TITANIUM: Tools for the Investigation of Transactions in Underground Markets

Generic Use Case: how can new technology contribute to combating organised crime on the internet?

Soesterberg (09 October 2018)

How does it work when you want to develop tools for needs that are not yet identified, using technologies that are not yet validated?

This is one of the challenges for projects like TITANIUM. The "chicken and egg" question: what the end users want depends on what is possible, and vice versa.

TITANIUM solved this in three steps.

  • The first step is to define a "generic use case" - this sets the direction of the research and the development of the tools.
  • The second step is a hackathon where the developers show what they have created to the potential end users, and get feedback.
  • The third step is a field lab, in which the updated tools are deployed in a practical situation.

The Generic Use Case

The TITANIUM generic use case describes criminal activities. We chose illegal trade in prescription drugs as a realistic starting point. A criminal offers products for sale in a dark marketplace (e.g., Dream market, The Trade Route, Tochka Free Market) and this is noted by Law Enforcement officers. They then start to gather evidence from the dark marketplace (sales advertisements, discussions) and check the identifiers the criminal uses (nicknames, virtual currency addresses, PGP keys, email addresses, IM usernames, IP addresses, etc.): can they be found elsewhere in the darknet or in the clearnet (giving hints of the criminal's real identity)?

The next step is to track the flows of the criminal's virtual currencies (possibly different currencies, in which case cross-ledger analysis is needed): where have the funds come from, and where are they going? Where and when are the funds cashed out?

To gauge the size of the illegal activity, it is relevant to identify how much financial profit the criminal made from the deals. It is also good to know whether the same seller operates in different marketplaces, how much, and for how long. Conversations between the criminal vendor and their customers will be of interest, and accomplices may be just as relevant.

When the police have found enough evidence to arrest the criminal, additional evidence may be found on the devices that are confiscated: virtual currencies contained in smartphones, laptops, USB mass storage devices, etc., or other evidence of criminal activities (traces left by applications, e.g., wallet software, visits to dark marketplaces with Tor browser, files containing personal notes and ledgers about the trades, etc.).

Special importance is placed at each step on respecting all applicable laws, especially those that address the privacy of possible innocent bystanders. And, last but not least, it is necessary to provide court-proof evidence when the offender is brought to justice.

All of the above steps are described in the Generic Use Case and will be addressed by functionality in the TITANIUM tools. However, the use case is just a story. Reality is considerably more "messy" and may prompt other requirements. Therefore, the Field Labs are deployed, so that the future end users have the opportunity to work with the tools in realistic settings, working on data that comes from real cases.

Based on the feedback from the Field Labs, improvements will be defined by TITANIUM and will be developed and evaluated in a second iteration of use-case-inspired development, hackathons for integration and early testing, and Field Labs to perform a final validation.

For more information contact the project's coordinator here.