Conventional wisdom says everyone should practice basic online security measures, like using different passwords for different accounts. And when you want to stay anonymous, don’t publish your email address on public forums, or tie it to things like Facebook or Instagram.
But failing to do so is what helped federal law enforcement take down some of the most notorious cybercriminals on the dark web.
At the Black Hat security conference in Las Vegas on Wednesday, attorneys Harold Chun and Norman Barbosa described how federal prosecutors built a case against the notorious hacker and credit-card fraudster Roman Seleznev. It was a multi-year effort that took painstaking attention to digital details, including finding links between the email accounts he used for crime and his personal transactions.
Seleznev tied two different email accounts to his online personas, but he also slipped and used them for personal business. He used one email address to open a PayPal account registered to his real home address, and the other to send a gift to his wife.
“We found a number of things tracing back to him, including a flower order that he had placed for his wife in his own name with a phone number that showed up in other records tied to him,” Barbosa, the assistant U.S. attorney for the Western District of Washington and the office’s Computer Hacking and Intellectual Property Crimes coordinator, said.
Further, because the feds knew Seleznev reused the same passwords across a variety of online accounts, they were able to guess the password to his laptop immediately. That laptop contained 1.7 million credit card numbers.
Seleznev was arrested in the Maldives in 2014, and sentenced to 27 years in prison in April of this year.
The fraudster’s case isn’t unusual. Last week, the Justice Department announced the takedown of AlphaBay, the largest marketplace on the dark web. On it, criminals could buy and sell everything from drugs to firearms to malware.
Alexandre Cazes, the 25-year-old AlphaBay administrator, was arrested in Thailand earlier this month, and killed himself in custody.
In the complaint filed against Cazes, U.S. attorneys list a variety of his security failures. At one point, the administrator's personal email address, “Pimp_Alex_91@hotmail.com”, appeared in the headers of emails sent to new AlphaBay users and in the site's password recovery process. The same address had been used to post on other internet forums, where he signed his real name.
Ringleaders aren’t the only ones who get caught thanks to bad operational security. On Monday, the Justice Department announced that two AlphaBay drug dealers had been sentenced to 6.5 years in prison. The feds were able to determine that one of them had tied the email address and usernames he used on the dark web to his real Instagram, Facebook, and Twitter accounts.
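The investigative pattern in both the Seleznev and AlphaBay cases is the same: a "strong" identifier (an email address, a phone number, a street address) is reused across a criminal persona and a real-world record, and investigators pivot from one record to the next until the persona connects to a name. The following is an added illustration of that pivoting, written for this article; it is not code from the prosecutors or from any case file. All records, addresses, phone numbers and names in it are constructed placeholders, and the field names and the choice of pivot fields are assumptions made for the example. It also shows the caveat a practitioner cares about: pivoting on a weak identifier such as a name drags in unrelated people.

```python
from collections import defaultdict, deque
from typing import Dict, List, Optional, Set, Tuple

Record = Tuple[str, Dict[str, str]]

# Identifier fields considered strong enough to pivot on. "name" is deliberately
# left out: common names create false joins between unrelated people, so a name
# is kept as supporting evidence only (the example switches it on to show why).
PIVOT_FIELDS: Set[str] = {"email", "phone", "address"}

# Constructed sample records (placeholder values, not real data). Each record is
# (source, fields). The two personas are linked only indirectly: persona-a's
# payment account shares a home address with a phone registration, and that
# phone number appears on a flower order placed from the persona-b address.
RECORDS: List[Record] = [
    ("darkweb_forum_profile", {"email": "persona-a@example.com", "handle": "shop_admin"}),
    ("payment_account",       {"email": "persona-a@example.com",
                               "address": "12 Example St, Springfield", "name": "J. Doe"}),
    ("flower_order",          {"email": "persona-b@example.com", "phone": "+1-555-0100",
                               "name": "J. Doe"}),
    ("phone_registration",    {"phone": "+1-555-0100",
                               "address": "12 Example St, Springfield", "name": "J. Doe"}),
    ("malware_panel_login",   {"email": "persona-b@example.com", "handle": "shop_admin"}),
    ("unrelated_order",       {"email": "bystander@example.org", "phone": "+1-555-0199",
                               "name": "J. Doe"}),
]


def record_tokens(fields: Dict[str, str], pivot_fields: Set[str]) -> Set[str]:
    """Turn a record's pivotable fields into normalised 'field:value' node labels."""
    return {f"{k}:{v.strip().lower()}" for k, v in fields.items() if k in pivot_fields}


def build_graph(records: List[Record], pivot_fields: Set[str] = PIVOT_FIELDS) -> Dict[str, Set[str]]:
    """Bipartite graph: identifier tokens on one side, record sources on the other.
    Record sources are prefixed with 'record:' so they never collide with tokens."""
    adj: Dict[str, Set[str]] = defaultdict(set)
    for source, fields in records:
        rec = f"record:{source}"
        for tok in record_tokens(fields, pivot_fields):
            adj[tok].add(rec)
            adj[rec].add(tok)
    return adj


def _bfs(adj: Dict[str, Set[str]], start: str, target: Optional[str] = None) -> Dict[str, Optional[str]]:
    """Breadth-first search from start; returns a parent map of every node reached.
    Neighbours are visited in sorted order so results are deterministic."""
    parent: Dict[str, Optional[str]] = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for nxt in sorted(adj.get(node, ())):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return parent


def linked_identifiers(records: List[Record], start: str,
                       pivot_fields: Set[str] = PIVOT_FIELDS) -> Set[str]:
    """Every identifier reachable from `start` through records that share a pivot field."""
    parent = _bfs(build_graph(records, pivot_fields), start)
    return {n for n in parent if not n.startswith("record:")}


def evidence_chain(records: List[Record], start: str, target: str,
                   pivot_fields: Set[str] = PIVOT_FIELDS) -> Optional[List[str]]:
    """Shortest alternating identifier/record path from start to target, or None.
    This is the chain an investigator has to document, one record at a time."""
    parent = _bfs(build_graph(records, pivot_fields), start, target)
    if target not in parent:
        return None
    path: List[str] = []
    node: Optional[str] = target
    while node is not None:
        path.append(node)
        node = parent[node]
    return path[::-1]


if __name__ == "__main__":
    crime = "email:persona-a@example.com"
    print("linked by strong identifiers:", sorted(linked_identifiers(RECORDS, crime)))
    print("chain to second persona:", evidence_chain(RECORDS, crime, "email:persona-b@example.com"))
    print("with name as a pivot field:",
          sorted(linked_identifiers(RECORDS, crime, PIVOT_FIELDS | {"name"})))
```

With only email, phone and address as pivots, the bystander's order never joins the cluster; adding "name" to the pivot set pulls it in through the shared "J. Doe", which is exactly the kind of false link an investigator has to rule out before it reaches a complaint.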
According to Chun, now an independent attorney, operational security is getting better, but criminals can still easily make mistakes.
“The hard part is keeping your online profile and your actual self separate completely,” Chun said. “Sometimes your VPN fails, sometimes mistakes just happen on your hardware. And if law enforcement sees that one mistake, it’s something to work on.”