Dark Web Forensics: The Chemsusa Case

When drug dealers operating over the dark web practice good operational security, it becomes almost impossible for federal investigators to find them. In order to access the dark web one has to use a program called Tor. Once on the Tor network, your real IP address is essentially hidden, enabling a higher level of privacy for the users. On the dark web, a web server is unable to see which IP address its visitors come from, and the usual ability to monitor site activity by source address is lost.

Due to the anonymity of the Tor network, the use of advanced encryption, the ubiquity of VPNs, and the fact that transactions are made using relatively untraceable cryptocurrencies like Bitcoin or Monero, buyers and sellers can operate within black markets with near immunity in the shadows of the deep web. As a result, it takes a serious forensic effort for authorities to track Bitcoin wallet transactions and analyze Tor exit nodes in order to link any of these illicit activities to an individual.

These marketplaces are massive in scale and predominantly feature drugs, firearms, child pornography, or hacker services. One of the first large dark web marketplaces was the Silk Road, created by Ross Ulbricht. He established this marketplace based on his extreme libertarian ideals, and users from around the world could purchase and sell illegal drugs on it.

In February 2015, a jury convicted Ross Ulbricht of drug trafficking (among other crimes) linked with his role in creating and operating the now infamous Silk Road. He was convicted and sentenced to life in prison without the possibility of parole.

One of the ways the government managed to link Ulbricht to his administrative role within the Silk Road operation was by monitoring IP address traffic from his home router. The government sought authorization to do so not with a warrant, but under the Electronic Communications Privacy Act, justified by what is known as the “third-party doctrine”. They employed what is known as a pen register to record Ulbricht’s outgoing data and a trap and trace device to collect incoming data (collectively known as a pen/trap). With the Silk Road taken down in 2013 and Ulbricht convicted in 2015, this case marked the beginning of the US Government putting considerable resources into pursuing dark web marketplaces and drug dealers.

After each dark market was shut down, others would show up to fill the void. After the Silk Road, there was AlphaBay. After AlphaBay came Dream Market and Wall Street Market. The rise in popularity of these dark markets is carefully followed by federal agencies like the FBI and DEA, which closely track these marketplaces and their users. It is commonplace for federal agents to operate undercover within these markets posing as buyers and vendors, using the anonymity of the dark web to their advantage.

In the following case, we will be looking at one of the more prolific vendors, who sold some of the most dangerous and addictive drugs: opioids.

The “Chemsusa” Case

Richard Castro, who often operated under the aliases “Chemsusa” or “Jagger109”, sold heavy opioids over the dark web for many years. He sold carfentanil, fentanyl, and fentanyl analogues to customers all over the United States on AlphaBay and Dream Market. On the Dream Market alone, Castro boasted of conducting over 3,200 transactions. Fentanyl is a powerful synthetic opioid that is 50 to 100 times more potent than morphine and is the most common drug involved in overdose deaths. It is common for fentanyl to be mixed into other drugs such as heroin, methamphetamine, or cocaine.

Just how potent is fentanyl? This is the drug which has claimed the lives of thousands of people due to overdose. It is the same drug that Prince and Tom Petty died from: a drug for which it is extremely difficult to tell how much is too much, and which is extremely easy to overdose on. Even the smallest pinch of fentanyl is lethal. As an example, the typical single dose of Advil contains 200mg of ibuprofen. The lethal dose of fentanyl is 1mg. Fentanyl is responsible for killing over 95,000 people in the last 5 years, or 60% of all opioid deaths. And what about the primary drug that Richard Castro, or “Chemsusa,” was selling, carfentanil? Carfentanil, a fentanyl analogue, is approximately 100 times stronger than fentanyl.

In June 2018, Castro informed his customers that he would be moving his business operations away from dark web marketplaces and would instead be conducting all transactions through encrypted e-mail (Protonmail). In order to gain access to the off-market e-mail address, customers would first need to pay a fee. Once the encrypted e-mail address was obtained, orders could be placed with Castro, and his associate, Luis Fernandez, would package and ship the narcotics on his behalf.

Fernandez managed the stash house, packaged all the narcotics, and shipped them using USPS from the New York City metroplex all throughout the United States. From November 2015 through March 2019, Castro and Fernandez operated in this way.

During his time on AlphaBay, Castro unwittingly made 5 sales to undercover agents. From these sales, law enforcement learned about a Bitcoin exchange where “Chemsusa” had an account. They linked one of Chemsusa’s e-mail addresses with the exchange account. Once Castro moved away from the dark web, undercover federal agents, posing as buyers, paid the fees ($104) required to gain access to Castro’s Protonmail address.

As law enforcement accumulated e-mail addresses associated with Castro, they were able to identify even more accounts at several different Bitcoin exchanges, some of which contained elements of Castro’s real identity. His regular use of the number ‘104’ in e-mail addresses and social media accounts, as well as in the fee to access his private shop, hinted at his birthday, April 10th, written in the European day/month format.

While Bitcoin transactions are relatively hard to trace, tracing them is not impossible. Each transaction is recorded on a public ledger, and although a wallet address carries no name, this ledger makes it possible to follow a trail. Knowing this, criminals operating on the dark web often use something called a “crypto-tumbler” (the Dream Market, where Castro operated for many years, provided this service for all its vendors). Crypto-tumblers are services which make many micro-transactions, mixing one’s coins with others’ to obscure the trail back to the funds’ original wallet.

Law enforcement used blockchain analysis software to track Castro’s cryptocurrency, which led them to identify 7 different Bitcoin wallets associated with him. While the specific software that law enforcement used is unknown, software created by Chainalysis (a company specializing in forensic analysis of virtual currency) was likely used. Software of this sort leverages machine learning to detect clusters of entities in the blockchain ledger.
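To make the clustering step concrete, here is an added example, written for this page and not the software law enforcement used, of the common-input-ownership heuristic that blockchain analysis tools apply: every address that signs an input of the same transaction is assumed to belong to one owner, and any payment out of that cluster to a known exchange deposit address is the pivot to a real identity. The ledger, the addresses and the EXCH_DEPOSIT_1 label are all constructed.

```python
# Added example (not from the original article): toy common-input-ownership
# clustering over a constructed ledger. Every txid, address and label is made up.
from collections import defaultdict

# Constructed sample ledger: each tx lists the addresses that signed its inputs
# and the addresses that received its outputs.
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": ["A1", "A2"], "outputs": ["B1", "A3"]},
    {"txid": "tx2", "inputs": ["A3", "A4"], "outputs": ["X1"]},
    {"txid": "tx3", "inputs": ["C1"], "outputs": ["C2"]},
    {"txid": "tx4", "inputs": ["A2"], "outputs": ["EXCH_DEPOSIT_1"]},  # hypothetical exchange address
]

class UnionFind:
    """Disjoint sets over address strings."""
    def __init__(self):
        self.parent = {}
    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path halving
            a = self.parent[a]
        return a
    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

def cluster_addresses(txs):
    """Common-input-ownership heuristic: all inputs of one tx are assumed to be
    controlled by the same key holder, so they are merged into one cluster.
    Outputs are NOT merged (a change-address heuristic would be a separate step).
    Returns {input_address: frozenset(cluster members)}."""
    uf = UnionFind()
    for tx in txs:
        ins = tx["inputs"]
        uf.find(ins[0])  # register single-input addresses as their own cluster
        for addr in ins[1:]:
            uf.union(ins[0], addr)
    groups = defaultdict(set)
    for addr in uf.parent:
        groups[uf.find(addr)].add(addr)
    return {addr: frozenset(groups[uf.find(addr)]) for addr in uf.parent}

def cluster_payees(txs, clusters, seed):
    """Addresses that received funds spent from the seed's cluster, i.e. the
    counterparties (exchanges, brokers) an investigator could serve with legal process."""
    members = clusters.get(seed, frozenset({seed}))
    return sorted({o for tx in txs if set(tx["inputs"]) & members for o in tx["outputs"]})
```

Running `cluster_payees(SAMPLE_TXS, cluster_addresses(SAMPLE_TXS), "A1")` shows that a coin first seen at A1 reaches EXCH_DEPOSIT_1 through the co-spent address A2, while A3 stays in a separate cluster because only inputs are merged.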

With the assistance of their blockchain analysis software, law enforcement learned that Castro had purchased gold from an online broker using his real name and paid with Bitcoin from one of the exchange accounts they were following. When questioned, the online gold broker provided Castro’s personal e-mail address that he had used with them (which was not an encrypted Protonmail address).

Law enforcement obtained a warrant authorizing access to the contents of this personal e-mail address and discovered a trove of incriminating e-mails. In addition, a court order authorized the use of a pen/trap device at Castro’s ISP, where they successfully monitored his Internet activity, further incriminating him and providing the evidence needed to later convict him.

Castro’s associate, Luis Fernandez, was tracked down by analyzing packages containing the purchased narcotics. Law enforcement managed to identify him using surveillance cameras at the post offices from which these packages originated.

In mid-March 2019, law enforcement arrested both Castro and Fernandez. They searched Fernandez’s residence in the Bronx, NY and found: (1) mailing labels similar to those found on packages connected to the narcotics shipments, (2) lists of addresses of customers who had received packages, and (3) approximately 78 grams of fentanyl analogues and over 300 grams of U-47700 (an opioid analgesic that is 7.5 times more potent than morphine) (Department of Justice, 2019).

Richard Castro pled guilty to one count of conspiracy to distribute and possess with the intent to distribute three controlled substances: carfentanil, phenyl fentanyl, and fentanyl. Castro agreed to forfeit more than $4 million in criminal proceeds. His sentence has not yet been determined, but he faces a minimum of 10 years.

Luis Fernandez was convicted and sentenced to 151 months in prison for his role in distributing these substances. Fernandez was ordered to forfeit $269,623 in narcotics proceeds. In imposing his sentence, the Court stated that Fernandez played a critical role in the conspiracy and that he was responsible for “shipping death” to hundreds of customers around the US. 

Closing thoughts

There is a lot of criminal activity that takes place on the dark web: drug trafficking, buying and selling personally identifiable information (ranging from credit card numbers to social security numbers), hacking tools (e.g. Botnets as a Service), and child pornography. Due to the nature of the dark web and the inherent anonymity of those who use it, law enforcement and cyber threat intelligence analysts must put considerable effort into dark web forensics and investigations if they wish to catch criminals. Black markets on the dark web seem to be ever increasing, and investigative techniques must improve alongside them.

In the case of Chemsusa, we have looked at only a handful of the investigative techniques commonly used by law enforcement: penetrating black markets as undercover buyers, blockchain forensic analysis, e-mail fingerprinting of Mr. Castro, and ultimately investigating the postal system and using its surveillance system to track down his associate, Mr. Fernandez. In addition to these techniques, we can assume that law enforcement used many different forensic tools for crawling the dark web to collect pertinent information.