Site will be messed up for a bit as I work on things/break them.
DNL

Admin of Germany's Largest Darkweb Forum Heads to Prison

The administrator of the German darkweb forum Deutschland im Deep Web (DIDW) was sentenced at the district court of Karlsruhe to six years in prison for crimes linked to the forum and to the 2016 Munich shooting. Federal Court rejected the convicted forum administrator’s appeal and finalized the sentence.

Germany in the Deepweb Homepage

Germany in the Deepweb Homepage

The Deutschland im Deep Web Ruling

DIDW made headlines in July 2016 when 18-year-old David Sonboly opened fire on 14 people in a shooting spree inside Munich’s Olympia mall. Nine people died as a result of his attack. In the days following the incident, law enforcement and media outlets learned that Sonboly had purchased a Glock pistol and 9mm ammunition from a vendor on Germany’s largest darkweb forum, Deutschland im Deep Web. This discovery led to an intense crackdown on darkweb activity in Germany and a thorough investigation into the gun vendor used by Sonboly. After catching the vendor, German law enforcement arrested the forum’s sole administrator.

Related: Germany in the DeepWeb: Fake SQL Injection and OPSEC Failures

The admin–known to forum users as Lucky or Luckyspax–set up various subcategories to promote narcotics and distribute weapons, according to an announcement from the Federal Court of Justice in Karlsruhe. Although Lucky moderated the forum with a uniquely hands-off approach, prosecutors alleged that he knew and actively promoted the sale of narcotics and firearms. The German Federal Criminal Police Office (BKA) arrested Lucky at his apartment in Karlsruhe for “aiding and abetting the illicit trade in weapons and narcotics.”

DIDW Homepage

DIDW Homepage

Months after the arrest and initial indictment for his role in narcotics and weapons trafficking, the Mannheim public prosecutor’s office added nine counts of negligent homicide and negligent assault in connection with the Munich shooting in 2016. The court recognized that Lucky had no role in the actual shooting and that Sonboly had not involved anyone else in his attack. That was not enough to absolve Lucky of guilt, in the court’s opinion. “[Lucky] could have recognized and must have that the possibility of anonymous arms acquisition away from the regulated legal market can lead to the acquirer using a firearm acquired in this way for killing and injuring people,” the court ruled.

DIDW had surfaced in the media in 2015 as well in connection with the 13 November attacks in Paris. The forum’s involvement in the case had much less of an impact on the media and went largely unreported compared to the reports about DIDW following the Munich shooting. After the Paris attack, Lucky had temporarily disabled the weapons categories on DIDW in an attempt to curb media interest in the site. The court ruled that this action proved Lucky had an understanding of what could happen if the wrong person purchased a firearm from an anonymous vendor on a darkweb forum.


The Investigation into Lucky

The investigation into the administrator of the forum involved some newsworthy tactics by the German Federal Criminal Police Office. They identified Lucky after spotting a fairly typical OPSEC failure.

According to BKA investigators, the link between Lucky and Alexander’s email address was discovered after Lucky had asked for Bitcoin donations from forum users. An undercover BKA investigator who had been actively using a DIDW account spotted a donation address on December 25, 2016. Investigators quickly learned that Lucky had been receiving the donations at an address connected to bitcoin.de, a German bitcoin exchange.

Post

After identifying the administrator, they devised a plan to keep him busy and logged into the server hosting DIDW. They launched a “hacking” campaign without a court order allowing them to collect any evidence through such a campaign. An investigator testified in court that since they knew the software running the forum, they knew certain types of attacks would fail. The BKA only attacked the forum in ways they knew would fail.

“We knew what software was used, so we knew the attack would not work,” he explained. Another BKA officer—the one with the active DIDW account—contacted Lucky and explained that the forum had a massive vulnerability. The undercover agent, using an account under the name “Gazza,” sent the following message to Lucky mere minutes before the arrest: “Hi Lucky – I do not want to worry you, but I’ve found a serious security hole.”

Through the window of Alexander’s apartment, BKA officers and members of the tactical GSG 9 watched as Alexander directed his focus to two computer monitors installed at a desk in his living room. Moments later, Alexander’s door came down and the BKA had Alexander on the floor. They had the decrypted computer he had been using as well as the server hosting Germany in the DeepWeb. A BKA investigator immediately say down to work. They had to sort through 75 gigabytes of data. Of that, only two gigs had any relevance to the forum.

The rest of the data, according to the prosecutor, consisted primarily of computer games. But before they managed to pull important data off the machine, one BKA investigator accidentally pulled the plug.

Post

BKA seizure banner

BKA seizure banner


This six-year prison sentence ends the case against DIDW. Vendors and customers are still facing charges throughout Germany, however.

Archived Press Release