German authorities, after the “Munich massacre,” doubled their efforts to investigate criminal activity on the darkweb. One of their targets was the forum “Germany in the DeepWeb.” Prosecutors in the case against the suspected forum adminstrator have detailed some of the unique tactics used during the investigation into the forum.

Germany in the DeepWeb

At the Karlsruhe District Court, prosecutors have explained how a 31-year-old computer scientist named Alexander U. created and singlehandedly operated one of the most popular hidden services for people living in Germany. After his arrest in late 2017, Alexander effectively admitted committing the original crimes the government had accused him of committing. The German Federal Criminal Police Office had arrested the man for “aiding and abetting the illicit trade in weapons and narcotics.”

Many German media outlets accurately covered the case, pointing out the differences between the phpBB forum and darkweb marketplaces such as Alphabay or Silk Road. Germany in the DeepWeb (“Deutschland im DeepWeb” or DIDW) served as a place for discussions first and foremost. It functioned as a free market to a lesser degree, primarily due to the forum adminstrator’s stance on personal liberty. And Alexander’s defense has heavily relied on his “hands off” moderation approach.

From Drugs to Negligent Homicide

Months after German authorities had allowed the man’s pretrial release, the prosecutor hit Alexander with new charges in connection with the Munich massacre. Much like the gun vendor who had sold a Glock to the gunman, Alexander committed the crime of gross negligence in nine assaults and nine homicides, the prosecutor said. Information from the server seized at the forum adminstrator’s apartment and evidence seized during the investigations into other German darkweb vendors indicated that Alexander had more of an active role in what the vendors had been selling.

He had apparently communicated with vendors regarding every item or product listing the vendor wanted to sell through the forums “marketplace” subforums.

The charges stemmed—primarily—from information uncovered during an extensive investigation into the forum owner and an elaborate operation to seize Alexander’s computer before he had the opportunity to shut it down, decrypting the data. Ironically, despite successfully accessing Alexander’s decrypted computer, the majority of the evidence detailing the forum’s intricacies came from forum other sources. The unique part of the case, though, was the investigation that led to Alexander’s arrest.

Tracking “Lucky”

The German Federal Criminal Police Office (BKA) knew of DIDW prior to the Munich massacre, prosecutors revealed. But the killings in Munich set the investigation in motion. Although the case has many interesting pieces of information worth discussing, the investigation is what I will briefly though on in this article.

Investigators knew the forum owner and admin identified himself on the hidden service under the username “Lucky” or “Luckyspax.” They also knew that his OPSEC was on point and that his forum was coded and maintained by someone with talent. So they waited for the man to slip up and make an OPSEC mistake in the future. Consider the Silk Road and Alphabay investigations; United States law enforcement worked the opposite directions, relying on beginner mistakes that Ross Ulbricht and (allegedly) Alexandre Cazes had literally made at the start of their careers as darkweb market owners.

According to BKA investigators, the link between Lucky and Alexander’s email address was discovered after Lucky had asked for Bitcoin donations from forum users. An undercover BKA investigator who had been actively using a DIDW account spotted a donation address on December 25, 2016. Investigators quickly learned that Lucky had been receiving the donations at an address connected to bitcoin.de, a German bitcoin exchange.

Bitcoin.de Screenshot

The BKA requested information associated with the Bitcoin address Lucky had been using to receive domains. The exchange sent the investigators the account information: Alexander’s full name, address, and email address. But even with that information, it took investigators nearly another year to execute a plan that would almost guarantee their success. They already had his information, access to his bank account, and his home address. It is not exactly clear what took law enforcement so long to prepare the final steps.

The Raid and Forum Takedown

On the day of the raid, the BKA launched a “hacking” campaign aimed to keep Alexander busy. “We tried an SQL injection attack,” the investigator said in his testimony. The investigator explained that the attack would keep Lucky nervous. They knew he would investigate the attack. But the authorities had not obtained a court order for any data seizure—something often achieved by malicious actors via SQL injection. The investigator explained, though, that the attacks were designed to fail.

“We knew what software was used, so we knew the attack would not work,” he explained. Another BKA officer—the one with the active DIDW account—contacted Lucky and explained that the forum had a massive vulnerability. The undercover agent, using an account under the name “Gazza,” sent the following message to Lucky mere minutes before the arrest: “Hi Lucky – I do not want to worry you, but I’ve found a serious security hole.”

Through the window of Alexander’s apartment, BKA officers and members of the tactical GSG 9 watched as Alexander directed his focus to two computer monitors installed at a desk in his living room. Moments later, Alexander’s door came down and the BKA had Alexander on the floor. They had the decrypted computer he had been using as well as the server hosting Germany in the DeepWeb. A BKA investigator immediately say down to work. They had to sort through 75 gigabytes of data. Of that, only two gigs had any relevance to the forum.

The rest of the data, according to the prosecutor, consisted primarily of computer games. But before they managed to pull important data off the machine, one BKA investigator accidentally pulled the plug.

The data, since the day of the raid, has been impossible for the BKA to access. Their failure to actually pull actionable information from the computer(s) will impact the prosecutor’s ability to prove some of the crimes Lucky allegedly committed. We will not know the full impact of that failure until the next court appearance, though.