Uncle Scam: Czech Owner of Sheep Marketplace Working With the FBI?


Posted by: DeepDotWeb December 4, 2013

Who benefited from one of the largest bitcoin heists in history?  ‘Benefit’ is an interesting word – simply because a benefit doesn’t necessarily mean a payoff in the form of currency.  Perhaps, the payoff can come in the form of a successful operation, a mission accomplished.

Let us go on an adventure into an intriguing theory, based on what recent reports have already told us and on curious information from a source known as Gwern Branwen.

What’s Happened So Far?

Now up to $100 million in stolen BTC, this heist certainly rattled the entire Tor network drug trade.  On Nov 21, the Sheep Marketplace administrators were sticking with the story that a vendor named EBOOK101 absconded with 5,400 bitcoins.  However, SMP users weren’t quite convinced, due to suspicious occurrences that had already been taking place.   According to Net-Security.org,

“But there are many that don’t believe the explanation, and suspect the operators of Sheep Marketplace of having executed a clever scam. In the week leading to the theft, they began blocking users from withdrawing their Bitcoins.”

Due to the belief that the entire setup may have been a scam, SMP users began to flock towards an online competitor, Black Market Reloaded.  Knowing that this flood of new users would compromise stability and security, BMR decided to close its doors.  According to RT.com,

“The administrator of the site, known as Backopy, said in a forum post the site would not be able to guarantee anonymity to its customers with the influx of new users since Tor – software that hides the identity of the site’s users and owners – is not designed to handle a large user base.

“SR is down, The Black Flag ended up as a scam, Atlantis ended up as a scam and now The Sheep Market follows that dark path. This puts BMR at the edge of the blade. Tor can’t support any site to be too big,” Backopy wrote.”

Essentially, Backopy has decided to close BMR's doors in order to preserve the anonymity of its users.  The Tor network provides anonymity through the difficulty of tracking a single user in a sea of other Tor users.  However, when that network is channeled, it is much easier for these users to be tracked.

In addition, Tormarket, the site to which the suspected-scammer SMP has linked, is not happy about the publicity:

“Sheep Marketplace is not directing to another site called Tormarket, but the attention isn’t wanted. “First of all, we are not associated with the sheep team,” wrote Tormarket. “The sheep admin is linking us on their frontpage. This is the worst PR we can get right now. Please admin remove the link. Please. And most important thing: delete all data and backups to keep the users safe.”

At this point, Tormarket has now become ‘invite only’, attempting to hold back the flow from Sheep Marketplace.  Thus, Pandora is the natural next place that the SMP traffic will flow, as there are already several sources pointing in their direction.

Essentially, all of this traffic is bouncing from one site to another in a massive exodus from SMP, then being forced in almost predictable directions – from BMR to Tormarket to Pandora.  From what we know of the NSA’s methods of ‘end-to-end correlation’, it certainly would make sense that SMP’s demise has provided law enforcement with volumes of information about the Tor network’s illicit drug trade traffic.  Backopy of BMR even warned about such movements in traffic, deciding to close down the site as a result.  This movement of traffic must have been predictable from the start.

Czech, Please

Only 1 month ago, a Reddit post from Theduded23 complained that Sheep Marketplace security was extremely flawed, saying that it took very little time to track down where the site was based and what company ran the server:

“Oh, we found sheepmarketplace.com’s real ip at the first attempt. Not bad.. Let’s check IP details whois Result: http://i.imgur.com/YUUUjtf.png Well, as you see sheepmarketplace.com hosted in Czech Republic on HexaGeek’s servers Guess what it means sheepmarketplace.com’s owner same as sheep5u64fi457aw.onion He is living in Czech Republic He sucks at security”

Perhaps it was this relaxed stance on security that landed Tomas Jiřikovský, the suspected scammer, in a difficult situation.  Attempting to move the stolen bitcoins like the wind through the blockchain, it appears as if he was running from a disgruntled SMP user called TheNodManOut:

“I’ve been a very busy boy. All day, we’ve been chasing the scoundrel with our stolen bitcoins through the blockchain. Around lunchtime (UK), I was chasing him across the roof of a moving train, (metaphorically). I was less than 20 minutes, or 2 blockchain confirmations, behind Tomas,” he wrote on 2 December Reddit post that refers to the individual accused of the scam.

“I’ve just chased a thief through a washing machine for you.”

This is where the story becomes interesting…

They Call Him Gwern

A researcher named Gwern Branwen posted a bet, heralding the end of both SMP and BMR.  He noticed that Sheep Marketplace had a ‘mirror site’ on the clearnet, meaning that it would show up on Google.  A clearnet site is, by nature, very easy to trace by law enforcement.  In addition, the similarities between the real darknet site and the clearnet site were eerie, as operation from servers in the Czech Republic seemed to be a recurring theme.  DJ Pangburn of Motherboard.vice.com reports,

“Even before the mysterious leaker’s help, Branwen smelled something fishy with the goings-on at Sheep Marketplace. “The veriest Google search [of Sheep Marketplace] would turn up that clearnet site,” wrote Branwen in his Reddit post The Bet: BMR and Sheep to die in a year. “And it has been pointed out that the clearnet Czech site hosted by HexaGeek was uncannily similar to the actual hidden service.”

This bet was posted roughly one month before the SMP scam took place; however, mere days afterwards, Branwen was contacted by an anonymous ‘security hobbyist’, who told him that SMP was started and run by none other than a Czech individual named Tomas Jiřikovský, according to Pangburn.

The anonymous source said that he was able to track down Jiřikovský, and began to divulge damning information about the wayward scammer to Branwen.  The information was very convincing that Jiřikovský is the one who runs SMP.  Pangburn writes,

“The documents note, among other things, that Jiřikovský owns the Sheep Marketplace VPS hosting service, and controlled several other domains on that service, Old Cans and Font Park being two of them; that he was the earliest Sheep Marketplace promoter, advertising it on other sites earlier this year; that he is a Czech developer who runs Ubuntu, just like the Sheep Marketplace developer; and that his email address is listed on the Bitcoin Scammer List.”

The tale becomes even muddier when Branwen finds out that this anonymous security hobbyist had already contacted the FBI concerning his findings (in addition to leaking information about BMR and even Project Black Flag in the past).  This means that the FBI already knew the location of Sheep Marketplace servers, in addition to the real world identity of its creator – and did nothing?  Could it be that the FBI wasn’t exactly surprised by this information?

An FBI Operation From the Start?

According to the Pangburn article, this anonymous security hobbyist leaked information to the FBI on Nov 2, which means that law enforcement would have had plenty of time to track down Jiřikovský.  However, the Czech was able to get away with millions in bitcoins after 18 days of no law enforcement interference?  Why didn’t they move in?

Perhaps, the FBI either allowed the scam to happen, or outright orchestrated the scam by gaining leverage through Jiřikovský’s wayward past.

One website even goes as far as to suggest that this Czech scammer was working with the authorities, and was able to work out some kind of a deal.  Curiously, this website is written in Czech.  Be warned, the translation is a little rough:

“FBI reportedly had received information from the same informant, who spoke with Branwen. Thus, if the programmer Thomas J. indeed for the operation of Sheep Marketplace centuries, perhaps a deal with investigators in some form of cooperation, Vice speculates.”

Again, we must ask, who benefitted most from the demise of Sheep Marketplace and the subsequent scamming of its users out of $100 million in BTC?  The result of this most recent scam removed one marketplace (SMP), shut down another (BMR), and directed the traffic to two obvious others (Tormarket then Pandora).

Concerning the scammer himself, Ross Ulbricht of Silk Road was caught from only a few slips in security, but Jiřikovský was not caught – yet had massive security flaws, in addition to a mirror site running on the same servers from the Czech Republic?

In addition, what was the true purpose of the mirrored clearnet SMP site?  Could it have provided law enforcement with an opportunity to launch “man-in-the-middle” attacks against Sheep Marketplace users?  We already know that the NSA is utilizing these tactics, especially against the Tor network, according to Bruce Schneier.  Could these attacks have infected user computers, and now authorities are extracting mountains of data about darknet drug trade traffic by stirring the anthill?

One argument against this theory could be that the FBI would never use such tactics, as it enables crime to persist on a grand scale.  Law enforcement itself would be responsible for untold numbers of illicit drug transactions.  However, this would not be the first time that the FBI has allowed large amounts of cybercrime to persist for the purpose of catching the big fish.

On Friday, Nov 15 2013, a hacker named Jeremy Hammond was sentenced to 10 years in prison.  How did he get caught?  He was enabled by the FBI, and set up for the sting, said the convict:

“In August, Hammond released a statement suggesting that while Sabu aided the FBI, the bureau also used him to encourage other group members to hack various websites at the agency’s choosing, including those of foreign governments.

“What the United States could not accomplish legally, it used Sabu, and by extension, me and my co-defendants, to accomplish illegally,” Hammond wrote. “Why was the United States using us to infiltrate the private networks of foreign governments? What are they doing with the information we stole? And will anyone in our government ever be held accountable for these crimes?””

If the FBI simply used SMP to track users in the darknet drug trade, allowing it to continue until the time was right, it is certainly not outside the realm of possibility.  With all we have found out about US government tactics in 2013 alone, no tactic seems out-of-bounds any longer.

These, of course, are only theories…


Updated: 2013-12-04