Dark Web

  • Investigation of xDedic cybercrime site reaches ‘culmination,’ US says
    therecord.media Investigation of xDedic cybercrime site reaches ‘culmination,’ US says

    The Department of Justice noted that it has charged nearly 20 individuals for their involvement in the xDedic cybercrime marketplace, which was taken down in 2019.

    The U.S. Department of Justice said that it has charged nearly 20 individuals for their involvement in the xDedic cybercrime marketplace operation, with more than a dozen already sentenced to prison.

    The department announced on Thursday that it had reached the “culmination of a transnational cybercrime investigation” against the darknet site. Since its takedown in 2019, international law enforcement officers have arrested administrators, sellers and buyers in the U.S., Moldova, Ukraine, the U.K. and Georgia.

    The Ukrainian-language cybercrime forum was founded in 2014. It illicitly sold login credentials to servers located worldwide, along with personally identifiable information, including dates of birth and Social Security numbers of U.S. residents.

    Once purchased, criminals used those servers for a wide range of illegal activities, including tax fraud and ransomware attacks, according to the Justice Department.

    To conceal their locations and identities, the xDedic administrators operated the website across a widely distributed international network and used cryptocurrency for payment.

    In total, the marketplace offered more than 700,000 compromised servers for sale, including at least 150,000 in the U.S.

    Victims included government agencies, hospitals, emergency services, call centers, accounting and law firms, pension funds and universities.

    The major players

    In the years that followed the takedown of xDedic, the U.S. investigated, charged and convicted individuals involved in every level of the website’s operation. To date, 14 people have been sentenced, and five cases are still pending, including those of Bamidele Omotosho from Nigeria; Olayemi Adafin, Olakunle Oyebanjo and Akinola Taylor from the U.K.; and Oluwarotimi Ogunlana from the U.S.

    Some of the prominent cases include:

    Administrators. Alexandru Habasescu, who resided in Moldova, was the lead developer and technical mastermind for the marketplace. He was taken into custody in Spain in 2022 and extradited to the U.S.

    Pavlo Kharmanskyi, who lived in Ukraine, advertised the website, paid administrators, and provided customer support to buyers. He was arrested at the Miami International Airport in 2019 as he attempted to enter the U.S.

    They were sentenced to 41 and 30 months in prison, respectively.

    Sellers. Dariy Pankov, a Russian national, was one of the highest sellers on the marketplace by volume, listing for sale the credentials of more than 35,000 compromised servers located all over the world and obtaining more than $350,000 in illicit proceeds, according to DOJ.

    He developed a powerful malicious software program NLBrute that was capable of compromising protected computers by decrypting login credentials. Pankov was taken into custody in Georgia in 2022 and extradited to the U.S. He was sentenced to 60 months in federal prison.

    Buyers. Allen Levinson, a Nigerian national, was particularly interested in purchasing access to U.S.-based certified public accounting (CPA) firms. He used the information he obtained from those servers to file hundreds of false tax returns with the U.S. government, requesting more than $60 million in fraudulent tax refunds.

    Levinson was taken into custody in the U.K. in 2020 and extradited to the U.S. He was subsequently sentenced to 78 months in federal prison.

  • Tor Project 2023: Year in Review
    blog.torproject.org 2023: Year in Review | Tor Project

    As we bid farewell to 2023, we reflect on the hard work of the Tor Project's teams and their many noteworthy achievements to improve Tor and its experience for millions of users all around the world. Thank you to our community of users, volunteers, relay operators, partners, and donors for making th...

  • German police take down Kingdom Market, a darknet emporium of illicit goods
    web.archive.org German police take down Kingdom Market, a darknet emporium of illicit goods

    German police said they posted a takedown notice on the website and are now analyzing Kingdom Market's server infrastructure to identify the people behind the website's operation.

    German law enforcement has seized the servers of the darknet marketplace Kingdom Market, a bazaar for drugs, malware, fake documents and other tools for cybercriminals.

    In a press release on Wednesday, the police said they posted a takedown notice on the website and are now analyzing Kingdom Market's server infrastructure to identify the people behind the website's operation.

    One person allegedly connected to Kingdom Market was identified last week as Alan Bill, a Slovakian national, who also went by his alias "Vendor," according to U.S. court documents.

    U.S. law enforcement agencies "closely cooperated" with Germany in the operation, along with police from Switzerland, Moldova and Ukraine.

    Kingdom Market was an English-speaking marketplace operating since March 2021. It offered more than 42,000 items for sale, including around 3,600 products from Germany. German police claim that "tens of thousands of customer and several hundred seller accounts" were registered on the marketplace.

    The website's operators accepted bitcoin, Litecoin, Monero and Zcash cryptocurrencies for payment. They also received a 3% commission for processing the sales of illegal goods via the platform.

    This is the second major darknet website takedown this week after the FBI seized the website of the AlphV/Blackcat ransomware gang on Tuesday. AlphV/Blackcat affiliates have compromised over 1,000 organizations and received nearly $300 million in ransom payments.

    Shortly after the FBI posted a takedown notice on the AlphV/Blackcat website, the hackers replaced it with their own message claiming they had "unseized" the page and brought it back under their control.

    Many researchers, however, doubted this claim, saying the hackers were able to make it appear back online because the website where they listed victims was run as an onion service, a specialized type of anonymous website that can only be accessed over the Tor network.

  • UK police forces seek £1.5m software to help officers investigate the dark web
    darkdotnet.com UK police forces seek £1.5m software to help officers investigate the dark web

    Police forces across the UK are to be given access to a software platform to support officers in investigating the dark web.

    A procurement process has been launched by the City of London Police. The force houses the National Police Chiefs’ Council Cybercrime Programme – which serves as the “national strategic lead” for law enforcement’s response to cyber offences, according to a newly published commercial notice.

    The City of London Police wishes to hear from suppliers that could provide “a dark web intelligence tool [as] software-as-a-service [and] to be used throughout the UK by police forces, regional organised crime units, the Serious Fraud Office, as well as other law enforcement agencies”.

    The procurement notice says that the force is looking for a technology tool that will use web-scraping techniques to “provide an increased level of investigative capability… by providing dark web investigators with current data collections… from open, deep and dark web sources – including other sources such as leaked forums”.

    The dark web uses internet connectivity but has been deliberately hidden from search engines and can only be accessed via special browsers. Users of the dark web can trade on the anonymity it offers to buy or sell illegal goods and services, or engage in other illicit activities.

    The software sought by the City of London Police should also offer a “user-friendly web-based interface for the management of cases, and to access and utilize all investigative features, such as searching, tagging, reporting – this includes advanced features that enable a granular focus… such as timeline filtering, or the real-time monitoring of specific artifacts [or] keywords”.

    The software will need to integrate with similar tools already deployed to help officers investigate blockchain environments.

    The chosen provider will be appointed to an initial one-year contract, scheduled to commence around the start of the next fiscal year. The deal – which will be worth £500,000 a year to the winning bidder – can be extended for two further 12-month terms. To access the full detail of the tender and complete the bidding process, firms must sign a non-disclosure agreement. Bids are open until 8 January.

    The contract notice said that the investment in a specialized dark web tool will enable the City of London Police to expand the efficacy of an already hugely successful initiative.

    “The Cyber-crime Program has led in this area since 2018 and has delivered significant strategic and operational goals,” it said. “In many areas, the Cyber-crime Program has delivered world-leading initiatives and our approach over previous years has resulted in significant operational success, both in terms of successful criminal convictions, but also our ability to disrupt and tackle sophisticated, financially motivated cyber-criminals.”

  • Bitzlato founder pleads guilty, agrees to dissolve dark web exchange
    darkdotnet.com Bitzlato founder pleads guilty, agrees to dissolve dark web exchange

    Anatoly Legkodymov, founder of the dark web-tied crypto exchange Bitzlato, has pleaded guilty to operating an unlicensed money transmitting business in a New York court.

    The Department of Justice originally filed charges against the Hong Kong-based exchange’s majority owner last January.

    Bitzlato “sold itself to criminals as a no-questions-asked cryptocurrency exchange, and reaped hundreds of millions of dollars worth of deposits as a result,” US attorney Breon Peace said in a statement at the time.

    According to the DOJ, Legkodymov will dissolve Bitzlato and “release any claim over approximately $23 million in seized assets of Bitzlato” as part of the plea agreement. A sentencing date has not been set yet.

    “We are dismantling and disrupting the cryptocrime ecosystem using all tools available — including criminal prosecution. In January, the Department and our partners took down Bitzlato’s infrastructure and seized its cryptocurrency. Today’s conviction of Bitzlato’s founder is the latest product of our efforts,” Deputy Attorney General Lisa Monaco said in a press release.

    The DOJ and German authorities shut down Hydra Market — which allegedly specialized in being a marketplace for drugs and stolen financial information — back in 2022. The online marketplace exchanged roughly $700 million worth of crypto with Bitzlato, the authorities said.

    Legkodymov was denied bail at a hearing back in March due to his status as a Russian national in the US on a visa and his “access” to crypto, cited as reasons to keep him detained.

    The initial DOJ announcement surprised some in crypto, with some taking to X to post that they had never heard of the exchange before.

  • Serbian Citizen Pleads Guilty to Running Monopoly Drug Market on the Darknet
    darkdotnet.com Serbian Citizen Pleads Guilty to Running Monopoly Drug Market on the Darknet

    WASHINGTON – Milomir Desnica, 33, a national of Serbia and Croatia, pleaded guilty today in U.S. District Court in the District of Columbia to charges of conspiracy to distribute and possession with intent to distribute 50 grams or more of methamphetamine, announced U.S. Attorney Matthew M. Graves and FBI Special Agent in Charge Wayne A. Jacobs, of the Washington Field Office’s Criminal and Cyber Division. U.S. District Court Judge Carl J. Nichols scheduled sentencing for February 15, 2024.

    According to the government’s evidence, Desnica, of Smederevska Palanka, Serbia, entered into a conspiracy in 2019 to develop and operate a website to sell narcotics that became Monopoly Market. According to the indictment, Monopoly grew into a vast marketplace for the sale of illicit narcotics including opioids, stimulants, psychedelics, and prescription medications, among other drugs.

    In 2021, law enforcement within the United States placed and received numerous orders for narcotics on Monopoly from various vendors. Authorities ordered more than 100 grams of methamphetamine on Monopoly. Through its investigation, the FBI determined that Monopoly facilitated over $18 million in narcotics sales around the world, including the sale of over 30 kilograms of methamphetamine to customers in the United States.

    In December 2021, in coordination with foreign law enforcement partners in Germany and Finland, law enforcement seized the computer server hosting Monopoly and took it offline. Through analysis of the seized server, law enforcement identified records of the narcotics sales, financial records documenting cryptocurrency payments on Monopoly, an online forum associated with Monopoly, communications from the Monopoly operator to vendors, commission payment invoices, and more. Through extensive analysis of these records, Desnica was identified as an operator of Monopoly.

    In November 2022, in coordination with the Austrian Fugitive Active Search Team (FAST) and the Public Prosecutors Office Vienna, Desnica was located and arrested in Austria. Law enforcement conducted a search of his residence and vehicle, seizing electronics and cash.

    On June 23, 2023, Desnica was extradited from Austria to the United States to face drug trafficking charges.

    This case is being investigated by the FBI Washington Field Office’s Hi-Tech Opioid Task Force and Germany’s Zentrale Kriminalinspektion (ZKI) Oldenburg Cybercrime Unit. The Hi-Tech Opioid Task Force is composed of FBI agents, analysts, and task force partners, including special agents and officers of the Food and Drug Administration’s Office of Criminal Investigations, Drug Enforcement Administration, U.S. Postal Inspection Service, and detectives from local assisting police agencies. The task force is charged with identifying and investigating the most egregious darknet marketplaces and the vendors operating on the marketplaces who are engaged in the illegal acquisition and distribution of controlled substances, including methamphetamine, fentanyl, and other opioids.

    The Justice Department’s Office of International Affairs worked to secure the arrest and extradition from Austria of Desnica and also provided significant assistance. Valuable assistance was also provided by Finland’s National Bureau of Investigation; Europol; Germany’s Bundeskriminalamt; Austria’s Bundeskriminalamt Cybercrime Competency Center, FAST team, and Public Prosecutors Office Vienna; and the Republic of Serbia High-Tech Crimes Special Prosecutor. It is being prosecuted by Assistant U.S. Attorneys Andy Wang and Nihar Mohanty of the Violence Reduction and Trafficking Offenses (VRTO) Section of the U.S. Attorney’s Office for the District of Columbia.

  • US imprisons Ukrainian SSNDOB administrator for 8 years
    www.theregister.com US imprisons Ukrainian SSNDOB administrator for 8 years

    24 million Americans thought to have had their personal data stolen and sold for pennies

    A Ukrainian national is facing an eight-year prison sentence for running an online marketplace that sold the personal data of approximately 24 million US citizens.

    Vitalii Chychasov, 37, was sentenced on Tuesday after pleading guilty to conspiracy to commit access device fraud and trafficking in unauthorized access devices. In addition to the prison sentence he will forfeit $5 million in assets, the proceeds of fraud, and his control of the various marketplace domains.

    Attempting to enter Hungary at the time, Chychasov was arrested in March 2022 for running the SSNDOB Marketplace, which stands for "social security number, date of birth" and operated over various domains including blackjob[.]biz, ssndob[.]club, ssndob[.]vip, and ssndob[.]ws.

    He was later extradited to the US in July 2022, a month after SSNDOB was shut down by US, Latvian, and Cypriot authorities.

    The SSNDOB Marketplace dates back more than a decade and was operating as early as 2013, then on the domain ssndob[.]ru.

    At the time, full records (fulls), which included full names, addresses, phone numbers, dates of birth (DoB), and social security numbers (SSNs) were sold for $0.50 per individual. If these "fulls" were located by DoB, they cost $1, and if they were located by ZIP code, they cost $1.50.

    Consumer credit reports were also available for a loftier $15, as were background reports for $12, and driver's license records for $4.

    The research, led by infosec investigative journalist Brian Krebs at the time, suggested that the criminals had access to at least five different systems at US-based consumer and business data aggregators. These allegedly included Lexis-Nexis, Dun & Bradstreet, and Kroll Background America.

    US authorities estimate that SSNDOB alone has generated more than $19 million in sales over the course of its operation.

  • Safeguarding the Tor network: our commitment to network health and supporting relay operators
    blog.torproject.org Safeguarding the Tor network: our commitment to network health and supporting relay operators | Tor Project

    In this blog post, we want to reaffirm our commitment to keeping Tor free and provide insight into the rationale behind the recent removal of certain bad relays.

    Recently, we've identified some operators associated with a high-risk, for-profit scheme. This financial scheme is promising monetary gains with cryptocurrency tokens, and is operated by third parties without the endorsement or approval of The Tor Project. We consider these relays to be harmful to the Tor network for a number of reasons, including that certain of the relays do not meet our requirements, and that such financial schemes present a significant threat to the network's integrity and the reputation of our project as they can attract individuals with malicious intent, put users at risk, or disrupt the volunteer-driven spirit that sustains the Tor Community.

    As part of our assessment and due diligence into the matter, we engaged with relay operators and were often presented with scenarios in which relay operators associated with this scheme were putting themselves at risk by lacking the awareness of what project they were actually contributing to or operating relays in unsafe or high-risk regions. It has become clear to us that this scheme is not beneficial to the Tor network or the Tor Project, which is why we proposed the rejection of those relays to our directory authorities, who voted in favor of removing them.

    This recommendation is further rooted in the fundamental principles of the Tor network: collaboration, the commitment to fight internet censorship and pervasive surveillance, and having the highest priority be to safeguard people's access to privacy and anonymity online. By removing relays associated with this for-profit scheme, the Tor network not only protects its users from potential harm but also reinforces its commitment to maintain a trusted and community-driven network. Upholding these principles is essential to ensure that Tor remains a safe and reliable tool for users seeking privacy and anonymity online.

  • Tor Project 2021-2022 Financials
    blog.torproject.org Transparency, Openness, and Our 2021-2022 Financials | Tor Project

    Our federal tax filings and audited financial statements from financial year 2021-2022 are now available. We upload all of our tax documents and publish a blog post about these documents in order to be transparent.

    For the purposes of the following subsections of this blog post, we'll be looking at the Revenue total following the 990, and breaking this total into the following categories:

    • U.S. Government (53.5% of total revenue)
    • Individual Donations (28.5% of total revenue)
    • Non-U.S. Governments (7.5% of total revenue)
    • Foundations (6.4% of total revenue)
    • Corporations (3.4% of total revenue)
    • Other (0.6% of total revenue)
  • A User of Genesis Market Sentenced

    According to court documents, 28-year-old Laderian Odom of Monroeville, Alabama, purchased 950 sets of stolen login credentials from Genesis Market. The credentials included usernames and passwords for online bank accounts, shopping sites, social media accounts, and other online platforms. Investigators established that Odom purchased the stolen credentials after receiving an invitation to Genesis Market in the summer of 2020. He was arrested in April 2023 as part of an international operation dubbed "Operation Cookie Monster," which took down 11 clearnet domains that belonged to Genesis Market.

    Operation Cookie Monster was launched in December 2018, five months after the market's launch. The investigators first gained access to the market's servers in December 2020. They collected information associated with the market's users such as usernames, passwords, email addresses, bitcoin addresses, and purchase history.

    The investigators lost access to the servers after the market's admins changed hosting services. They regained access to the servers in May 2022 and continued collecting information on the market's users.

    The investigators took the market's clearnet domains down on April 4, in an internationally coordinated action. The investigators executed search warrants at 208 properties worldwide. Odom was one of the 119 suspects arrested following the searches.

    The investigators did not take down the market's onion domain. The market's administrators kept the onion domain online and took it offline after a while. The admins put up the market for sale and recently announced that they had found a buyer for the market's entire infrastructure.

    Odom pleaded guilty to one count of possession of fifteen or more unauthorized access devices. US District Court Judge Terry F. Moorer sentenced Odom to the maximum sentence of two years in prison for the charge even though he had pleaded guilty.

    Judge Moorer agreed with the prosecution's request to not reduce Odom's sentence after establishing that Odom had lied about being under indictment while trying to purchase a handgun in August 2023.

  • Quiet marginalization of the Tor community never causes outrage. Why is the Tor community such an easy pushover?

    cross-posted from: https://links.hackliberty.org/post/285435

    > When a private sector company blocks Tor, I simply boycott. No private entity is so important that I cannot live well enough without them. But when a public service blocks Tor, that’s a problem because we are increasingly forced to use the online services of the public sector who have gone down the path of assuming offline people do not exist.
    >
    > They simply block Tor without discussion. It’s not even clear who at what level makes these decisions.. could even be an IT admin at the bottom of the org chart. They don’t even say they’re blocking Tor. They don’t even give Tor users a block message that admits that they block Tor. They don’t disclose in their privacy policies that they exclude Tor.
    >
    > Just a 403 error. That’s all we get. As if it needs no justification. Why is the Tor community so readily willing to play the pushover? Even the Tor project itself will not stand up for their own supporters.
    >
    > The lack of justification is damaging because it essentially sends the message: “you Tor-using privacy seekers are such scum we don’t even have to explain why you are outcast. We don’t even have to ask permission to exclude you from participating in society” This reinforces the myth that Tor users are criminals and encourages non-criminal Tor users to abandon Tor, thus shrinking the Tor userbase. The civilized world has evolved to a point of realizing the injustice of #collectivePunishment. At best this is a case of punishing many because of a few. I say “at best” because I’m skeptical that a bad actor provokes the arbitrary denial of service.
    >
    > When the question is publicly asked “why did service X start blocking Tor” answers always come as speculation from people who don’t really know, who say they were probably attacked.

  • Strategy for action against tor-hostile corporations

    cross-posted from: https://links.hackliberty.org/post/303031

    > These are the steps I take against companies who block Tor (e.g. a grocery store, bank, DNS provider.. whoever you do business with who have started using Cloudflare):
    >
    > 1. GDPR art.17 request to delete my email address & any other electronic means to reach me, but nothing else.
    > 2. Wait 30 days for them to comply.
    > 3. GDPR art.13 & 14 request to disclose all entities personal data was shared with + art.15 request for all my data (if I am interested) + art.17 request to erase all records. These requests are sent together along with criticisms for their lack of respect for privacy and human rights and shaming for treating humans like robots (if that’s the case).
    >
    > The reason for step 1 & 2 is to neuter the data controller’s option to respond electronically so they are forced to pay postage. It’s a good idea as well because they would otherwise likely use Microsoft for email and you obviously don’t want to feed MS. It may be feasible to skip steps 1 & 2 by withdrawing consent to use the email address (untested).
    >
    > A few people doing this won’t make a dent but there is a threshold by which a critical mass of requests would offset their (likely uncalculated) cost savings by arbitrarily marginalizing the Tor community. It’s a way to send a message that cannot be ignored.

  • Former Navy IT Manager Sentenced for Selling Stolen PII

    According to court documents, 32-year-old Marquis Hooper of California and his wife, Natasha Chalk, stole the PII of more than 9,000 people and sold it to fraudsters through the dark web and encrypted messaging platforms for $160,000 in bitcoin. To acquire the PII, Hooper created an account with a company that maintains a database that contains the PII of millions of individuals. The company allows its customers to download reports with all of an individual's PII information.

    To open an account on the platform, Hooper claimed he had been ordered to open an account on the platform and use it to verify the information of Navy personnel. The company approved the account on September 9, 2018.

    Hooper and Chalk consequently ran tens of thousands of searches on the company's database. By December 18, when the company suspended Hooper's account, the couple had acquired the PII of over 9,000 individuals.

    In March 2019, Hooper attempted to open another account on the company's platform. He asked a Navy officer to claim he had been asked by the Navy to use the company's database to conduct background checks on Navy personnel. Hooper and his accomplice attempted to use fraudulent documents to convince the company to approve the account. Their attempts failed as the company flagged the account for fraud.

    Hooper and Chalk were charged with conspiracy to commit wire fraud and multiple counts of wire fraud and identity theft in a 16-count indictment filed in January 2021. The couple pleaded guilty to the charges in March 2023.

    Hooper was sentenced to five years and five months in prison on October 16, 2023. His wife will be sentenced on November 20.

  • Moldovan accused of running cybercrime marketplace to face charges in US
    therecord.media Moldovan accused of running cybercrime marketplace to face charges in US

    A Moldovan national has been extradited from the United Kingdom to face charges related to allegedly running an online marketplace selling access to compromised computers.

    Sandu Diaconu, 31, appeared in a Florida courtroom on Monday for his arraignment. According to a Department of Justice press release, Diaconu was an administrator for the E-Root Marketplace, which was taken down by authorities at the end of 2020. Buyers could allegedly seek out “compromised computer credentials” on the site, such as remote desktop and secure shell access, “by desired criteria such as price, geographic location, internet service provider, and operating system.”

    According to the DOJ, the site used an online payment system called Perfect Money to conceal the chain of payments.

    “It also offered its illicit cryptocurrency exchange service for the purpose of converting Bitcoin to Perfect Money and vice-versa,” the Justice Department said. “This exchange was also seized.”

    Authorities estimate that credentials belonging to 350,000 devices were listed for sale on the marketplace, with victims spread globally. According to the release, one such victim was a local government agency in Tampa, Florida.

    “Many victims were subject to ransomware attacks, and some of the stolen credentials listed on the Marketplace were linked to stolen identity tax fraud schemes,” they wrote.

    Diaconu was arrested while trying to leave the U.K. in May 2021, and was ordered extradited to the U.S. last month by Westminster Magistrates’ Court.

  • ‘Snatch’ Ransom Group Exposes Visitor IP Addresses

    cross-posted from: https://links.hackliberty.org/post/115041

    > The victim shaming site operated by the Snatch ransomware group is leaking data about its true online location and internal operations, as well as the Internet addresses of its visitors, KrebsOnSecurity has found. The leaked data suggest that Snatch is one of several ransomware groups using paid ads on Google.com to trick people into installing malware disguised as popular free software, such as Microsoft Teams, Adobe Reader, Mozilla Thunderbird, and Discord.

  • Finland, Europol take down PIILOPUOTI dark web marketplace
    therecord.media Finland, Europol take down PIILOPUOTI dark web marketplace

    Law enforcement officials in Finland worked with Europol and a cybersecurity firm to take down a dark web marketplace called PIILOPUOTI.

    The platform had operated on the Tor Network since May 2022 as a way for people to smuggle and sell drugs as well as paraphernalia into Finland, according to a statement from Finnish Customs.

    “The criminal investigation is still underway. At this point, Finnish Customs and our international cooperation partners will not provide any further information on the matter,” they said.

  • Who’s Behind the 8Base Ransomware Website?

    cross-posted from: https://links.hackliberty.org/post/98004

    > The victim shaming website operated by the cybercriminals behind 8Base — currently one of the more active ransomware groups — was until earlier today leaking quite a bit of information that the crime group probably did not intend to be made public. The leaked data suggests that at least some of the website’s code was written by a 36-year-old programmer residing in the capital city of Moldova.

  • Fate of CyberBunker Operators Sealed

    The CyberBunker was a web-hosting services provider operated from a former NATO bunker in Rhineland-Palatinate, Germany. It provided hosting to multiple dark web marketplaces, including Cannabis Road, Wall Street Market, and Flugsvamp 2.0.

    On December 13, 2021, the Trier Regional Court issued prison sentences of between one year and five years and nine months against the operators of the CyberBunker after finding them guilty of participating in a criminal organization. The defendants were also ordered to forfeit funds ranging from approximately €9,000 to €900,000. The court acquitted the defendants of aiding and abetting in the crimes committed through the platforms hosted on their servers.

    Following an appeal by both the eight defendants and the prosecution, the Federal Court of Justice reviewed the verdict and issued its ruling on September 12, 2023. The court denied the defendants' demand for acquittal and upheld their conviction of participating in a criminal organization. The court said that there was sufficient evidence to prove that the defendants were members of a criminal organization that "committed particularly serious crimes."

  • The 'game-changing' attitude behind a very creative dark web takedown
    therecord.media The ‘game-changing’ attitude behind a very creative dark web takedown

    The takedown of the Hansa market showed how old-school policing can play a role in cybercrime cases. The Click Here podcast team talks with the head of the Netherlands’ High Tech Crimes Unit about the legacy of that operation.

    What do you get when you pair hard-bitten cops with cyber whiz kids? One of the largest, most creative dark market takedowns in the history of the internet.

    In 2017, police with the Netherlands’ National High Tech Crimes Unit did more than shut down Hansa, once Europe’s most popular dark web market. For nearly a month, a group of computer nerds and boots-on-the-ground police officers took it over — running the site from the inside, setting up cyber booby traps and showing how a marriage of technical and tactical specialists can enable an operation for the ages.

    That combination — old-school cops working with a younger cyber set — is still paying dividends for the Dutch national police. In an exclusive interview with the Click Here podcast, Matthijs van Amelsfort, head of the National High Tech Crimes Unit, discusses the legacy of the Hansa operation, his team’s unique structure and how a “game-changing” ethos is helping law enforcement stay a step ahead of cybercriminals.

  • Trio Imprisoned for Dark Web Drug Trafficking

    Three men were sentenced to a total of 24 years in prison for their roles in a £2 million counterfeit pills production and distribution operation.

    According to a Metropolitan Police press release, Allen Valentine, 62, his son Roshan Valentine, 39, and Roshan's childhood friend, Krunal Patel, 40, operated several vendor accounts on different dark web marketplaces through which they distributed counterfeit Xanax and Valium pills.

  • Man Pleads Guilty to Running an Illegal Cryptocurrency Exchange Business

    Charles James Randol, 33, admitted that from October 2017 to July 2021, he operated a virtual currency for cash business known as "Bitcoins4Less," and later "Digital Coin Strategies." He provided bitcoin for cash and vice versa for a fee.

    Randol failed to maintain an effective AML program for his business and allowed individuals to anonymously launder millions of dollars. The business was directly linked to a fraud scheme that saw an elderly victim lose over $1 million in savings and retirement funds.

  • Australian Man Charged for Purchasing Drugs on the Dark Web

    According to the Australian Federal Police (AFP), the 23-year-old defendant purchased a wide variety of drugs including MDMA, methamphetamine, oxycodone, and heroin from a dark web vendor based in the UK and had them shipped to a residence in Western Sydney.

    Investigations that resulted in the defendant's arrest began in May 2023 after the Australian Border Force (ABF) intercepted three incoming packages.

    In the first package, the officers reportedly found and seized 133 tablets of MDMA, 100 oxycodone pills, and 97 pills of an analogue of the synthetic opioid, Nitazene. In the other two packages, the officers found a total of 60 grams of MDMA, 25 grams of ketamine, 15 grams of methamphetamine, and 14 grams of heroin. The drugs were reportedly hidden in items such as cookware and toy cars.

  • Introducing Proof-of-Work Defense for Onion Services
    blog.torproject.org Introducing Proof-of-Work Defense for Onion Services | Tor Project

    Today, we are officially introducing a proof-of-work (PoW) defense for onion services designed to prioritize verified network traffic as a deterrent against denial of service (DoS) attacks with the release of Tor 0.4.8.

  • Genesis Market sold to anonymous buyer despite FBI disruption
    therecord.media Genesis Market sold to anonymous buyer despite FBI disruption

    The criminal group behind the cyber fraud platform Genesis Market claimed on Thursday that it had been sold to an unidentified buyer a few months after U.S. authorities sanctioned the platform and seized some of its domains.

  • BreachForums administrator facing 30-year sentence after pleading guilty to three charges
    therecord.media BreachForums administrator facing 30-year sentence after pleading guilty to three charges

    The former administrator of a popular cybercrime forum pleaded guilty this week to three charges related to his operation of the site and to having child pornography on one of his devices.

  • Genesis Market gang tries to sell platform after FBI disruption
    therecord.media Genesis Market gang tries to sell platform after FBI disruption

    The international sting against Genesis Market focused on the fraud platform's presence on the regular web. But the gang is still trying to make some final moves on the dark web.

  • Man charged with running $18 million ‘Monopoly’ darknet marketplace
    therecord.media Man charged with running $18 million ‘Monopoly’ darknet marketplace

    The U.S. Department of Justice charged a 33-year-old citizen of Croatia and Serbia with allegedly operating a drug trafficking platform called Monopoly Market on the darknet.

  • FBI, Ukraine seize cryptocurrency exchanges for abetting cybercriminals
    therecord.media FBI, Ukraine seize cryptocurrency exchanges for abetting cybercriminals

    The FBI and Ukrainian law enforcement have taken down nine cryptocurrency exchanges allegedly catering to cybercriminals.

  • Brother of man who ran Helix cryptocurrency mixer jailed for stealing 712 bitcoin
    therecord.media Brother of man who ran Helix cryptocurrency mixer jailed for stealing 712 bitcoin

    Gary Harmon has been sentenced to more than four years in prison for recreating his brother's offline cryptocurrency wallet and stealing digital coins while the original was in the possession of the FBI.
