When you're a criminal on the dark web, there aren't that many places to turn to for help if something goes wrong. It's not like, say, you can complain to the cops when someone empties your bitcoin wallet on an illegal drug marketplace.
But it turns out, law enforcement is keeping tabs on that sort of crime too. On Wednesday, the United States Attorney's Office for the District of Connecticut announced charges against a man who allegedly tricked victims into handing over their passwords through fake dark web marketplace login screens.
Michael Richo, 34, of Wallingford, is charged with access device fraud, wire fraud, identity theft, and money laundering offenses, all in connection with a plan to steal bitcoins using phishing pages.
Richo allegedly posted links to marketplaces on dark web forums. But instead of going to the real deal, when users clicked these links they were directed to a fake login page that Richo controlled, just like a more traditional phishing scam might use a page that looks like Gmail's login screen.
When unsuspecting victims entered their details, their username and password were sent to Richo. From here, Richo supposedly logged into the target's real marketplace accounts, and transferred their bitcoins to a wallet he controlled. He then sold those in exchange for US currency, and deposited the cash into a bank account.
In all, investigators found over 10,000 stolen usernames and passwords on Richo's computer, according to the announcement.
Arguably, because Tor hidden service addresses are typically random strings of characters rather than easily recognisable domain names, dark web phishing links are particularly hard to spot. For this reason, many marketplaces remind users to check that they have landed on the correct URL.
Indeed, scammers have been using fake sites to steal passwords or other sensitive information from dark web users for years. Last summer, researchers found that one so-called dark web search engine, which acts more as a list of Tor hidden services, was directing visitors to 255 fake sites. These were designed to pinch login details and bitcoins, and included spoofed versions of since-shuttered marketplace Agora, and privacy-focused email service Lelantos.
Richo was released on a $100,000 bond. His money laundering charge carries a maximum term of imprisonment of 20 years, as does wire fraud.