For people following the ongoing story about the questionable kidnapping involving model Chloe Ayling being ‘sold on the dark web’ by the Black Death Group, this is a research tips dump I’m running. Get in touch if you have anything else to add.

I am not focusing on the character of Chloe Ayling as this is already highly speculative and sensationalist. Instead I’m working primarily on digital forensic evidence that I can get my hands on.

If you need a background on the offline events, I recommend the current write-up on DeepDotWeb.

I’ve also created a timeline (unusable on mobile) to better visualise the events sequentially. It is designed to be viewed and cross-referenced against this post rather than to stand fully alone.

Contents

Adverts and Early Days

3 July 2015 — a few adverts were made in places like the human-trafficking LARP site overchan.market.

5 July 2015 — Other advert locations include this one on 8chan from ‘ck’:

black death group is looking for a very highly skilled hacker for our ongoing contracts, we’re paying 3500$ per day whether you work or not more details and website available on request contact on: [email protected] [email protected] [email protected]

torbox3uiot6wchz.onion is a popular Tor-only email service, still up today.

Safe-mail.net is a popular Israeli free mail provider used on the dark web; however, it looks like they respond to legal requests via the Israeli government, and thus potentially to international requests too. Unless the authorities have written the service off as a scam already, we can assume such a request could have been made already.

Bitmessage is a blockchain based messaging system.

delete us we dont want to be public

I wouldn’t say UnderDir can be 100% trusted on their stats; I can imagine being paid to add fake listing data being rather profitable for them. However, I believe the start time (5 July 2015) is around the time of their first ever actual launch. The 4c7pcgkpjlwg67zo.onion domain would also go down on 8 July, and the tabloid tip-offs from the would-be kidnappers would come immediately after, on 9 July.

Searching for the string ‘”All existing customers have been provided with new address” “Black Death”’

4 April 2016 — The new y25iebrhjwone7py.onion is first spotted in a Tor directory.

2016 Dossier

24 May 2016 — Europol produced a dossier on the organisation. This is on the very same date BDG moved to Freedom Hosting II and shilled on Reddit. Europol must have caught the advert and created the dossier at this point in conjunction with previous scrapes from 4c7pcgkpjlwg67zo.onion.

The history is obviously faked — ‘Enters the Deep web’ in January 2010? Please. And shortly after being ‘too’ popular? Given most of the hitman stories broke in 2013, this seems rather too early to be taken seriously to me.

The reference to “E & L Escrow and Laundry” escrowaaziantwzgd.onion were apparently verified on a service called ‘Tor Wild’, whatever THAT is. I am not convinced this ever was a valid address.

Before 24 May 2016 — At this point the address is y25iebrhjwone7py.onion.

25 May 2016 — Europol report suggests the site is simply displaying the ‘Web site has moved. Existing customers has been provided with new address’. They likely moved to u5wk4op3rf2txnnx.onion at this point, which ran from 30 May 2016. (See Freedom Hosting II)

‘MD’ starts his search for the Black Death Group

‘MD’ was Lukasz Herba’s alias on his business card. It has been published in redacted form, as follows:

As it’s such a long email address, it can only be that Tor mail service, Tor Box from earlier:

[email protected]

Searching for this address, you can actually see ‘MD’ trying to get a job [clearnet archive] as a hit man under that very alias on overchan.market, on the decentralised NNTPCHAN forums:

Subject: hitman service Name: md MessageID: < [email protected] Date: Thu Aug 4 21:01:37 2016 Hi all, New to forum, new to deep web. Find it pretty straight forward.

I am trying to use deep web capabilities in order to promote very specific service I have to offer. 6 years military, spetsnaz experience

5 years private military company experience or mercenary if you wish Service: hitman, with full middleman implementation, or as you call it escrow.

I already know that all hitmen services are scams, I want to promote my own name. Where do I start? Niche market, I am aware, but I did that in the name of values that were never mine, I shall do it for personal gain instead

He gets told to GTFO, but persists:

Subject: None Name: md MessageID: < [email protected] Date: Fri Aug 5 19:03:39 2016

Trash talk as everywhere, but there is a reason why I offer 100% escrow. Where do I start? What are the biggest markets that offer escrow too?

Interesting is it not?

Subject: 377efdf4c2a73fd262 Name: MD MessageID: < [email protected] Date: Fri Aug 5 19:10:30 2016

There is a reason why I offer 100% escrow.

What are the biggest markets, websites or forums?

I would ask ‘who would fall for that?’ but that would be a very long story…

Subject: a941974d8a7789f22d Name: MD MessageID: < [email protected] Date: Fri Aug 5 19:49:19 2016

put the money in escrow and watch me despatch someone or contact on [email protected]

And he finally asks:

Subject: 377efdf4c2a73fd262 Name: md MessageID: < [email protected] Date: Mon Aug 8 06:14:30 2016

so what are the biggest forums or markets?

And that, ladies and gentlemen, is how you confess to being an assassin on the internet! (Not by blogging about it, plznoarrestkthx). He likely either sought out or researched the Black Death Group after this posting.

Police plz

Freedom Hosting II

There is evidence the first and second domains were both hosted on Freedom Hosting II — something I just happen to host the leak archive for!

24 April 2016 — this Reddit post [backup] is talking about them. On the very same day they move to Freedom Hosting II? Bit of a coincidence no?

The poster /u/justaguytorx only ever used this account, and they appear to shill their site in the same thread with /u/good-dude:

First domain

Searching the FHII database, I can also find their original 4c7pcgkpjlwg67zo.onion domain in there, user ‘bdgroup’, but with no database.

24 April 2016 — The data suggests they started hosting this domain at this point, so they must have migrated their private keys in from where they were previously.

9 June 2016 — The data also suggests it was last accessed on 9 June 2016, the same as y25iebrhjwone7py.

The FTP report says FTP access was deleted. The SQL report says the database was deleted.

Second domain

y25iebrhjwone7py was hosted with user ‘bdgroup4’.

It appears they only ever had a flat, database-less site on FHII for y25iebrhjwone7py. You can see this by running the following against dump.sql:

grep -B 5 -A 10 "Current Database: \`y25iebrhjwone7py\`" dump.sql

You’ll get output showing they have an empty, auto-generated database.
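As an added example (not the author’s command and not data from the FHII dump), here is a small Python parser that does mechanically what the grep above does by eye: it splits a mysqldump-style file into its “-- Current Database:” sections and reports whether each one contains any table definitions or INSERT rows, so an empty auto-generated database is distinguishable from a real one. The sample dump is constructed; the first database name is the one from the page, the second (‘exampleforum’) is invented.

```python
import re
from collections import OrderedDict

# Constructed sample in mysqldump layout. Only the section-header pattern
# ("-- Current Database: `name`") mirrors what the page greps for; the
# contents are invented for illustration.
SAMPLE_DUMP = """\
-- MySQL dump 10.13
--
-- Current Database: `y25iebrhjwone7py`
--

CREATE DATABASE /*!32312 IF NOT EXISTS*/ `y25iebrhjwone7py` /*!40100 DEFAULT CHARACTER SET utf8 */;

USE `y25iebrhjwone7py`;

--
-- Current Database: `exampleforum`
--

CREATE DATABASE /*!32312 IF NOT EXISTS*/ `exampleforum`;

USE `exampleforum`;

--
-- Table structure for table `posts`
--

DROP TABLE IF EXISTS `posts`;
CREATE TABLE `posts` (
  `id` int(11) NOT NULL,
  `body` text
);

--
-- Dumping data for table `posts`
--

INSERT INTO `posts` VALUES (1,'hello');
"""

# One regex per thing we count; all anchored to line starts as mysqldump writes them.
DB_HEADER = re.compile(r"^-- Current Database: `([^`]+)`", re.M)
TABLE_DEF = re.compile(r"^CREATE TABLE `([^`]+)`", re.M)
INSERT_STMT = re.compile(r"^INSERT INTO `([^`]+)`", re.M)


def summarise_databases(dump_text):
    """Map each database name in the dump to its table names and INSERT count."""
    summary = OrderedDict()
    headers = list(DB_HEADER.finditer(dump_text))
    for i, match in enumerate(headers):
        # A database's section runs from its header to the next header (or EOF).
        start = match.end()
        end = headers[i + 1].start() if i + 1 < len(headers) else len(dump_text)
        section = dump_text[start:end]
        summary[match.group(1)] = {
            "tables": TABLE_DEF.findall(section),
            "inserts": len(INSERT_STMT.findall(section)),
        }
    return summary


def is_empty_database(dump_text, db_name):
    """True if the database exists but holds no tables and no rows; None if absent."""
    entry = summarise_databases(dump_text).get(db_name)
    if entry is None:
        return None
    return not entry["tables"] and entry["inserts"] == 0


if __name__ == "__main__":
    for name, entry in summarise_databases(SAMPLE_DUMP).items():
        state = "empty" if is_empty_database(SAMPLE_DUMP, name) else "has content"
        print(f"{name}: {state} ({len(entry['tables'])} tables, {entry['inserts']} inserts)")
```

Pointing this at a real dump is a matter of reading the file into `summarise_databases`; the section boundaries are the same header lines the grep keys on, so the two approaches agree on which database you are looking at.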

24 April 2016 — FHII data suggests y25iebrhjwone7py was created on this date. Did they move their .onion private keys to FHII at this time?

9 June 2016 — FHII data says its last log was at this time. However, the site was not deleted at the time of the FHII closure, so it’s unclear if they just became unpopular or moved to a new domain.

Other domains

Searching for ‘bdgroup’ in the domains list returns additional, previously unknown domains:

grep -B 20 "bdgroup" domains.csv

bdgroup2 — qmyt7fqs3ovkm5lq.onion — 11 July 2015–24 April 2016 — deleted — no database

bdgroup3 — g5gllga35n26mxqu.onion — 5 December 2015–23 April 2016 — deleted — no database

bdgroup5 — u5wk4op3rf2txnnx.onion — 30 May 2016–23 September 2016 — was up — has an empty database

bdgroup6 — 5dldgxulhv6hmgla.onion — 21 November 2016–28 November 2016 — was up — has an empty database

This changes the timeline considerably, placing the very first edition in July 2015, the same day as the first snapshot.
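As an added example (my code, not the author’s, and not the real FHII domains.csv, whose column layout is not shown on the page and is assumed here), the following Python turns the grep above into a repeatable timeline check: it filters hosting accounts by a username prefix, orders them by creation date, reports the earliest and latest dates, and flags accounts whose hosting windows overlapped, which is how you would notice that two editions of a site were live at once. The CSV is constructed; the four bdgroup rows carry the dates the page lists, and the ‘unrelated’ row is invented noise.

```python
import csv
import io
from datetime import date

# Constructed CSV with an ASSUMED column layout (username, onion, created,
# last_seen, status, database). The bdgroup rows use the dates the page lists,
# written as ISO dates; the "unrelated" row is invented filler.
SAMPLE_DOMAINS_CSV = """\
username,onion,created,last_seen,status,database
bdgroup2,qmyt7fqs3ovkm5lq.onion,2015-07-11,2016-04-24,deleted,none
bdgroup3,g5gllga35n26mxqu.onion,2015-12-05,2016-04-23,deleted,none
unrelated,aaaaaaaaaaaaaaaa.onion,2016-01-01,2016-02-02,up,empty
bdgroup5,u5wk4op3rf2txnnx.onion,2016-05-30,2016-09-23,up,empty
bdgroup6,5dldgxulhv6hmgla.onion,2016-11-21,2016-11-28,up,empty
"""


def accounts_with_prefix(csv_text, prefix):
    """Rows whose username starts with prefix, with dates parsed, sorted by creation."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["username"].startswith(prefix):
            row["created"] = date.fromisoformat(row["created"])
            row["last_seen"] = date.fromisoformat(row["last_seen"])
            rows.append(row)
    rows.sort(key=lambda r: r["created"])
    return rows


def hosting_timeline(csv_text, prefix):
    """(earliest created, latest seen, onions in creation order), or None if no match."""
    rows = accounts_with_prefix(csv_text, prefix)
    if not rows:
        return None
    earliest = rows[0]["created"]
    latest = max(r["last_seen"] for r in rows)
    return earliest, latest, [r["onion"] for r in rows]


def overlapping_accounts(rows):
    """Pairs of usernames whose [created, last_seen] windows overlap in time."""
    pairs = []
    for i, a in enumerate(rows):
        for b in rows[i + 1:]:
            # Closed intervals overlap when each starts no later than the other ends.
            if a["created"] <= b["last_seen"] and b["created"] <= a["last_seen"]:
                pairs.append((a["username"], b["username"]))
    return pairs


if __name__ == "__main__":
    earliest, latest, onions = hosting_timeline(SAMPLE_DOMAINS_CSV, "bdgroup")
    print(f"first seen {earliest}, last seen {latest}")
    for onion in onions:
        print("  ", onion)
    for a, b in overlapping_accounts(accounts_with_prefix(SAMPLE_DOMAINS_CSV, "bdgroup")):
        print(f"overlap: {a} and {b} were hosted at the same time")
```

On the sample data the earliest creation date is the July 2015 one that moves the timeline back, and the only overlap is between bdgroup2 and bdgroup3, which were both live from December 2015 until April 2016.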

None of these domains have Google hits beyond unstructured dump references. Assuming the FHII hacker passed the full site data to the police, the police will be able to cross reference site snapshots of those old sites to build up a picture of any alleged trafficking taking place there.

The Polish Forum

If you grep the FHII database dump for 4c7pcgkpjlwg67zo you’ll come across just one other mention, in a forum — the name of which it’s not worth me mentioning here, as I am sure they are all lovely people.

[email protected] writes on 12 September 2015:

black death group to stara formacja z deep weba siedzieli na deep webie juz za czasow silk roadu i byli chyba pierwszymi ktorzy mieli pozytywne ratingi za zabojstwa czy sprzedaz militariow to wlasnie z ich uslug korzystal wlasciciel silk roadu kiedy eliminowal konkurencje ale nigdy mu tego nie udowodniono po zamknieciu silk roadu grupa zeszla do podziemi i z tego co wiem to teraz znacznie zwiekszyla swoje pole dzialania do handlu grubszymi rzeczami w ilosciach hurtowych i dzialaja tylko na zasadzie polecenia tutaj masz link kiedys bylo cos ze ukrali ukraincom kilkadziesiat zestaw przeciwlotniczych i na internecie byla burza ze trafilo to do rak mafii http://4c7pcgkpjlwg67zo.onion/ ale ciagle sie przenosza widac zalezy im na braku popularnosci i zgaduje ze klienteli w swoich srodowiskach maja wystarczajaco duzo nie mam aktualnej strony a tak sobie tez nie dadza generalnie to gruba sprawa i jesli nie traktujesz tego powaznie to lepiej sie nie pchaj bo to sliski biznes i z tego biznesu raczej sie nie odchodzi jak juz jestes jego czescia przynajmniej w jednym kawalku

These are semi-automated translations with copy editing and light editorial changes for personal interpretation and clarity. Feel free to send corrections or alternative translations:

Black death group is an old organisation from the deep web. They were located on the deep web during the time of the Silk Road and they were probably the first ones who had positive ratings for the murder or the sale of military supplies. It was their service that was used by the owner of the Silk Road when he eliminated the competition, but it was never proven.

It’s well known that if indeed Ulbricht tried to have someone killed, he was scammed in the process, and now we have the Black Death Group trying to take credit for this. I’m also not aware of any evidence of hit men on the Silk Road ever having (non-faked) positive ratings, but get in touch if I’m wrong.

After Silk Road closed, the group went underground and what I now know is that it has significantly increased its trading activities to bigger things in wholesale quantities, and work only on the basis of instructions given. Here you have a link to a few stolen Ukrainian anti-aircraft defence weapons and there was an Internet storm that hit the drug mafia http://4c7pcgkpjlwg67zo.onion/ but still bear in mind they depend on the lack of popularity, and I guess that they have enough customers in their sector. I have no current site so don’t give up. Generally it’s a grubby thing, and if you don’t take it seriously it’s better not to push it, because it’s a slippery business and from this business it doesn’t go away as you are already part of it, at least one piece.

User [email protected] follows up:

Jaki jest obecny adres strony? Gdzie skladac zlecenia?

which is:

What is the current site address? Where to place orders?

[email protected] responds:

zjebie gimbo pamietajo ze na sylku byl zakaz handlu bronio i zlecania zabojstw

a ja zlecalem zabojstwa agentowy FBI dlatego mnie zamkly pizdo niemyto

which is:

You fucker gimbo [old person], remember that Silk Road was banned from trading arms and commissioning killings. But I was ordering the FBI agent’s murders, that's why they locked me up [in prison] you dirty cunt.

“Sure”

An anonymous user replies on the topic of the Ukrainian air defences:

A to oni zajebali buka i zestrzelili malezyjski samolot

Which is:

And they stole the BUK [missile system] and shot down a Malaysian plane

So there you go, conspiratorial cryptic Polish talk from a secret underground forum, and it’s not even Tuesday yet here.

Thanks to Wojciech for the improved translations!

Lost History

2 February 2017 — Unless they moved to a new URL at this time (leaving the old one up), as FHII closed at this point, its last incarnation could potentially have been seen at this point.

21 March 2017 — References on a blog speculatively reviewing the BDG, with a reference to them advertising on AlphaBay:

ive heard of these guys before .. i think they are selling their ‘services’ on alphabay

8 July 2017 — Site goes down, if you believe UnderDir

Kidnapping?

19 April 2017 — Ayling met with Herba just after a terrorist incident in France

9 July 2017 — Email to the Daily Mirror, “British Model Kidnapped by Russian Mafia”. Note, this is apparently just 1 day after UnderDir says the 4c7pcgkpjlwg67zo.onion domain went down. Does anyone know the emails used?

17 July 2017 — Ayling returned to British consulate by Herba

6 August 2017 — Story breaks in the Italian and British media

Emails featured in this photo:

[email protected] <- as previously

[email protected] <- as previously, non-blockchain version

[email protected] <- as previously

[email protected] <- new

[email protected] <- new

[email protected] bounced

554 5.7.1 <[email protected]>: Recipient address rejected: this address does not exist

Attempting to register the domain on proton mail I was met with a message about it being already registered. Perhaps it has been self-deleted or seized by the authorities?

The other email addresses did not bounce. As a control, I sent some emails to nonsense addresses at safe-mail.net, bitmessage.ch and tutanota.com, which all bounced, confirming that those providers reject unknown recipients and thus that the safe-mail.net, bitmessage.ch and tutanota.com addresses exist.

I have not yet been able to track down the .onion address where she was advertised to the press, the closest appears to be this redacted image:

Conclusions

Herba’s words really tell all:

I read this as:

[Assassination services are a] niche market, I am aware, but [I’ve previously worked in the military and private security sector] in the name of values that were never mine, I shall [now] do it for personal gain instead

Was the ‘personal gain’ he mentioned to create a media sensation by picking an aspiring model he knew to extort money from her agent, media fees and later repayments from his co-collaborator?

Did Herba conspire with the ‘Black Death Group’ scammers in order to create the online content to support his story? Did he simply screw up his scheme by getting arrested at the consulate?

You might think that, I couldn’t possibly comment.