A Bitcoin trader identified a darkweb vendor for the Federal Bureau of Investigation.
In a recent announcement, the United States announced the three arrests in connection with a darkweb drug trafficking case. The first two suspects, Luis Miguel Teixeira-Spencer and Olatunji Dawodu, allegedly operated the vendor account “johncarter7." The third suspect, Alex Ogando, allegedly operated the vendor account “PolarSprings.”
Court documents are publicly available for the US v. Ogando case but the documents for the other two cases are currently inaccessible to me.
During an investigation into darkweb opioid traffickers, law enforcement identified Spencer and Dawodu as the suspected operators of the johncarter7 vendor account. While investigating the operators of the johncarter7 account, according to a criminal complaint, investigators found “contacts” between Spencer, Dawodu, Ogando, and a person referred to as “Individual #1.” A review of the data stored in Dawodu’s iCloud account revealed a series of financial transactions between Dawodu and Ogando.
Law enforcement certainly knows the identity of Individual #1; they found the person’s fingerprint on a package sent by a different darkweb opioid vendor. The vendor, “PolarSprings,” was active on many markets, including Wall Street Market and Empire Market. On both markets, PolarSprings was selling pills pressed with fentanyl. On Empire alone, PolarSprings had 7,020 sales. PolarSprings also had accounts on Icarus Market, Deep Sea Market, and ToRReZ Market.
The FBI used data extracted from the Wall Street Market servers to identify records related to the investigation. These records included bitcoin addresses where vendors paid vendor bonds and other fees required by Wall Street Market (WSM). The records related to the PolarSprings account revealed the operator of the account had paid the bond of $200 on March 23, 2019. An unspecified fee was paid from the same Bitcoin wallet.
Using blockchain analysis, investigators identified an individual associated with the Bitcoin wallet described in the above paragraph. The FBI contacted the individual and learned that the person was a Bitcoin trader. The Bitcoin trader agreed to an interview with the FBI and later agreed to provide the investigators with information as a Confidential Human Source (CHS #1). Law enforcement had previously identified the source as part of a different investigation and stated that they had provided investigators with truthful and reliable information in the past. The individual “hopes to receive leniency regarding potential prosecution” in exchange for their cooperation with investigators.
CHS #1 reviewed text messages on their mobile device for information about transactions that occurred on the date of the PolarSprings vendor bond payment. They found a close match. The FBI provided CHS #1 with a picture of Ogando and the Bitcoin trader recognized Ogando as someone they had traded with in the past, including a transaction on March 22, 2019.
Based on the timing of the March 2019 in-person meeting between Ogando and the Bitcoin Trader, and the subsequent transfer approximately five hours later from the Bitcoin Trader’s wallet to pay for the PolarSprings’ vendor bond on Wall Street Market, it appears that the transaction with Ogando resulted in the payment for the PolarSprings vendor bond.
On February 2, 2021, law enforcement obtained authorization for a pen register/trap and trace (“PRTT”) device for Ogando’s Verizon service at his residence in Providence, Rhode Island. Two days later, law enforcement started receiving data from the PRTT. A review of the data from the PRTT revealed two connections between the IP address at the Ogando residence and Tor relays.
We covered another case involving a PRTT device (the investigation into the vendor OxyFlight) just days ago.
On February 23, 2021, law enforcement obtained a search warrant for Ogando’s residence. During the execution of the warrant, LEOs seized $350,000 in U.S. currency, “consistent with Ogando’s involvement in narcotics trafficking,” FBI Special Agent Evan Kalaher wrote in a statement of facts.
The building owner advised law enforcement that the apartment above Ogando’s was currently under construction. Law enforcement then conducted a so-called “protective sweep of the apartment to ensure the safety of law enforcement officers who were executing the warrant in the apartment below.” During the protective sweep, law enforcement observed evidence that someone had used the apartment as a staging area for drug distribution.
Specifically, officers observed:
- USPS flat rate packaging envelopes;
- latex gloves;
- a vacuum sealer;
- folded plates with a blue residue consistent with the color of pills sold by PolarSprings;
- 1,770 grams worth of pressed blue pills that tested positive for fentanyl;
- USPS Priority Mail envelopes containing pills that tested positive for fentanyl.
Various government officials had things to say about the investigation.
Acting U.S. Attorney Michael Sherwin:
“The use of sophisticated technology and virtual currency may raise unique challenges to investigating these cases, but this investigation demonstrates that law enforcement can nonetheless root out the sale of dangerous opioids on the darknet. We will not let the use of sophisticated cyber technology impair our ability to combat the problem of opioid abuse.”
James A. Dawson, Special Agent in Charge of the FBI’s Washington Field Office Criminal Division:
“The three co-conspirators charged today exploited those suffering through an opioid epidemic to enrich themselves. This case demonstrates the FBI’s commitment to working with our law enforcement partners around the country to show these criminals and others like them that they can no longer hide behind the dark web to operate their online, illicit marketplaces because we will infiltrate their networks, shut them down, and bring them to justice, no matter where they are.”
Inspector in Charge Peter R. Rendina, U.S. Postal Inspection Service, Washington Division:
“The U.S. Postal Inspection Service is committed to shining a light on that trafficking fentanyl and other illicit drugs on the dark web. Postal Inspectors, armed with advanced technology, digital forensics, and data analytics, continue to work closely with law enforcement partners to thwart those using the U.S. Mail in furtherance of their crimes.”
Kelly R. Jackson, IRS-CI Special Agent in Charge:
“As the opioid epidemic continues, IRS-CI will continue to lend our cyber expertise in tracing virtual currency transactions and dissolving the perceived anonymity of the dark web. We look forward to continuing to work with our law enforcement partners to get these dangerous drugs and those who are trafficking them off our streets.”
Special Agent in Charge Mark S. McCormack, FDA Office of Criminal Investigations Metro Washington Field Office:
“The tragedy of the opioid crisis continues to be fueled by those who use every method available, including the Dark Web, to sell their illicit pills to those with substance abuse addictions. The FDA will continue to work with its law enforcement partners to protect the public health by disrupting and dismantling counterfeit prescription drug manufacturing and distribution.”