Wojciech

@woj_ciech

OSINT investigation based on GAO report about firearm sales in Dark Web + Bitcoin tracking with…

TL;DR Introduction

In November, last year, GAO (Government Accountability Office) and ATF (The Bureau of Alcohol, Tobacco, Firearms and Explosives) released report about firearm sales in Internet. Investigation has consisted of covered attempts to purchase a weapon on Surface Web and Dark Web. 2 of 7 attempts on Dark Web were successful. Based on different OSINT techniques, I was trying to find in which marketplace agents bought guns and track the transaction if possible. Spoiler alert — I think it’s not possible.

Photo by Jens Lelie on Unsplash

I really encourge you to read whole report, I’ve learned a lot of interesting things reading it.

https://www.gao.gov/assets/690/688535.pdf https://www.gao.gov/products/GAO-18-24

If you want to see how real trade in Dark Web looks like, read this article from Sam Biddle.

OSINT overview of the report

All of 72 tries on Surface Web have ended with agent’s empty hands. Because of different law obligations, no vendor agreed to sell illegally firearms to covered agents.

Let’s look what can we gather about Dark Web investigation, which can be helpful in further targeting.

  • When?
ATF Enforcement Efforts and Outcomes of GAO Covert Testing — page 3

Report states as above, but doesn’t point how much time was allocate for each task — Surface Web and Dark Web.

  • What?
ATF Enforcement Efforts and Outcomes of GAO Covert Testing — page 19

First weapon was semi automatic AR-15 and description mentions obliterated serial number and method of shipping.

ATF Enforcement Efforts and Outcomes of GAO Covert Testing — page 20

In this case, we can learn that purchased weapon was Israeli-made and was wrongly advertised. No words about serial number this time.

  • Where?
ATF Enforcement Efforts and Outcomes of GAO Covert Testing — page 19

Of course, there are no names of the markets. Only marketplaces and online auctions are mentioned by word. Having this information, we are sure that agents didn’t try to buy firearms on some forums or chans. Also second sentence is very interesting, ATF say that it’s impossible to track any individual on Dark Web and it’s designed to facilitate criminal activity.

  • How much money?

Numbers weren’t disclosed in any form as well as used cryptocurrency. I’m pretty sure that most popular cryptocurrency was used — Bitcoin. Only one mention about bitcoin refers to knowledge, which ATF analyst should be familiar with.

ATF Enforcement Efforts and Outcomes of GAO Covert Testing — page 15

Overview of the Dark Web markets

According the report, marketplaces and online auctions were used in order to purchase a firearm. Additionally it points to Dark Web websites which, I suppose, refer to standalone shops offering firearms and maybe other products like drugs. These websites are often consider as a scam but here we have confirmation from ATF.

ATF Enforcement Efforts and Outcomes of GAO Covert Testing — page 19

It’s worth to remind that only 2 of 7 attempts were successful. Remaining 5 have ended with a scam, but no information if money was remitted to vendor, or if agents were sure that product won’t be shipped and ended transaction.

ATF Enforcement Efforts and Outcomes of GAO Covert Testing — page 22

There are lot of markets over which everybody speculate if it’s a scam. In addition they have one public bitcoin address, but more about it later.

Second places where agents tried their luck were online auctions. It’s like an Ebay in Dark Web, you can register, become a seller and you are ready to go. Fairly system of feedbacks can easily exclude any scam there. The most popular Markets right now are DreamMarket, Tochka or Wall Street. In these types of markets you can get support, contact with seller or even open a dispute. Not only feedbacks decide if vendor can be trusted, additionally he should accept escrow payments.

Not on every marketplace gun trade is allowed, everything has started from Silk Road 1.0, where selling firearms was normality first but after some time admins decided to exclude it because of high risk and hence attention from law enforcement. Every market has their own terms and conditions, which states what is permitted to trade.

Left — Tochka (Point) Right — Serpent Market
Dream Market

Olympus Market, Wall Street, Majestic also banned weapons.

From top markets, following ones allow gun trades:

  • Berlusconi
  • Valhalla
  • Empire

So, I decided to look what they have and compare it to what ATF has bought.

Tracking an auction

Since we have excluded markets that don’t allow guns we can go deeper into other ones. I can assume that transaction was done in one (or more) of these marketplaces. Every market has different offers but on every of them I was able to find AR-15 or UZI, which more or less fits with ATF description.

Berlusconi and Valhalla have the biggest assortment, from tasers or grenades to golden AK-47. On Empire you can buy some guides and tutorials about firearms but I saw couple auctions with UZI or AR-15 as well. ATF in their report didn’t disclose any details regarding purchased guns, I had only one hint about UZI, which definitely was Israeli-made. So I started to browse hundreds of auctions to check for any similarities with ATF description, and what obvious, if someone sells any Israeli-made firearm. I was able to identify exactly this same model of UZI.

UZI auction on one of the marketplaces

With description very similar to what ATF claimed to buy.

Description matches AFT purchase

One different thing comparing to ATF purchase is that description here states, it is semi automatic. ATF reported that firearm was advertised as a fully automatic. It’s worth to highlight that, it is from Israel Military Industries indeed and has known serial number. In description of AR-15, report mentions about obliterated serial number but in UZI case it doesn’t, so I can assume that this serial number was given. Hovewer, this can be easily overthrow because vendor was registered at the beginning of this year, so he couldn’t sell any guns in specified timestamp, but he could migrate from another market, however no mentions about this on his account.

Based on this, I wouldn’t risk to say that ATF bought firearm from this vendor or someone connected to him, even looking at origin of the gun but he was the only one vendor, I could track, which sells Israeli weapons. I realize that it’s poor evidence of connecting ATF to this particular vendor but it’s only one that I’ve found based on description in the report.

I found also plenty of AR-15 but it was impossible to track or even suspect auction that was used by Bureau.

Tracking transaction

As previously said, there are two kind of places, where ATF could buy a firearm. First way, on markets like Berlusconi, Empire or Valhalla. It’s hard to be there scammed because most of the trusted sellers accept escrow payments. Different things happen on standalone markets, which are recognized as a scam by ATF — figure.

There is very subtle difference between Dark Web websites and Dark Web markets. Word „Websites” refers, in my opinion, to markets, which has it’s own websites instead of trading on auctions on Berlusconi, for instance. I found dozen of this kind of pages, some of them have one bitcoin address and we all know that BTC transactions are visible to everyone. Additionally, I suppose, they accept only FE (finalize-early) payments. I’ve gathered couple of BTC addresses of Dark Web websites, which allegedly sell firearms and wrote script for scanning incoming transactions.

I just wanted to check if someone really transferred proper amount of BTC in order to buy a firearm from these vendors. Of course I couldn’t trace transaction that was made by ATF from lot of reasons:

  • Report says about scam, but not precises if money was remitted or agents resigned,
  • Dark Web websites were not given so as bitcoin wallets, it wouldn’t have to be published on site,
  • Even if someone transferred money, it’s almost impossible to track wallet’s owner identity.

Of course, there are couple ways to deanonimyze bitcoin owners and one of them is by looking for pattern in transactions. Additionally websites like bitcoinwhoswho.com can help in further investigation, if one identity is known or publicly accessible, it’s possible to go deeper into other wallets and finally, with lot of luck, sometimes more conclusion can be drawn. It’s very time and resources consuming. Here you can read more about tracing and making connections in investigation.

I was wondering how could ATF’s wallet looked like when they made transaction. I suppose it had small amount of transactions and only one was used in whole investigation. Armed with this information, I gathered couple bitcoin addresses of popular Dark Web websites, which sell a firearms, and looked for payment from wallet with little transactions. Also, if only one wallet was used it would be repeated across sellers’ wallets.

Wallet watcher

I stumbled across this script, from automatingosint.com which is really good but it wasn’t exactly what I was looking for. So I decided to wrote my own small tool which detects all incoming transactions based on timestamp (hours). If we don’t know the day, month or even year of payment, we can go into details and look for specific hours like 9 AM to 5 PM. Script also retrieves information like total balance, sent and received money, first and last transaction. Additionally prices of payments are shown in USD at the time of being transferred thanks to historical data from Coindesk. Hovewer, API shares price once per day, not in specified hours, so accuracy may be little wrong. Another APIs which are used are blockchain.com and blockonomics.io.

I used it against my colleted wallets, exported results to json and then looking for any leads. I was paying attention if any of wallets repeats in vendors’ wallets or if any payment was made from 9AM to 5PM. Also transfers of exact amount of money as stated in firearm offers was on my watch list.

There are plenty of possibility to develop, for example, monitoring outgoing transactions, filtering based on specified period of time or based on paid bitcoins.

More technical details on github

Console output

Example addresses are random and not related to article.

Conclusion

Goals of this article were to increase awareness of firearm sales by sharing GAO report (which wasn’t so popular) and also how to handle very basics of bitcoin tracking and OSINT investigation. At the end of the article, I think my investigation failed in 99%, because one common thing that I found was Israeli-made UZI on Berlusconi market. Even at the beginning I knew I it can’t succeed but I hope I shed some light on simple OSINT stuff, bitcoin tracking and firearm sales in Dark Web.

Used tools:

More by Wojciech

Topics of interest

More Related Stories