many of the same conclusions we did, but didn’t dig quite as deep