LEO Bulletin: “What to Look for During a Search Warrant”

A bulletin published by the Nevada High Intensity Drug Trafficking Area (HIDTA) describes what officers look for during “a search warrant involving dark web and cryptocurrency-related crime.”

The purpose of the bulletin is to provide law enforcement officers with “key indicators of darkweb activity while executing search warrants. This includes information to assist law enforcement in positively identifying cryptocurrency devices, electronic applications, and recovery seeds, which is critical for seizing digital assets.”

In 2020, the Nevada HIDTA reported increased criminal activity involving the darkweb and cryptocurrency. An out-of-state digital forensics group had to be present during the execution of search warrants. Before executing the warrants, law enforcement officers had to be briefed on “cryptocurrency devices, recovery seeds, and any electronics that could be examined for evidentiary value.” However, the bulletin explained, many of the law enforcement officers were not familiar with the “the information and terminology” introduced during the brief. As a result, the Nevada HIDTA published the bulletin titled “Dark Web and Cryptocurrency - What to Look for During a Search Warrant.”

The bulletin contains surprisingly basic information (boring).

Hardware Wallets

Hardware wallets are commonly used by cryptocurrency investors and darkweb criminals and are considered the best method to store cryptocurrencies. A hardware wallet is a cryptocurrency wallet that stores the user’s private keys in a secure hardware device. The main principle behind a hardware wallet is to provide full isolation between the private keys and the user’s computer. Private keys are codes only the user has access to and are used to access the user’s crypto assets. Private keys are what give the user ownership of their cryptocurrency. Hardware wallets have an associated web, mobile, and desktop application that enables you to monitor your cryptocurrency addresses and spend your cryptocurrency.

A picture of Seed, Trezor and Ledger — Seed, Trezor and Ledger

Recovery Seeds and Phrases

A crypto wallet will randomly generate a seed phrase or recovery phrase in an ordered set of 12 or 24 words, sometimes more, depending on the type of wallet used. The crypto wallet also uses the seed phrase to create private keys. The seed phrase is not linked to a particular cryptocurrency and can be used to access an entire portfolio of cryptocurrencies such as Bitcoin, Litecoin, Ethereum, and other crypto-assets. A seed phrase is the only way to access and recover a wallet and all of its contents if a device linked to the wallet is wiped, lost, or stolen**. If possible, recovering wallets and seizing cryptocurrency in an expeditious manner is highly recommended and should be treated with a sense of urgency. Anyone who maintains a copy of the recovery seed or has access to the recovery seed can re-create the wallet without geographical limitations and could easily withdraw the funds.**

A picture of Stock pictures of recovery seed phrases — Stock pictures of recovery seed phrases

Software Wallets

Software wallets come in many forms, each with its own set of unique characteristics and are somehow connected to the internet. Wallets are distinguished by a set of supported cryptocurrencies and software platforms such as Windows, Mac, and other operating systems. Software wallets are available in three forms - desktop, mobile and online.
Desktop wallets are computer programs that store cryptocurrencies on a PC so that their information is not accessible to anyone but the user. Private keys are typically kept on a desktop.

Mobile wallets come in a smartphone app and are easily accessible to their users at any time. However, mobile devices are vulnerable to various malware and can be easily lost.
Online wallets are web-based wallets that can be accessed anywhere and on any device. This makes them more convenient for accessing funds, and their private keys are stored by website owners rather than locally on user devices.

Examples of Wallets and Exchanges

Cryptocurrencies

Bitcoin (BTC)
Monero (XMR)
Litecoin (LTC)
Ethereum (ETH)
PAX Standard (PAX)
Dogecoin (DOGE)
Algory (ALG) (Really?)
Tether (USDT)

Software Wallets

Electrum
Exodus
Coinomi
Monero GUI
Cake
BRD
Blockchain
Mycelium

Exchange Wallets

Coinbase
Kraken
Crypto.com
Binance
Bitstamp

The Nevada HIDTA provided examples of the most common cryptocurrencies, wallets, and exchanges encountered during their investigations.

Examples of “Darknet Usage”

Browsers

Tor
Red Onion Tor

VPNs

Nord
Proton VPN
Tunnel Bear
Surfshark

VPNs as evidence of “Darknet Usage”?

Examples of Dark Net Market Links

Pretty Good Privacy (PGP) Encryption

Pretty Good Privacy (PGP) is an encryption system used for both sending and receiving encrypted emails and encrypting sensitive files. PGP encryption is required on most popular darknet markets such as White House Market. If messages are not encrypted using PGP encryption, darknet markets will not allow users to send and receive messages or purchase illicit commodities.

A picture of A public key used by Nevada HIDTA during an investigation in August 2021. I have not OCRd it. — A public key used by Nevada HIDTA during an investigation in August 2021. I have not OCRd it.

During the investigation into a prolific Xanax vendor on AlphaBay, law enforcement officers raided the defendant’s house and found loads of incriminating evidence. They seized multiple cryptocurrency wallets, including a Trezor cold storage wallet containing almost 200 Bitcoin. Investigators could not find the seed phrase for at least one of the wallets they had discovered.

The case began with an unrelated arrest of one of the defendant’s friends in a different state. Investigators also used the defendant’s (at the time) girlfriend’s drug habit to get a foot in the door for probable cause. I can remember that the DEA had at least four of the defendant’s acquaintances making statements. It seems likely that the actual number of loose lips is higher than four. After some time, investigators learned that the defendant had given the seed phrase to a friend. The friend had allegedly promised to keep the seed phrase no matter the cost. Law enforcement officers detained the person who had the seed phrase and threatened him with prison time. The friend gave up the seed phrase.

In the bulletin, the Nevada HIDTA wrote, “anyone who maintains a copy of the recovery seed or has access to the recovery seed can re-create the wallet without geographical limitations and could easily withdraw the funds.” As the case described above demonstrates, even if someone were to leave someone else with the only copy of the seed phrase, law enforcement will somehow sniff it out. If any readers know of a case where someone moved the funds out of a wallet seized by law enforcement, please let me know. I would love to read about their frantic attempts to recover the “stolen” funds.

Dark Web and Cryptocurrency - What to Look for During a Search Warrant pdf html html2

P.S. Whatever vendor sold “listing: 70209 7 grams Cocaine - Uncut Brick” and sends the following message to their customers is under investigation (and selling to the feds):

A picture of A decrypted message on White House Market from a Nevada HIDTA investigation in 2021. — A decrypted message on White House Market from a Nevada HIDTA investigation in 2021.

23 Comments

It's Called We Engage In A Mild Amount of Tomfoolery

8595b9f7

61aa5730 Sun, May 1, 2022

looks to be insta judging by whm in background and product of coke and adds up to nevada location RIP insta and FUCK 12

90119072

6e690d40 Mon, May 2, 2022

Good call. Nailed it. The bulletin credits “Nevada High Intensity Drug Trafficking Area (HIDTA) Drug Enforcement Agency (DEA) Enforcement Group 3” and the DEA SA working the Insta case, Daniel Kurinec, is “DEA Las Vegas, Nevada, District Office (LVDO), Enforcement Group 3 (EG3).”

1f91861f

ee17af50 Sun, May 1, 2022

fat officier read about darknet and let blacks rape our children

1dc280a3

72193870 Mon, May 2, 2022

wha? Stop taking drugs man, your mind is just whacked out. Or, better: take more! Enough to take your hate crime and turn it into love. Or to kill yourself. Either way, everyone wins.

2f64be12

e5216980 Wed, May 11, 2022

what the fuck is wrong with you?
fucking racist prick

52122cbe

81e807d0 Mon, May 2, 2022

What’s the point of this site, apart from publishing completely useless information?

b2f9f5c6

9d781ca0 Mon, May 2, 2022

If you consider this information useless, this site doesn’t seem to be made for you

4dece91a

50b27650 Mon, May 2, 2022

I FUCKING HATE NIGGERS

229fb7dd

055f0d90 Mon, May 2, 2022

Don’t worry, niggers fucking hate you as well.

2b19b681

2723ce00 Mon, May 2, 2022

based niggers are a disease look at what they did to the greatest nation on earth maga

7c972f87

96bfb7c0 Wed, May 4, 2022

are you lost? I think you were looking for your safe space iCloud/Facebook intranet

0c6bdd8e

0b6d4f00 Mon, May 2, 2022

I was suspect this was an ongoing unspoken thing with law enforcement. Now it is very clear it was real and not a conspiracy from paranoia and what not.
Time to get grimmey, as the greatest drum and bass producer/dj ever, Dillinjah, would say.

e7466b34

d4420780 Tue, May 3, 2022

A precursor for seizing all crypto assets - from anyone - for thought crimes. Suggestions to bypass risk?

ec0a19bc

1b471fc0 Tue, May 3, 2022

I would love the opportunity to ‘interview’ any one of these taskforce team members and hear their response to a handful of questions left unanswered. Really. TFLEA, when you read this, I would like to engage in a short open dialogue regarding core principalities and the general objectives and perspectives on recent and current operations/events. If you really do have the people’s well-being and safety at heart, you will agree that refusal to accept could only stand to pass by a great chance to open the doors to a better everything

12016d40

ad777450 Wed, May 4, 2022

Beautifully stated.

e04bff1b

f5eee0d0 Wed, May 4, 2022

Why not simply take a free course in investigative techniques? Many are now offered for free via some top tier academic institutions. All the resources can easily be found online via the clearnet.

Most of its publicly transparent or you can request info via the FOIA

Of course, would you ask the Ukrainian Army to give up intel? What do you think their response would be?
Its not rocket science: Its a LE Job. Its a Job. A Job, like everything else. Its illegal and we go after you, how hard is that to understand? You have freedom to soapbox all you want. If you don’t like it, vote, or run for office yourself. You can continue to gamble, and the greats will never be caught, but most, if not all of the younger vendors seem to have a social engineering vulnerability that is exploited. Don’t do the crime if you cannot do the time.

You can continue to live in your narcissistic fantasy of a black and white idolized world. Its a FUCKING JOB.

253dfa78

36d7c440 Mon, May 16, 2022

“You can continue to live in your narcissistic fantasy of a black and white idolized world. Its a FUCKING JOB.”

wait who is living in a narcissistic fantasy?

i’m confused, are you making fun of yourself playing the persona of someone who is LE? Or were you actually attempting to be serious and like… tough?

9b526f65

0f26f9b0 Wed, May 4, 2022

LET PEOPLE DECIDE WHAT THE FUCK THEY DO WITH THEIR OWN BODYS YOU FUCKING POWER HUNGRY CUNTS

de80ab96

0dc3eb70 Thu, May 26, 2022

nah cuz a dead slave is a slave that doesn’t pay taxes after the state is done appropiating their stuff, dead people is no bueno for business

e8ecf2d8

3d0c1c30 Fri, May 6, 2022

Smoke weed.

f0cdd278

82726990 Sat, May 7, 2022

am i the only sane person here

64a39916

c228ae50 Mon, May 9, 2022

yes definitely

ace59287

a00860d0 Mon, May 9, 2022

“If any readers know of a case where someone moved the funds out of a wallet seized by law enforcement, please let me know.”

The case of ‘Gary James Harmon’ is one

New comments are disabled after ten days in an attempt to limit spam.