According to prosecutors, a Houston man arrested last month on federal explosives charges tried to buy dynamite, a grenade, and a remote detonator through the anonymous "dark web" market called AlphaBay.
The man, 50-year-old Cary Lee Osborn, allegedly took precautions to keep his identity a secret, as he sought explosives to ensure a building "burns to the ground" and to "send [a] message" to its occupant, according to Federal Bureau of Investigation transcripts of his alleged online messages.
In addition to shopping on a black market site only available through Tor, the anonymizing web service, and paying with bitcoin, Osborn wrote of using a "multi hop VPN" to further obscure his digital address, according to the transcripts. He allegedly rented a post office box with a false name and fake driver’s license in order to receive the explosives, officials say.
"Dont know exactly whats inside but person using for apartment," he’s alleged to have written to an AlphaBay vendor, explaining his need for the explosives. "Person will not be there when set off."
But despite his alleged use of modern cryptographic tools and old-fashioned deception, Osborn was quickly arrested for a surprisingly simple reason: The online vendor he’s accused of contacting to order the materials was an undercover employee of the FBI. According to court records, the explosives he received were fake, and he was arrested soon after opening the package.
The case, in which prosecutors say Osborn could face up to 10 years in prison, is one of a number of recent incidents where alleged buyers of illegal goods on dark web sites have been arrested attempting to buy from vendors who are actually undercover law enforcement agents. The sites, which can offer anonymized marketplaces for drugs, weapons, and other illegal goods, complete with Amazon-style vendor reviews, allow users to do business without revealing their internet protocol addresses, email addresses, or phone numbers.
But to buy physical goods, they’re still ultimately forced to trust those unknown vendors with some sort of address where they can receive their merchandise, which leaves them vulnerable to old-fashioned sting operations.
"We see fraudsters of all kinds, whether it’s health care or just trying to steal your banking transactions, trying to operate in a way that we can’t see," FBI director James Comey told Congress last September. "And so they think if they go to the dark web—the hidden layers, so called, of the internet—that they can hide from us. They’re kidding themselves, because of the effort that’s been put in by all of us in the government over the last five years or so, that they are out of view."
An FBI spokesperson declined to comment on the number of investigations, past or present, that have involved undercover work on the dark web. But the FBI and prosecutors have previously mentioned cited work in a number of cases. Last year, a then-22-year-old Manhattan man named Cheng Le was sentenced to 16 years in prison, after being convicted on charges that he attempted to buy the fatal poison ricin from an undercover FBI employee on an unnamed dark web site.
"This might sound blunt but do you sell ricin?" he allegedly asked, before repeatedly hinting at reselling the poison or using it for murder for hire, according to court documents.
"I’ll be trying out new methods in the future," he wrote, according to the documents. "After all, it is death itself we’re selling here, and the more risk-free, the more efficient we can make it, the better."
Also last year, a computer programmer from Liverpool, England, named Mohammed Ali was sentenced by a U.K. court to eight years in prison, also accused of attempting to buy ricin from an undercover U.S. investigator, who reported the case to British authorities. Ali told the court he was simply curious after exploring the dark web and learning about ricin from a Breaking Bad episode and didn’t realize the chemical was illegal, according to a report in The Guardian.
In a more controversial case, dubbed Operation Pacifier by the FBI, agents seized a server last year belonging to a notorious dark web child pornography site called Playpen and obtained a warrant letting them install malware on visitors’ computers in order to locate them despite Tor’s anonymized connections. Since the illegal goods were entirely digital, users would be unlikely to supply physical addresses or other identifying information. Officials arrested more than 135 people, though some of those accused are challenging the legality of operating the server and distributing malware, even with a warrant.
"The FBI carried out thousands of searches and seizures, in locations around the world, based on a single warrant," the Electronic Frontier Foundation has argued. "The particularity requirement of the Fourth Amendment was designed to prevent precisely this type of sweeping authority."
But in cases where law enforcement officers are simply impersonating sellers of illegal goods, and not hacking computers belonging to potential buyers, there’s likely little legal protection for those caught in such a sting, says Frank Rubino, a defense lawyer with offices in Houston and Miami. The technique is essentially the same as one that’s been used offline long before the dark web existed, he says.
"The government is allowed to act as a seller of illegal objects, no matter what they be," he says. "It’s been going on for years, where the government poses as, for example, a drug dealer."
And while laws protect against actual entrapment—where someone’s induced to commit a crime they otherwise had "no predisposition to commit," he says—there’s no legal problem with the government pretending to offer illegal merchandise to those clearly looking to buy.
"If a guy’s out there looking to buy bomb material to blow you and I up, I’m thrilled the FBI is the one selling it to them, because they’re going to bust him," he says. "And you and I are going to live happily ever after."