INTER-AMERICAN DRUG ABUSE CONTROL COMMISSION
CICAD

SIXTY-THIRD REGULAR SESSION
April 25-27, 2018
México D.F., México

OEA/Ser.L/XIV.2.63
CICAD/doc.2388/18
25 April 2018
Original: Spanish

SPAIN - TRENDS IN THE SALE OF SYNTHETIC DRUGS AND NPS THROUGH THE INTERNET: DARKNET, CRYPTOCURRENCY AND POSTAL SYSTEMS

Roberto Fernández Alonso
Chief Inspector, Central Cybercrime Unit
National Police, Spain
OAS/CICAD, Mexico City, April 26, 2018

Introduction – Impact of new technologies

• Very near past → Traditional crimes and cybercrimes (intrusions and child sexual exploitation)
• Present → Traditional crimes supported by new technologies, more sophisticated and specialized cybercrimes
• Great impact of new technologies → anonymity, encrypted (use of , cryptocurrencies)
• Volume of electronic devices
• Rapid technological development and need to update

How to surf the Darknet?

The Onion Router is a project whose main objective is the development of a distributed and superimposed communications network over the Internet, in which the routing of messages exchanged between users does not reveal their identity, that is, their IP address (anonymity at the network level) and that, in addition, maintains the integrity and secrecy of the information that travels through it. “Wikipedia-spanish”

How to surf the darknet? USE OF TOR BROWSER

- Tor browser is usually installed together with a local HTTP proxy (privoxy) that makes connections with the Tor network
- It can be downloaded as a bundle
- Download: https://www.torproject.org/download/download

How to surf the darknet?

TOR use through Sandbox:

• Mechanism to execute programs safely and separately
• It is often used to execute new code, or software of dubious reliability from third parties

Cryptocurrency. Its use as payment method

Characteristics
• Decentralized and convertible
• Based on cryptographic algorithm
• Public-private key system
• Integrity and security of the system managed by the user community
• Limited number of currencies

• Transaction costs
• Facilitates international trade
• Transaction processing time
• Out of control of state authorities
• Anonymity
• Encourages money laundering

VIRTUAL PURCHASES. They allow the user to create and manage their accounts and make transfers. They have security measures and allow having portfolios in the "cloud".

BLOCKCHAIN. Public register of all transactions; it determines the amount that each account has and is updated by the user community through a process called "mining" (https://blockchain.info/en)

EXCHANGERS:
- Bitstamp, Localbitcoins, Kraken
- Bitfinex, Coinbase, Bitnovo, cex.io

Darkmarkets

- The way to access is by the TOR browser
- No direct connection between client and hidden service
- There are introduction points that generate paths and route packets through a circuit to a hidden service
- The "cryptomarkets" allow payments with cryptocurrencies (Bitcoins, Monero, Litecoin…)
- https://www.deepdotweb.com/marketplace-directory/listing/

THERE ARE TWO TYPES OF MARKETS:
1. CRYPTOMARKETS, where there are multiple suppliers ("vendors"). There is an administrator who takes a commission on sales. They offer protection service against payments. Escrow ("scrow"). FEEDBACK. Answer for scammers ("scamwatch").
2. SELLER STORES ("single-vendor markets"). Only one vendor. No commissions.

WHAT IS MORE RELIABLE AMONG BUYERS?
- Cryptomarkets generally have sections on their websites that list rules for both sellers and buyers related to the transaction and the associated security measures.

| PRODUCT | AMOUNT (g) | NUM. SALES | PRICE (€) | TOTAL WEIGHT = AMOUNT*SALES | TOTAL MONEY = PRICE*SALES |
|---|---|---|---|---|---|
| MDPV (methylenedioxypyrovalerone) | 2,5 g | 133 | 111,42€ | 332,5 g | 14.818,86 € |
| MDPV (methylenedioxypyrovalerone) | 5 g | 54 | 191,02€ | 270 g | 10.315,08 € |
| MDPV (methylenedioxypyrovalerone) | 10 g | 9 | 354,77€ | 90 g | 3.192,93 € |
| TOTAL MDPV SOLD / EARNED MONEY | | | | 692,5 g | 28.326,87 € |
| Ecstasy MDMA Methylenedioxymethamphetamine | 2,5 g | 19 | 111,42€ | 47,5 g | 2.116,98 € |
| Ecstasy MDMA Methylenedioxymethamphetamine | 5 g | 9 | 191,02€ | 45 g | 1.719,18 € |
| Ecstasy MDMA Methylenedioxymethamphetamine | 20 g | 1 | 615,50€ | 20 g | 615,50 € |
| TOTAL MDMA SOLD / EARNED MONEY | | | | 112,5 g | 4.451,66 € |
| 4-MEC para-methylmethcathinone | 2.5 g | 3 | 111.57€ | 7.5 g | 334,71 € |
| 4-MEC para-methylmethcathinone | 5 g | 1 | 191.26€ | 5 g | 191.26 € |
| TOTAL 4-MEC SOLD / EARNED MONEY | | | | 8 g | 525,97 € |

TOTAL PROFITS: 585.854,5 €

Access to Darknet is done with a URL (usually with extension .onion)

URLs Lists:
- The hidden wiki (http://zqktlwi4fecvo6ri.onion/wiki/index.php/Main_Page)
- Deepdotweb (https://www.deepdotweb.com/2013/10/28/updated-llist-of-hidden-marketplaces-tor-i2p/)

Search engines similar to Google:
- .fi (http://msydqstlz2kzerdg.onion/)
- Duckduckgo (http://3g2upl4pq6kufc4m.onion)
- Notevil (http://hss3uro2hsxfogfq.onion)

Operation Tower - Highlights

• Increase in illegal sale of medicines over the internet
• Dismantling of the largest criminal network in Spain dedicated to the illegal import, sale and distribution of medicines over the internet. The drugs were imported from India using the Darkweb and cryptocurrencies (BITCOINS)
• More than 6000 customers in Spain through websites that operated with the appearance of legal pharmacies and postal distribution companies

Operation Tower – Investigation

Multidisciplinary Investigation
• Technological Investigation
• Patrimonial Investigation
• Conventional Investigation

O.L.A.

1. Reverse logistics of packing → Fictitious companies
2. Packing company collaboration → Fictitious company shipping list (+ 20k)
3. Identification of network → OSINT techniques + Big Data + Traditional investigation
4. Location of different platforms and web pages for sale
5. Phone Interventions + Surveillance
6. Declaration from buyers → Delivery of samples
7. Interception of packages for scanning → X-rays
8. Preparation of the device → E&R + Detentions + Investigated

Network Identification

Analysis of about 20,000 shipments made throughout Spain by the organization from March to December 2017.

During the analysis of internet traffic, recurrent navigations to a web page containing an online store selling erectile dysfunction products were detected.

• Pulling admin passwords from telephone intervention through man-in-the-middle (MitM).
• Legal authorization to enter the administrators’ panel of the website using said credentials
• Download of DB SQL and removal of trace left by investigators
• Preparation of local web server with Prestashop CMS, import of SQL database with data of orders made by customers (about 6000)
• Identification of virtual wallets and use of TOR

Benefits obtained by criminal organization. (Mar 2017 increase) Balance

Preparation and Execution of Operation

• More than 100 officers
• 12 E&R in 6 Spanish cities
• 25 arrested

Medicines Intervened

Operation Tower - Results

• 25 people arrested
• 12 entries and searches
• More than 500,000 units of drugs against erectile dysfunction
• € 65,000 in Bitcoins in several virtual wallets
• € 23,000 in cash
• € 320,000 blocked in bank accounts
• Documentation and electronic devices
• Closure and intervention of the web

Operation Tower - Press

Operation Tower – Post detention

1. Analysis of intervened devices → Payments in through different exchangers → Location of supplier company
2. Localization of the origin of medicines → Police techniques OSINT + databases + WhatsApp conversations analysis
3. Investigation still open

Thank you very much for your attention

Questions?

Central Cybercrime Unit
GENERAL COMMISSION OF JUDICIAL POLICE
NATIONAL POLICE, SPAIN

Chief Inspector, Roberto Fernández Alonso
Tel. +34 91-582-41.79