From 6906ab0eba0588dff264601bc561b14d91df9fcc Mon Sep 17 00:00:00 2001 From: MulliganSecurity Date: Wed, 21 May 2025 10:34:17 +0200 Subject: [PATCH] add more recent examples --- opsecmistakes/index.md | 56 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 55 insertions(+), 1 deletion(-) diff --git a/opsecmistakes/index.md b/opsecmistakes/index.md index 901ae0d..fdcdc7f 100644 --- a/opsecmistakes/index.md +++ b/opsecmistakes/index.md 
@@ -46,13 +46,53 @@ A simple example: ### What bad OPSEC looks like + ![smugglers](smugglers.jpg) +## Smugglers + The quicker you are identified, the quicker your other lines of defense must come into play. If you are a novice in clandestine ops, it is likely that you still have stuff to learn in order to be safe. If your activities are quickly identified, that's even less time available to you to actually get better at survival. +## Extorsionists + +### Zeekill +Julius "zeekill" Kivimaki extorted a Finnish online psychotherapy service, threatening them with the release of patient data (thereapy notes among them). +While preparing a data package for release he mistyped the tar command and instead of only releasing the pilfered data also released the entire content +of his home directory, helping investigators identifying him. That way he managed to speedrun both initial detection and identification, what a champ! + +### USDoD +USDod made several OPSEC mistakes, allowing investigators to link his public and clandestine personas. 
+ + +- same bio on public and clandestine twitter accounts, shared with an instagram account as well +- Instagram account mentioned by + - a tattoo artist + - a SoundCloud profile with his public identity and pictures of his face + - the pictures were the same used on a medium blog, allowing for trivial linking +- The medium blog contained a post about an alien vault pulse (a cyber threat intelligence report) mentioning the same pseudonym used for his instagram account +- Associated gravatar account with the instagram pseudonym and pictures of his face +- Gravatar linked email publicly associated with + - registered domains + - github accounts + - tvtime + - leaked data from HackForum (linked to user name LLTV), itself associated with the publication of leaked data + - Shared pseudonym with reddit (user LLTV), mentioned in his medium blog + +## Darknet Markets Administrators + +Honorable Mention to Pharoah (see [indictement](https://www.justice.gov/archives/opa/media/1352571/dl) for details), for troubleshooting his servers after they went down (FBI seizure) +using google with his personal email account (page 30 of the document), he used the same account to also conduct development research. + +~~~ +On or about July 20, 2022, at approximately 00:18 UTC, +00:19 UTC, 00:20 UTC, and 00:23 UTC, the user of the Lin Personal Email Account-1 searched +Google for “pm2 crashed,” “view pm2 daemon logs,” “pm2 daemon logs,” and “pm2 changelog,” +respectively. +~~~ + #### How it plays out - [drug smuggling](https://www.upi.com/Archives/1984/11/21/British-boat-loaded-with-marijuana/3929469861200/) 
@@ -60,7 +100,21 @@ to actually get better at survival. - bungling the weight and balance of a smuggling ship so much that its course became erratic and attracted attention - Outcome - Seizure of the ship and it's 32M$ worth of cargo, arrest of the crewmembers - +- zeekill + - OPSEC Mistakes + - lack of operational segregation: there is no valid reason for having PII on the same machine as the one you use to manipulate operational data, at least use a different user created only for this purpose + - Outcome + - Arrest and conviction (6 years) +- USDod + - OPSEC Mistakes: + - too many to count in this section, see above + - Outcome + - Arrest +- Pharoah + - OPSEC Mistakes + - use of a personal account to conduct research and operational activities + - Outcome + - [Arrest](https://www.ice.gov/news/releases/incognito-market-owner-arrested-operating-one-largest-online-narcotics-marketplaces) ## Identification
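Review bot: In the first hunk (`@@ -46,13 +46,53 @@`) the new `## Smugglers`, `## Extorsionists` and `## Darknet Markets Administrators` headings are H2 sections inserted directly under the existing H3 `### What bad OPSEC looks like` and are followed by the pre-existing H4 `#### How it plays out`, so the heading hierarchy is inverted; consider `### Smugglers` / `#### Zeekill` (or demote the whole group) so the new material reads as subsections of "What bad OPSEC looks like". Several spellings in the same hunk should be fixed before merge: `Extorsionists` (Extortionists), `thereapy` (therapy), `indictement` (indictment), `helping investigators identifying him` (identify him), and the actor name is written both `USDoD` and `USDod`; service names are inconsistently capitalised (`alien vault` / AlienVault, `medium` / Medium, `gravatar` / Gravatar, `github` / GitHub, `reddit` / Reddit). The USDoD list also has no source link, unlike the Pharoah entry which cites the indictment with a page number; adding a reference there would keep the page's evidence standard consistent.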
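Review bot: The second hunk (`@@ -60,7 +100,21 @@`) replaces the blank line after the smuggling `Outcome` with the new list entries but adds no blank line before the trailing `## Identification` context, so the last bullet `- [Arrest](...)` now runs straight into the heading; keep an empty line before `## Identification`. The three new entries are also inconsistent with each other and with the earlier sections: `- zeekill` is lower-case while the section above uses `Zeekill`, `- USDod` again differs from `USDoD`, and only the USDod entry writes `OPSEC Mistakes:` with a colon. `Arrest and conviction (6 years)` for zeekill states a sentence length without a source, whereas the Pharoah outcome links to the ICE release; a citation would match the rest of the list. Finally, the added `lack of operational segregation` advice ("at least use a different user created only for this purpose") is the one mitigation stated in the hunk; it is worth cross-referencing from the Zeekill prose in the first hunk so the lesson is stated where the case is described.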