The Crystal Castle was the home page for Crimewave, with hidden text files at various URLs

Back in March of this year, I reviewed the new Tor phishing service in town known as ‘Rotten Onions’. Crimewave, the lovable internet miscreant, posted considerably on Reddit under the alias /u/crimewave_loves_you about his various exploits, providing a well-documented history of a Bitcoin scam to dissect.

Not the first, but likely not the last

History

February 7th 2016 Launch

This is a cloned phishing login. Note how the form asks for the PIN on login; it should only be asked for on payment

It all started in January with the threads: “Rotten Onions — a spiritual successor to Onion Cloner that isn’t garbage” over at http://22222222shp56atq.onion/rotten_onions.txt

This was of course not well received by /r/onions:

“Promoting a “Phishing link” creation service? fuck you.”

February 13th — Bitblender notices the phishing

A week later, the owner of the bitcoin tumbler BitBlender posted a warning that their users were being phished via a proxy site. Rather than implementing real login security measures such as 2FA, BitBlender tried to block the attack with some hacky JavaScript. Crimewave appeared immediately:

When you try and counter weaknesses in Tor architecture via javascript blacklisting

Thanks for tipping me off — I’ve disabled the bit of javascript you put up on the 2 Rotten Onions domains I have running against your site. lol, I was beginning to wonder why all the bitblender logins stopped showing up in my logs

I’m not sure who’s stupider here, Bitblender for their ‘fix’ or Crimewave for admitting to immediately having circumvented it.

March 10th — Deanonymisation attack?

At this point Crimewave is running ‘roughly 200’ onion services on his server and found that someone had queried his onion domains via the server’s public IP address rather than via the Tor network as expected. Whilst he suggests it was an Operation Onymous style “sniper” attack on his guard nodes (“my guard nodes were going down quite frequently”), details of his technical set-up led me to believe he was queried by a harmless automated scanner.

Crime architecture… crimecitecture? Scamcitecture?

So you may note the minor configuration mistake here in having the web server exposed to the internet, so that you’ll be able to make connections, but not receive responses. He later admits:

Another idea I’m playing with is setting up firewall rules to only allow traffic from localhost so that all traffic has to either be to or from a hidden service or it gets dropped, but that’d be something that wouldn’t work for everyone. In the case of Rotten Onions though, it’d be perfect and that’s definitely what I’m doing on the new box I’m currently in the process of setting up.
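The check I would run on such a box, as an added example that is neither the post's nor Crimewave's code: it parses `ss -H -lnt` output (a constructed sample is embedded) and flags every listener not bound to a loopback address, which is exactly what leaves a hidden-service web server answerable on the public IP.

```python
"""Added example, not from the post or from Crimewave's setup: audit an onion
service host for listeners that are reachable on the public interface instead
of only via loopback (the misconfiguration described above).  The input is
`ss -H -lnt` output; the sample below is constructed for illustration."""
import ipaddress
import subprocess

# Constructed `ss -H -lnt` output: a web server bound to every interface (the
# mistake), Tor's SOCKS port and two loopback-only vhosts (the correct setup).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 [::]:80 [::]:*
LISTEN 0 128 127.0.0.1:9050 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 [::1]:8081 [::]:*
"""

def split_local_address(field):
    """Split ss's 'addr:port' column; IPv6 is printed as '[addr]:port'."""
    host, _, port = field.rpartition(":")
    return host.strip("[]").split("%")[0], int(port)

def is_loopback(host):
    """'*' is ss's wildcard for all interfaces, which is never loopback."""
    if host in ("*", ""):
        return False
    return ipaddress.ip_address(host).is_loopback

def exposed_listeners(ss_output):
    """Return (address, port) pairs not bound to a loopback address."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_local_address(fields[3])
        if not is_loopback(host):
            exposed.append((host, port))
    return exposed

def audit_live_host():
    """Run the check against the local machine (Linux with iproute2)."""
    result = subprocess.run(["ss", "-H", "-lnt"], capture_output=True,
                            text=True, check=True)
    return exposed_listeners(result.stdout)

if __name__ == "__main__":
    for host, port in exposed_listeners(SAMPLE_SS_OUTPUT):
        # Fix: bind the service to 127.0.0.1, point HiddenServicePort at it,
        # and drop inbound traffic on the public interface in the firewall.
        print(f"exposed listener: {host}:{port}")
```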

March 20th — Giving back to the community

Having rebuilt his server just in case, after scamming for just under 3 months, he’s rolling in the dough and wants to ‘give back’ to the community:

Having secured significant funding from running Rotten Onions, I can now host services that will improve the Tor community as a whole! And unlike most other hidden services, I’ve actually got the funding to keep these services alive. I’m currently planning an image hosting service, file hosting service, and possibly a blog hosting service. Now I just need to know: which of these should I start working on first, and what other services would you good onion people like to see?

But given the lukewarm response, he follows up with…

March 24th — Bitcoin for animal shelters

Looking to donate money to animal shelter. Can anyone recommend one that accepts BTC? The only requirement is that it be a no kill shelter and, obviously, that it accepts bitcoins. I’ve searched around quite a bit can’t seem to find a shelter that fits these simple requirements. Can anyone recommend?

You like animals right? Better support the scammer or the shiba inu gets it >:(

March 22nd — Email compromise

(yes this was earlier than the animal shelter thread, but I’m listing it here for narrative / readability reasons)

A complex scenario is illustrated whereby his [email protected] address has been compromised somehow. So not only has he burned his previous server, now his email is gone too.

By this point he’s up to 763 onion addresses — presumably because he’s realised that you get better click-through on an un-googlable string than on one that might be sitting on a forum next to someone shouting ‘SCAM!’.

March 28 — Robbin’ the Hood on the darknet

Crimewave now claims to donate 25% of his ill-gotten gains as follows:

5% of the income goes to Run 2 Rescue, an organization that helps victims of sex trafficking. 10% of the income goes to R U 4 ME Pet Rescue, a no-kill animal rescue. And last but not least, 10% of the income goes to Last Door Recovery Centre, a drug rehab facility.

So we rob the drug users to pay for drug rehab! Truly Crimewave is the hero the darknet deserves.

April 9th — Radio silence

Following this commitment to robbing recreational drug buyers to make the world a better place, the last we hear from Crimewave on Reddit is on April 9th, when he decides to scam Redditors with a Red Room that is just a mirrored puzzle site.

Conclusions

With the recent arrest of a bloke from Connecticut, USA, for a similar scam, I wondered whether it could be the same person. However, my own timestamp analysis of Crimewave’s posts suggests to me that he could even be UK based rather than US. But the choice of US charities suggests the US.
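The kind of timestamp analysis mentioned above, as an added example that is my code rather than the author's: post times are binned by hour of day and every whole-hour UTC offset is scored by how many posts would land in an assumed local sleep window. The post times are constructed, not Crimewave's real ones.

```python
"""Added example (my code, not the author's analysis): estimate which UTC
offsets are consistent with a poster's activity pattern.  Reddit reports post
times in UTC; for each whole-hour offset we count posts that would fall in an
assumed local sleep window and keep the offsets with the fewest.  The
timestamps below are constructed, not Crimewave's real post times."""
from collections import Counter
from datetime import datetime

SLEEP_WINDOW_LOCAL = range(1, 7)  # assumed: 01:00-06:59 local is quiet

# Constructed sample: a poster active from morning to late evening UTC.
SAMPLE_POSTS_UTC = [
    "2016-03-10T08:12:00Z", "2016-03-10T12:40:00Z", "2016-03-10T19:05:00Z",
    "2016-03-11T09:30:00Z", "2016-03-11T15:11:00Z", "2016-03-11T23:48:00Z",
    "2016-03-12T10:02:00Z", "2016-03-12T17:25:00Z", "2016-03-12T22:10:00Z",
    "2016-03-13T11:44:00Z", "2016-03-13T14:00:00Z", "2016-03-13T20:33:00Z",
]

def utc_hours(stamps):
    """Hour of day (UTC) for each ISO 8601 timestamp ending in 'Z'."""
    return [datetime.fromisoformat(s.replace("Z", "+00:00")).hour
            for s in stamps]

def hour_histogram(stamps, offset=0):
    """Posts per local hour at a given UTC offset; useful to eyeball the gap."""
    return Counter((h + offset) % 24 for h in utc_hours(stamps))

def sleep_window_posts(hours_utc, offset):
    """Posts landing in the sleep window if the poster lives at UTC+offset."""
    return sum(1 for h in hours_utc if (h + offset) % 24 in SLEEP_WINDOW_LOCAL)

def candidate_offsets(stamps, offsets=range(-12, 15)):
    """All offsets tied for the fewest sleep-window posts.  A dozen posts
    cannot separate neighbouring zones, so a range comes back rather than one
    zone; the value is in which zones are ruled out (US Eastern is UTC-5/-4)."""
    hours = utc_hours(stamps)
    scores = {off: sleep_window_posts(hours, off) for off in offsets}
    best = min(scores.values())
    return [off for off, score in scores.items() if score == best]

if __name__ == "__main__":
    print("consistent UTC offsets:", candidate_offsets(SAMPLE_POSTS_UTC))
    print("posts in sleep window at UTC-5:",
          sleep_window_posts(utc_hours(SAMPLE_POSTS_UTC), -5))
```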

Crimewave actually messaged me after my first piece saying:

Attempting to reveal Tor users’ real IP addresses with JS and STUN requests is still a planned feature — it hasn’t been implemented yet. Also, hi! I’m crimewave, and I liked your article

However I think he may ultimately be better known for: