Written by scribe_TS NOT ME
.....1.1 Who am I
.....1.2 Definition of Operational Security
2 - Misinformation Warfare (Digital)
.....2.1 Ancient Misinformation
.....2.2 How are you being tracked
.....2.3 How to use misinformation in your favour
.....2.4 Compartmentalization
.....2.5 Security is not convenient
3 - D.U.M.B (Physical)
.....3.1 Prime Examples of OPSEC fails
.....3.2 Inevitable Fuck ups, Aftermath and Clean-up
1.1 - Who am I
"Im just another echo in the void."
1.2 - Definition of Operational Security
By definition operational security was derived from military term procedural security, originated as a term that described strategies to prevent potential adversaries from discovering critical operations-related data. Which is an analytical process that classifies information assets and determines the control required to provide these assets.
You might wonder why I choose to write about both physical and digital operational security? Simplest answer is theyre intertwined and cant be separated in my opinion. If you have one but not the other its just like you dont have any.
2 - Misinformation Warfare
2.1 - Ancient Misinformation
Since the dawn of men, misinformation has been used as weapon and the most effective on at that. If you are a book worm like me I suggest you read The Art of War by Sun Tzu, that book even after thousands of years since it was written has theories and practices that can be applied in the modern world. Why am I telling you this? Because we will kick this off with one of his quotes.
Quote: Sun Tzu
"All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near."
One of the most egregious examples of this takes us back to ancient Rome and to the very end of the Republic, when almost a century of civil war, chaos and political assassinations had led the Roman government to the brink of collapse. It was the time of the so-called Second Triumvirate. Around 2000 years ago, the Roman Republic was facing a civil war between Octavian, the adopted son of the great general Julius Caesar, and Mark Anthony, one of Caesars most trusted commanders. To win the war, Octavian knew he had to have the public on his side winning important battles helped, but if the people didnt like him, he would not be a successful ruler. To get public backing, Octavian launched a fake news war against Mark Anthony. He claimed Anthony, who was having an affair with Cleopatra, the Egyptian Queen, didnt respect traditional Roman values like faithfulness and respect. Octavian also said he was unfit to hold office because he was always drunk. Octavian got his message to the public through poetry and short, snappy slogans printed on to coins. Octavian eventually won the war and became the first Emperor of Rome, ruling for over 50 years. But, I digress so lets get back to what you came here for. Today its much easier to conduct misinformation warfare than 2000 years ago, obviously. Now, to skip history lessons and move to the modern era here is example of misinformation. Markets that want to conduct exit-scam will usually disable withdrawals due to some technical problems on their end meanwhile keeping deposits working while they siphon funds to some off-site wallet. 2.2 - How are you being tracked In dystopian society we live today, surveillance is major part of how governments keep the common folk in line. To understand how we can use misinformation against them we first must understand how are we being tracked. Entities that track us (government agencies, tech conglomerates and data mining companies) rely on you to leak little pieces of data which they use to profile you online and match the user-name to actual user. Its simple matter to match content in databases if there is some sort of index to the content. Most common pieces of data used to track you on clear-net and dark-net are: Names (both real and user-names)
IP addresses
Browser fingerprint
E-mail address
Location (exact or approximate)
Phone numbers
Date of birth (or any other PII)
Stylometry
Facial recognition
Its important to understand that just by using two elements out of all of these is enough for them to track you. So your job it to deny them from getting two pieces of real data if you wish to stay anonymous. 2.3 - How to use misinformation in your favour Okay, we know how were being tracked. Lets briefly talk about how can we use misinformation to make it much harder for these entities to track you. Names: Dont use your real name anywhere on the internet and avoid websites that require one. Rely on aliases, pseudo anonymous is better than being caught with your pants down. IP Address: Mask your IP address by using Tor, VPN, VPS, RDP or proxies. Depending on what youre actually doing you might want to combine some of these. The point being use whats at your disposal to make their lives harder. Browser fingerprint: This one is probably hardest to conceal if you are not tech-wizard. But, you can always use several browsers with different plug-ins to make it appear as if youre several persons. Phone Numbers: Stop linking your personal phone number to services such as instant messengers, social media applications and two-factor authentication on services. Either go ahead and purchase VOIP number with Crypto or use things such as Yubi Key for-two factor authentication. E-mail Addresses: Probably the easiest, use several e-mails under different names for different purposes. Keep things separate! Stylometry: Is the application of the study of linguistic style. For example I can say 10% or 10 percent or ten percent. Each of these are different and can be used to mask your true identity. Also, when I wrote this post, I could have easily gone to some translation service and done this. Translate from English to Russian, Russian to Spanish, Spanish to Finnish, Finnish to English. This will tumble the text and make it very different(Styleometry wise) from what you originally wrote, you just have to spell-check it. Deception and lies: Not the kind youre expecting. So lets say youre Dread user and you want to mention a pet you have for making some point in a discussion. Now, it considered bad OPSEC to say Hey, I have a black cat!, instead say you have a white dog. That way you can still say my pet has done X, Y or Z. But without divulging actual Intel about you. Making such subtle changes to details is crucial if you want to stay hidden. Quote: Sun Tzu "Engage people with what they expect; it is what they are able to discern and confirms their projections. It settles them into predictable patterns of response, occupying their minds while you wait for the extraordinary moment that which they cannot anticipate."
Everything I said here is a type of misinformation in one way or another. Using these techniques makes you appear as several individuals instead of just one. But all of these wont help you if you dont make proper use of compartmentalization. 2.4 Compartmentalization Why is Qubes OS considered one of the most secure operating systems available today? Because it makes use of compartmentalization. Keeping things separate is probably the best way to avoid anyone from tracking you. What do I mean by that? Lets say you bought a burner phone and a SIM card, with cash, at location with no security cameras and you plan to use it as a trap-phone. You can safely assume that phone is anonymous as far as youre concerned. But, if you called your mother, spouse or child with that phone its instantly burnt. There is a log somewhere out there about that call and you can rest assured that its going to be found by law enforcement. Doesnt matter if youre a hacker, market admin, forum admin, regular user or just a privacy conscious individual, because this goes for everyone. Same way you dont tell youre family youre selling cocaine online, apply that to every aspect of your digital life. Quote: Sun Tzu "If your enemy is secure at all points, be prepared for him. If he is in superior strength, evade him. If your opponent is temperamental, seek to irritate him. Pretend to be weak, that he may grow arrogant. If he is taking his ease, give him no rest. If his forces are united, separate them. If sovereign and subject are in accord, put division between them. Attack him where he is unprepared, appear where you are not expected."
Another example of compartmentalization is this. We all know all kinds of people, from junkies to guys with PhD and even everything in-between. Everyone has a friend who they smoke weed with, friend they go out drinking with, friends who they can bring home to meet your parents, etc. This is how its done. Some things in life simply dont mix. So dont mix your online identities, because if you do, sooner or later they will be tied together and back to you.
2.5 Security is not convenient
As you could have deducted from everything I wrote, security is not convenient and you cant have it both ways. But applying these or similar patterns to your digital life will exponentially improve your operational security.
Keep in mind I havent even scratched the surface, but said enough to get you thinking on your own OPSEC. Evade single point of failure, enforce the usage of PGP when transmitting important information, use full-disk encryption, change your passwords on regular basis, dont mix crime and personal life, use open-source software opposed to closed-source and most important thing keep your fucking mouth shut!
Nobody needs to know what you have done, what are you going to do, where your stash-house is, how much money or drugs you have and so on. A wise man once said, A fish with its mouth closed never gets caught.
3 D.U.M.B.
This part is about physical operational security and you might wonder what does D.U.M.B. stand for? Its quite simple, Deep Underground Military Bases. I used the as a reference of impenetrable building that your OPSEC should be. Because, doesnt matter how good your digital OPSEC is if you physical is horrendous and vice versa.
Before I dive into this section anyone who has love for safe-cracking and lock-picking like me should definitely check out books written by Jayson Street called Dissecting the Hack: F0rb1dd3n Network and Dissecting the Hack: STARS (Security Threats Are Real) he does quite good job of explaining the importance of both digital and physical security and consequences disregarding any of the carries. Also, The Complete Book of Locks and Locksmithing, Seventh Edition and Master Locksmithing: An Experts Guide are fun reads filled with trove of information.
What is physical OPSEC (commonly referred to as analouge) and why is it so much important? Well, analouge OPSEC is like when youre using markets to order some drugs, you dont leave that device logged in, and unattended, you dont leave your doors unlocked when you leave the house, all of that is analouge OPSEC. People usually tend to disregard it as less important, but make no mistake its as important as digital one.
Just like in digital, I can only give you suggestions and make you think, as every situation and threat model is different.
Lets make an assumption youre a dealer, you dont do markets, prefer the old fashioned way. Ill list some advices you might find usable:
Dont talk too much where your safe-house is, how much weight you have, are you armed or not, etc. All of these things can be a reason why youll be abducted, tortured or killed.
Dont shit where you eat dont slang dope in your own hood. Thats just bad practice overall, move your business across town.
Dont be friends with clients you cant be friend with addicts. They can be one or another, not both. Because addicts will roll over and sing if theyre caught. Having an addict as a friend is a great way to ensure long vacation at any correctional facility worldwide.
Know when to give up this is probably the most important, if something feels wrong, thats because it probably is. Trust your gut, know that stepping back isnt always a bad thing. As Frank Lucas was told by his supplier; Giving up and giving up while youre ahead is not the same Frank.
Dont work with friend of a friend of a friend, theyre probably undercover cops.
Think ahead Always, and I mean always have an exit plan. Whether its a forged passport, 50k in cash and a ticket to some South African island that doesnt have an extradition treaty with anyone. Or down-payment of couple hundred thousands to the most expensive lawyer in the city. Just make sure you have a plan.
These are just several things, to keep an eye out for. There is literally tons of more advice for various professions, but if I keep this up, I wont get to post it in time. Just keep in mind that anything can be broken into, hacked, lock-picked or exploited.
3.1 Prime Examples of OPSEC fails
Lets talk about some OPSEC fails. Because, smart people learn from others mistakes not their own. Due to the fact that in lines of work on dark-net that might be your first and last one.
DreadPirateRoberts (Ross Ulbricht) was a revolutionary, extremely intelligent but not necessary smart at all. Among many stupid things he did are; using a miss configured CAPTCHA server extensive period of time, shipping contraband to his home address, advertising Silk Road on Shroomery using his own gmail address, befriending former undercover (corrupt) DEA agent (who later extorted him for money), keeping logs of all of his conversations and down to detail diary of this Silk Road adventures. But, the most fatal one was him not being aware of his surroundings. For the most part he operated Silk Road form the comfort of San Forensics Public Library, where he went wrong was sitting at a table with his back turned to the room. While two FBI agents staged a couple fighting, their colleagues swooped in from behind and grabbed the lap top before he could shut it off and trigger the encryption process. He basically documented all of his crimes among others so dont be DPR.
Shiny Flakes (German Vendor) 20 year old who created one of the biggest cocaine trafficking operations in Germany at the time. Police confiscated more than half a million in various currencies and ungodly amount of drugs, all stored in his bedroom. And his biggest OPSEC failure was he sent all his shipments from the same DHL outpost. He also stored everything in plain-text (orders, customers, financials, login credentials, etc.) on unencrypted drive.
Sabu (Hector Xavier Monsegur) LulzSEC forgot to use TOR to connect to IRC server monitored by FBI. They got his IP address from his ISP, one correlation attack later he was cuffed and gave up his friends in exchange for a plea deal. Dont be a snitch, own up to your fuck-ups.
nCux / BulbaCC / Track2 (Roman Seleznev, Russain Carder) among many stupid thing he did, was renting servers with e-mail address he used to open PayPal account, then used that PayPal to pay for his wifes flowers. But, thats not all. He travelled with his work laptop which contained hundreds of thousands credit cards, but thats not bad since he had encryption. Unfortunately, his password Ochko123 was guessed by law enforcement as it was the same on his e-mail I believe. So, dont carry your work when you travel, dont mix crime and love life, dont fucking re-use passwords. Dont be BulbaCC.
Willy Clock (Ryan Gustefson, Ugandan Counterfeiter) reused personal e-mail he used to apply for a US citizenship for a Face-book account he used to sell fake notes from. Also, uploaded his own picture to that account. I dont even have anything to say for this one.
FrecnhMaid aka nob (DEA Agent from DRP case) used his work laptop to extort Ross Ulbricht, you can guess how that went. Among other things he moved that money to bank accounts under his own name, in countries with non-strict banking secrecy laws. He got what was coming to him.
Alexandre Cazes (AlphaBay Admin) used personal e-mail address for AlphaBay password reset e-mails, kept all data stored in un-encrypted format on his device, hosted Alphabay servers in Quebec, Canada under his own name.
3.2 - Inevitable fuck up, Aftermath and Clean-up
This is the last chapter of this post touching the inevitable fuck up and what to do after. We are all human, which means sooner or later you will make a mistake. Will it be the end of you? It depends, but the main thing is knowing how to clean up your own mess.
Here is a recurring example of fuck up and how you may proceed afterwards, but keep in mind this is speculated situation and you must know I cant predict every possible outcome.
Controlled Delivery - is the situation when law enforcement seizes your order, but allow the post to go ahead with delivering your parcel in order to catch you in the act. Usually, to try and force you to flip. There are usually two outcomes to such situation, if you have couple of orders under your belt, its taking suspiciously long for the parcel to be delivered and it was stationed for days at the same place.
You can either not know, sign for the package and get busted within seconds. Or you can deny the receiving the package in which case they have nothing. Now, if you think its a controlled delivery the best course of action is to remove any evidence of such activity from your devices and your home. Because, you can be certain that address is burnt and so are you.
What do I mean by purging evidence? Good old data shredders are always the way to go, but if you had some critical information that must never fall in enemy hands, the best course of action is always getting rid of the SSD/HDD in question. First, shred the data (recommended is at least 7 passes), then shred the disk. Usually, burning it crisp will do the job. Its always best to destroy device so nobody can do forensics and dig up the data. Because no new shiny device (laptop, computer, hdd, ssd, etc.) is worth more than your freedom.
The point being, if something feels wrong its because it probably is! Be vigilant, dont order to your home address, play the game dont let the game play you.
.....1.1 Who am I
.....1.2 Definition of Operational Security
2 - Misinformation Warfare (Digital)
.....2.1 Ancient Misinformation
.....2.2 How are you being tracked
.....2.3 How to use misinformation in your favour
.....2.4 Compartmentalization
.....2.5 Security is not convenient
3 - D.U.M.B (Physical)
.....3.1 Prime Examples of OPSEC fails
.....3.2 Inevitable Fuck ups, Aftermath and Clean-up
1.1 - Who am I
"Im just another echo in the void."
1.2 - Definition of Operational Security
By definition operational security was derived from military term procedural security, originated as a term that described strategies to prevent potential adversaries from discovering critical operations-related data. Which is an analytical process that classifies information assets and determines the control required to provide these assets.
You might wonder why I choose to write about both physical and digital operational security? Simplest answer is theyre intertwined and cant be separated in my opinion. If you have one but not the other its just like you dont have any.
2 - Misinformation Warfare
2.1 - Ancient Misinformation
Since the dawn of men, misinformation has been used as weapon and the most effective on at that. If you are a book worm like me I suggest you read The Art of War by Sun Tzu, that book even after thousands of years since it was written has theories and practices that can be applied in the modern world. Why am I telling you this? Because we will kick this off with one of his quotes.
Quote: Sun Tzu
"All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near."
One of the most egregious examples of this takes us back to ancient Rome and to the very end of the Republic, when almost a century of civil war, chaos and political assassinations had led the Roman government to the brink of collapse. It was the time of the so-called Second Triumvirate. Around 2000 years ago, the Roman Republic was facing a civil war between Octavian, the adopted son of the great general Julius Caesar, and Mark Anthony, one of Caesars most trusted commanders. To win the war, Octavian knew he had to have the public on his side winning important battles helped, but if the people didnt like him, he would not be a successful ruler. To get public backing, Octavian launched a fake news war against Mark Anthony. He claimed Anthony, who was having an affair with Cleopatra, the Egyptian Queen, didnt respect traditional Roman values like faithfulness and respect. Octavian also said he was unfit to hold office because he was always drunk. Octavian got his message to the public through poetry and short, snappy slogans printed on to coins. Octavian eventually won the war and became the first Emperor of Rome, ruling for over 50 years. But, I digress so lets get back to what you came here for. Today its much easier to conduct misinformation warfare than 2000 years ago, obviously. Now, to skip history lessons and move to the modern era here is example of misinformation. Markets that want to conduct exit-scam will usually disable withdrawals due to some technical problems on their end meanwhile keeping deposits working while they siphon funds to some off-site wallet. 2.2 - How are you being tracked In dystopian society we live today, surveillance is major part of how governments keep the common folk in line. To understand how we can use misinformation against them we first must understand how are we being tracked. Entities that track us (government agencies, tech conglomerates and data mining companies) rely on you to leak little pieces of data which they use to profile you online and match the user-name to actual user. Its simple matter to match content in databases if there is some sort of index to the content. Most common pieces of data used to track you on clear-net and dark-net are: Names (both real and user-names)
IP addresses
Browser fingerprint
E-mail address
Location (exact or approximate)
Phone numbers
Date of birth (or any other PII)
Stylometry
Facial recognition
Its important to understand that just by using two elements out of all of these is enough for them to track you. So your job it to deny them from getting two pieces of real data if you wish to stay anonymous. 2.3 - How to use misinformation in your favour Okay, we know how were being tracked. Lets briefly talk about how can we use misinformation to make it much harder for these entities to track you. Names: Dont use your real name anywhere on the internet and avoid websites that require one. Rely on aliases, pseudo anonymous is better than being caught with your pants down. IP Address: Mask your IP address by using Tor, VPN, VPS, RDP or proxies. Depending on what youre actually doing you might want to combine some of these. The point being use whats at your disposal to make their lives harder. Browser fingerprint: This one is probably hardest to conceal if you are not tech-wizard. But, you can always use several browsers with different plug-ins to make it appear as if youre several persons. Phone Numbers: Stop linking your personal phone number to services such as instant messengers, social media applications and two-factor authentication on services. Either go ahead and purchase VOIP number with Crypto or use things such as Yubi Key for-two factor authentication. E-mail Addresses: Probably the easiest, use several e-mails under different names for different purposes. Keep things separate! Stylometry: Is the application of the study of linguistic style. For example I can say 10% or 10 percent or ten percent. Each of these are different and can be used to mask your true identity. Also, when I wrote this post, I could have easily gone to some translation service and done this. Translate from English to Russian, Russian to Spanish, Spanish to Finnish, Finnish to English. This will tumble the text and make it very different(Styleometry wise) from what you originally wrote, you just have to spell-check it. Deception and lies: Not the kind youre expecting. So lets say youre Dread user and you want to mention a pet you have for making some point in a discussion. Now, it considered bad OPSEC to say Hey, I have a black cat!, instead say you have a white dog. That way you can still say my pet has done X, Y or Z. But without divulging actual Intel about you. Making such subtle changes to details is crucial if you want to stay hidden. Quote: Sun Tzu "Engage people with what they expect; it is what they are able to discern and confirms their projections. It settles them into predictable patterns of response, occupying their minds while you wait for the extraordinary moment that which they cannot anticipate."
Everything I said here is a type of misinformation in one way or another. Using these techniques makes you appear as several individuals instead of just one. But all of these wont help you if you dont make proper use of compartmentalization. 2.4 Compartmentalization Why is Qubes OS considered one of the most secure operating systems available today? Because it makes use of compartmentalization. Keeping things separate is probably the best way to avoid anyone from tracking you. What do I mean by that? Lets say you bought a burner phone and a SIM card, with cash, at location with no security cameras and you plan to use it as a trap-phone. You can safely assume that phone is anonymous as far as youre concerned. But, if you called your mother, spouse or child with that phone its instantly burnt. There is a log somewhere out there about that call and you can rest assured that its going to be found by law enforcement. Doesnt matter if youre a hacker, market admin, forum admin, regular user or just a privacy conscious individual, because this goes for everyone. Same way you dont tell youre family youre selling cocaine online, apply that to every aspect of your digital life. Quote: Sun Tzu "If your enemy is secure at all points, be prepared for him. If he is in superior strength, evade him. If your opponent is temperamental, seek to irritate him. Pretend to be weak, that he may grow arrogant. If he is taking his ease, give him no rest. If his forces are united, separate them. If sovereign and subject are in accord, put division between them. Attack him where he is unprepared, appear where you are not expected."
Another example of compartmentalization is this. We all know all kinds of people, from junkies to guys with PhD and even everything in-between. Everyone has a friend who they smoke weed with, friend they go out drinking with, friends who they can bring home to meet your parents, etc. This is how its done. Some things in life simply dont mix. So dont mix your online identities, because if you do, sooner or later they will be tied together and back to you.
2.5 Security is not convenient
As you could have deducted from everything I wrote, security is not convenient and you cant have it both ways. But applying these or similar patterns to your digital life will exponentially improve your operational security.
Keep in mind I havent even scratched the surface, but said enough to get you thinking on your own OPSEC. Evade single point of failure, enforce the usage of PGP when transmitting important information, use full-disk encryption, change your passwords on regular basis, dont mix crime and personal life, use open-source software opposed to closed-source and most important thing keep your fucking mouth shut!
Nobody needs to know what you have done, what are you going to do, where your stash-house is, how much money or drugs you have and so on. A wise man once said, A fish with its mouth closed never gets caught.
3 D.U.M.B.
This part is about physical operational security and you might wonder what does D.U.M.B. stand for? Its quite simple, Deep Underground Military Bases. I used the as a reference of impenetrable building that your OPSEC should be. Because, doesnt matter how good your digital OPSEC is if you physical is horrendous and vice versa.
Before I dive into this section anyone who has love for safe-cracking and lock-picking like me should definitely check out books written by Jayson Street called Dissecting the Hack: F0rb1dd3n Network and Dissecting the Hack: STARS (Security Threats Are Real) he does quite good job of explaining the importance of both digital and physical security and consequences disregarding any of the carries. Also, The Complete Book of Locks and Locksmithing, Seventh Edition and Master Locksmithing: An Experts Guide are fun reads filled with trove of information.
What is physical OPSEC (commonly referred to as analouge) and why is it so much important? Well, analouge OPSEC is like when youre using markets to order some drugs, you dont leave that device logged in, and unattended, you dont leave your doors unlocked when you leave the house, all of that is analouge OPSEC. People usually tend to disregard it as less important, but make no mistake its as important as digital one.
Just like in digital, I can only give you suggestions and make you think, as every situation and threat model is different.
Lets make an assumption youre a dealer, you dont do markets, prefer the old fashioned way. Ill list some advices you might find usable:
Dont talk too much where your safe-house is, how much weight you have, are you armed or not, etc. All of these things can be a reason why youll be abducted, tortured or killed.
Dont shit where you eat dont slang dope in your own hood. Thats just bad practice overall, move your business across town.
Dont be friends with clients you cant be friend with addicts. They can be one or another, not both. Because addicts will roll over and sing if theyre caught. Having an addict as a friend is a great way to ensure long vacation at any correctional facility worldwide.
Know when to give up this is probably the most important, if something feels wrong, thats because it probably is. Trust your gut, know that stepping back isnt always a bad thing. As Frank Lucas was told by his supplier; Giving up and giving up while youre ahead is not the same Frank.
Dont work with friend of a friend of a friend, theyre probably undercover cops.
Think ahead Always, and I mean always have an exit plan. Whether its a forged passport, 50k in cash and a ticket to some South African island that doesnt have an extradition treaty with anyone. Or down-payment of couple hundred thousands to the most expensive lawyer in the city. Just make sure you have a plan.
These are just several things, to keep an eye out for. There is literally tons of more advice for various professions, but if I keep this up, I wont get to post it in time. Just keep in mind that anything can be broken into, hacked, lock-picked or exploited.
3.1 Prime Examples of OPSEC fails
Lets talk about some OPSEC fails. Because, smart people learn from others mistakes not their own. Due to the fact that in lines of work on dark-net that might be your first and last one.
DreadPirateRoberts (Ross Ulbricht) was a revolutionary, extremely intelligent but not necessary smart at all. Among many stupid things he did are; using a miss configured CAPTCHA server extensive period of time, shipping contraband to his home address, advertising Silk Road on Shroomery using his own gmail address, befriending former undercover (corrupt) DEA agent (who later extorted him for money), keeping logs of all of his conversations and down to detail diary of this Silk Road adventures. But, the most fatal one was him not being aware of his surroundings. For the most part he operated Silk Road form the comfort of San Forensics Public Library, where he went wrong was sitting at a table with his back turned to the room. While two FBI agents staged a couple fighting, their colleagues swooped in from behind and grabbed the lap top before he could shut it off and trigger the encryption process. He basically documented all of his crimes among others so dont be DPR.
Shiny Flakes (German Vendor) 20 year old who created one of the biggest cocaine trafficking operations in Germany at the time. Police confiscated more than half a million in various currencies and ungodly amount of drugs, all stored in his bedroom. And his biggest OPSEC failure was he sent all his shipments from the same DHL outpost. He also stored everything in plain-text (orders, customers, financials, login credentials, etc.) on unencrypted drive.
Sabu (Hector Xavier Monsegur) LulzSEC forgot to use TOR to connect to IRC server monitored by FBI. They got his IP address from his ISP, one correlation attack later he was cuffed and gave up his friends in exchange for a plea deal. Dont be a snitch, own up to your fuck-ups.
nCux / BulbaCC / Track2 (Roman Seleznev, Russain Carder) among many stupid thing he did, was renting servers with e-mail address he used to open PayPal account, then used that PayPal to pay for his wifes flowers. But, thats not all. He travelled with his work laptop which contained hundreds of thousands credit cards, but thats not bad since he had encryption. Unfortunately, his password Ochko123 was guessed by law enforcement as it was the same on his e-mail I believe. So, dont carry your work when you travel, dont mix crime and love life, dont fucking re-use passwords. Dont be BulbaCC.
Willy Clock (Ryan Gustefson, Ugandan Counterfeiter) reused personal e-mail he used to apply for a US citizenship for a Face-book account he used to sell fake notes from. Also, uploaded his own picture to that account. I dont even have anything to say for this one.
FrecnhMaid aka nob (DEA Agent from DRP case) used his work laptop to extort Ross Ulbricht, you can guess how that went. Among other things he moved that money to bank accounts under his own name, in countries with non-strict banking secrecy laws. He got what was coming to him.
Alexandre Cazes (AlphaBay Admin) used personal e-mail address for AlphaBay password reset e-mails, kept all data stored in un-encrypted format on his device, hosted Alphabay servers in Quebec, Canada under his own name.
3.2 - Inevitable fuck up, Aftermath and Clean-up
This is the last chapter of this post touching the inevitable fuck up and what to do after. We are all human, which means sooner or later you will make a mistake. Will it be the end of you? It depends, but the main thing is knowing how to clean up your own mess.
Here is a recurring example of fuck up and how you may proceed afterwards, but keep in mind this is speculated situation and you must know I cant predict every possible outcome.
Controlled Delivery - is the situation when law enforcement seizes your order, but allow the post to go ahead with delivering your parcel in order to catch you in the act. Usually, to try and force you to flip. There are usually two outcomes to such situation, if you have couple of orders under your belt, its taking suspiciously long for the parcel to be delivered and it was stationed for days at the same place.
You can either not know, sign for the package and get busted within seconds. Or you can deny the receiving the package in which case they have nothing. Now, if you think its a controlled delivery the best course of action is to remove any evidence of such activity from your devices and your home. Because, you can be certain that address is burnt and so are you.
What do I mean by purging evidence? Good old data shredders are always the way to go, but if you had some critical information that must never fall in enemy hands, the best course of action is always getting rid of the SSD/HDD in question. First, shred the data (recommended is at least 7 passes), then shred the disk. Usually, burning it crisp will do the job. Its always best to destroy device so nobody can do forensics and dig up the data. Because no new shiny device (laptop, computer, hdd, ssd, etc.) is worth more than your freedom.
The point being, if something feels wrong its because it probably is! Be vigilant, dont order to your home address, play the game dont let the game play you.
