Let your plans be dark and impenetrable as night, and when you move, fall like a thunderbolt.

Dark Shipping: A Case Study

I wrote recently about the risks of shipping using your country’s shipping service and had a lot of interesting feedback. One individual which I believe has the experience raised an interesting suggestion so I thought a few case studies might be useful to discuss.

While not a shining example of solid OPSEC, Dread Pirate Roberts gives us a real-world perspective on what people are willing to do to ship things, illegally. Let’s review a few of the things we know about his attempts to be dark.

Case Study: DPR Is Your Roomate

Ulbricht/DPR was known as “Josh” to his roomates that he met on Craigslist. He paid in cash to sublet a summer apartment in San Francisco. He arranges to pay in cash, he has no cell phone, and his current residence is a hotel near the airport. He made this seem less sketchy because he told the owners he was returning from a trip from Australia and wasn’t on his feet yet.

This is a near-perfect situation. There’s no legal record that “Josh” exists in this apartement but it’s plausible that someone would want to rent it out. Josh could buy a new shirt and some jeans online to have a clean shipping record and then wait to ship his sensitive package.

  • Good: Finding a shared location under a fake name.
  • Pretty Good: Paying in cash. This is often a red flag.
  • Bad: Not having a cell phone makes you look suspicious to normal people.
  • Bad: Craigslist is difficult to use completely anonymously. Law enforcement invest a lot of time into watching what happens on Craigslist now.

Case Study: DPR Tries To Use UPS

One of the many OPSEC failures of DPR was when he went on his Google+ profile and asked if any of his contacts worked at UPS, FEDEX or other private companies. I believe his plan was to collect some intel on what private companies do to prevent illicit shipments or get a local hookup to pay off so that his packages weren’t flagged.

The fact is there are several mandates that require private parcel companies to comply with U.S. federal laws. If for whatever reason they do not seem to adhere to these standards, the company will be fined and the business could be suspended. For publically traded companies, that’s a very big incentive to try to catch illegal packages.

On the other hand, some of the very private parcel movers exist because of an expectation of privacy for their clients. Normaly this would be sending company secrets or plans for the big firm’s merger, but the same would go for illicit deliveries. More often than not, these services are very expensive, and will not even consider taking any kind of untraceable payment.

  • Good: Gathering intel about shipping methods.
  • Bad: Posting the request on Google+.
  • OK: Thinking about hiring a private group to ship things
  • Bad: It’s unlikely you’ll find a company that can ship across borders for cash or bitcoin.

Did we learn anything?

Some people say they have the perfect solution and others believe it’s not possible. I still believe that if it’s important enough to you, you’ll find a way to ship it. In that case, all you can do is limit your risk by not being an obvious target. You’ll also have to decide how commited you are in terms of a time and money investment. Some of the things that DPR did require a lot of effort. He gave up his social life, his identity, and in the end, his freedom to be able to do what he wanted. Are you prepared to do theh same?