Welcome to our IRS presentation, "Understanding the Basics of the Dark Web." We're glad you're joining us. My name is Philip Yamalis. That's the name tied to the face on this slide. I am a stakeholder liaison at the Internal Revenue Service, and it is my pleasure to be your moderator for today's web conference. Ladies and gentlemen, today's web conference will last 120 minutes. Before we begin this presentation, I'd like to ask that if you are with the media, to please send us an email message at the address provided on this slide. That address is SBSE.SL.Web.Conference.Team@iRS.gov. In your email, please include your contact information and the news publication that you're with. Our team of media relations specialists or stakeholder liaison staff can assist or answer any questions that you might have. So, here we go. This slide, again, gives you some information if you have technology problems today. Let me highlight a few, because it could happen to you. Again, audio for today's webcast will be available through your computer speakers only. Technical help document is available to you if you have problems. And I'm going to tell you how to access that on the next slide. If you don't have the gear icon that you see on this slide, use a different browser to launch and view the web conference. Here are some instructions to select the flash instead of HLS. You might have received today's materials in a reminder email. If not, no worries. You can download the PowerPoint in PDF format, as well as the technical help document that I referred to. This can assist you if you experience technology issues, you'll have both right in front of you. To download, click on the materials button on the left side of your screen. Now, if you've done everything that you can and you're still having trouble hearing the audio through your computer speakers, I'm glad to tell you that closed captioning is available once the presentation begins. 
Click CC button on the left side of your screen to access it, and then you don't have to worry if you can't hear me.

You'll be able to read what I'm saying, or what our presenter is saying. If you have topic-specific questions for us today, please submit them by clicking on the "Ask Question" button on the left side of your screen. Many of you got to practice using this feature during our chatting session, and we appreciate that. Now, if you have a question during the web conference, please enter it in the text box, and then simply click submit. Please, please, please do not enter any sensitive or taxpayer specific information. We can't stress that enough. Most likely, the presentation content will cover your questions, so we ask that you wait for your specific topic to be addressed before submitting your question. And as you can see, we pull from those questions throughout the conference, so ask them -- feel free to ask those questions as you need to. Now, we may not be able to answer all the questions submitted during this web conference, but we will answer as many of them as we have time for, and we have some time built in. We really do appreciate the questions you asked us, because they certainly help us ensure that we have relevant information on IRS.gov for you. Finally, we're going to take a few breaks during the presentation to share some knowledge-based questions with you. At those times, a polling feature will pop up on the screen with a question and some multiple-choice answers. You should select the response that you believe is correct by clicking the radio button next to your selection, and then simply click submit. As a note, you might need to turn off your pop-up blocker, pop up blocker, to receive these questions. So, if you're not seeing the questions when I ask them, simply get in there and turn off your pop-up blocker. If you do not get the pop-up box for responding, then you can enter your response timely in the Ask Question feature so that we can track your participation. Okay, folks. 
Now it is certainly my pleasure to introduce our presenter for today's web conference, Mr. James Daniels. James is a special agent in the IRS criminal investigation division. He's been a special agent since 1995. During this time, he conducted complex financial investigations involving tax evasion, bank secrecy, structuring, money laundering, narcotics, identity theft, and cybercrimes. And folks that's not all. He's also conducted various complex fraud investigations, including tax, healthcare, bank investigations, bankruptcy, wire and mail fraud. James is the current program manager for cybercrimes in the IRS criminal investigation division, and he's responsible for the program areas not only with virtual currency, but today's topic, the Dark Web. Jim, let me turn it over to you. Looking forward to a great presentation once again.

JAMES DANIELS: Thank you very much, and thank you for having me here today. I will mention at first that we will have time in the Q&A later to answer questions regarding virtual currency that I think were left unanswered in the first presentation, so we should have time at the end for that. All right. So we're going to jump into and start talking about the Deep and the Dark Web. This graphic here shows kind of a representation of what's out there in terms of the Internet. And quickly, what this shows is that the Surface Web, which is the place that most people are used to and go majority of the time is at the very top. Down below with Deep Web, in order to gain access to that, these are private databases and password protected sites. Within the Deep Web, we've got the Dark Web, which is only accessible via special software; and is intentionally hidden and anonymous. So let's dive into each one of these a little bit more. So, the Surface Web. This is accessible via normal browsers that you're used to. Explorer, Firefox, Chrome. And they're the normal websites you go to. Google, Yahoo, Facebook, those kind of places.
It's been part of the worldwide web since the first browser was introduced in 1990 and it's a thing most people are familiar with. Anything you can discover through your Internet browser using any of the main search engines is what you get access to. This is where you read about the news, buy something on Amazon, or visit any of your daily sites. It's also an area of the web that's under constant surveillance by governments across the world.

Everyone has access to the Surface Web. There's nothing there that's protected. The interesting note is this only makes up 5% of the total Internet content that exists today.

Estimates suggest the Deep Web could be anywhere from 500 to 5,000 times larger. In perspective, there are roughly 20 terabytes of data and roughly one billion documents on the Surface Web, compared to 7,500 terabytes of discovered data and almost 6 billion discovered documents in the Deep Web. So, let's talk about the Deep Web. The Deep Web is part of the web at its conception. In its basic terms, it's an opposite of the surface as it has anything that search engines cannot find. The key difference between the two in real data terms, sites on the surface in it are indexed for search engines to find, like Google. But the Deep Web is not indexed.

However, both are accessible by the public; they just require different methods to access them.

Usually, a specific password, encrypted browser, or a set of log-in details. The Deep Web contains the Dark Web, and it isn't as bad as it sounds. But without it, we wouldn't be able to use the Internet as we do today. The Deep Web contains all of our medical records, financial records, social media files, and plenty of other information we want to and need to keep secure. It is this need to keep files that gave a rise to the need to keep a portion of the web secure and away from the, quote unquote, Googled at the whim of anybody at any time. A good example is when you have to either generate a PIN number or have memorable information to enter across bank accounts often online. This information is stored in the Deep Web, and you have to use details like passwords and those kinds of things to allow you special access. But as you can see it, and you do still have access to the Deep Web, and it isn't that entirely illicit dangerous part of the web that it's often confused with. Which is what the Dark Web is. So the Dark Web is part of the Deep Web. But its major difference is that it has been intentionally hidden and is inaccessible to normal web browsers. The technology to create the Dark Web was initially created and is still funded by the U.S. military researchers since the mid 1990s. And the reason was, it was to allow spies and intelligence agencies to anonymously send and receive messages.

It's named The Onion Router, and was quickly coined the shorter term Tor, T-O-R, with its name coming from the application layer encryption within a communication protocol stack. Basically, it represents layers of an onion in terms of encryption. If the military unit built it, why is it accessible to anyone with the right tools? Well, the strategy was to release the Tor into the public domain with simple logic. You can't hide messages if there's nothing to hide them behind. Therefore, if more people have access to send anonymous messages, it's harder to find -- for counterintelligence agencies to discover these messages.

So the government opened it up to allow others to use it so they could use it to send messages back and forth, things that they didn't want governments to know or other people to know.

Another perceived benefit was to help people in nations where they seemed to be oppressed.

With impossible freedom of speech laws to allow the voices freely where they cannot be tracked and punished. A good idea in theory. However, it has been primarily filled with crime and the ability to find these criminals is extremely difficult. Which is what the entire process and point of the Tor project was, was to make it impossible to find who's communicating out there.

Let's take a look at the usage of the Dark Web from a global perspective. As you noticed in the graphic here, there are a lot of numbers of people using it in European countries and in Asia.

And it doesn't necessarily represent that this is where crime is occurring or those kind of things, but basically, this is just a representation of the users accessing the anonymous Internet that we're going to talk about today being the Dark Web. Now, one of the things I want to talk about is what kind of services or what is out there on the Dark Web? And one of the big things, just like most things on the Internet, is pornography. But, in this case with the Dark Web and it being anonymous, unfortunately, we see a lot of child pornography out there, and child exploitation. It's done out here because of the anonymity of the Dark Web, because it's difficult to find and track these people. The other thing we have is pharmaceuticals. People will end up selling extra medication that they've got out on the Dark Web, and doctors will end up selling medication that they get access to at a significant profit. People who aren't allowed to buy weapons or want to buy weapons that aren't necessarily allowed where they're at, this is where they can get them. There are blogs out there that talk about how to commit crimes. The blogs that go through and talk about ways to commit fraud, ways to commit identity theft, and even how to steal from the government, how to file false tax returns, and even commit other violations. There are financial fraud sites that specifically go through and show users how to go through and look for identifying information on people, and a system in exploiting the financial industry. There's a significant amount of drugs that can be purchased out on the Dark Web. Fake documentation services where you can get passports created and/or driver's license information created. There are carding sites where you can take credit card information and have them encoded onto new cards, or get access to other people's account information. So, why don't we go ahead and do our first polling question.

PHILIP YAMALIS: That sounds good to me there, James.
Our first polling question is: What type of activities occur on the Dark Web? Okay. What do you think the correct answer is? Is it A, drug sales. B, weapons sales. C, money laundering. D, all of the above. I think we're going to get 100% correct here. Let's take a minute, click on the radio button you believe most closely answers this question. What do you think the correct answer is? Is it: A, drug sales B, weapon sales C, money laundering or D, all of the above Take a few more seconds here. Okay, let's stop the polling now.

Share the correct answer on the next slide. And the correct answer is -- drum roll, please -- there it is. D, all of the above. Drugs, weapon sales, money laundering, as many of those that occurred on that slide that Jim gave us, all occur on the Dark Web. Well, 95% of you responded correctly, so, James, let me turn it back to you.

JAMES DANIELS: All right. Sounds good. So the question is, how do people access the Dark Web? Well, actually, it's not very difficult to do. It requires special software that needs to be run on your computer, and one of the ways you can do it is a software by the name of Tor, which is free software enabling anonymous communication. The name is derived from the acronym of the original software project called The Onion Router. Another component to use with this is a software program called Tails, which relies on the Tor anonymity network to protect your privacy online. All the software is configured to connect to the Internet through Tor. If an application tries to connect to the Internet directly, the connection is automatically blocked for security. This is one of the things that Tails provides for you. Tor is an open and distributed network that helps defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security. So it's specifically designed to anonymize your communication and it's specifically designed to stop others from attempting to find out what you're sending out to the Internet. Tor protects you by bouncing your communications around a network of relays, which we'll talk a little bit more about in a minute. But it prevents somebody from watching your Internet connection and learning what sites you visit. And prevents the sites you visit from learning about your physical location.

With the Tor, you can be anonymous by hiding your location. You can connect to services that would be considered censored otherwise. You can also resist attacks that block the usage of Tor using circumventing tools such as bridges. To learn more about Tor, you can go to their official website. Tor can be downloaded and installed by anyone. It is free. One of the ways that people use this in conjunction, Tails and Tor, basically allows them to install all of these software tools onto a single thumb drive, which then effectively leverages your computer to not route any of the information to your hard drive and hides and secures who you are. This is just another level of security that can be done. Now with this, all of these things that I've talked about, none of this protects you from malware or ransomware. It just stops the identification of the communication that you're doing, not preventing the potential malicious code and/or viruses to your computer.

So, how does Tor work? Tor connects directly to the Internet through a free worldwide volunteer overlay network that consists of more than 7,000 relays to conceal users' location. The intent of Tor's use is to protect the personal privacy of their users. Tor does not prevent an online service from determining when it's being accessed through the Tor, but it protects users' privacy. But it does not hide the fact that someone is using Tor. Some websites restrict allowances through Tor. There are several websites that will block connections from Tor.

Onion routing is implemented by encryption in the application layer of the communication protocol stack. Nested like layers of an onion, Tor encrypts the data, including the next node destination IP address. Multiple times it sends it through a virtual circuit comprising of successive random selection Tor relays. Each relay decrypts a layer of the encryption to reveal the next relay to go to. The final relay decrypts the most inner relay, and then sends the original data to its destination without revealing or knowing the source of the original IP address. Because the routing of the communication is partly concealed, at every hop in the Tor circuit, the method eliminates any single point at which the communication peers can be determined through network surveillance that relies upon knowing its source and destination. And these Tor nodes that are out there are just volunteer computers. Once you install Tor onto your computer, you can decide if you want to become part of the Tor network and make your computer a Tor node. Because IP addresses of the sender and recipient are not both in clear text at any hop along the way, anyone eavesdropping at any point along the communications channel cannot directly identify both ends. Furthermore, to the recipient, it appears that the last Tor node, called the exit node, rather than the sender, is the originator of the communication. So in our example here, with Alice sending this information, Jane believes it's coming from the last computer and has no knowledge of Alice. This allows Alice to be secure in her communication. Now, you can use this communication not just to get to the Dark Web, but it can also be used to just go to the surface websites as well. So if you wanted to conceal where you were coming from to do searches, through Google or through other websites, then you could use Tor to conceal where you're coming from. Now, it does make your communication slower, so it's not as fast as your normal Internet.
But, again, depending upon the level of security you want to use, this is one potential way to do it. So let's look a little bit more into the Tor browser itself. When you open up the Tor browser. It is based upon Mozilla's Firefox, and is preconfigured to protect your anonymity. It does this through plug-ins that it uses directly for Firefox. Now again it does not protect your computer from malware or viruses or anything like that. Once you open up the Tor, you can click on the link shown here, and then that will take you and open up and show you what your IP address appears to be. Now, on this slide, your IP address is shown in the middle. I've got it circled in red. If you were to open up a browser that was not using Tor, this IP address would be different. Again, this is important if you're attempting to conceal where you're at or where you're trying to communicate from. A good example would be, you know, you coming from a different address, house address, than the one that you actually live at. You can say one, but you're actually at another. It just allows another relayed node in between. So then that way, whatever website you go to, this is where it will appear to be coming from, even though you aren't actually coming from that location. Now, in the upper corner, there is a little onion, part of this Tor browser. If you click on that, that will actually take you to the notification of where your relays are going. And on here, you can see that the browser is connecting through three different hops. One goes through France, then through Germany, and then through the United States. So these are the connection Tor nodes that you're actually hitting when you're going through this particular Tor connection. Now, this one here, if I was attempting to make it look like I was coming from the United States would be the one that I would want.
But if I did not want this particular communication link to make it look like I was coming from the U.S., I could click on the very top where it says new identity, and it would give me three brand-new Tor nodes that I would go through. And I can keep clicking that as many times as I want to get the actual connection that I want. You can also close down this software itself and reopen it, and that would give you a new connection as well. So depending upon the level of security that you're looking for would depend upon how often you would redo this identity. And I think we've got another polling question.

PHILIP YAMALIS: Yeah. This is -- I think you're right. So, okay, audience, I hope you're ready. I know we got a little bit of panic after the first one. It seems like something is going on with the system that caused some of our participants to get an error message when submitting their poll responses. So, I want to let you know that as long as you submit the response through the Ask Question feature, you're good. So if you get that error, just send your response through the Ask Question feature. So, here's our second polling question. Is the Dark Web -- or the Dark Web can be accessed through which web browser? What do you think is the correct answer? Is it: A, Chrome B, Firefox C, Tor or D, Explorer Take a minute, click on the radio button. If you click the radio button and you submit it and you get an error message, just simply put your answer in the Ask Question feature. Think the correct answer is A. Chrome, B. Firefox, C. Tor, or D. Explorer. I'll give you a couple extra seconds just in case there's that error. Okay. We'll stop the polling now. Let's share the correct answer on the next slide. There it is. The correct response is C, Tor. And I'm seeing that 76% of you responded correctly. Maybe that could be because of the errors we're receiving. Jim, just in case, why don't we clarify that a little bit and explain why Tor would be the web browser that we use.
JAMES DANIELS: Correct. So, Tor is the component of the web browser that you actually need to use itself. Firefox is the software that it sits on top of. Chrome and Explorer are just normal web browsers that do not allow access to the Dark Web. So if you don't have Tor, then you can't get access to the Dark Web based on this answer. Now, there are a couple other pieces of software that do the same thing that Tor does, but in this particular example, Tor would be the correct answer.

PHILIP YAMALIS: So if I'm petrified of the Dark Web and I've got Chrome and Explorer on my computer, I don't really have to worry about accessing the Dark Web because I'm not going to be able to put Tor on there, unless I use that special software.

JAMES DANIELS: Correct. If you don't have the special software, you can't get to the Dark Web. Kind of like if you've got Microsoft Word document. If you don't have Word, you can't open it. Now, you may have another piece of software, maybe Google has a piece of software that can open up a Word document or Office can open it up, but you have the right software in order to get to it.

PHILIP YAMALIS: Got it. Why don't we continue and talk about searching the Dark Web.

JAMES DANIELS: All right. So, getting into the Dark Web and actually looking around, you have to go to something other than Google. And there are a couple of websites that are out there, and I say websites, these are dark websites, that you would go to. And one distinction, you know whether you're on a dark website or a regular website would be the address of the website itself. The .onion at the very end distinguishes a dark website from a regular website. Normal websites have on a .com, .org, .info, etc. Dark net websites have a .onion address and again that onion is for that layer of that encryption.

That's what it's referencing in terms of the onion layers. So in here, you've got the Onion URL Repository. And basically, it's a massive index of over a billion page results and it doesn't have a limitation on the type of information it holds. Another one would be the Uncensored Hidden Wiki sites. Again, this is another website that has an uncensored collection of links and articles over the site's history, and they've included links to information on criminal activities from drugs to child pornography. There are still links to graphic content and illegal sites can be found on there. The NotEvil website is a search engine that allows users to skip over any ads or any other information and specifically get to what they're looking for and kind of acts like and mimics Google. ParaZite is another search engine that works on the Deep Web. It has basic useful features to allow people to get around. Now, one question usually comes up, why is the Deep Web search not available from Google? Well, the primary reason is Google doesn't provide Deep Web content, in that this content is not indexed with regular search engines. Hence, search engines will not show the results, or crawl to a document or file, which is unindexed by the worldwide web. The content lies behind HTML forms, which is the basic storage mechanism of web pages. Regular search engines crawl and searches are derived from the interconnected servers that they have access to. And again, only 4 to 5% of the internet content is actually visible to the general public. The other 96% is hidden behind the Deep Web. So, let's take a look at one of these search type engines. One of the ones that used to be in existence out there and now no longer is, is called Grams. A lot of these websites come up and down all the time. But in this particular example, I just went to the search browser and typed in cocaine.
And when I hit the search engine, it came up with various number of Dark Net sites that allow me access to purchase cocaine in various amounts, sizes, and from different locations. So, depending upon where I wanted to get it shipped from or depending upon the volume or the amount I wanted, I've got the ability to use these type of search sites to go out to the Dark Web. So a lot of these sites aren't openly accessible. There isn't just a place to go and look them up. So, some websites have popped up, and one of them here is called the deep dot web. On here, they give you a list on the Surface Web of a lot of things that are happening out on the Dark Web. Where to go. Websites you can go to. Marketplaces you can go to, and blogs and forums that you can join. They also have an equivalent of a .onion address, which you can see and hear that they give their deep.dot.web onion address on there as well. And if you can go and access it through the onion address, you can directly link to these websites while you're in the Dark Web. It's also a new site dedicated to events in and surrounding the Dark Web, featuring in-depth interviews and reviews about dark net markets, Tor hidden services, legal actions, privacy, bitcoin, and other really big news. So, let's take a look at some of the Dark Net markets. I'm going to describe basically what a dark net market is. What it is, it's the equivalent of Amazon, but in the Dark Web. So, if you wanted to use Amazon to go and buy a set of speakers for your computer, you would open up Amazon and type in what you were looking for. Computer speakers. And you would get a series of customers who are willing to sell that product to you. You can browse and see the prices, the types, how much they're willing to sell it, if there's shipping costs. The Dark Web has the exact same thing. And your equivalent is called a Dark Net market. And these Dark Net markets do the exact same thing that Amazon does.
But, their categories are a little bit different. As you can see on this page, you can browse for categories for fraud, drug and chemicals, guides and tutorials, counterfeit items, jewelry and gold, weapons, et cetera. So, categories are different than what you would see on Amazon, but the look and feel are the same. Even on this page here, you can see postings for particular featured items. Now out on the dark web, people don't operate under their normal real name. That's why they've got here. They're here because they want to be anonymous. So when they're there, they have a user name or a user handle to go by, and they come up and make a fake name. In this particular example, we've got a user name of angrydragon007. And with that, this person now can operate underneath that name. And everyone out on the Dark Web knows them as that name, and that's the name that you operate under, that's the name you communicate with, that's what you buy under, and that's what you sell under. And the main reason is, people want to have confidence in who they're dealing with. They may never have met this person in real life, but, in operating underneath this name now, now they can go out and see, hey, who is this person? This is the person I want to communicate with. I don't know who their real name is. I don't know where they live. But I know and possibly can trust this person to interact with and do transactions with. And a lot of these websites that are out there allow you to basically rate the transactions as well. So, if I want to buy some heroin, and I click on this, I would look at what kind of rating that this person had, and they would either have four or five stars, just like you would see on Amazon. It's no different. And the main reason why they want to do that is if somebody starts to get bad ratings because they're now sending out what they had promised, then nobody's going to transact with them. 
So, it is a self-sustaining market that works because of the anonymity and for this feedback. So this type of website basically allows for people to do anything that they want. Now, this AlphaBay Market is no longer active. It was taken down by law enforcement. On July 20th of last year. It was a globally coordinated operation between law enforcement agencies worldwide. The United States Department of Justice announced the takedown of AlphaBay and Hansa Marketplace at the same time. It offered a bunch of different listings, including illegal drugs, firearms, and stolen personal identifying information. Payment was regulated using bitcoins. And that's another significant thing with these types of Dark Net marketplaces, is they don't take credit cards.

They take virtual currency. And they take different types of virtual currency depending upon what's being sold. So, if it is a transaction for some PII, which is personally identifiable information for someone else, maybe that particular seller will only take bitcoins. And so you would then transact with this person using bitcoins rather than real money. Other vendors may only take Monero or Ethereum. And so depending upon the type of payment that they'll take will depend upon how you conduct that transaction with them. No different than what you see out on Amazon or eBay or something else like that. eBay may say, hey, we'll take PayPal, we'll take credit card, but we won't take checks. This operates the same way, but it's with virtual currency. They also have escrow accounts as well to protect buyers and sellers. It would allow you to go in and basically make a payment, and the escrow company on the Dark Web would hold that until you agreed that, yes, I got this, and now I feel comfortable releasing the money. So there's also that set in there as well that helps protect both sides, if you will. So I'm going to talk a little bit more about the AlphaBay Market takedown. So AlphaBay was reportedly launched in September of 2014. At the time, it had about 14,000 new users in the first 90 days of operation. Dark Net informal website placed AlphaBay Market at the top tier of the markets in the first six months that it had been operating. In October of 2015, it was recognized as the largest Dark Net market according to Digital Citizens Alliance. In May of 2015, the site announced an integrated digital contracts in escrow system, which I had talked about. October of 2015, it had over 200,000 users. And by the time it was taken down in July of 2017, it had over 400,000 users. AlphaBay was known in the world of dark markets for accepting other currency types other than bitcoin. It had support for Monero and other types of crypto currency.

Some interesting articles that came out about AlphaBay Market were, in March of 2015, AlphaBay made the news for selling stolen Uber accounts. Uber had made a statement regarding the potential data breach. We investigated and found no evidence of a breach. Attempting to fraudulently access or sell accounts is illegal and we notified the authorities about this report. It's a good opportunity to remind people to use strong unique user names and passwords and avoid re-using credentials across multiple sites and services. In 2015, London-based telecommunications company, TalkTalk, sustained a major attack. The stolen data was put on sale on AlphaBay, which led to the arrest of a 15-year-old boy who had done the hack. In December of 2015, a website called code breaker released a podcast describing shopping experience on the marketplace. The podcast talked about purchasing illegal items on the marketplace such as pharmaceutical drugs.

The UK-based media outlet Daily Mail pointed to the marketplace that might be linked to the Russian Mafia. According to the UK-based media outlet "Daily Mirror," it's administered in Russia and has a Russian computer server. Expert claims it has links to the country's Mafia and has proven impossible to shut down. By July of 2017, AlphaBay was ten times the size of its predecessor Silk Road, which was taken down in October of 2013. Silk Road was also taken down by the United States as well.

It had over 39,000 listings, 400,000 users, and was facilitating between 600 and 800,000 transactions per day. By the time the first service began, Diaz used his Hotmail address, and this would be Alex, the main organizer of this particular Dark Net marketplace. And this is how we as the United States ended up figuring out who this was. He had used a pseudonym to run the sites, which he had previously used in other carding forums in 2008. This is where it comes into when I was describing before about when you pick a user name, everyone sticks to it on the Dark Net market sites, because if you move and change user names, you have to rebuild up your credibility.

Diaz's laptop reportedly contained unencrypted personal net worth tapping to all of his global assets across jurisdictions at the time he was captured. He also had servers which contained multiple and consistently unencrypted crypto currency wallets. That's where the majority of his profits went. Assets were liquidated through proceeds were held in a variety of accounts directly related to Diaz's wife and companies they owned in Thailand, or directly held in personal accounts in Liechtenstein, Cyprus, Switzerland, and Antigua. The statements about the goal on his site that he launched in 2014 and his goal was to become the largest eBay style under world marketplace. In May of 2017, law enforcement was active on the site. In June, a warrant was issued by the United States and the Eastern District of California for racketeering, narcotics, identity theft and access to [indiscernible]. Transferring of false IDs, trafficking illegal device, and making equipment and conspiracy to commit money laundering. A warrant was issued for his arrest in Thailand by the end of June. In early July of 2017, Canadian police raided a company in Montreal. It was his company and it was the reported location of the physical servers as well as two residential properties. He was arrested in Bangkok at his dwelling in a district which was searched by the Royal Thai Police with the help of FBI and DEA. He expectedly committed suicide while he was in custody of the narcotics division in Bangkok. His wife has also been reported to be charged with money laundering, and by the end of July, the site was shut down. So that's just one example of one of the investigations that we end up doing. There were many other sites that we have taken down, but AlphaBay was one of the main ones. Why don't we go ahead and go to our next polling question. PHILIP YAMALIS: I don't know, I'm too petrified. [Laughter] Sure thing. Let's do it. Let's do it.
So, our third polling question for this afternoon is: What is the name of a Dark Net market? Okay. What do you think is the correct answer? Is it -- A, Amazon; B, Google; C, AlphaBay; D, Ethereum? Take a minute. Click on the radio button that you believe most closely answers this question. If your radio button isn't working, click on the Ask Question feature and submit your answer there. All you need to do is submit either A, B, C, or D. Is it A, Amazon; B, Google; C, AlphaBay; D, Ethereum. Okay. All right.

Let's stop the polling now, and we'll share the correct response on the next slide. And the answer is, C, AlphaBay. Yeah, 93%, James, of our audience responded correctly. You know, this is very sober -- very interesting, and I must say sobering information. You know, for the CPA that's out there wondering the connection to what we do through tax and investments, will this be part of the discussion as well, or is this presented to help us understand what's out in the Wide World Web? JAMES DANIELS: It's a combination of both. We've got the, this is what the Dark Web is and this is what happens out there. And the connection to the CPA and the tax -- because, again, I'm a criminal investigator with the Internal Revenue Service, and all of these things impact tax administration and the collection of the appropriate taxes that need to be paid. All of these industries are taxable when you talk about drugs and money laundering and all of these things. If there's a profit being generated, it has to be taxed as well, in addition to it being money laundering. Now, from the CPA perspective, the biggest thing to take away is this is where the CPAs and small businesses, they get hit and they get hit hard. So, what we have seen and we've been working on is there are websites out there that are specifically dedicated to supplying access to CPA firms and tax preparation companies and their service. PHILIP YAMALIS: I'm going to ask that you move a little closer to your microphone, because you seemed to fade out there just a little bit. JAMES DANIELS: Oh, okay. All right. How about that? PHILIP YAMALIS: Oh, that's much better. Thank you. JAMES DANIELS: Sounds good. So what we're seeing out there is the identity theft that's occurring. Is that we are having the malicious software that's out there is being downloaded inadvertently or intentionally onto computers' machines. And when that happens, it gives access to that particular computer. 
And CPAs and tax preparers, they're the ones that have the majority of the information. So I'm going to get in and talk in a little bit more depth later about that. But that's going to be the connection to the CPA and the tax preparers that are out there, is knowing what is out there on the Dark Web, knowing what occurs out there, and that you're subject to your information being out there as well because it either was stolen or captured at some point in time. PHILIP YAMALIS: And I'll tell you, James, as stakeholder liaison, we are usually the first source of that tax practitioner that calls the IRS that says, hey, looks like I've been hacked. Looks like some of my client's info has been stolen. Well now you know where it goes when it's stolen. I'm glad you're going to get into that just a little bit more. So, thanks for that. Okay. So we got through our polling question. Why don't we continue on the next slide. JAMES DANIELS: All right. Sounds good. The next thing I'm going to talk on a little bit here is the opioid crisis. And the reason why I'm touching on these other avenues of crime that are occurring out there is these things are what are supporting the other type of financial crimes that are occurring. In addition to PI being bought and stolen, in addition to tax returns being captured, a lot of the support -- PHILIP YAMALIS: You said PI, personal identification, right?

Personally identifying information. JAMES DANIELS: That's right. PII, personal identifying information. A lot of that is being done specific to help and support different drug habits like the opioid crisis that's going on right now. So I'm going to quickly touch on that, what's occurring out on the Dark Web right now. We as federal agents, both with the IRS and DEA, FBI, are working with HSI, which is Homeland Security Investigations, to help combat this opioid crisis. And we're seeing that pop up more and more on the Dark Web itself.

With this, the root causes of the current crisis are complex. And one of the solutions federal agencies have developed and implemented to help stem the tide of opioids coming into communities is relatively simple and straightforward. Leveraging the unique authorities and broad resources of HSI to disrupt, dismantle, and defeat the transnational criminal organizations and disrupt networks responsible for the current crisis identifying and targeting upper echelon traffickers, seizing their assets, and holding them accountable for the destruction they are responsible for.

To accomplish this, HSI is determined to target these individuals along with other federal agencies, wherever they are located, including in the deep recesses of cyber space. As a result, those who traffic in opioids, particularly within the Dark Web, are a top priority of the federal agencies. Dangerous and often fatal substances such as Fentanyl and other synthetic opioids as well as heroin and illicitly obtained prescription opioids are increasingly being distributed online via the Dark Web, requiring new and innovative technologies that law enforcement must implement. So the other thing to remember with this whole opioid crisis and everything that's going on, this all comes back to money, and allowing money that's being transacted on the Dark Web, almost all of it is being done through virtual currency. And this is the other avenue that [indiscernible] comes into, is there is a very large subset of people that are using virtual currency to conduct illegal activities.

So, if you're a CPA and you have a client that is involved in this type of activity in terms of operating with virtual currency, it may be worthwhile to inquire as to what are they using it for.

Because some of this virtual currency is being used in the Dark Web for illegal activity.

Let's go ahead and go to the next slide. This is a package -- a picture of a package of opioid type material and drugs that are being delivered through the postal system. And one of the ways that you can do this in terms of this information being -- the drugs themselves being moved through our postal service is because of the Dark Web. The Dark Web through these Dark Net markets are allowing these dealers to set up and have complete distribution systems set up to go from where they're being either made out of the country and/or from illegal prescriptions in doctor's offices and other ways, because leveraging the Dark Web and the anonymity of it that it allows, allows for this type of activity to occur. Okay. Let's go to the next slide.

So, at the forefront of this activity, is the HSI Cyber Crimes Center, which is also identified as C3. The personnel at C3 are devoted to spearheading and coordinating transnational investigators that originates from illicit trafficking of opioids within the Dark Web. Federal agents, intelligence analysts and other personnel assigned to C3 have spent years honing and refining their skills in penetrating and navigating the Dark Web and routinely collaborate with each other, the personnel domestically and overseas to develop investigative strategies that have been critical in piercing the anonymity of users and administrators in Dark Net marketplaces. Training has been increased along with intelligence, which is a critical pillar in a multi-pronged strategy to the newly enhanced online undercover capacity that has been highly successful in penetrating these online narcotics distribution networks. All right. Go to the next slide. The digital nature of all of these things also leads back into the financial component we were talking about. The data you see during these previous Dark Web investigations, in many cases aggregated by federal agents and other law enforcement agencies to be made available for them to work their investigation. And a lot of this money -- PHILIP YAMALIS: Let me interrupt. Forgive me. It sounds like your microphone is failing out on us again. So, I'm just going to ask you to tap that thing or something and see if we can -- the producers are telling us that our audio is giving us a little bit more difficulty. So, be patient with us, folks. James, if you could give it a try again, we'd certainly appreciate it. JAMES DANIELS: All right. How does this sound? Is that any better? PHILIP YAMALIS: That is better. That is better.

JAMES DANIELS: Okay. All right. And so money laundering is the main key that runs into us from an investigation standpoint, that that's how we as IRS criminal investigation again get involved in these narcotics type transactions and investigations. So the next thing we're going to talk about is ransomware, and ransomware is a type of malicious software that threatens to punish the victim's data or potentially lock access to it unless a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called crypto viral extortion, in which it encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a particularly implemented crypto file extortion attack, recovering the files without the decryption key is almost impossible, and difficult to trace digital currencies such as cash and bitcoin are used to make ransoms, making tracing and prosecution of the perpetrators difficult. Ransomware attacks are typically being carried out using a Trojan that is disguised as a legitimate file that the user is tricked into downloading or opening it when it arrives in an email attachment. However, one high profile example, the WannaCry worm, traveled automatically between computers without user interaction. The WannaCry virus began in May 2018 with evidence pointing to its initial infection from Asia was likely through an exposed vulnerable server message block port rather than an email phishing, as it was initially assumed. Within a day, the code was reported to have affected computers in over 150 countries. Organizations that had not installed the Microsoft security update in April of 2017 were affected by the attack. Those still running an unsupported version of Microsoft Windows such as XP or Windows Server 2003 were particularly high risk because no security patches had been released since April 2014.
Lab study report showed that less than .1% of the affected computers were running XP and that 98% of the affected computers were running Windows 7. In a controlled testing environment, the cyber security firm found that they were unable to infect an XP system with WannaCry just using exploits, as the payload failed to load or cause the operating system to crash rather than execute encryption files. However, when executed manually, WannaCry could still operate on Windows XP. Worldwide cyber attack of WannaCry ransom crypto worm which targeted computers running the Microsoft Windows operating system, by encrypting data and demanding ransom payments in the bitcoin crypto currency. It propagated through an exploit in an owner's Windows system released by the Shadow Brokers a few months prior to the attack. While Microsoft released patches previously close to the exploit, much of WannaCry has spread from organizations that had not applied these, or were using older Windows systems that were part of the -- past their end of life. WannaCry took advantage of installing back doors onto infected systems. The attack was stopped within a few days of discovery due to emergency patches released by Microsoft and the discovery of the kill switch that prevented affected computers from spreading WannaCry further. One of the largest agencies struck by the attack was the National Health Service hospitals in England, and over 700,000 devices including computers and MRI scanners, blood storage refrigerators, and computer equipment have been affected. NHS services had to turn away non-critical emergencies and some ambulances were diverted. Nissan Motor was also affected out the UK where they had to halt production after the ransomware infected some of their systems. [Indiscernible] also stopped production in several sites in an attempt to stop the spread of the ransomware.
In December of 2017, the United States and United Kingdom and Australia formally asserted that North Korea was behind the attack. So let's take a look at what some of the results are of using ransomware. PHILIP YAMALIS: I want to point out, thank goodness that Microsoft was able to come up with a patch to clean up WannaCry, but as you and I both know, and seeing reports of practitioner breaches, we still know that malware, it's downloaded by somebody just clicking on a hyperlink in an email that looks official.

And that ransomware still can easily be downloaded on a tax practitioner's computer, you know, having all this personally identifying information that can really haunt their business down the road. JAMES DANIELS: Yeah. And that's actually one of the things that we're seeing happening right now, is that tax practitioners are either having an issue downloading some ransomware or malware onto their machine unknowingly, and we are working active investigations right now where there is one site where somebody in the Dark Web can go to, and call and look up a list of all of the affected computers, and it's a list that kind of looks like what we saw before in terms of an Amazon style page, where you can sort by country, you can sort by computer type, you can sort by the type of access that you can get to the computer. Now, the interesting thing on this is one of the things that this malware does when it gets installed on the machine is goes through and checks to see what's installed on that machine. So, I can actually go in and look at all of the information about a particular computer, and the first thing that we noticed for us when we were doing our investigations was that it was accounting for and finding tax preparation software. Which would then let the person know looking at this potential computer that they wanted to get access to, that this is a potential taxpayer, or tax preparer, and that they have all of their client information on this machine. Now, what I can do then is through this website is purchase access to that machine. I can get the administrator password and administrator log-in to log into this machine remotely, go in, get all of the CPA's information, get all of the tax preparer's information, get copies of all of the tax returns, and turn around and close my connection without that person even knowing I had done it.
And in addition, if I did it good enough to where nobody knew it was there, I can turn around and sell the access back to the website at about an 80% difference, and now I've got access to all the data, plus I just returned the information back to the place to turn around and sell again. PHILIP YAMALIS: Wow. JAMES DANIELS: We're not just seeing this in the United States. We're seeing this all across the world. PHILIP YAMALIS: So, James, what if I'm a practitioner that gets this ransomware downloaded onto my computer. Should I pay the ransom? JAMES DANIELS: So, there are two schools of thought on this. And one of the schools of thought from the government's perspective says that -- oh, I'm getting some real feedback now. There we go.

Okay. One of the schools of thought is, no, you shouldn't pay it. Because if you end up paying, you're perpetuating the ability for these people to go out and do this. The other school of thought says, well, if you don't have any backups and you don't have your data maintained somewhere else, you may not have a choice to attempt to do it. Now, that's not to say that they will or won't send it. That, I don't know. It kind of just depends on who it is and, you know, what they're willing to pay and what they're willing to do. So, it's hard to say which is which, but it's kind of up in the air. I personally can't advise one way or the other as to what to do.

PHILIP YAMALIS: Sure. Now let's go back to the ransomware slide. This is what it looks like then if ransomware comes across your screen and you start to panic, right? JAMES DANIELS: Yeah, exactly. So if this is what comes up on your screen, this is where you're being notified that ransomware has been downloaded to your machine and that your files -- potentially all of them -- have been encrypted. And in this particular one, the only way to unencrypt it would be to pay this fee. Now, there are some services out there, other computer specialists that may be able to assist you depending upon the level of encryption or sophistication, but I think the biggest thing to note out of all of this is that you want to make sure that you're not downloading any software that you don't recognize, and that you're not clicking on any links from within emails or web pages that you're not familiar with, because that's a majority of where all of these things occur is through there. Now an interesting thing from the last presentation we did, you notice on here, it says bitcoins accepted here, and then there's a bitcoin address. Now this bitcoin address that's in this page right here can visually be seen on the blockchain, and in the last presentation, we talked a little bit about that. This is one of the ways that we in law enforcement now have the ability to potentially track these transactions.

If we see this web address receiving money now, then we can potentially go in and follow that transaction as to where somebody may convert it back from this type of virtual currency, being bitcoin, back to a currency being U.S. dollar or something else. All right. Let's go to the next page. So this here is another example of having your computer infected and/or -- with ransomware. One of the interesting things to note on this particular one is it's telling you how to get to the Dark Web to make a payment. That it gives you specific dot onion addresses, and even tells you how to download the Tor software needed to get there. So, depending upon who it is and how it was encrypted will depend upon how they want to be paid. The previous one would allow you to pay via the Surface Web, using bitcoin, where this one is actually requiring you to go to the Dark Web to become unencrypted. And again, it's just another reminder that backing up all of your data, keeping an off site backup of your stuff is highly important because of this particular scenario. Whereas if you do have all of your stuff backed up that hasn't been unencrypted by ransomware or malware or some other means, then you're in a much better position to not have to worry about this and just reinstall the data that you've got. So one of the other interesting things that we're seeing is the difference between the ransomware and combining it with potential mining. So what we're seeing now is a combination of the two. Rather than going through and stealing, requiring people to pay money to have their files unencrypted, they're moving to a new concept called crypto jacking, and basically what this is, it's led to the eventual and predictable shift from cyber criminals not only crypto jacking, but also installing malware with the sole purpose of using it as an end point that isn't theirs to mine the crypto currency. It's a smart strategy if you're a cyber criminal. 
Why not try and ransom someone else's machine -- or why would you try to ransom someone else's machine and wait for them to pay, when you can just leverage their computer to do mining for you? Crypto jacking is one of the more illicit uses of an end point of a computer. There are a number of ways to actually do this, but one of the more persuasive models comes in the form of a script created by Coinhive. If you think of a normal web-based marketing model, it serves ads on web pages to generate revenue for the site and drive customers to whoever the advertiser wants. This model, as annoying and persuasive as it is, has helped fuel the growth of the Internet. What Coinhive did was change that model. Instead of serving ads while watching content or visiting websites, the script will run and use your computer's browser as a crypto currency miner. This actually presents an upside and allows people who want to donate to charities by monetizing their CPU. But the problem begins to show up when looking at how easy it is to inject malicious code into the websites. Cyber criminals quickly started using these types of scripts and piggybacked on existing injection techniques. This has occurred for legitimate websites as well as for malicious ones. And it's got so persuasive that it actually started to damage people's mobile phones. Crypto mining malware grew from there. In January of 2018, researchers identified 250 unique pieces of crypto mining malware alone. As with other profitable malware models, the cyber criminals will continue to innovate, obfuscate, and try to evade existing endpoint prevention capabilities, the problem will persist until the model no longer becomes profitable. Ransomware and crypto mining malware will continue to be a thing. As long as there's a profit, the cyber criminals will continue to use it as an avenue of attack.
I would expect to see the same innovation and invasion we have seen from ransomware continue to evolve in this next form of extortion. Stopping this form of malware requires the same approach we've always taken to stop other pieces of malware. The intention of malware may be different, but prevention detection and response to them are the same.

The next slide shows an example of what and how easy it is on the Dark Web to buy your own ransomware. And it's become so popular and easy that with this particular example here, it shows that you can for $39 buy your own piece of ransomware. And it comes with the instructions itself on how to actually modify it and install it on other people's machines. You can actually set the amount of time somebody's got to pay you and include the bitcoin address you want them to pay you at to have it unencrypted. You don't have to know how to write any code whatsoever in order to create your own ransomware. This particular one gives the victim 96 hours to pay to have their computer unlocked. After 96 hours, data starts disappearing and it's fully undetectable at this point, until the owner pays to access his personal information, the ransomware will start deleting files at random. Eventually, if the bounty is never paid, there won't be any files left to recover. The last thing I want to talk about on the Dark Web are bots, an Internet bot, which is a software application that runs automated tasks or scripts over the Internet.

Typically, bots perform tasks that are both simple and structurally repetitive and at a much higher rate than possible for the human alone. The largest use of bots is in web spidering or web crawling, which is an automated script that fetches, analyzes, and files information from web servers as many times the speed of the human. More than half of all web traffic is made up of bots. Efforts by servers hosting websites to counteract bots vary. Servers may choose to outline rules on the behavior of Internet bots by implementing a bots file protocol. This file is simply a text file stating the rules that govern the bot's ability and behavior on that computer. Any bot interacting with or spidering any server that does not allow to follow these rules should in theory deny access to or remove from the effective site. If the only rule implemented by a server is a posted text file with no associated program software or application, then adhering to these rules becomes entirely voluntary. In reality, there is no way to enforce these rules or even ensure that the bot's creator/implementer acknowledges or even reads the file contents. Some bots are good, i.e., search engines and spiders, while others could be used to launch malicious and harsh attacks, most notably in political campaigns. These can be installed on your machine and sit there for a while until they become activated by the main creator or a main server and will wait until they get told what to do. So this is just one of the many things that are out there that come from the Dark Web, that interact in our normal daily lives. But I think now would be a good time to turn it over to have some questions. PHILIP YAMALIS: Yeah, let's do that. Before I do that, let me go to our final polling question, and ask the question. What do hackers use to encrypt files and force someone to pay to have them unencrypted? What do you think is the correct answer?
Is it -- A, miners; B, hackware; C, ransomware; D, ransom code? Not a trick question. Please take a minute. Click on the radio button you believe most closely answers this question or submit your answer on the Ask a Question feature. Again, what do you think the correct answer is? Is it: A, miners; B, hackware; C, ransomware; D, ransom code. Okay. We'll stop the polling now and share your responses.

We'll also share the correct answer on the next slide. The answer is C, ransomware. And I see that 98% of our audience responded correctly. That's pretty good. I think this is some great information that you're sharing with us, James. Although I was a bit scared when you started talking about that ransomware. I'm paranoid. I can understand that we can easily be protected by continually educating ourselves, not necessarily as tax practitioners, but wherever we might work to avoid, you know, ransomware and malware from infecting our computers. And then you concluded with the Dark Web. So, why don't we do this. Let's go on to the Question and Answer period. Since we got 98% of our folks answering that question correctly. First of all, James, I want to thank you for all the phenomenal information and for the great presentation that you've given us here this afternoon. I know I personally have learned a lot, and I'm sure the audience -- I hope you did, too. Before we begin the Question and Answer session, I want to mention again that we might not have time to answer all of the questions submitted during this web conference.

However, let me assure you, we will answer as many as we have time for. James has also agreed to answer some questions that might have been left over from our morning web conference on virtual currencies. So, please note that if you're participating to earn a certificate and related continuing education credit, you'll qualify by participating for at least 100 minutes from the official start time of this webcast, and that was 2:00 p.m. Eastern Standard Time. Don't forget, you can't include that first ten minutes of chatting that we engaged in. So, sorry about that. Make sure you give yourself 100 minutes to get that certificate. Okay, everyone. We received a lot of questions. Let me get started so we can get to as many as possible. Let's see what's getting thrown our way in terms of the questions here. Quite a few questions here. Oh, here they go. All right. So, we started talking about the Deep Web. And there seems to be confusion by a couple of the folks that answered questions. Hey, is the Deep Web different from the Cloud? And if it is, how is the Deep Web different from the Cloud? JAMES DANIELS: So, the Cloud is just a space out on the Internet that allows for storage in terms of data to be accessed by you and/or other people that you want to give access to. It just happens to be accessible to everyone, if you will, that has access. So the Cloud would reside within the definition of Deep Web, if you had to get a password in order to access it. If it was something that is shared with the public, then it would be within the Surface Web. Now, you can have cloud capability within the Dark Web as well if the information was stored in a way that you would need a browser in order to access it. So, a Cloud is more all encompassing of where the data is stored.

It's not necessarily stored locally on your machine. It's stored out on the Internet somewhere.

And depending upon how it's stored would depend upon which category it fell into. PHILIP YAMALIS: Right. So, let's talk about this, James. What's the process for reporting tax scams?

I have a practitioner here that received a voicemail message on their cell phone advising them that they were under indictment for tax crimes. I called the number back, and the call was answered with IRS. It certainly sounded like a call center, and that's one of the scams I've personally not heard about in that way. But let's remind our audience today what is this process for reporting tax scams? JAMES DANIELS: So, I believe -- and again, I will defer to the liaison office, but I believe that there is a 1-800 number that can be called to report these. I believe you can also report them online through the IRS. But I will say that you out in the general public are not the only ones subject to these calls, as I too was called by the IRS and was informed that I was under criminal investigation and that if I didn't pay my taxes, somebody was going to come out to arrest me. Which I thought it was quite comical seeing as how this person is purported to work in the same office as I did, made it for quite a fun conversation with them. PHILIP YAMALIS: Absolutely. And I do want to remind our audience that you can type "scams" in the upper right-hand corner of IRS.gov in the keyword search, and it will tell you some of those ongoing scams going on right now that you'll be able to recognize and share with your clientele. There also is a method of reporting those scams from right there under scam on IRS.web. Just a reminder. I know we talked about that before the presentation started. I thought I'd throw that out there for you now. So, here's a question, and it relates to virtual currency as well as the deeper Dark Web. Is virtual currency located in the deeper Dark Web? JAMES DANIELS: So virtual currency is a digital form of payment or a digital form of currency. It operates within the Dark Web, it also operates within the clear web, you can use virtual currency to pay to buy something on Amazon. You can also use it to pay for something in a Dark Web as well.
PHILIP YAMALIS: And we learned earlier that some tax offices are accepting virtual currency for payment as well. JAMES DANIELS: Exactly.

PHILIP YAMALIS: But I think the most important thing as you stressed earlier on the virtual currency is that on the Dark Web, they're only going to use virtual currency as opposed to normal currency. JAMES DANIELS: That's correct. The Dark Web will only accept virtual currency because they want to keep their anonymity to a high. They want to make sure that they're not transacting in something that potentially could be traced. Where virtual currency is more difficult to trace than using a credit card or a bank transfer or something like that. So the dark marketplaces out on the Dark Web will not accept payment other than in virtual currency.

PHILIP YAMALIS: You shared earlier the success of authorities to shut down some of the sites that we heard about and we read about them in the papers. One, of course, being AlphaBay.

How come the authorities aren't able to completely shut down the Dark Web? How are you successful in shutting down things like AlphaBay, but yet the authorities cannot shut down the Dark Web?

What's the reason? JAMES DANIELS: Well, the thing to remember is the Dark Web was actually created by the U.S. government. PHILIP YAMALIS: How about that?

JAMES DANIELS: And they use it to communicate, you know, sensitive information back and forth.

They've created an environment to do that. And they need that environment in order to have that encrypted communication and they need others to use this same tool in order to hide their messages back and forth. So, taking out the Dark Web is not what the intended purpose is. It just happens to be being used for the wrong purpose. And people are finding a way to use it for illegal things. Just like anything else in the world, somebody's going to find a way to turn something into a criminal enterprise, and that's where federal law enforcement has to get involved and attempt to dismantle that as much as possible. Now, we've got our own investigation techniques that help us trace and track people doing these type of things, and when we find them, we will take them out. But in terms of the Dark Web, it's out there for an intended purpose. It just happens to be others are exploiting that purpose for criminal means. PHILIP YAMALIS: James, are you aware of a replacement for AlphaBay on the Dark Web? Has a replacement, have other great replacements for AlphaBay been created that you're aware of? JAMES DANIELS: Yes. I mean, as soon as AlphaBay went down, I think Dream Market was the next one that came up. And when Dream Market goes down, there will be another one that pops up. Like I said, we took out Silk Road, which was one of the very first Dark Net marketplaces. Others have popped up and we've taken those out, and it's just a matter of continually taking them out and attempting to dismantle, you know, these illegal marketplaces that are transacting in, you know, these types of goods and this illicit activity. PHILIP YAMALIS: Awesome. So, let's talk about it.

How can you prevent your personal info from appearing on the Dark Web? JAMES DANIELS: Well, there are a couple things you can do. With computers that you have access to, you know, you can be secure by having the right, you know, malware software installed. You know, the antivirus software. Making sure that that's up to date. And the biggest thing is phishing scams. Making sure that you're not clicking on email links that you don't know. Making sure you're not opening emails that you don't know who they're from. And even the phone calls you can get, with people advising you that they need information from you in order to do something. That's where the social engineering type is getting information out of you. Other things are completely out of your control that you can't do. When hacks occur on businesses, when hacks occur on doctor's offices or CPA firms or those kind of things where your data happens to be stored on their machine, and their machine then is compromised and it comes off of there, there's nothing you can do about that one. It's just a matter of attempting to protect yourself as much as you can, and this is where it becomes the responsibility of those that have data need to be responsible for protecting it. And need to take the same steps as everybody else to attempt to protect that data as well. PHILIP YAMALIS: That's awesome. So for a practitioner, it's a good idea to download publication 4557, keeping your clients' data secure. You know, I mean, you're mandated by law as a tax practitioner to do that, and publication 4557 does include a checklist to help the tax practitioner doing so in protecting the data of their clients as well. So, many times -- I have a question here from a tax practitioner. Many times I do a search for something specific. Suddenly, I have advertising on my site focusing on what I had searched for. Would Tor stop that? Or is that just part of the system of using things like that? 
JAMES DANIELS: Could you ask that question one more time? PHILIP YAMALIS: Yeah. So, many times I'm on there and I do a search for something specific, on the Internet. Suddenly, there's advertising on my site focusing on what I had searched for. We all find that to be a common thing, especially if we're using certain types of social media. I guess the question is, would Tor -- would the Tor software stop that? JAMES DANIELS: Yeah. So, the Tor software, utilizing that anonymizes your communication and would stop other parties from seeing what you're sending out to do searches on. It would significantly decrease that component of it because when you submit something out of Tor, it's encrypted and only goes to the place that it's expected, so when it comes back, others can't see what you're attempting to search for and/or trap the information that you're sending out. PHILIP YAMALIS: Very good. So is there a reason, though, for an everyday person with no issues to use Tor? JAMES DANIELS: Because of -- PHILIP YAMALIS: Other than that one, can you give me another example where Tor might be helpful to somebody in the everyday world? JAMES DANIELS: It just comes down to, you know, privacy and security. Using Tor -- now, I will say, if you use Tor, it's going to be slower than your normal communication of click and wait. Because it has to go through those levels of encryption.

And so it's a combination of convenience versus necessity. You know, Tor will encrypt your information and will stop others from seeing it. But at the same time, you're going to have to wait a little bit longer to get the responses back because as we saw, it has to go through various levels of communication in order to go there and come back. So it is slower, but it does encrypt your information so others can't get access to it. PHILIP YAMALIS: Okay. Very good.

Is this Tor software available for anyone to obtain it? JAMES DANIELS: Anyone can download Tor. It's free to use. Mozilla Firefox, which is the browser that it works in conjunction with, is also free. So, yeah, it's a completely free application to use.

PHILIP YAMALIS: Not that I want to suggest any type of browsing software over any, but Firefox seems slow to me anyway. So adding Tor, I guess it could significantly slow down your system for sure. Somebody says that we mentioned Tails. Did we say something about Tails? Did we miss that? Did this person or I miss that? JAMES DANIELS: We did. We talked about Tails. Tails can be used in conjunction with Tor and Mozilla Firefox as another level of anonymity to use. Tails will basically mimic the minimum software operating system necessary to run a computer. So you could install it on a thumb drive, and then install Tor within that environment, and then basically, operate in a secured environment within Tails. That way you can open and close that Tails type environment without actually getting access to your regular computer. So if somebody attempted to come in to your machine while you're using Tails, they can only get into that Tails environment, they couldn't get into your actual computer.

PHILIP YAMALIS: Very good. And I know we've talked about this. How is the Dark Web getting Social Security numbers, even those of children? JAMES DANIELS: Through data breaches.

It comes through the malicious code that gets installed on servers and, you know, CPA machines and normal businesses, their account files. And then those account files are then downloaded to a person's machine who will turn around and upload them to the Dark Web for sale. PHILIP YAMALIS: That's where the data breaches begin. That's where our headaches begin here, right?

JAMES DANIELS: Exactly. PHILIP YAMALIS: So... all right. This is something that ties in a little bit with what we spoke about this morning and today. So how do you pay for something that you find on the Dark Web? Of course, you wouldn't use your credit card and your real name. How would you pay for the product? JAMES DANIELS: That's correct. That's where virtual currency comes into play. What you would end up doing is converting your money, your cash, to a virtual currency. Then you would use your virtual currency to pay for things online. You can use that with a wallet. You can use that with your -- you know, the public key.

As we saw on the ransomware page, public key is the address where money gets sent to and comes from. The private key is the thing that allows you to transfer that money. So with your public and private key, with those two things, you can go out and make payments for things on the Dark Web. It's all using virtual currency. PHILIP YAMALIS: And James, this would be a great opportunity, I want to remind our audience that this morning's virtual currency presentation, as well as this afternoon's presentation on the Dark Web, have been recorded and will be available in approximately three weeks as an archived webinar. So keep that in mind. If you missed this morning's presentation, and I do urge you to keep that in mind, it will be available in three weeks for you. And that ties so much in with what you spoke about this afternoon. So, after I purchase something on the Dark Web using virtual currency, how would someone receive that purchase? Do they use their personal address? I mean, they use so much anonymity -- did I say that right? You use so much of that by using virtual currency. Do they use your personal address to obtain the item they purchased on the Dark Web? How would they do that?

JAMES DANIELS: So there's lots of different ways people can get it to them, depending upon the security level that they want to do and the sophistication that they're at. Some examples that I've seen in investigations that I have worked is someone can go as easy as setting up a Mail Boxes Etc. address. Where you would go down and use not your real ID, use someone else's ID that you bought off the Dark Web, to set up a Mail Boxes Etc. address, and have things delivered there.

That way it's not coming back specifically to you. Now, if it's a larger package, and depending upon the volume of, you know, criminal activity you're in, we've seen people go so far as to actually rent apartments or even buy houses, to have things shipped specifically to there, that way it is not in specific connection to them and they'll drive by at night or various times during the day to pick up the package and take it back to where they really want it to go. So it just kind of depends upon the level that someone is willing to go to. Some people have it shipped directly to their house. Again, that's not for their perspective the best way to do it, but just depends upon how complex they want to get in terms of hiding the shipment. PHILIP YAMALIS: Got it. One of our audience members heard of carding. Can you describe what carding is and how that relates to the Dark Web? JAMES DANIELS: So there's a couple different things with carding. That's where you attempt to get or do actually access people's credit card type information. Whether it be an ATM card or a credit card itself. They have the ability to buy on the Dark Web with the full credit card number along with the CVV number and expiration, everything you would need to transact online, you can do that.

With that, if you have a card writer, a machine that you can actually encode onto, then you can actually take the information you bought on the Dark Web and encode it onto credit cards themselves. And then use those at a normal store. So it just kind of just depends. The carding arena really kind of holds in fits around working with a credit card and account type information that you've stolen from someone else. PHILIP YAMALIS: This is great stuff, James. So, a lot of our audience, our tax preparers as we saw in the chatting feature before we got started, what should they do if they suspect a client is involved in the Dark Web buying and selling? JAMES DANIELS: Well, again, it depends upon what they're buying and selling. You can't inherently say that, hey, if someone is doing this, then it's X, but normally, the Dark Web purchases, a majority of the ones that we have seen are involved in illegal activity. I would say from a CPA perspective, as a way to make sure that you're protecting yourself, having clients that are involved in illegal activities may attempt to use you to help launder their money. Now, whether you know it or don't know it. So, if there is, you know, Dark Web activity that you know about, it's one of the things that you need to protect yourself to make sure they're not being involved with something unknowingly and/or potentially a client being involved in something that you don't want to be associated with. PHILIP YAMALIS: That's so very, very true. And more so why due diligence comes into play as a tax preparer. I hear it all the time from taxpayer practitioners, I just don't want to be involved with that. And back to the old simple publication 17 statement, just because that income isn't illegal doesn't mean it doesn't need to be reported on the tax return. So, let's get back to the tax preparer again. A big issue for their clients right now is the theft of tax identification, tax identity theft. 
Can we explain how tax identities are stolen and finally exploited via the Dark Web, and we can get into a little bit about what do we do as a tax practitioner if we discovered that we have been victims of tax identity theft. Two-pronged question there.

JAMES DANIELS: Yeah. Again, a majority of the data comes from data breaches, whether that be from a company or from a person's, you know, personal drive or wherever. And then what happens is those identities go for sale out on the Dark Web, like on AlphaBay type markets, where you can buy identity information or lists of information, depending upon if you buy it in bulk, you can get it for 50 cents an ID. Now with that information, once you've got the Social Security number, you know, name, address, other identifying information, then that information could potentially be used to create false tax returns. Which then puts your clients into the precarious position that if tax returns have been filed and accepted by the IRS prior to your client filing, then that runs into some serious situations of you not being able to get your clients' return through. And so it's just that vicious cycle that occurs, once that name is out there, it can be sold multiple times and used multiple times for many different financial crimes. PHILIP YAMALIS: And the bottom line here is, we can't keep ourselves absent minded thinking that it's not going to happen to us. As tax practitioners, we're more vulnerable because we have all this PII, Personally Identifying Information, in our computer bases, and the Dark Web basically goes after those types of computers. So it's certainly more apt to happen to a tax practitioner than someone else out there. You made some great examples of the Uber case, of some other cases that occurred, where even these big companies didn't think it was happening to them but it was. So as tax practitioners, I guess we have to be a bit more vigilant, right? JAMES DANIELS: Oh, very much so. In terms of information needed in order to secure, you know, the finances and financial information that's necessary, tax practitioners are the ones that have the most. And again, it's not just tax crimes that occur.

With that information, you can go out and get credit cards. You can get loans. You can actually buy houses with it. Because you've got all the information that's necessary in order to do it, especially if they have access to past tax returns as well. So not only do they leverage them to file taxes in future years, but they can also use that past tax information to go out and get a loan in a person's name. And turn around and get cash out on properties. So there's lots of information that can be used in tax practitioners' computers that can be leveraged in the financial criminal world. PHILIP YAMALIS: So, let me do this. Let me ask you the second part of that question. If you as a tax practitioner believe that you are a victim of a data breach, you should immediately contact your -- not only your local authorities, but you also want to contact your Stakeholder Liaison to give you some guidance to report that to the Internal Revenue Service. Stakeholder Liaison will then assist you in getting this reported to criminal investigation on our end as well as refund compliance, and also guide you in terms of who you should be contacting locally or in your State. So, keep that in mind. If you find yourself to be a victim of data breach, you want to make sure you contact your local Stakeholder Liaison, and I'll tell you shortly before we end this presentation on how to do that. Anything else you would add to that, James? JAMES DANIELS: No, I definitely reiterate that -- I mean, I'll be honest, what we have seen in the field is a fear from tax practitioners of reporting this information. And it needs to be the exact opposite. Because it's not -- it's not one of those things that once it's happened, there's nothing you can do to reverse it. And you're better off protecting the clients and protecting information rather than worrying about, you know, what's going to happen if someone finds out. Because eventually it's going to get found out. 
Eventually it's going to get tracked back that hey we got 80 tax returns that came in false. Lo and behold, last year they were all prepared out of one CPA firm. It's pretty easy to figure out where the breach occurred. So, if you do know about it, in terms of protection of yourself and your clients, getting that information to us as fast as possible is the best thing to do. PHILIP YAMALIS: So very true and I appreciate you adding that. It's good to have the fear that, man, this could happen to me, but it's a different thing to have the fear to try to cover up. You don't want to do that. You want to get to us right away. Thanks for saying that. It's so important.

Alright, so, as tax practitioners, should we be using a Tor setup when working with people's taxes?

Should we be using this as a layer of privacy for our home Internet use? Does it work like a VPN?

JAMES DANIELS: So, again, it's one of those things in terms of security level of what you feel most comfortable with. What information do you have stored on the machine that you're using.

I definitely, if I was a tax practitioner, would take a higher level of security on the computer I'm using to prepare tax returns versus the one I used to surf the Internet and not store sensitive information on. So I think you need to apply the security level to the data that's being stored. And I'll be honest, I've talked to some tax practitioners that have a desktop computer that they use strictly for doing their tax returns that's not connected to the Internet.

You can't get to it other than being in the office. So depending upon the level of security that you want to take this to, will kind of depend upon how fearful you are of having something happen. And it's one of those things that you've got to do the best you can and have the best processes you can, but all of these things will add different levels of protection. Using Tor in conjunction with tax returns probably isn't the saving grace of everything. Tor is just more for the communication protection. It's not going to stop ransomware or malware from getting onto your machine. That's more of the making sure that you're not opening up those emails, you're not downloading things that you don't know about. PHILIP YAMALIS: Well, that leads us to a good question that I just saw. Recently heard about a very sophisticated scheme that appears to be from a real client and even has some personal notes in the body of the email that make it appear that it's really from the client. I've seen that happen where somebody spoofs themselves as a client and says, hey, here's my tax return information. Check it out. Any thoughts on that?

You click on that and what happens? JAMES DANIELS: A lot of those, that's the actual social engineering that we're talking about, sending out something to make you feel comfortable with what you're being provided.

That hey, this is somebody I know, so I should feel comfortable clicking on this link. Without actually getting into the header information of emails to see where things actually came from, you can make the email address look like it came from one place even though it came from another if you're just looking on the outside. If you look on the inside of the email, which is where the headers are located, where the email came from, the data related behind the email, you would be able to tell, hey, this didn't come from the right Gmail server, it came from somewhere else.

But again, it's one of those things, all these protections and all these worries have to be weighed out with actually being able to operate your business. Probably the best thing to do is separate where you answer emails from, from where you prepare tax returns. If you are concerned about potentially opening up, you know, an email that could potentially affect your computer, you probably don't want to have that on the same computer where you prepare all your tax returns from.

PHILIP YAMALIS: Very good. I know our presentation was mainly on the Dark Web, but, hey, one of the questions that came in is how do you know when your computer was actually hacked?

Can your computer be hacked and they, of course, wait 30 days before letting you know?

JAMES DANIELS: Yeah. So they'll put in there some things that are time bombed. Code which basically says, hey, it will install and wait 30 days, wait 90 days before it does something. And some even more malicious code, like the one I described, that goes in and looks to see what's on your computer. You would never even know. It just happens in the background. And then it reports back what's on your machine, and if you have a vulnerability to get into your machine, then it would report that as well and all of this could happen in the background without any of your knowledge and you wouldn't even know it occurred. We've had several situations where we have identified the CPA that had been compromised and went out to go talk to them and they had no knowledge whatsoever, even though we found all of their data for sale on the Dark Web, they had no knowledge of it whatsoever. They didn't know. It takes a computer technician and a computer expert to go in and take a look at the back end of the computer and the data files as to when the breach potentially occurred, what type of breach it was, and those kind of things. PHILIP YAMALIS: Very good stuff. Very good stuff. Let me just throw this question out there again. Just for clarification. So, James, are you saying that anyone, and anyone is capitalized here, are you saying anyone can access the Dark Web as long as you have this Tor software? JAMES DANIELS: Yes. Anyone can access the Dark Web. Yep. Again, you can go to the Dark Net market.

Anyone can get to that Dark Net market with a Tor browser installed on their machine. Anybody can get to it. PHILIP YAMALIS: And what do you recommend to the person in the audience today that's thinking, hmm, let me go check it out. JAMES DANIELS: Again, it's one of those things that -- I've been on the Dark Web, not even from a work perspective, just to go out and see what it is. There's nothing inherently illegal going out to the Dark Web. I wouldn't recommend clicking on sites that are going to be relative to pornography and those kind of things because the last thing you want to do is end up in some child pornography website by accident.

So, it's one of those things. Going out there doesn't necessarily mean you're doing anything illegal, but the other thing that, unless you know where you're going or what you're doing, you may inadvertently click on something you hadn't intended on, and end up with stuff on your computer that you didn't really want in the first place. It's one of those things, you need to be careful with it. Just like anything else in this world, it can be used for good or for evil.

PHILIP YAMALIS: Very good. I did see some comments coming in on the Ask Question feature about what happened to the last polling question. We did get it in. We got it out of place. I know you saw the pop-up box. We got that back in. So as long as you participated by using the Ask Question feature, we did get that in. I've got a couple questions left over that do relate to this afternoon's presentation left over from this morning's presentation on Virtual Currency. One of the questions is, you spoke about today that people pay for things on the Dark Web using the crypto currencies. Is this legal? Aren't crypto currencies used on the Dark Web being done so illegally? JAMES DANIELS: Right.

For this question, I like to use the example that people buy and sell drugs using cash. The mere fact that I have cash and I'm buying drugs, yes, that's an illegal transaction. Now, if I have cash and I go out and buy a cup of coffee, not an illegal activity. It's not an illegal transaction. Virtual currency is the same way. I can use virtual currency to buy something illegal on the Dark Web. I can buy cocaine with it. Now I've conducted an illegal transaction.

Or I can use virtual currency to go down and buy a Tesla. Not an illegal transaction. So you're using the medium of exchange, whether it be cash, whether it be in virtual currency, but the mere fact that you're doing the transaction in that is not the illegal part. The illegal part is what are you using it to buy. What are you using it to transact? What's the purpose? That's the part that's illegal. PHILIP YAMALIS: Awesome. I love that analogy, and you used it earlier this morning, and it seems to enliven the discussion about the currency, the crypto currency.

Let me throw this one in about crypto currency. How do you convert virtual currency to Fiat currency, the currency used by the government? Will my bank automatically do that?

JAMES DANIELS: So banks, there are very few banks -- I can't think of any off the top of my head that will actually transact in virtual currency. Usually, what you have to use is a virtual currency exchanger. And so there are a couple of them out there. Some we highlighted this morning are Coinbase and eToro. There are quite a few of them out there. But basically, you set up an account with them. And when you have an account set up with them, then they would allow you to convert from virtual currency to a Fiat currency like U.S. dollar or Euro or something else. So you have to go through an exchanger that will basically do that conversion for you. Or you've got to find someone who's willing to, you know, buy your bitcoins or other virtual currency in some other way. So someone else has got to kind of make that conversion for you. Banks out there, up until now, have not been involved in doing any of that. PHILIP YAMALIS: Very good. I'm going back to the Dark Web, because this person has asked that a couple times, so I'm going to go ahead and do it. It's a two-(?).

So, number one, this person asks, are user net sites part of the deeper web? And second, as someone who has no intention to purchase heroin to arrange for a murder or anything else nefarious, do I have any reason to ever go into the Dark Web? JAMES DANIELS: Ok, so to answer the first question, yes, a user site where I needed a user name and password to get into, that would be, yes, part of the Deep Web, because that's a protected area that no one can get access to, and that's the way I kind of like to think about it, is with the Surface Web. Is it anyone can click on the site and look at the information without having to log in, then that's the Surface Web. If I have to log in to either get my bank information, health information, or even into some social media part of like Facebook, some of it is public that everyone gets to see, some of it is private that only I get to see or who I decide to share it with gets to see. So that's the distinction between the Deep Web and the Surface Web. So, the difference between the Dark Web and the Deep Web is -- yeah, there's probably no reason for that person to ever want to or need to go to the Dark Web. Again, it's normally -- it's used from the illegal perspective of what we talked about, the criminal activities for drugs, you know, pornography, carding, all of those kind of things. And it is also used for legitimate purpose for securing communication back and forth. If you needed to communicate with somebody that you didn't want anybody else to know about, that's how you would do it. That's how the government uses it. There is a legal avenue for using the Dark Web. But in terms of your normal everyday person, the answer is no. PHILIP YAMALIS: Okay. And once again, give me a legal example of using the Dark Web. JAMES DANIELS: Perfect example would be the government needs to communicate to another government for military action. 
Or you could be in a potentially politically oppressed country where you want to speak out and start a group to talk about a certain topic that maybe that particular government doesn't allow you to talk about. And so this would give you a forum to do it. Those are the main uses for it, is for communicating anonymously back and forth.

PHILIP YAMALIS: Phenomenal. James, great stuff. And I think that's all the time we have for questions. I really, really want to thank you again for taking the time to answer the questions for our audience. We sincerely appreciate your time, and we appreciate you sharing your expertise with us today. James, let me do this. Before we leave, do you have some important points that you'd like to share with the audience, those points that, hey, if you didn't get anything, I hope you got this.

JAMES DANIELS: Yeah. I think the big thing to remember, the important points, is the Surface Web only contains about 5% of the data that's actually stored on the Internet.

And that special software like the Tor is what you would need to access the Dark Web. And I think the most important thing is don't click on links from unknown people or email addresses. That's how and where a majority of the malicious software and the malware happens, is in unintended clicks on email addresses. Or links within email addresses.

PHILIP YAMALIS: Absolutely, absolutely. So, again, James, thanks so much for an amazing presentation. For those of you that attended today for at least 100 minutes after the official start time of the web conference, you will receive a certificate of completion that you can use with the credentialing organization for possible CPE credit. Again I want to remind you if you're eligible for continuing education from the Internal Revenue Service and you registered with your valid PTIN, your credit will be posted in your PTIN account. And of course, you're eligible for continuing education from the California Tax Education Council. Your credit will be posted to your CTEC account as well. Folks, if you qualify and have not received your certificate and/or credit by June 28th, please email us at SBSE.SL.Web.Conference.Team@iRS.gov. Of course, the email address is shown on this slide. And, if you want to know who your local Stakeholder Liaison is, if you already don't know, you may send us an email using that same address shown on this slide. We'll send that information to you. Or you can find a contact for your State by visiting IRS.gov and using keyword search, Stakeholder Liaison. So, as part of the service's efforts to provide you with timely topics and interesting speakers, we'd appreciate if you'd like to take -- if you'd please take a few minutes to complete this short evaluation before you exit. If you have any requests for future web conference topi