/r/DarkNetMarkets has received its first known LE subpoena: a request for 5 accounts' data, including mine, related to Evolution and the supposed doxing/leaks.

Recently (2015-03-25), I was alerted by Reddit that there had been a subpoena for my Reddit account information and they would be responding by 2015-03-30; this followed their privacy policy where they inform all accounts affected by subpoenas if there is no gag order (which is more than most websites will do for you):

16. We may disclose - or preserve for future disclosure - your information if we believe, after due consideration, that doing so is reasonably necessary to comply with a law, regulation, or valid legal process. If we are going to release your information, we will do our best to provide you with notice in advance via reddit's private messaging system unless we are prohibited by court order from doing so (e.g., an order under 18 U.S.C. § 2705(b)). We reserve the right to delay notice to users in cases involving the exploitation of minors and when we believe a delay is necessary to prevent imminent and serious bodily harm to a person.

Such subpoenas are not unprecedented, especially for third-party data; see for example the 2014 Reddit transparency report. The subpoena (#BA13CR12BA0018) turned out to be a 2-page "21 U.S.C. § 967, Public Law 97-258, section 1, as amended" (Controlled Substances Act) administrative subpoena (very commonly used by USG) sent by a Baltimore DHS ICE agent, dated 2015-03-20, demanding information about 5 Reddit accounts:

EVOSMITH (evosmith)
NSWGREAT (NSWGreat)
Z-L (z-l)
GWERN
DEEPTHROAT_ (DeepThroat_)

For those who mercifully missed the drama: NSWGreat is an Australian vendor who sold on Evolution & also was an employee in a mostly PR capacity who memorably confirmed the recent Evolution exit scam (ending the doubt and uncertainty about the failing withdrawals); z-l, DeepThroat_, and evosmith were just 3 of the legion of trolls and scammers and fools who popped up in the immediate aftermath, claiming to have secret information, offering to dox or attack the Evo admins in exchange for Bitcoins (upfront, naturally), posting faked chats intended to deliver malware (example). z-l claimed to have been an Evo programmer and to be offering the source code, user database etc; the normal way of verifying such a claim is for the leaker to give someone with accounts the hash of their password, which that someone can then hash their password and check it matches, and since I had one or two Evo accounts for spidering, I offered to verify using mine to either show z-l to be somewhat genuine or a troll like all the others. z-l never gave me any hashes, databases, or the source code, claiming that - oops! - his copies must be on some other hard drive and he was still looking for it. Last I saw, he was now claiming to have given up on releasing the info to anyone but the FBI or to have been paid off by Kimble/Verto, I forget which.
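The verification step described above (the leaker hands over the hash for an account the verifier controls, and the verifier recomputes it from their own password) is a defensive check that costs the claimant nothing if they are genuine and exposes them immediately if they are not. The script below is an added example, not code from the original post or from any market; the record formats it accepts (`sha256$salt$hex` and `pbkdf2_sha256$iterations$salt$hex`) and the sample rows are assumptions constructed for illustration, since a real claim would arrive with whatever scheme the site actually used and the claimant would have to state it first.

```python
import hashlib
import hmac

# Record formats assumed for this example (constructed, not any real site's scheme):
#   sha256$<salt>$<hexdigest>
#   pbkdf2_sha256$<iterations>$<salt>$<hexdigest>


def make_record(password: str, algorithm: str, salt: str, iterations: int = 100_000) -> str:
    """Build a record in the assumed format. Used here only to construct sample data
    standing in for what a leaker might hand over."""
    if algorithm == "sha256":
        digest = hashlib.sha256((salt + password).encode()).hexdigest()
        return f"sha256${salt}${digest}"
    if algorithm == "pbkdf2_sha256":
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations).hex()
        return f"pbkdf2_sha256${iterations}${salt}${digest}"
    raise ValueError(f"unsupported algorithm {algorithm!r}")


def verify_claim(record: str, own_password: str) -> bool:
    """Recompute the hash of our own password and compare it with the claimed record.

    Only the account holder can run this: the claimant never learns the password, and a
    mismatch means the claimant's data does not match the real database (or the scheme
    they described is wrong), which is exactly the proof/no-proof split the post asks for.
    """
    parts = record.split("$")
    if parts[0] == "sha256" and len(parts) == 3:
        _, salt, claimed = parts
        actual = hashlib.sha256((salt + own_password).encode()).hexdigest()
    elif parts[0] == "pbkdf2_sha256" and len(parts) == 4:
        _, iterations, salt, claimed = parts
        actual = hashlib.pbkdf2_hmac(
            "sha256", own_password.encode(), salt.encode(), int(iterations)
        ).hex()
    else:
        raise ValueError("unrecognised record format; ask the claimant to state the scheme")
    # Constant-time comparison so the check itself leaks nothing through timing.
    return hmac.compare_digest(actual, claimed)


def assess_leak(claimed_rows: dict, own_accounts: dict) -> dict:
    """Check every claimed row for which we hold the password.

    Returns username -> True (matches), False (does not match) or None (no record for
    an account we control, so the claim is unverifiable on this evidence).
    """
    results = {}
    for username, password in own_accounts.items():
        record = claimed_rows.get(username)
        results[username] = None if record is None else verify_claim(record, password)
    return results


if __name__ == "__main__":
    # Constructed sample: two accounts we hold, and a "leak" that is correct for one,
    # fabricated for another, and silent about a third.
    own = {"spider1": "correct horse battery", "spider2": "staple", "spider3": "unused"}
    leak = {
        "spider1": make_record("correct horse battery", "pbkdf2_sha256", "s4lt"),
        "spider2": make_record("not the real password", "sha256", "abcd"),
    }
    for user, outcome in assess_leak(leak, own).items():
        print(user, {True: "MATCH", False: "MISMATCH", None: "no record"}[outcome])
```

A claimant who is genuine can supply the row for a named account within minutes; one who keeps producing excuses instead of rows is answered by `None` across the board, which is the same information as "ignore them like any other spammer".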

Given the date and the affected accounts, it doesn't take Holmes to deduce the reason for this subpoena: the ICE agent is interested in the trolls z-l and Deepthroat, and also thinks that they may be able to get IPs for NSWGreat (just one naked connection revealing his home IP would be enough and if he's like past market employees, a raid will turn up all the damning evidence one could hope for). This is a bit hilarious because z-l and Deepthroat never produced anything but drama: nothing but a lot of big talk, threats, and a chat conversation of dubious authenticity, which nevertheless got eaten up by this subreddit's readers and other subreddits and got some media attention. I'm sure that they were both thrilled to be told by Reddit about the subpoena - they couldn't've hoped they would be able to draw such attention and increase the drama even more.

I'm presumably included because I offered to verify z-l's Evolution hashes using my own Evo accounts' passwords, which he was never able to provide - instead I got excuses about how he couldn't find the user database and it must be on another hard drive. And this subpoena furnishes further proof that z-l was a troll, since he claimed to have sent all his material to the FBI, and if he did, why on earth is an ICE agent (located, incidentally, in the same city as the Marco Polo FBI task force) subpoenaing his account?

The specific information required:

a. The subscriber's name; email address, registration IP address, registration date, current IP address;
b. The subscriber's address;
c. The subscriber's local and long distance telephone toll billing records;
d. The subscriber's records of session times and durations;
e. The subscriber's length of service (including start date) and types of services utilized;
f. The subscriber's telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address; and
g. The subscriber's means and source of payment for such service (including any credit card or bank number).

I assume the main goal here is the IPs. While Reddit may have phone numbers for 2FA and billing information for Gold or advertising, it is unlikely any of our accounts have that and those parts are more boilerplate. (Reddit's lawyer declined to specify what information would be provided, referring me to the privacy policy.)

Administrative subpoenas effectively cannot be fought because the judicial standards are ultra-low and because they are going to a third-party (Reddit); one has little legal standing or rights in data held by third-parties, which is one reason subpoenas feature so prominently in the past black-market cases I've written about (cases often involve subpoenas to Amazon, ISPs, Gmail, PayPal, etc, and those are just the ones mentioned - implying many more subpoenas were sent off but didn't turn out immediately useful). So there's nothing that can be done about this.

So the basic lesson here is:

Don't feed the trolls. If someone claims to be a hacker, or staff, or whatever, don't swallow their stories and excuses; either they are going to leak & provide proof, or they are not. If the latter, then they are of interest, otherwise, simply ignore them like you would any other spammer. It's not that hard.

If you people had kept your heads more level and hadn't overloaded Reddit with doxing fervor, I wouldn't have been forced to waste a day reading up on subpoenas & seeking legal advice, being stressed out, and having LE violate my Reddit account to read my PMs and potentially endanger my source - all in addition to the time I already wasted answering questions about z-l and reading through alerts related to him/me. Gee thanks guys... (And this is despite all the effort the mod team put into putting a lid on the worst of the frenzy! And believe it or not, it's continuing, with /u/Bluehighsky and /u/z-l2.)

The subpoena does include some boilerplate language to the effect that "You are requested not to disclose the existence of this subpoena for an indefinite period of time. Any such disclosure will impede this investigation and thereby interfere with the enforcement of federal law."; however, this threat is obviously hollow: Reddit has already notified the accounts involved, 21 U.S.C. § 967 includes no gag order like NSLs and financial subpoenas do, subpoenas are commonly discussed publicly, administrative subpoenas are commonly used, discussing it fits under no laws or cases of interference, discussion of LE activity is protected by precedent & free speech, and as a journalist & researcher I pretty much have to write about this.

My personal vulnerability is relatively low: I am well-aware that as a semi-public figure writing about the black-markets I am doxable, especially by LE, and for that and many other reasons, I have never been a seller, market operator, or market employee, and I have never accepted payment from any of the above; in addition, I have not purchased from any markets for quite some time now (because it would interfere with my self-experiments, true, but nevertheless). However, it is impossible to not violate laws in the USA and I cannot really afford a good legal defense, so I am still worried. This seems like a good time to note that my writing & research on the blackmarkets - my mirroring of the markets such as Evolution, my research into arrests, analysis of market lifetimes, and background - are supported by donations: 1GWERNEDr2o3JYfD3n5GHkoPxSxPk3MbK3 (EDIT: thanks to everyone who donated. I am surprised and humbled to have received ฿3.5 so far!)

Nevertheless, how can I continue as a moderator knowing that all my non-PGPed communications have been laid bare, there may be followup subpoenas for my Gmail account, and I may be under further investigation myself? I am still considering this, but I will probably step down as a moderator soon; I'd been considering moving on to other areas for a while now, but the subpoena may be the last straw and a message.

Finally: don't panic. The Eye of Sauron is upon us indeed, but we all expected this would happen eventually or had been happening all along. Double-check you are using Tor; archive copies of any important pages or comments; remove any comments or posts which on reflection may reveal too much to the entire world; switch accounts or switch to using hidden-service forums like The Hub for any dangerous talk.

(Wired article; ars technica; Forbes; HN)

[NSWGreat was ultimately arrested by Australian police in February 2019. It is unclear if the various subpoenas had anything to do with his arrest. —Editor, 16 February 2019]