As the world has become increasingly wired, and now wireless, it is only natural that transnational organized crime (TOC) has moved into the digital age. The use of sophisticated information systems is no longer solely the realm of the hacker and the coder; it is now also the realm of the drug dealer, the extortionist, and the illegal gambler. Currency is no longer sponsored solely by governments, but exists in a digital realm. The Internet of Things is a reality. Computer skills are in high demand, and those skills can be developed independently and online.
The Internet provides a sense of anonymity to users. Anonymity, in turn, breeds vice. Vice inevitably lures organized crime, which is only too happy to capitalize on it. This article will look at how organized criminals are utilizing technology, what that means for law enforcement, and suggest ways TOC investigators need to be positioned for success in this new era.
On February 9, 2017, U.S. President Donald Trump issued Presidential Executive Order 13773 on Enforcing Federal Law with Respect to Transnational Criminal Organizations and Preventing International Trafficking (E.O. 13773). That order reaffirms the commitment of the U.S. government to address the scourge of TOC and protect communities and individuals from its influence. That order specifically calls for the investigation of
criminal gangs, cartels, racketeering organizations, and other groups engaged in illicit activities that present a threat to public safety and national security and that are related to, for example: (i) the illegal smuggling and trafficking of humans, drugs or other substances, wildlife, and weapons; (ii) corruption, cybercrime, fraud, financial crimes, and intellectual-property theft; or the illegal concealment or transfer of proceeds derived from such illicit activities.1
All of those significant criminal activities have in common the fact that they become easier to accomplish and more efficient when technology is leveraged to facilitate them. A rapidly emerging criminal threat lies in the gap between traditional criminal investigations and core intrusion-focused cyber investigations, where criminals are utilizing high-tech tools developed by others and taking advantage of particularly sophisticated functionality available via the Internet. These tools and technologies are determining the future of organized crime investigations. Nowhere does this future become clearer than when one looks at how illicit items are being trafficked on the dark web.
The deep web, the dark web, and TOR hidden services are “places” with which criminal investigators will all need to become familiar. The deep web consists of those areas of the Internet that are not mapped to search engines like Google or Bing. This makes up the vast majority of the Internet and much of it is legitimate. The dark web and TOR hidden services consist of areas of the deep web that are accessible only through the use of specialized browsers, such as a TOR browser, and utilize non-recognizable web addresses that are readable only by those browsers. Therefore, if a user were to put a dark web website address into their Internet Explorer browser, for example, even if the address was correct, that browser would be unable to access the website. However, if a user put the same web address into a TOR browser (which is readily available for download), he or she would be able to access the site. This is where things start to get more technical, as the TOR browser will not be accessing the website directly, but rather will be bounced through a number of different servers, “hop points,” which obscure the location (IP address) of the user’s computer. The TOR browser does a few things that make it attractive for criminal purposes—it obscures the location of the website and it obscures the location of the user, allowing for an anonymous interaction. There are legitimate reasons why someone might want to engage with others over a hidden pathway; for example, a person might want to spread free speech literature to activists within a repressive regime. However, far from all uses and users are legitimate in this space. TOR hidden services add an additional layer, existing at addresses that are hidden and need to be obtained directly from persons who know them.
From early 2011, Ross Ulbricht, aka the Dread Pirate Roberts, administered the hidden services website Silk Road as a massive illegal marketplace. This proved the viability of a large-scale TOR-based online marketplace for illegal goods. When that site was taken down by law enforcement and Ulbricht was arrested, other similar marketplaces sprang up in its place, including Silk Road 2.0, administered by Blake Benthall, aka Defcon.2 The same way that sites like eBay, Amazon, and Alibaba have revolutionized how people shop for and purchase goods in the legitimate economy, so too have these individuals and sites revolutionized the illicit economy. Of course, these individuals do not represent the positive side of the technological revolution, and Ulbricht is serving a life sentence as a result of his foray into illicit commerce.3
As a result of this revolution, sites on the dark web and, more accurately, TOR hidden services have become the new open-air drug and weapons markets, where buyers and sellers mingle with little fear of detection. These hidden marketplaces are in and of themselves organized criminal conspiracies. They have major and minor functionaries within the organization whose power within the organization is based upon access and trust. The major difference from traditional organizations is that the members of the organization likely have never met each other in person and likely do not know each other’s real-world identities. They are known by screen names and authenticated by online histories and references from other screen personas.
These markets are not without their risk, as scams are ever present. But who does a user complain to when the website he or she paid 15 bitcoins to kill his or her spouse fails to deliver on its promise or if an order of fentanyl did not arrive in a timely fashion? Discipline for these issues is enforced through ratings provided by buyers to sellers. These conspiracies have developed escrow services to provide buyers with some measure of comfort in these anonymous transactions, holding funds until product is delivered and then releasing them, less a commission, to the seller. Of course, this has given rise to the “exit scam,” where the administrator of a dark web marketplace “exits,” taking all of the in-process escrowed funds with them.
The anonymity of these marketplaces, where screen names operate from hidden computers, poses significant difficulties for law enforcement both in terms of technical requirements and new investigative techniques. The investigative conversation surrounding the dark web’s illicit use quickly turns to discussions of guard nodes and hop points, which requires technical abilities and understanding that go beyond those of most organized crime investigators into the realm of the dedicated cyber investigator. This complexity requires the development of a long-term partnership between the cyber and the organized crime investigators.
Both groups bring key skills to the table—the OC investigators have the ability to work sources, track networks, and follow the money, while the cyber investigators can follow and penetrate those hop points and IP addresses to locate guard nodes and servers. Together, their work allows the investigation to go from screen names to identified flesh and blood actors who can be charged and arrested.
One of the first skirmishes in this new battle against organized crime on the dark web occurred in October 2016. Initiated by U.S. law enforcement agencies, the Five Eyes Law Enforcement Group (Australia, Canada, New Zealand, the United Kingdom, and the United States), and Europol members, Operation Hyperion targeted buyers and sellers of illegal drugs on the dark web.4 Participants ran the gamut of law enforcement, including multiple federal, state, and local law enforcement agencies. Operation Hyperion brought together various enforcement efforts, including “knock and talks” with identified buyers, controlled deliveries, and package interdictions. This operation was just a start and reflected in some respects the ground floor of organized crime investigations—targeting and flipping street-level sources in the hope of moving up the organizational chain—but it is a great example of the teamwork and cooperation that will be required in this area going forward.
Of course, other traditional organized crime activities are going high tech as well. For example, the traditional illegal gambling and numbers infrastructure, where bookies take illegal bets and lay them off among themselves, has largely moved online. Collections, however, are still largely done the old-fashioned way.
A good example of how this type of scheme can work was the Beteagle illegal online gaming website. The site owner, Joseph Graziano, conspired with a Gambino crime family crew to conduct illegal sports betting through the site. Bets were taken online via access credentials given in person. Money and collections were done hand to hand; only the betting occurred online.5
Of course, funds can’t always move hand to hand, particularly when organized crime groups seek to move large sums and to launder them into useable currency or, in the case of the dark web marketplaces, when buyers and sellers never meet.
Enter the crypto-currency. These crypto-currencies, the most common of which is the bitcoin, allow criminals to move funds without touching the traditional banking system and all of its regulation, records, and “know your customer” requirements. Bitcoin origins are difficult, though not impossible, to trace, and they can be even more obscured by utilizing washing or blending services where bitcoins are split apart, “blended” with other bitcoins, and spit back out. The bitcoin and other crypto-currencies underpin the functionality of these online illicit services. Illicit gambling websites may be prohibited from accepting credit cards due to their inability to access a merchant account that won’t be shut off due to suspicious activity, but no one is looking at whether the number of bitcoins it is accepting is unusual or suspicious.
Law enforcement, for its part, is seizing more and more bitcoins and other crypto-currencies. Procedures for seizing, storing, and liquidating bitcoins and other crypto-currencies need to be developed and refined by law enforcement agencies in this new realm.
TOC groups run networks that span vast areas. Critical to running these networks are communications and the ability to share information in a clandestine manner. This has led to the “going dark” issue, in which the ability of law enforcement to access communications has been dramatically impaired by encryption technology. As described by former FBI Director James Comey, during the period from October 2017 through December 2016,
2,800 devices were presented to the FBI … with lawful authority to open them….
In 43 percent of those cases, we could not open those devices with any technique—any technique. That is the shadow falling across our work.6
Accessing the data contained on mobile phones and devices is, of course, only part of the problem. Encryption technologies paired with VOIP technology and messaging applications that employ end-to-end encryption mean that obtaining content from wire intercepts is rapidly becoming impossible. The availability of bulletproof hosting servers residing with law enforcement–hostile Internet service providers and in jurisdictions with less than favorable legal systems, coupled with the huge resources at play, makes chasing the online presence of offenders a further challenge.
Law enforcement agencies have traditionally dealt with online investigations as something separate from traditional criminal investigations, with the notable exception of work done in the crimes against children arena. In this new environment, that can no longer be the case. Lessons from the blending of disciplines that has enabled crimes against children investigators to impact that threat need to be adapted to organized crime investigations.
Criminal investigators need expanded access to training in online investigative techniques, the use and seizure of crypto-currencies such as bitcoin, and the capturing of evidence generated in chat rooms and online communications. In addition, a true spirit of cooperation needs to be fostered so that capabilities and sources can be shared across law enforcement agencies, both domestically and internationally. Finally, enhancements to existing deconfliction systems will need to be developed to ensure that unintentional law enforcement conflict situations are minimized in the digital world. These things are all happening, so, although the future poses challenges, savvy investigators are meeting those challenges.
To meet the challenges of investigating technologically advanced TOC actors, law enforcement agencies are developing new structures and new approaches to the crime problem. For its part, the FBI has created the Hi-Tech Organized Crime Unit (HTOCU) to evaluate, address, and mitigate the threat posed by TOC groups taking advantage of advanced technology to further their illicit activity. Not only will this allow for the development of strategic guidance, but it will allow for increased coordination, with a focus on global threats posed by TOC groups. The HTOCU has partnered with the FBI’s Cyber Division to train TOC investigators as online undercover employees and is in the process, in cooperation with the International Organized Crime Intelligence and Operations Center (IOC-2), of developing an online platform to target dark net marketplaces and online organized criminal activity. Hybrid squads are being developed in field offices that take advantage of existing capabilities of both cyber and organized crime investigators in new ways.
Law enforcement leaders need to foster those efforts and to recognize that, as they look to recruit the next generation of law enforcement officers, they will need individuals equipped with traditional law enforcement skills, plus the high-tech skills needed to meet these modern challenges.
2 United States Department of Justice, United States Attorney’s Office, Southern District of New York, “Operator of Silk Road 2.0 Website Charged in Manhattan Federal Court,” press release, November 6, 2015.
3 United States Department of Justice, United States Attorney’s Office, Southern District of New York, “Ross Ulbricht, A/K/A ‘Dread Pirate Roberts,’ Sentenced in Manhattan Federal Court to Life in Prison,” press release, May 29, 2015.
4 Department of Homeland Security, ICE, “Law Enforcement Agencies around the World Collaborate on International Darknet Marketplace Enforcement Operation,” press release, October 31, 2016.
5 United States Department of Justice, United States Attorney’s Office, District of New Jersey, “Owner and Employee of Illegal Online Gambling Website Admit Conspiring with Genovese Organized Crime Family,” press release, July 29, 2014.
6 James B. Comey, “The FBI and Cyber Crime: New Perspectives, New Partnerships, and New Ways of Doing Business” (remarks at Intelligence and National Security Alliance (INSA) Leadership Dinner, Alexandria, Virginia, March 29, 2017).