Behind the Beard Lurked a Darknet Drug Lord, DEA Alleges

Behind the Beard Lurked a Darknet Drug Lord, DEA Alleges

Cybersecurity
,
Fraud

Agency Says It Traced Bitcoins From Vendor ‘Tip Jar’ to Frenchman Gal Vallerius

Behind the Beard Lurked a Darknet Drug Lord, DEA Alleges
Gal Vallerius. (Photo: Twitter)

A beard can disguise one’s identity, be it to bypass paparazzi or rob a bank. Of course, not all beards are bad. But behind the hirsute exterior of competitive beard-grower Gal Vallerius, there lurks a darknet drug lord, U.S. authorities allege.

See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach

The Drug Enforcement Agency has accused the 38-year-old Frenchman of sporting the decidedly nonGallic moniker “OxyMonster” and serving as an administrator and vendor on the darknet marketplace called Dream Market.

Vallerius was arrested on August 31 at Atlanta International Airport, while en route from his home in France to compete in the annual World Beard and Moustache Championships in Austin, Texas. He appeared earlier this month in federal court in Atlanta, where he did not contest his identity or detention.

On Sept. 15, Linda T. Walker, a federal magistrate judge in Atlanta, ordered Vallerius to be transferred to federal court in Miami, where he’ll face a conspiracy to distribute controlled substances charge that carries a maximum penalty of life imprisonment.

Vallerius’s attorney, John Lovell, could not be immediately reached for comment.

Vallerius allegedly distributed controlled substances from May 2015 until this past August, according to the DEA. It says the FBI, Internal Revenue Service, Homeland Security Investigations and the U.S. Postal Inspection Service also participated in the investigation.

At the time of his arrest, Vallerius was carrying a laptop, on which agents conducted a “border search” and found evidence confirming that he was “OxyMonster,” according to an Aug. 31 affidavit signed by DEA Special Agent Austin D. Love.

In addition, it says the laptop contained a copy of the Tor browser, “apparent login credentials for Dream Market,” plus $500,000 worth of bitcoins and a PGP encryption key named “OxyMonster” that matched the key used by the Dream Market vendor called OxyMonster.

“The Dream Market website is specifically designed to facilitate illegal commerce by working to ensure the anonymity of its administrators, as well as the buyers and sellers who participate in commerce on the website,” according to the DEA’s affidavit.

Darknet marketplaces function like illicit versions of eBay. “Sellers create accounts on Dream Market to advertise their products, such as narcotics or hacked computer passwords, and buyers create accounts to browse sellers’ products and purchase them,” according to Love’s affidavit.

Darknet sites, which carry a “.onion” address, are only reachable by using the Tor anonymizing browser. Like other darknet marketplaces, Dream Market uses cryptocurrency to attempt to disguise the identity of buyers and sellers. But while cryptocurrency is pseudo-anonymous, it does not automatically confer anonymity on buyers, especially when they attempt to convert cryptocurrency into cash.

Tumbling Services

Dream Market, however, allegedly also offers its own “tumbling” or “mixing” service, designed to blend and route multiple bitcoin transactions through a succession of accounts to try and make individual transactions more difficult to trace.

At the end of August, the DEA says there were more than 94,000 listings on Dream Market across the following categories:

  • Drugs (47,405 listings): Including subsections listing everything from opioids, ecstasy and cannabis to psychedelics, steroids and weight loss drugs;
  • Digital goods (41,394 listings): Including data, drugs, e-books, fraud, fraud-related goods, hacking, information, security and software;
  • Drug paraphernalia (456 listings);
  • Services (3,056 listings): Including subsections listing items under hacking, IDs and passports, money and cash out;
  • Other (2,383 listings): Including subsections for counterfeits, electronics, jewelry, lab supplies and defense.

Dream Market is the world’s second-largest darknet marketplace, after Russian-language darknet site RAMP, and followed in size by Silk Road 3.1, according to DeepDotWeb, a site that tracks the dark web.

While darknet marketplaces have long been popular, this summer’s international, coordinated law enforcement takedown of the world’s former two largest darknet marketplaces – AlphaBay and Hansa – has driven many users to rival sites, including Dream Market, according to authorities (see Police Seize World’s Two Largest Darknet Marketplaces).

Since early 2016, DEA agents have been making undercover narcotics buys off of Dream Market sellers – including sellers using the handles Digitalpossi2014, ReximumMaximus and MethForDummies – and receiving them via undercover mailboxes in Miami, according to the affidavit.

Like the Quebecois administrator of AlphaBay, Alexandre Cazes, who was found dead in his Thai jail cell after being arrested July 5, an administrator of Dream Market would have allegedly benefited from the commission charged by the site on the sale price of every item sold (see One Simple Error Led to AlphaBay Admin’s Downfall).

“Dream Market charges a commission from every transaction as a percentage of the sale price,” according to the DEA’s affidavit.

Follow the Bitcoins

“OxyMaster” was listed as being a “senior moderator” on Dream Market, and first registered a profile on the site in May 2015. In June, the DEA said his account was advertising “controlled substances OxyContin and Ritalin,” and “his profile stated that he ships from France to anywhere in Europe,” although a linked listing at TradeRoute – a way to purchase goods as well as leave cryptocurrency tips for vendors – said he also shipped to the United States.

“After observing the bitcoin ‘tip jar’ advertised by OxyMonster, agents conducted analysis of the incoming and outgoing transactions from that bitcoin address and learned that 15 out of 17 outgoing transactions from the OxyMonster tip jar went to multiple wallets controlled by French national Gal Vallerius on Localbitcoins.com,” a site that allows people to buy and sell bitcoins.

The DEA says its agents also found Instagram and Twitter accounts for Vallerius, and compared the writing style used on those services to posts from “OxyMaster” on Dream Market. “Agents discovered many similarities in the use of words and punctuation … including: the word ‘cheers,’ double exclamation marks, frequent use of quotation marks and intermittent French posts,” according to the affidavit.

Go to Source

No Comments

Sorry, the comment form is closed at this time.