Discussion: OpSec Lessons from the Flugsvamp 2.0 Bust

TyperTech (Regular Member, joined Feb 26, 2024)
I've been combing through the data dump from the Swedish Police investigation into the Flugsvamp 2.0 market, seeing what OpSec lessons can be gleaned from it.
Pushing up against character limits, so without further ado:

Summary description of connections between servers

This document provides a summary description of the servers, and the connections between them, identified in the investigation. Appendix 1 gives an overview of what is described in the document.

1. flugsvamp 2.0 sites

During the period Flugsvamp 2.0 was active, three websites were central to the marketplace:

The marketplace itself, Flugsvamp 2.0, which was reached via the Tor browser. Its most recent address was http://flugsvamp72rajmk.onion.
Flugforum, reached via the Tor browser. Its last address was http://flugforum5puztp6.onion.
Flugwiki.se, which was reached via a standard browser (for example Microsoft Internet Explorer, Mozilla Firefox or Google Chrome). The site contained guides and information on buying and selling in the marketplace.


See the document Overall description (marketplaces etc.) for more information about the sites.


2. Tracings

Early in 2018 the Swedish police carried out a tracing of Flugforum (flugforum5puztp6.onion and forumahlcqmgmtmk.onion); see the PM regarding tracking of servers on Tor.
The tracing showed that Flugforum (at the address flugforum5puztp6.onion) could most likely be connected to a server with IP address 185.35.138.106 at the company Zyztm Research Division. According to the tracing it was also likely that the address forumahlcqmgmtmk.onion could be connected to a server with IP address 185.86.148.41, associated with Yourserver SIA (Makonix). The latter IP address was the same one that the investigation had previously seen the domain Flugwiki.se linked to.

On 2018-06-29 a European Investigation Order (EIO) was sent to Germany requesting assistance in finding out which IP address could be linked to, among other things, the .onion address flugsvamp72rajmk.onion. A response was received from Germany on 10 October 2018: the IP address that could be linked to the onion site was 185.35.139.140, which belonged to the company Zyztm Research Division.


3. European Investigation Order to Germany regarding servers at Zyztm Research Division / Cyberbunker DataCenters

On 2018-09-20 a European Investigation Order was sent to Germany requesting assistance in obtaining information from the hosting company Zyztm Research Division (also called Cyberbunker DataCenters) and from the server with IP address 185.35.138.106. A further European Investigation Order was sent to Germany on 2018-10-09 requesting access to material from the server with IP address 185.35.139.140 and from the server with IP address 185.35.138.106, which was already included in the previous order.
Material from server 185.35.138.106 was received on 2018-10-26; material from server 185.35.139.140 could not be secured.
Through the investigation order of 2018-09-20 the inquiry received information about the customer, the customer's payments for servers, and correspondence between the customer and billing@cyberbunker.com. The customer's registered name was Johan Waterloo, with company information Waterloo S.A. The customer also had a registered e-mail address: waterloo2kk@yandex.com. The documentation shows that the customer paid for seven servers:

Wakanou, IP address 185.35.138.105, ordered 2015-03-19
Waterloo, IP address 185.35.138.115, ordered 2015-03-19
Walhallah, IP address 185.35.138.106, ordered 2015-04-14
Wotannah, IP address 185.35.138.110, ordered 2015-07-09
Universe, IP address 185.35.139.140, ordered 2017-01-14
Massive, IP address 185.35.137.113, ordered 2017-01-14
Infinity, IP address 185.35.139.67, ordered 2017-01-14


According to the information from Cyberbunker DataCenters, the Universe server has the same IP address (185.35.139.140) as was obtained through the European Investigation Order to Germany of 2018-06-29. All seven servers had BTC (Bitcoin) as the payment method. The servers were paid monthly; the latest payment was made on 2018-09-14 and was due by 2018-10-14.
In the material from the server Walhallah (185.35.138.106), connections were found to another server, IP address 46.244.20.36. That address belonged to A2B IP B.V. (see section 4). One reference to that IP address was also found in the communication between Johan Waterloo and Cyberbunker DataCenters:

In the material from Walhallah a command string was also found that began with
/usr/local/bin/megacopy u waterloo2kk@yandex.com ...
See section 5 on Mega.


4. A2B

On 2018-10-22 a European Investigation Order was sent to the Netherlands to obtain a copy of the server with IP address 46.244.20.36 from the hosting company A2B.
On 2019-03-04 the investigation received a copy of the server.


5. Mega

As described above, the material from the server Walhallah contained a string with "megacopy" and "waterloo2kk@yandex.com", which means that files on the server had been synchronised using the file storage service Mega. The inquiry therefore suspected that there was a Mega account with the e-mail address waterloo2kk@yandex.com. The company Mega provides a storage service. A request was made to Mega on 2018-10-30 regarding the account waterloo2kk@yandex.com, and the same day the inquiry received the account information. The information showed, among other things, that:

The account was created on 2015-10-10.
The most recent activity on the account was 2018-09-24.
The account's registered e-mail address is waterloo2kk@yandex.com, the same e-mail address registered with Zyztm Research Division / Cyberbunker DataCenters.
1.54 TB is stored in the account.
The Session Details section contains the IP addresses of the servers Walhallah, Universe and Massive.
In the same section, the IP address 94.228.219.212 appears the majority of the time. That address belongs to the company Netrouting (see section 6).


In later communication with Mega it emerged that the account can also be linked to the IP addresses 185.35.138.115 (Waterloo) and 185.35.138.110 (Wotannah).


6. Netrouting

On 2018-10-31 a European Investigation Order was sent to the Netherlands to obtain material from the identified server (IP address 94.228.219.212) at the hosting company Netrouting, as well as information about the customer for the server.
On 2019-03-04 the inquiry received a response to the order. The server, which is called educationistonline.com, was ordered on 2016-08-29.
The following customer information was registered for the server's customer:

First Name: Jonathan
Last Name: Svensson
Company Name: EducationstOnline AB
Email Address: jonatan.svensson@yandex.com.
Address 1: Torgg 20
City: Herrljunga
State / Region: Västra Götaland County
Zip code: 52430
Country: SE- Sweden


7. Flugwiki (Yourserver / Makonix)

On February 19, 19, a European Investigation Order was sent to Latvia to obtain material from the identified server (IP address 185.86.148.41) and information about the customer for the server.
In the material received from the server, an rsync command was found, among other things, containing the destination IP address 95.215.46.181, an IP address that also belongs to Yourserver SIA (Makonix).
On April 4, 23, a new European Investigation Order was sent to Latvia to obtain material from the server with IP address 95.215.46.181. The inquiry received information from that server containing references to fluewiki.no and fluewiki.

A third European Investigation Order was sent to Latvia on 2018-10-09 regarding new, updated copies of the previously requested servers (185.86.148.41 and 95.215.46.181).
Both servers were connected to the following registered customer information:

Name: Gottfrid Svartholm
Email address: flugwiki@yandex.com
Country: Sweden
Note: believe this is a fake name, and not the Pirate Bay co-founder


PM regarding tracking of servers on TOR

Note: this appears to be a response from an administrator with the Swedish police referred to only as U0037944. I haven't yet located any specifics on how they associated the forum with these IP addresses, but seeing as it was through the forums, I would speculate it was either a misconfiguration, or they leaked some entropy on the clearnet IP address.
The undersigned was assigned by the case manager in the case in question to try to trace a number of servers located on the darknet network Tor. The tracing was carried out early in 2018.
The results of the tracing and the addresses that were traced are given in the table below.

Hidden service name       Tracked IP address                     Probability        Network owner
flugforum5puztp6.onion    185.35.138.106                         Great probability  Zyztm research division (Netherlands)
forumahlcqmgmtmk.onion    185.86.148.41 (DNS name flugwiki.se)   Probable           YourServer / makonix (Latvia)


---------------
U0037944

Appendix 1. Overview of servers

Tor - image via matrix
Clearnet - image via sh1ttykids' Twitter
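Added example, not part of the original post or the police material: the report's chain of pivots (onion address to hosting IP, hosting IP to billing e-mail, billing e-mail to Mega session IPs, session IP to another provider's customer record) is a link-analysis problem, and the OpSec lesson is how few shared identifiers it takes to collapse servers at three providers into one cluster. The Python below extracts the pivot identifiers the report relies on (e-mail addresses, IPv4 addresses, .onion names) from free-text records and searches for the shortest chain of records that ties two identifiers together. The RECORDS list is constructed from the document's own summary; the record wording, source labels and function names are my own.

```python
"""Link analysis over seized-server artifacts.

Added example (not from the original post or the police material).
Records are constructed from the document's summary; the wording of
each record and the source labels are assumptions made for this example.
"""
import re
from collections import deque

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
# v2 (16 chars) or v3 (56 chars) onion names, base32 alphabet a-z2-7.
ONION_RE = re.compile(r"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b")

# Constructed records: (source of the record, free text as an analyst might log it).
RECORDS = [
    ("Tor trace, early 2018", "flugforum5puztp6.onion -> 185.35.138.106 (Zyztm)"),
    ("Tor trace, early 2018", "forumahlcqmgmtmk.onion -> 185.86.148.41 (Yourserver, flugwiki.se)"),
    ("EIO Germany 2018-06-29", "flugsvamp72rajmk.onion -> 185.35.139.140 (Zyztm)"),
    ("Cyberbunker billing", "waterloo2kk@yandex.com paid for 185.35.138.105 185.35.138.115 "
                            "185.35.138.106 185.35.138.110 185.35.139.140 185.35.137.113 185.35.139.67"),
    ("Walhallah disk image", "/usr/local/bin/megacopy u waterloo2kk@yandex.com ..."),
    ("Walhallah disk image", "185.35.138.106 connected to 46.244.20.36 (A2B)"),
    ("Mega account record", "waterloo2kk@yandex.com sessions from 185.35.138.106 "
                            "185.35.139.140 185.35.137.113 94.228.219.212"),
    ("Mega follow-up", "waterloo2kk@yandex.com sessions from 185.35.138.115 185.35.138.110"),
    ("Netrouting customer record", "jonatan.svensson@yandex.com ordered 94.228.219.212"),
    ("Flugwiki disk image", "rsync from 185.86.148.41 to 95.215.46.181"),
    ("Yourserver customer record", "flugwiki@yandex.com registered for 185.86.148.41 and 95.215.46.181"),
]


def extract_identifiers(text):
    """Return the set of pivot identifiers mentioned in one record."""
    ids = set(EMAIL_RE.findall(text))
    ids.update(IPV4_RE.findall(text))
    ids.update(ONION_RE.findall(text.lower()))
    return ids


def build_graph(records):
    """identifier -> list of (neighbour, source). A record that mentions several
    identifiers links all of them: one shared billing or login e-mail is enough
    to tie otherwise unrelated servers together."""
    graph = {}
    for source, text in records:
        ids = extract_identifiers(text)
        for a in ids:
            edges = graph.setdefault(a, [])
            edges.extend((b, source) for b in ids if b != a)
    return graph


def pivot_chain(records, start, goal):
    """Shortest chain of records from start to goal, as a list of
    (identifier, source record, next identifier), or None if unconnected."""
    graph = build_graph(records)
    if start not in graph or goal not in graph:
        return None
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for nxt, source in graph[node]:
            if nxt not in prev:
                prev[nxt] = (node, source)
                queue.append(nxt)
    if goal not in prev:
        return None
    chain, node = [], goal
    while prev[node] is not None:
        parent, source = prev[node]
        chain.append((parent, source, node))
        node = parent
    chain.reverse()
    return chain


def components(records):
    """Disjoint clusters of identifiers; everything in a cluster is reachable
    from everything else in it through some chain of records."""
    graph = build_graph(records)
    seen, clusters = set(), []
    for start in graph:
        if start in seen:
            continue
        cluster, queue = set(), deque([start])
        while queue:
            node = queue.popleft()
            if node in cluster:
                continue
            cluster.add(node)
            queue.extend(nxt for nxt, _ in graph[node])
        seen |= cluster
        clusters.append(frozenset(cluster))
    return clusters


if __name__ == "__main__":
    for a, via, b in pivot_chain(RECORDS, "flugsvamp72rajmk.onion", "jonatan.svensson@yandex.com"):
        print(f"{a}  --[{via}]-->  {b}")
    print(len(components(RECORDS)), "clusters")
```

Run as-is, it prints the three-hop chain from the market's onion address to the Netrouting customer record, and the whole summary collapses into two clusters: everything the Waterloo identity touched (Cyberbunker, A2B, Mega, Netrouting) on one side, and the Flugwiki servers on the other, since nothing in the document's summary ties flugwiki@yandex.com to waterloo2kk@yandex.com. The regexes are deliberately loose; on real disk images you would feed them shell histories, cron entries and config files and expect false positives that need manual review.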