Posted by: DeepDotWeb
July 29, 2014
To follow up on CALIGIRL, who was arrested back in May:
- complaint: http://www.justice.gov/usao/flm/press/2014/May/20140530_Jones_Complaint.pdf (mirrors: https://pdf.yt/d/tcsNRAqsBiI6f-Yc / https://www.dropbox.com/s/76cd2ut2vmw85fj/20140530_Jones_Complaint.pdf )
- PACER docs: https://www.dropbox.com/s/8gsxrkzuj1p3jx3/2014-07-29-pacer-caligirl.maff
The summary here is that CALIGIRL sent packages which were easily profiled and all of which went through the same sorting center, allowing for relatively easy backtracking to a specific postal box he would drop his packages off in. Later, he put icing on the cake by allowing the undercover agent to pay directly to his bank account.
What strikes me is just how ridiculously comprehensive the investigation is (the complaint is 73 pages long) and how much data the agent could access. It’s comparable to MDPro – about the only thing he didn’t do is get the ISP to cough up records showing Tor usage. Here’s a (mostly) comprehensive list of data sources the agent used:
- Amazon shopping logs and IP
- #bitcoin-otc IP & transactions
- Local Bitcoin transactions
- domain names and telephone
- cellphone apps (Ding) usage & callers & IPs
- Post Office photos (from automated postal machine)
- landlord for his post box
- travel records
- electronic toll records recording movements of his car
- hotels he stayed at (he used places he stayed or was near as return addresses)
- financial records from:
  - Xoom (and IP addresses)
  - Wells Fargo
  - JP Morgan Chase
  - Western Union
As part of the investigation, I made two (2) undercover purchases from CALIGIRL’s Silk Road account [11 July 2013, 25 September 2013] and six (6) additional undercover purchases from CALIGIRL [9 October 2013, 22 October 2013, 3 January 2014, 5 February 2014] outside of the Silk Road website utilizing an encrypted and anonymized program called Bitmessage. CALIGIRL only accepted the crypto-currency Bitcoin as currency for the purchase of controlled substances…I placed an additional two (2) undercover purchase orders which were subsequently cancelled by CALIGIRL due to supply issues.
…Based upon the reliable package profile developed from the known packages being sent through the USPS, more than 100 additional packages were identified as having been mailed by Jones. In addition to the eight (8) undercover controlled substance purchases from Jones/CALIGIRL, an additional four (4) packages containing controlled substances were seized and searched pursuant to federal search warrants issued by the United States District Court in the Northern District of Texas. To date, more than 400 Oxycodone tablets and more than 900 Hydrocodone tablets have been seized or purchased from Jones.
…Between April 10, 2013 and September 9, 2013, the CALIGIRL Silk Road account completed 685 finalized sales. From these transactions, CALIGIRL collected Bitcoins valued at approximately \$141,086.19. CALIGIRL also completed additional Silk Road sales valued at approximately \$36,166.05 that were not finalized by the buyer or the funds remained in escrow. The Bitcoin to dollar price was calculated at time of each transaction and was recorded on the Silk Road server.
…As CALIGIRL completed 900 Oxycodone orders, 608 Hydrocodone orders, 165 Clonazepam orders and 260 orders for other substances labeled ‘Prescription,’ ‘Pain Relief’, ‘Drugs’, ‘Adderall’, ‘Benzos’, ‘Tramadol’, and ‘Lorazepam’, each finalized sale likely contained multiple products in varying quantities. The transactions were as follows:
- 24 identified transactions took place in April 2013 with an approximate Bitcoin value of \$2,583.19;
- 6 identified transactions took place in May 2013 with an approximate Bitcoin value of \$1,030.73;
- 53 identified transactions took place in June 2013 with an approximate Bitcoin value of \$9,247.72;
- 225 identified transactions took place in July 2013 with an approximate Bitcoin value of \$47,741.31;
- 256 identified transactions took place in August 2013 with an approximate Bitcoin value of \$58,324.98; and
- Between September 1, 2013 and September 9, 2012, 219 identified transactions took place with an approximate Bitcoin value of \$54,373.84.
…Utilizing the average price of Bitcoin for the above identified Silk Road transactions, between September 10, 2013 through February 1, 2014, the transactions were worth approximately \$1,152,367.48.
I located a post made by CALIGIRL’s Silk Road account in a message thread titled “Vendors/Buyers – Post Future Details and profiles Here – 3rd Backup Released”. The purpose of this message thread was to provide buyers and vendors on the Silk Road website with a means to continue business, despite the shut down and seizure of the Silk Road website. In the message posted by CALIGIRL, an e-mail address of email@example.com and a Bitmessage address were provided. On October 9, 2013, I sent a message to the Bitmessage address that was provided by CALIGIRL. CALIGIRL responded to my message by requesting my identity. I provided CALIGIRL with my undercover identity. CALIGIRL responded by providing me with a ‘trusted’ Bitmessage address and instructions to remove the original address. CALIGIRL further stated that future orders for controlled substances made through Bitmessage would be honored.
…On July 15, 2013, I received a USPS priority mail package at the undercover commercial post office box location that I provided CALIGIRL as the shipping address for the Oxycodone and Hydrocodone tablets purchased on July 11, 2013. The box showed a handwritten return address of “A. Wilson. 2071 N. Collins, Richardson, Texas 75080.” The USPS tracking number showed the package originated in Fort Worth, Texas on July 11, 2013. The package had \$5.80 postage affixed, in the form of one \$5.60 Arlington Green Bridge stamp and two \$0.10 stamps.
…On September 30, 2013, I received a USPS Priority envelope at the shipping address I provided CALIGIRL for the shipment of Oxycodone purchased on September 25, 2013. The Priority envelope had a printed return address of “Kara Shea, Travel Professionals, 4903 W. Plano Pkwy, Plano, TX 75093”. The affixed USPS tracking number showed the package originated at the Coppell, Texas mail sort facility on September 26, 2013. The envelope had \$5.60 in postage affixed, in the form of one “Arlington Green Bridge” \$5.60 stamp.
…On October 17, 2013, I received a USPS Priority Mail envelope at the undercover address I provided CALIGIRL for the Hydrocodone tablets purchased on October 9, 2013. The USPS Priority envelope had a printed return address of “Tyler Randolph, Northwest Insurance, 616 N. Central Expressway, Dallas, TX 75206.” The USPS tracking number affixed indicated the package had originated at the Coppell, Texas mail sort facility on October 9, 2013. The envelope had \$5.60 in postage affixed to it in the form of one “Arlington Green Bridge” \$5.60 stamp.
…On October 25, 2013, I received a USPS Priority mail envelope at the shipping location provided to CALIGIRL for the Hydrocodone purchased on October 22, 2013. The USPS Priority envelope had a printed return address of, “McKinsey & Co, 2200 Ross Ave, Dallas, Texas 75201.” The USPS tracking number affixed showed the package originated at the Coppell, Texas mail sort facility on October 22, 2013. The envelope had \$5.60 in postage affixed, in the form of one “Arlington Green Bridge” \$5.60 stamp.
…I requested that the order not be shipped until January 23, 2014. On January 13, 2014, I went to the Coppell, Texas USPS processing plant. Because all of the undercover purchases of controlled substances, except one, originated at the Coppell, Texas mail processing plant, Postal Inspectors and I attempted to profile additional packages that could match packages originating with CALIGIRL. A total of four (4) packages matching the profile were removed from the postal stream. The four packages removed all originated from a blue U.S. Mail collection box located at 8135 Forest Lane, Dallas, Texas. That location was approximately 0.4 miles from Jones’ residence at the time of the shipment, 12009 Coit Road, Apartment 5313M, Dallas, Texas. The additional three (3) packages were addressed to Customer-1, Customer-2, and Customer-3. Federal search warrants, issued by the United States Court, Northern District of Texas, were executed on the additional packages. All three packages were found to contain controlled substances. Specifically, the packages contained: [oxycodone, hydrocodone, clonazepam] [no mention of whether the customers received controlled deliveries or not]
…Also on January 13, 2014, I accompanied a U.S. Postal Inspector to E-Z Mail Services. As detailed later in this affidavit, mailbox 620 at E-Z Mail Services is leased by Jones. While at E-Z Mail services, the owner/manager stated there was a suspicious package in mailbox 620. Inside the mailbox, I observed a small USPS Priority flat rate package that was addressed to Tyler Zeddai. All seams of the box were taped excessively. A federal search warrant, issued by the United States District Court, Northern District of Texas, was executed on the package. Inside the box, I located a “calm aid” box and a printed shipping invoice for a natural calming product. Concealed inside the “calm aid,” I recovered 685 Hydrocodone 5mg tablets.
…The USPS Priority envelope had a printed return address of, ‘Beading Dreams, 5929 W. Lovers Lane, Dallas, TX 75029’. The USPS tracking number affixed indicated the shipment originated in Coppell, Texas on January 21, 2014. The envelope had \$5.66 of postage affixed to it in the form of one \$5.00 stamp and two \$0.33 stamps.
…The express mail envelope had a handwritten return address of, “Stewart Title, 12700 Preston Rd, Dallas, TX 75230.” The USPS tracking number affixed indicated that the package originated at the Coppell, Texas sort facility on February 8, 2014. The envelope had \$20.00 of postage affixed in the form of four \$5.00 stamps.
…On March 17, 2014, I again made contact with CALIGIRL through the Bitmessage program and the ‘trusted’ Bitmessage address CALIGIRL supplied to me. I informed CALIGIRL that I wanted to purchase 100 Oxycodone 20mg tablets and 100 ‘Hycodan’ Hydrocodone 5mg tablets, but that I only had in my possession 1.4 Bitcoins which would not cover the cost. In response, CALIGIRL stated that I should contact Matthew Jones and provided me a telephone number of 972-666-1223 for Jones. Further, CALIGIRL stated that Jones was also known as “DYNAMITE2k” on http://localbitcoins.com/ and would be able to accept cash from me, as well as provide Bitcoins for the purchase of controlled substances. I contacted Jones on the telephone number provided. Jones stated that he liked to speak to new Bitcoin clients to ensure that both parties understood Jones’ process and that there were “no surprises.” I told Jones that I wanted to provide him \$1,000 to convert into Bitcoins and then transfer it to CALIGIRL. Jones referred to CALIGIRL as “Jen”. Jones stated that he would provide me with a Wells Fargo Bank account number and account holder name via text message after the conclusion of our phone call. Jones instructed me to go to a Wells Fargo Branch location and deposit the currency directly into the account he provided. Jones told me not to put any information additional to the account holder name and account number, and to not answer any questions that may be asked by the bank teller. After the deposit was completed, Jones instructed me to send him a picture of the deposit slip. On March 18, 2014, I went to the Wells Fargo Bank branch located at 1530 International Parkway, Lake Mary, Florida. I completed a bank deposit slip with the information provided by Jones. I gave the deposit slip and \$1,000 to the bank teller. The bank teller provided me with a deposit receipt. I took a picture of the deposit slip and sent it via text message to Jones.
In addition to the photograph that I provided to Jones, Jones stated via text message that he also contacted the bank to confirm the deposit. I asked Jones to confirm the actual amount of Bitcoins that would be credited towards future purchases. Jones stated that I should think in terms of cash, and that, after a 5% commission, \$952.38 would be credited towards future purchases. Based on my training and experience, Jones’ statements indicated that no conversion to Bitcoin was taking place; Jones was both the recipient of the currency and the sender of the controlled substances.
…The tracking number indicated the package received its first scan at the Coppell, Texas sort facility at 10:00 p.m. on March 18, 2014. Also affixed to the envelope was an Automated Postal (“APC”) computer generated postage stamp valued at \$5.60. The APC postage indicated a purchase date of March 17, 2014 and a purchase zip code of 75260. The APC machine was located at the Dallas Main Post Office, 401 Dallas Fort Worth Turnpike, Dallas, Texas 75260. The USPS Priority envelope had a printed return address of “Tonya Berent, LPC, 9323 Dove Meadow Dr., Dallas, 75243” affixed to it. …The United States Postal Inspector service subsequently provided me with the images captured by the APC machine during the purchase of the postage affixed to the package I received on March 20, 2014. I compared the APC images to known images of Jones, including publicly available images on Facebook and found them to match. Additionally, I showed the images to DEA TFAs who have previously seen Jones in person. These agents also confirmed that the photographs depicted Jones. As part of this investigation, I reviewed telephone toll information for 972-666-1223 obtained from Dingtone, Inc. (Dingtone). Telephone number 972-666-1223 was the number that CALIGIRL told me to call when I needed to speak to Jones.
…During the course of this investigation, I reviewed records obtained from Amazon.com (‘Amazon’) relating to Jones’ purchases from its website. The records reviewed included purchase, shipping, billing, and IP address information. The records showed that, on July 2, Jones utilized his Amazon account to purchase 1000 3″x5″ clear plastic zip lock baggies and 500 4″ x 8″ bubble mailer manila envelopes…Jones completed the Amazon transaction from IP address 188.8.131.52. I geo-located this IP address to Columbia. As detailed in this affidavit, Jones is known to frequently travel to Colombia. Jones has also accessed Bitcoin trading Internet chat rooms from this IP address. Specifically, on March 24, 2013, Jones accessed the chat room #bitcoin-otc under the pseudonym ‘Dynamite’ from IP address 184.108.40.206.37. Jones was authenticated on the chat room by the Bitcoin-otc authentication software, providing proof that ‘Dynamite’ was indeed Jones and not someone attempting to utilize his pseudonym.
…I utilized Jones’ telephone number, 214-853-5236, to locate additional domain names registered by Jones. I located 12 additional domain names containing 214-853-5236 in the WHOIS records. Included in the list of domain names were www.aflinqtonhardware.com, vqww.fedi-check.com, and www.ledicharoe.cgm. All of these domains listed an address of 2602 McKinney Avenue, Dallas, Texas as the contact address. As detailed in this affidavit, the address 2602 McKinney Avenue, Dallas, Texas was utilized as the return address on a package identified by the United States Postal Inspector as originating with CALIGIRL. This package was placed in the mail stream on or about August 23, 2013.
…During the course of this investigation, I reviewed Jones’ records obtained from the North Texas Tollway Authority (NTTA). Jones uses a NTTA account and transponder…The NTTA records that I reviewed covered the time period of August 24, 2013 through February 21, 2014. The toll charges incurred on the NTTA account detail that Jones’ vehicle utilized NTTA roads to travel between Jones’ former residence, 12009 Coit Road, Apartment 5313M, Dallas, Texas and Jones’ commercial mailbox located at E-Z Mail Services.
…During this investigation, I reviewed records obtained from Xoom Corporation regarding Jones’ Xoom account. Xoom is an online wire transfer service that provides consumer currency remittance…During this period, Jones sent Xoom wire transfers totaling \$58,022.57 in a total of 131 transactions. Of these transactions, 128 transactions, totaling \$57,472.57, were sent to Colombia. The remaining three transactions, totaling \$550, were sent to Costa Rica. 31 of these transactions, totaling \$20,979, were sent to ‘Mateo Jones,’ which is an alias utilized by Matthew Jones on Facebook. The average value of these transfers was \$676.74. All of the wire transfers sent to ‘Mateo Jones’ were received in BanColumbia account number xxxxxxx5028. 57 of the Xoom transactions, totaling \$27,091.07, were sent to ‘P.C.E.,’ Jones’ spouse. The average value of these transfers was \$475.29. All the wire transfers sent to ‘P.C.E.’ were received in BanColumbia account number xxxxxx8311. 19 of the Xoom transactions, totaling \$5,174, were sent to ‘A.G.R.’ The average value of these transfers was \$272.32. All of the wire transfers sent to ‘A.G.R.’ were received in BanColumbia account number xxxxxx3764. The transactions sent to ‘A.G.R.’ appeared to have been structured in a manner to intentionally avoid triggering money laundering and reporting requirements. There were multiple transactions made on the same day to the same person and there were several transactions over a short time frame to the same person. These transactions also appeared to have been structured in order to remove currency from the United States without triggering currency export reporting requirements. The remaining transactions, totaling \$4,251.50, had a consistent relationship between the sender and recipient of the funds. Additionally, the funds were sent in consistent amounts with the average transfer amount being \$177.15.
70 of the Xoom wire transfers, totaling \$31,374.83, were funded utilizing Jones’ Wells Fargo debit card xxxxxx6133. This card debited money from Jones’ Wells Fargo account xxxxxx5888. Jones received statements for this Wells Fargo account at his E-Z Mail Services mailbox. 40 of the Xoom wire transfers, totaling S,S37.74, were funded utilizing Jones’ Diners Club card, xxxxxx5536. This card was issued to Jones by 49BHO Harris Bank. Jones received statements for his Diners Club credit card at his E-Z Mail Services mailbox. The remaining wire transfers were paid utilizing other debit and credit cards issued to Jones. Jones discontinued utilizing Xoom’s services after August 2, 2013. As Xoom operates as an online service, the records they provided also included IP addresses that Jones’ account was accessed from. I performed IP address lookups on the provided IP addresses. During the period Jones used Xoom, his account was accessed from IP addresses located in Dallas, Texas, Wilmington, North Carolina, and from IP addresses located in Colombia. The Xoom account was also accessed from IP address 38j07.218.2. I identified this IP address as assigned to the Sheraton Dallas Hotel. The Sheraton Dallas is located at 400 N. Olive Street, Dallas, Texas and is connected by elevated walkway to Jones’ place of employment. The Sheraton Dallas was utilized as a return address on packages containing controlled substances, including several of the packages seized on January 13, 2014 at the Coppell, Texas U.S. Postal Service sort facility.
…I reviewed records for Wells Fargo account xxxxxx5888, a checking account opened by Jones on February 8, 2010. When opening the account, Jones provided his Texas driver’s license, Social Security number, and a Citi Group MasterCard as forms of identification…I also reviewed Wells Fargo savings xxxxxx4421 which was opened at the same time as account xxxxxxx5888. …An additional \$10,853.56 was deposited at ATM machines. The Wells Fargo counter and ATM deposits were in inconsistent amounts, occurred on a variety of dates, and were made at a variety of geographical areas. Based on my training and experience, this activity is consistent with Bitcoin sales where a Bitcoin customer makes a pre-arranged counter-deposit into a Bitcoin dealer’s bank account. …Bitcoin exchange deposits into the account totaled \$7,493.71. Dwolla, an online Bitcoin exchange, deposits accounted for \$6,409.71. Coinbase, another online Bitcoin exchange, deposits totaled \$1,084.04. Notably, there were no Bitcoin related debits from any of the accounts I reviewed during any time period…Between June 14, 2013 and July 29, 2013, Jones utilized his Wells Fargo debit card to make 9 transactions with the United States Postal Service. The purchases were made at the Arlington, Texas U.S. Post Office and the Dallas, Texas U.S. Post Office. Jones spent \$435 during these transactions. The average amount spent at USPS was \$48.33. The highest value transactions took place on July 19, 2013 and July 29, 2013, and were both for \$119.70. Jones has no known legitimate business requiring heavy use of the USPS.
…As part of my investigation, I reviewed financial records obtained from JP Morgan Chase (JPMC) regarding accounts held at that institution by Jones for JPMC account xxxxxx9730. The account was opened on December 7, 2009 by Jones, who provided his Texas driver’s license as a form of identification when opening the account. …On August 15, 2013, Jones utilized the debit card associated with account xxxxxx9730 to make a \$23.66 purchase and a \$404 ATM withdrawal at a Walmart in Port Isabel, Texas. During this same time period, known packages originating with CALIGIRL were mailed from Port Isabel, Texas. These packages were sent using Express Mail on August 14, 2013 and August 15, 2013. On July 9, 2013, Jones utilized the Chase debit card associated with account xxxxxx9730 to make a \$117.85 purchase at the United States Post Office in Dallas, Texas.
…As part of this investigation, I reviewed records received from Western Union relating to Jones’ use of its wire transfer services. The records covered the time period of September 21, 2013 through October 9, 2013. Between September 22, 2013 and October 9, 2013, Jones received 53 Western Union wire transfers totaling \$33,404.23. The wire transfers were initiated by multiple subjects and originated in different geographic locations. The originating locations included 16 different states, Mexico, Chile, Germany, and Sweden. Of the 53 identified transactions, the average amount received by Jones was \$630.26. The largest single transaction during this time period was \$1,047.92 and was received by Jones on October 6, 2013. The smallest single transaction identified was \$209 and was received by Jones on September 21, 2013.
…As part of my investigation, I reviewed Jones’ use of MoneyGram wire transfer services. The records reviewed include transactions dated between September 28, 2013 and October 8, 2013…Between September 28, 2013 and October 8, 2013, Jones received 23 MoneyGram wire transfers, totaling \$12,872.22. The wire transfers were initiated by multiple individuals and originated in different geographical locations including 13 different states and Brazil. Of the 23 transactions, the average dollar amount received by Jones was \$559.66. The largest single transaction was \$899 and was received by Jones on October 5, 2013. The smallest transactions received by Jones were for \$450. Jones received nine \$450.00 wire transfers during the period, all of which originated with different individuals.
…Jones operated on LBC under the pseudonym ‘Dynamite2k’. Through his LBC profile, I was able to determine that Jones utilized LBC to make over 100 Bitcoin trades, with 97 unique partners. Jones received 100% positive feedback.
This is a lot of interesting information that many people can learn from. We will be following this case and updating as more information becomes available. Again, full credit goes to Gwern for posting this on Reddit.
Updated: 2014-07-29