A Connecticut resident has been arrested for stealing Bitcoin by phishing darknet logins. By posting links to fake darknet marketplaces, Michael Richo collected a large number of platform logins from other darknet users. With those credentials he could sign in to the victims' real accounts and empty any Bitcoin wallet balance they held.
The FBI and other law enforcement agencies have lately been keeping a close eye on the darknet marketplace sector. During one of their investigations they came across a person building clone websites of platforms such as AlphaBay. As it turns out, these were deliberate phishing sites built to collect login information from users and take over their accounts.
Phishing The Darknet For Logins and Bitcoins
After his arrest by the New Haven Division cybercrime squad, it didn’t take long for Richo to admit he was running a phishing scheme. He also admitted that he created the websites, submitted the links to popular platforms, and stole Bitcoin from the accounts he compromised. For now it remains unclear where the links were posted, although Reddit and darknet forums seem the likely candidates.
Once the username and password for a particular platform were collected, Richo would log in to that account on the legitimate website. He then checked each account for a Bitcoin wallet balance and withdrew any funds present. Richo also kept tabs on these accounts, monitoring for incoming deposits and siphoning off the proceeds as soon as they arrived.
To make matters worse, Richo admitted to running a secondary scheme to steal Bitcoin wallet balances. Using a tool he dubbed “Bitcoin monitor”, he posted links that routed all traffic through his own servers, which sat between the user and the real site. Doing so let him record everything users typed, credentials included, and steal even more Bitcoin.
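A defender-side check for the link-posting half of the scheme, added here as an example and not code from the original article: given links that users submit to a forum or subreddit, extract the host, compare it with a known-good list of marketplace addresses, and flag two clone patterns at once, a .onion address within a few edits of a real one, and a clearnet domain (including Tor2web-style gateways) that embeds a marketplace name and would relay traffic through a third party. The marketplace names, .onion addresses and sample links are all constructed for this example and are not real addresses.

```python
"""Flag posted links that impersonate a known darknet marketplace.

Added example, not code from the article. Every host and link below is
constructed for illustration; none is a real marketplace address.
"""
from urllib.parse import urlparse

# Constructed allowlist: marketplace name -> its genuine .onion host.
# Hypothetical values chosen for the example, not real addresses.
KNOWN_GOOD = {
    "examplemarket": "examplemarket4u6.onion",
    "secondmarket": "secondmarketz2q3.onion",
}

# Maximum edit distance at which an unknown .onion counts as a lookalike.
LOOKALIKE_THRESHOLD = 3


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; O(len(a)*len(b)) time, O(len(b)) memory."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Lower-cased host of a link, tolerating links pasted without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def classify(url: str) -> str:
    """Verdict for one posted link."""
    host = host_of(url)
    if host in KNOWN_GOOD.values():
        return "legitimate"
    if host.endswith(".onion"):
        label = host[: -len(".onion")]
        for name, good in KNOWN_GOOD.items():
            good_label = good[: -len(".onion")]
            # A one- or two-character change to the real address is the
            # classic clone pattern; most users will not spot it.
            if edit_distance(label, good_label) <= LOOKALIKE_THRESHOLD:
                return f"lookalike of {name}"
        return "unknown onion"
    # Not a .onion host at all: a marketplace name inside a clearnet domain
    # (e.g. a ".onion.to" gateway or "<market>-login.com") means the traffic
    # is being relayed through someone else's server before it reaches Tor.
    for name in KNOWN_GOOD:
        if name in host:
            return f"clearnet impersonation of {name}"
    return "unknown clearnet"


def triage(urls):
    """Classify a batch of posted links; returns {url: verdict}."""
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    SAMPLE = [  # constructed links, not taken from the article
        "http://examplemarket4u6.onion/login",
        "http://examp1emarket4u6.onion/login",
        "https://examplemarket4u6.onion.to/login",
        "https://examplemarket-login.com/",
        "http://zzzzzzzzzzzzzzzz.onion/",
    ]
    for url, verdict in triage(SAMPLE).items():
        print(f"{verdict:40} {url}")
```

The threshold is deliberately small: a 16-character address with three or fewer edits is almost certainly a deliberate lookalike, while anything further away is just an address the allowlist does not know about and should be reviewed rather than auto-flagged. The same function works for users who keep a personal allowlist: run every link through it before entering credentials.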
Stealing funds is one thing; turning them into cash that cannot be traced back is harder. The investigation revealed that Richo used Bitcoin Fog, a coin tumbler that claims to break the link between the coins a user deposits and the coins they withdraw. Once that process was complete, the “clean” Bitcoin was sold through LocalBitcoins for US dollars deposited into a bank account.
For the time being it remains unclear how much money was stolen in total. We do know that nearly 10,000 usernames and passwords were in Richo’s possession at the time of his arrest. This goes to show that users who go to the extra trouble of using Tor and similar tools are still vulnerable to these “traditional” attacks: Tor hides who is talking to whom, but it does nothing to confirm that the site at the other end is the one the user meant to reach, and an address that differs from the real one by a character or two is indistinguishable to most people.