Guy Who Sold Meth Under Screenname ‘Drugs R Us’ Going to Prison

Michael Goldberg, a 36-year-old man who sold meth on the darkweb under the name “Drugs R Us,” is going to prison.

As first spotted by Dark Net Daily and detailed in court documents, Goldberg ran a criminal organization with his wife and a few other associates. According to the criminal complaint, Goldberg and his associates purchased drugs from various sources and then shipped them internationally using UPS, DHL, and the United States Postal Service.

Goldberg and company weren’t sneaky and the authorities first figured out something was up in 2018 when they discovered several parcels intended for the Philippines were full of methamphetamine. Goldberg shipped them under fake names but used a phone number registered to his real name.

After the cops arrested him, Goldberg continued to run his criminal empire from jail. “While detained at the Metropolitan Detention Center…Goldberg has made numerous phone calls to Rabulan, often using other inmates’ phone lines, to discuss drug trafficking, destruction of evidence, and the movement of currency,” the criminal complaint said.

The cops, of course, recorded these phone calls. Which is why we know his dark web store’s name. “I don’t know the login for the other thing…the dark web,” Goldberg’s wife said during a call the cops recorded.

“It’s ‘Drugs R Us,’” Goldberg said.

Later in the conversation, his wife told Goldberg that the business wasn’t going well. “Babe. I was online yesterday. It was all bad. Oh my gosh, oh my gosh. That’s all I’m going to say,” she said.

“How many did they get? A lot? All of them?” Goldberg said.

“I’ve seen everything that you’ve dinged,” she said. “Like everything. Everything.”

“So, they got every last thing that we’ve sent? That’s crazy,” Goldberg said into an unsecured line while sitting in prison.

Goldberg was a busy international drug dealer. “I have identified a total of 59 international mail parcels that I believe are part of Goldberg and Rabulan’s scheme to distribute drugs,” the criminal complaint said. “Shippers mailed these parcels to the Philippines, Australia, New Zealand, the United Kingdom, Italy, Poland, and France. Fourteen of the 59 parcels have been seized in the United States containing a total of approximately 22.3 kilograms of methamphetamine and 170 grams of marijuana. Authorities in other countries have seized four of the 59 parcels containing 2.1 kilograms of methamphetamine.”

Impressed with himself, Goldberg told an associate he knew what he’d do once he got out of prison. “I was reading this book about this Cocaine Cowboy [A famous drug dealer that inspired ‘Miami Vice’] and I was like, ‘this fool is fucking weak,’” Goldberg said. “I really want to do a movie and book when I get out. I think I’ll make enough money for everybody to get out of the game. Man, damn, this would be a great fucking documentary.”

The Alleged Scammers Behind the Most Notorious Murder-for-Hire Site Have Been Arrested

Five men believed to be behind the web’s most notorious murder-for-hire scheme were arrested in Romania this week, as part of an operation aimed at putting an end to the infamous dark web scam.

Since its inception in the 2010s, the operation has funneled users searching for ways to hire an assassin online to a site on the dark web. That site has gone by a series of different names: Besa Mafia, Camorra Hitman, and, most recently, the #1 Hitman Marketplace. Once there, users were asked to submit their target, information about how and when they would like them killed, and to pay a fee, typically $5,000-20,000, in Bitcoin.

The site was quickly identified as a scam, and yet thousands of orders flowed in over the years, along with plenty of paying customers. Husbands ordered hits on their wives, business partners sought assassins for their colleagues, a man who lost money on a sports betting website asked to murder the customer service rep who failed to return it to him, and a predator paid to arrange the death of a 14-year-old boy.

Romania’s Directorate for the Investigation of Organized Crime and Terrorism (DIICOT) says that it led the raids at the request of the United States; the Department of Homeland Security and the FBI have been investigating cases related to the operation for years. In a statement made after the arrests, DIICOT said that “authorities in the United States of America have determined that this group consists of five or more persons located in Romania, who acted in a coordinated manner to administer those sites and to launder money obtained as a result of instigating crimes to kill.” Five individuals and four witnesses were detained in the operation, a video of which the agency released along with the announcement.

The security analyst Christopher Monteiro gained access to the backend of the first scam site run by this group, Besa Mafia, in 2016, allowing him to see a full inventory of the ordered “hits,” which he would then pass along to the authorities. He published a number of blog posts exposing the operation, which angered Yura enough to hire someone to threaten him personally.

The operation is a scam, but its users are serious about their purchase, and intend to inflict real harm. Monteiro has access to this “kill list,” which I have viewed. Some of the names on that list now belong to homicide victims, killed by the person who originally made the order. Others know that someone in their lives wants them dead, which amounts to a unique form of psychological abuse. I reported extensively on the operation, and the database of evidence it yielded, for Harper’s Magazine in 2020. After years of mostly ignoring his tips, in 2020, authorities began taking them seriously. Since then, Monteiro estimates that around 25 arrests have been made of individuals who have paid to have people killed through the website. (Neither DIICOT nor the DHS immediately responded to a request for comment.)

But the team behind the site orchestrating it all remained elusive. For years, authorities were unclear who was behind the operation; all communications were conducted by a figure who went as “Yura.” Yura would communicate with users who sent messages inquiring into the hitman services, encouraging them to order and easing their concerns in broken English. It was long believed, on the evidence of those chat logs, that he or they resided in Eastern Europe, and Romania, which has a reputation for fostering a culture friendly to web scammers. Yura even conducted interviews, his voice disguised, for TV segments; and yet his identity and whereabouts were unknown.

Even after the raids, it’s still unclear whether this was the work of one person who grew an operation to the point it needed support from a team, or if it was always a larger effort. The website itself evolved over time, from a clunky and simple page reminiscent of Geocities-era web to one that hosts putative forums, user profiles, and a (slightly) more modern design, replete with gruesome images intended to relay a proof of concept.

The DIICOT says that the damages of the operation are believed to be around 500,000 euros, though if the scammers held onto the bitcoin they collected back in 2016, it would be worth far more than that today. And whether it’s enough to shut down the operation for good is an open matter; it is easy enough for another to keep running the scam. Furthermore, there are still thousands of people who have contacted Yura about hiring a hitman, and submitting the name of a person they want dead.

This is why Monteiro is ambivalent about the news of Yura’s apparent apprehension, despite years of working to shed light on the operation and its victims. “It's great an international law enforcement operation took down these criminals, but when will they ever proactively investigate the thousands of names on the kill list?” Monteiro wrote me in a message.

Finally, even if Romanian authorities and U.S. agencies do manage to shut Yura’s operation down, it has already proved successful enough to inspire copycats around the web. Another site, which appears to be operated by different people, and claims to serve the Russian region primarily, is fully operational. I downloaded a Tor browser and logged on, found a link to the Telegram chat of the “Jabba Syndicate” and inquired into getting a hitman in Los Angeles. They replied within minutes.

Yes, they could get someone to do the elimination right away. It would cost $15,000.

REvil Ransomware Site Goes Offline

Multiple websites linked to the infamous ransomware gang REvil are currently offline, according to multiple security researchers. REvil is the group linked to the recent hack of information technology firm Kaseya, which an REvil affiliate then used to ransom a wealth of other companies around the world.

"Onionsite not found," an error message currently reads when visiting REvil's dark web site where the group ordinarily posts data stolen from victims.

Lawrence Abrams, owner of information security publication BleepingComputer, said in a tweet that the downtime extended to "all" of REvil's sites, including their sites used for ransom payment.

Pseudonymous research group vx-underground added in a tweet that "Unknown," a representative for REvil, has not posted on popular hacking forums Exploit and XSS since July 8.

The reason for the downtime is unclear. Sometimes dark web sites temporarily go offline and swiftly return. The site has been down now for over eight hours. Vx-underground added that the dumping site became unresponsive at 1AM EST.

REvil is a hugely prolific ransomware group, and was also responsible for the attack on the world's largest meat producer JBS. The group is Russian speaking.

President Biden told President Putin last Friday that Russia must "take action" against cybercriminals based in the country who target the United States. Russian and U.S. officials are meeting this week to discuss the issue.

FBI Paid Anti-Child Predator Charity $250,000 for Hacking Tools

The FBI paid a non-profit organization focused on unmasking child predators $250,000 for access to a series of hacking tools, according to public procurement records viewed by Motherboard.

The news provides more insight into how the FBI obtains some of its hacking tools, or so-called network investigative techniques (NITs). The contract also highlights the close relationship between private parties and the FBI when hacking suspects. Facebook, for example, previously bought a hacking tool for the FBI to use to unmask one of the social network's users who was aggressively targeting minors on the platform.

The procurement record says the FBI's Child Exploitation Operational Unit (CEOU) is "purchasing a set of NITs." The contract dates from June 2020.

The NITs "have been demonstrated for OTD and CEOU and which have the capability, if activated, of providing the true internet address of the subject," the product description continues, referring to the Operational Technology Division, a part of the FBI that carries out hacking operations. The latter half of the product description is cut off, but reads in part "of providing the true internet address of the subject even when hidden behi," presumably referring to whether the target is behind a proxy or anonymization network.

The non-profit that the FBI paid for the NITs is called the Innocent Lives Foundation (ILF).

"We unmask anonymous child predators to help bring them to justice," the organization's website reads. "We use Open Source Intelligence Gathering (OSINT) methods to identify child predators. Once we have gathered the appropriate amount of information to confirm the identification of the predator, that file is then submitted to law enforcement," the website continues.

The ILF includes a board of directors, various corporate roles such as a Chief Operating Officer, and a number of volunteers who are accepted by invitation only, the website reads. In 2019, hacking conference DerbyCon selected the ILF as one of the featured non-profits of the conference, and provided the charity with more than $25,800 in donations, the ILF website adds.

U.S. law enforcement's umbrella term of network investigative technique has previously encompassed a wide range of different technologies and approaches. In some investigations NIT has referred to a booby-trapped Word document that, once opened, phoned home to an FBI-controlled server, revealing the recipient's IP address. At the higher end, the FBI has deployed non-public exploits that break through the security protections of the Tor Browser.

In a phone call with Motherboard, Chris Hadnagy, founder, executive director, and board member of the ILF declined to specify what sort of tool the NITs were, nor whether the charity developed the NITs itself or sourced them from another party.

At one point a company that sources zero-day exploits and then sells them to governments offered $80,000 for an attack targeting Firefox, which the Tor Browser is based on. That company, Exodus Intelligence, later provided a Firefox exploit to an offensive customer; a law enforcement agency deployed it to visitors of a dark web child abuse site, Motherboard previously reported.

Law enforcement agencies have used NITs to investigate financially-motivated crime, bomb threats, and hackers. Most prolifically, the FBI has deployed NITs in child abuse investigations, particularly on the dark web. Among other large scale cases, in 2015 the FBI hacked over 8,000 computers in 120 countries based on one warrant. Some judges threw out evidence in subsequent cases as they ruled that the judge who signed the warrant did not have the authority to do so. The campaign, dubbed Operation Pacifier, led to the arrest of 55 hands-on-abusers and 26 producers of child pornography, as well as recovering 351 children, according to a report from the Department of Justice Office of the Inspector General.

The report also mentioned how between 2012 and 2017 the FBI’s Remote Operations Unit, which is part of the OTD, was largely responsible for the development and deployment of dark web solutions.

"However, over the past 2 years, its dark web role has eroded due to budget decreases and an increased prioritization on tools for national security investigations. This has resulted in the operational units seeking tools useful to dark web investigations independently without a mechanism to share the product of their efforts," the report added.

The FBI declined to comment.

Update: This piece has been updated with a response from the FBI.
