Hacker OPSEC

STFU is the best policy.

Silk Road Security

Counterintelligence Lessons for Drug Dealers

NOTE Events have overtaken my slow writing speed. This post was in the works before the Silk Road bust in September 2013. I'm uploading it anyway because it has some useful information, however there seems little point in finishing it now.

The dealers on Silk Road ship a large amount of illegal products around the world, and it is clear that they're successful at it. However, the US Postal Service has long been aware that drug dealers use its service for shipping illegal substances and has developed guidelines for picking out suspect packages efficiently. Unfortunately for the USPS, those guidelines have leaked, and that allows someone abusing the US mail as an illicit distribution channel to evade the USPS's checks.

Suspicious Post Guidelines

The actual guidelines for suspicious packages list a number of major indicators that the inspectors look for. This guide is somewhat outdated, and a revised version has also been leaked. In both cases, the triggers and the reasoning behind them are similar.

FBI Profiling Criteria

  1. Heavy taping along the seams;
  2. poor preparation for mailing;
  3. uneven weight distribution;
  4. apparent package reuse; and
  5. labels that are handwritten, contain misspellings, originate from a drug-source State, indicate person-to-person not business-to-individual mail, have a return zip code that does not match the accepting post office zip code, a fictitious return address, names of senders or recipients with features in common (John Smith, e.g.) and having no connection to either address

Drug Mail Profile

  1. the use of Express Mail,
    • Express Mail is primarily used by businesses for document delivery.
  2. the weight of the package,
    • drug traffickers are mailing approximately one kilo of cocaine per package, plus some dummy weights
  3. the package is sent from Puerto Rico, a known drug source location,
  4. the package was mailed from a post office address outside of the zip code on the return address,
  5. an Accurint check reveals that no one by the sender’s name lived at the return address,
    • Police will also check Google and Facebook to get more information
  6. the package is heavily taped at all seams
    • heavy taping may or may not help evade detection by drug sniffing dogs, but we know one thing for sure: it certainly helps draw police attention to the package!
  7. the label is handwritten
    • Since most Express Mail is business-to-business, or business-to-client, labels that aren’t typed are suspect

Collated

Anything that looks like someone is sending slightly over an even metric weight of something, from a known suspect location, to another person, in an old heavily taped package with a fake return address. Sounds like bad tradecraft.

  1. Suspicious packaging
    • Heavy taping
    • Package reuse
  2. Not business mail
    • No printed label
    • Clearly not documents
    • Individual to individual
  3. Known suspicious origin
    • Occasionally specific post offices
    • Specific territories or countries (Puerto Rico)
  4. Flimsy “return address” cover
    • Fake name
    • Mismatched name + address
    • Mismatched address + zipcode

Main points to take away:

  • drug packages look different from normal mail
  • many factors contribute to creating a plausible cover/alias
  • the packaging of a drug shipment is itself a cover, and it needs to be backstopped

Don’t make shit up, do your research and steal an identity with a real address.

Backstop your cover

When creating a cover, make sure it is as fully fleshed out as possible. This means developing supporting evidence to bolster the validity of the cover. In intelligence lingo, this is called backstopping.

A backstopped cover is one where the checks an investigator would run against the cover story come back consistent. For example, if the cover story includes a name, there are matching identity documents; if there is a phone number, it connects to someone who will substantiate the cover story; if there is an address, it exists. The old Soviet illegals used to spend years developing their covers and backstopping them. They'd live for a few years in the country they claimed to be immigrating from, so they would have the memories, experience and verifiable evidence that they were from there.

If you are going to use a cover (you probably should), then put in the effort to create a backstop. The complexity and depth of that backstop depend on how deeply the cover will be investigated. Remember though, it is better to have too much than not enough…