
It's very lucrative and the competition is pretty inept so expectations are low. You can retire to Thailand off the residuals. If you're a 20 year old who isn't looking forward to decades of corporate work that might not sound bad.


This was something that always boggled my mind how inept these guys sometimes were. In this business your life literally (and I mean literally) depends on good security and they would make some really rookie mistakes.


It's human. Mistakes can sometimes be really subtle and require only a moment's inattention but sound REALLY dumb when you look at it in fundamental terms.

Christ, trained CIA field agents with funding and support staff have made some really stupid mistakes on par. Things like being tracked by metadata from not turning off their cell phone because they thought a chip bag was a good enough Faraday cage. Ostensibly it sounds dumb, but that might have only been one time for 20 minutes or something that allowed the Italian investigators to connect the dots.

Perfect security for a short time period with one incident is actually still really hard. When you make it a lifestyle going on for months/years, it's nearly impossible.


Many many CIA agents sent into China have disappeared. If an agency with the greatest set of resources on earth is getting busted regularly, what hope does the average Joe software engineer have?


> Many many CIA agents sent into China have disappeared.

Source? This doesn't sound like the sort of thing with reliable public statistics?


These aren’t agents sent into China, but assets in China who were arrested/killed. 18 to 20 between 2010-2012

https://www.nytimes.com/2017/05/20/world/asia/china-cia-spie...


CIA Agents and CIA Assets are 2 completely different things. A CIA Agent (or spy) goes into a region and recruits Assets. Assets are just normal people with no extra training, but happen to be in a position that informs them on things the CIA (or any spy agency) wants to know. An Asset could literally be the Janitor at some place that has some happenings that the CIA wants to know more about, such as a Research Lab or a local Newspaper.

Assets have no special training and routinely put their lives on the line anywhere in the world they live and are recruited.


Confusingly the word "agent" is used for both the recruiter and recruitee.

In USA it tends to be Agent/Asset whereas the rest of the Anglosphere tends to use Officer/Agent.


Within the CIA, they call themselves "Officers". It's everyone else in the US that calls them "agents".


Yup. Agents usually have diplomatic cover. Unless they commit an egregious crime, they’re usually just kicked out of the country.

That’s not to say their identity is always kept secret, however. They are often discovered and only expelled at a later date when a message needs to be sent.


On the other hand, many get away with it.

Proper air gap maintained religiously should be able to solve a lot of problems in cyber crime. After all, we still interface with computers through meat and bones.


Yes, it's just the maintaining it religiously part that's surprisingly hard.

Like, things and emergencies come up just like they do in a normal business but you have to go all the way back into secure mode to address them.

That process takes time and effort. Cleaning runs to location where you connect, switching hardware, activating all the VPN chains or Tor connection, etc etc. Coordinating occasional OTP key exchanges, time/location randomization, etc. ...you didn't slip up and get lazy with the entropy generating your "secure" encryption key did you? You have to find drop shipping locations and those expire or go wrong.

Or there was a car at location X which is a choke point that is technically on your list of triggers for counter surveillance but it's 7PM on a Friday and that cute girl you're supposed to meet is waiting. Do you assume the worst and burn everything, re-do your secure connection point or just ignore it and go through your usual process since 99/100 it's likely to be a false alarm? Or hey, the delivery guy was a day late on the 1-day shipping you used to limit the time frame the agencies could use to get a warrant, and now it's outside your predetermined acceptable window. Do you have the discipline to take the loss and refuse the package?

You get the idea. It's exhausting and people make one stupid mistake and get called out on the internet for being a moron.


I was holding my breath reading that. If you wrote a whole story in this style, I would gladly read it!


The difference between impunity and immunity.

State actors (officials) even acting internationally (outside jurisdiction), tend to have a high level of immunity from legal sanction. Independent and non-state actors less so.

The CIA agent might blow cover or case but usually gets out alive and remains free. The DarkNet criminal, not so much.


I was looking at this once

One reason they are inept is those guys usually end up doing all the work themselves, for security reasons (you won't tell random people "hey I will run a drug empire, will you help me?").

So there is a lot to do when you need to build the platform yourself from the ground up; plus, you need to spend a lot of time on moderation and spammers and attackers; and, you need to make the platform easy to use, which sometimes goes against security; read any forum for darknet markets and people always struggle with basic PGP usage. (PGP is used for encryption in darknet markets; Signal-like protocols leak way too much metadata.)

Also, people that are good at infosec will not start doing this risky stuff, as they can do something better.

There used to be a market that required PGP in all messages, and users hated that, from what I remember.

I no longer visit forums for this stuff, but look up "dred", darknet market forum.

I always wondered, why are none of the darknets operated from some "rogue state" (like North Korea) or militia-controlled areas, like FARC in Colombia. Or by actual mafias in Russia or Ukraine. But I guess even they are not that dumb and focus on what they know how to do, rather than branching into darknet.


All it takes is one rookie mistake and it wipes out the other 99.9% perfect. Yes, there are guys and girls that can do 100% of what you need to run a darknet market perfectly, but they are typically in very high demand on the employment market, so their acceptable risk to reward ratio makes participation in criminal conspiracies very unlikely. So crime naturally selects for half-asses.


That's ALL criminals for you. They can be very smart and yet consistently commit silly and avoidable mistakes.


That's all criminals that you know about, because they got caught.


Well there are three classes really. (1) Criminals who got caught. (2) Crimes that were obviously committed, but were never solved. (3) And crimes that were performed so well that we don't even know they happened.

I think you would be very hard-pressed to create a large scale drug marketplace in category 3. Thus we can look at ratio of 1 and 2, to see how clever criminals are.


Samuel Little is a perfect example of someone in category 3 that was eventually caught...

He was charged with 4 counts of murder in 2013, but in 2018 he was connected to a murder in Texas. Further investigations connected him to over 50 murders over almost 40 years, but he claims 93. The police hadn't connected ANY of the murders until he was picked up on narcotics charges and his DNA matched a bunch of cases in LA. He'd been in and out of jail 26 times between '61 and '75 for lesser charges, and was even charged with murder in '82, but was acquitted.

https://en.wikipedia.org/wiki/Samuel_Little


It would only be category 3 if all the murders looked like suicides or accidents - if we didn't know they even were murders.


It was Category 3 enough that they never connected all the murders together until he told them... We didn't know he was a serial killer, and we didn't know that there WAS a serial killer running around.


Large marketplaces are known to enough people. Had one operated for super long, it would be known.


That's all people.


Some people can’t make a stable living in regular jobs, so they resort to some form of crime. And it takes very little to add “Anybody can make money on the internet. Zuck did it and he’s a dropout.” and “Drugs make money” together.

The rest of the story tells itself.


Just like anyone, they make mistakes.

Think of the most boneheaded thing that you did in the last two years, then imagine that could have been the one mistake that gets you busted.

Also they probably get complacent about the whole thing eventually.


Maybe the type of personality willing to gamble it all on running a drug market isn't the type to dot their i's and cross their t's.



