Dark Web’s Wall Street Market & Valhalla Seized, Six Arrested

Servers of dark web marketplaces Wall Street Market and Valhalla have been seized by law enforcement agencies in Germany and Finland, and suspects have been arrested in Germany, the U.S. and Brazil.

Both platforms were highly popular for peddling unlawful goods, one for being among the largest and the other for its long-lasting activity that impressed a stamp of trust.

Vendors could sell almost anything, with the largest category being "drugs," but malware or forged documents were also available.

One of the oldest dark web markets falls

Hiding behind the Tor network, Valhalla marketplace was one of the oldest markets on the dark web, listing over 30,000 products by some statistics. Its activity started in October 2013 as a Finnish-only site called Silkkkitie.

Some time after February this year, in cooperation with the French National Police and law agencies in other countries and Europol, the Finnish Customs (Tulli) seized Valhalla's server and ended its run.

In the wake of the shutdown, vendors fled to other dark web markets, Wall Street Market being one of them. An announcement from Finnish authorities informs that the operation led to seizing a significant amount of bitcoin cryptocurrency.

It is unclear how authorities were able to take control of the server as Valhalla admins were adamant about the security of funds and operations.

For instance, there was a time when they made it more the URL to the site and they also set up a bug bounty program - like other marketplaces that are currently down, that offered rewards for reporting new issues.

Finnish authorities are in the initial stage of the investigation and keep the silence about details.

Imminent fall of Wall Street Market

Even if authorities hadn’t acted to take down Wall Street Market (WSM), the marketplace was bound to disappear. However, another course would likely not have thrown vendors into the hands of law enforcement.

Three alleged administrators of WSM, aged 22 to 31, were planning to run off with the money held in escrow for current transactions between customers and vendors, when German authorities arrested them on April 23 and 24.

The illegal market was not the trio’s first enterprise of this kind. Previously, the group ran a German-based dark web marketplace that shut down in 2016.

To follow with their plan, the admins shut the platform for maintenance but on April 20 users started to suspect the exit scam when a WSM admin had not made contact for almost three days but the cryptocurrency was moving from the escrow wallet.

On top of this, a WSM support/community manager named Med3l1n (Marcos Paulo De Oliveira-Annibale, 29, of Sao Paulo, Brazil), who was probably left out of the exit scam, started to blackmail WSM users who had not encrypted their details when submitting a support ticket or dispute request. His price for deleting the information was BTC 0.05 (between $270 and $280 at the time).

Med3l1n also published his details for logging into the support panel and the IP address for the market administration panel. This information is a boon for law enforcement, who could use them to access all the content stored on the market’s servers.

With servers in Germany and the Netherlands, WSM was the second largest illegal sales platform for drugs, stolen information, fake identification documents, and malware. It had more than 63,000 product listings and attracted more than 5,400 sellers. The number of registered customer accounts was over 1,150,000.

All transactions were in Monero or Bitcoin cryptocurrency and the trading commission for the admins was between 2%-6% of a sale’s value.

While these events unfolded, multiple law enforcement agencies from the U.S. and the Netherlands had already started investigating and in March the leads pointed to three German nationals.

The investigation caught a break when the VPN connection one of the administrators used to log into WSM failed and the true IP address became visible, thus revealing their specific location. On May 2, law enforcement moved to shut the illegal operation down.

The spoils of the outlaws

The German Federal Criminal Police (Bundeskriminalamt) leading the investigation worked with multiple agencies to shut down WSM and arresting the individuals allegedly in charge of the market.

The effort involved the U.S. Drug Enforcement Administration, the Federal Bureau of Investigation, the U.S. Internal Revenue Service, the U.S. Homeland Security Investigations, the U.S. Postal Inspection Service, the U.S. Department of Justice, the Dutch National Police (Politie), Europol, and Eurojust.

Searching the homes of the three suspects, German authorities seized over €550,000 in cash, Bitcoin and Monero currencies “in 6-digit amounts,” multiple luxury cars, computers, storage drives, and a firearm.

A Europol spokeperson confirmed to BleepingComputer that the info on the seized cryptocurrency is not the result of a conversion to fiat.

This means that the suspects possessed at least 100,000 units of Monero and Bitcoin. The former converts to over $6.7 million; the latter rounds to $580 million. However, it is unclear if the six-figure refers to units of both cryptocurrencies.

An alleged WSM user kept track of the transactions seeping out from the WSM escrow wallet noting that the total amount received to that address was BTC 9,498 (over $53 million).

Blockchain gives a different value for total received funds, BTC 2,567 amounting to $14,5 million. This is because blockchain explorers count received transactions differently.

The investigators believe that the money held in escrow is approximately $11 million. The three German nationals face charges both in their country and in the U.S.

Three more arrested in the U.S. and Brazil

Apart from the alleged WSM operators, Med3l1n was also arrested and law enforcement in Brazil raided residence. He was identified from details left in forum posts and old online pictures.

The investigation into WSM’s administrators allowed authorities to put a name to two top vendors on WSM, Platinum45 and Ladyskywalker. Both are located in the U.S. and operated on multiple marketplaces, the DoJ informs.

Acting on a search warrant on their homes, authorities found millions of dollars in cash, drugs, and a variety of weapons.