Image: Tyler McKay/Shutterstock

Then the SWAT Team Rolls Up: Was a Darknet Arms Dealer Arrested on Campus?

Undercover cops arrested a 25-year-old engineering student for dealing weapons internationally.

|
Mar 16 2015, 11:00am

Image: Tyler McKay/Shutterstock

It's 9:30 AM in Schweinfurt, Germany. It's the end of the semester and prospective mechanical engineers, programmers, and mechatronic technicians form groups on the campus to prepare for the impending final exams. The ergonomically-designed wooden benches, which emphasize the harsh reality of an engineering degree, are full of students poring over their notes on this Thursday, January 29th, 2015.

All of a sudden, one of them is pulled from a bench and thrown on the ground. Only after several undercover cops shout, "no pictures, no videos!" do the rest of the baffled students begin to realize what's happening. They are witnesses to a meticulously planned arrest as the SEK—the German equivalent of a SWAT team—closes in on the campus from different sides.

The target the Bavarian State Police is after is the 25-year-old student, Stefan*, who prosecutors are accusing of dealing arms throughout Europe. 

On the same day, the police search 11 apartments in Schweinfurt and the surrounding area, seizing 10 handguns and several thousand rounds of ammo.

Prosecutors are accusing a 25-year-old student of dealing weapons throughout Europe over the darknet

If the accusations against him stand up in court, the German authorities will have succeeded in closing an investigation that's as strange as it is surprising. The case could also offer a vivid example of how the darknet, the part of the web that can only be accessed using certain tools, shifts the paradigms of both crime and law enforcement—and how easily a 25-year old Bavarian student could find himself being called an international arms dealer. 

Ultimately, all the evidence disclosed thus far indicates that alleged darknet dealers can pretty much only get caught if they make mistakes—echoing the case of Ross Ulbricht, who was recently ​convicted in the US for masterminding the digital black market Silk Road.

Some of Stefan's classmates knew that he used the anonymity service Tor and encrypted his hard drive. Some of them also knew that he enjoyed surfing the dark web.

Just minutes before being busted by the SWAT team, he apologized for needing a few more minutes before joining the study session with his fellow students: "Someone in the darknet has a few more questions."

The study hall in the main building of the technical college in Schweinfurt where the 25-year-old suspect was arrested. All images: Max Hoppenstedt

It's no coincidence that the undergrad student was arrested on college campus. He was infamous among students for being a permanent fixture in the technical college's academic buildings. He occasionally showered there and would sometimes bring a foldout cot to school to take naps.

In a moment of quick-thinking, he yanked the power cable out of his battery-less, encrypted laptop

For the five semesters he was there, Stefan spent the majority of his time on campus—in addition to frequenting college barbecues, he was studious and hardworking. Admittedly, his permanent presence in the academic buildings was suspicious to some of his classmates. But none of them would have dared to think what the prosecutors are now accusing him of, even if after asking around campus, it's clear that there had been rumors circulating about his active darknet use for a while.

Neither the prosecutors in Schweinfurt nor Bavaria's State Police wanted to confirm to us that the suspect was dealing the weapons they found on the darknet. However, the 25-year-old is facing up to 15 years in prison for activities that violated the War Weapons Control Act—and police also apprehended four other individuals over the course of their investigation.

The so called "pink mansion" is situated right in the middle of Schweinfurt. If the 25-year-old suspect is detained in Schweinfurt, he is likely in this building. Image: Max Hoppenstedt

The authorities refused to disclose any further information because the proceedings are ongoing, however they did confirm that requests for administrative assistance in the case have been made with other European law enforcement agencies. It also has been determined that the case does not have a terrorism connection. "At the moment there are international investigations, and that's a good thing," lead prosecutor Ursula Haderlein said.

"Our goal right now is to get these guys."

Karl-Heinz Segerer, from the State Police in Munich, which had been investigating for several months before the arrest, also referred to ongoing investigations that made confirming information difficult. "Our goal right now is simply to get these guys," he said. ​

Violating the student Code of Conduct

As of yet, the only thing that's definitive is that Stefan violated his school's Student Code of Conduct. 

He would occasionally use multiple lockers in the library for extended periods of time, storing innocuous yet questionable items such as a mini pizza oven, electric heaters, and packages of quark (a cheap, high-protein ​dairy product). 

An electric kettle and a coffee machine were apparently also essential for his continuous presence in the academic buildings.

Yet no weapons or weapons parts were found in the lockers during the raid. Since the police must have been surveilling the campus for several weeks—presumably disguised as workmen—the use of the lockers didn't go unnoticed. But there's been a rule at the Schweinfurt library since the beginning of 2015 that lockers can't be used overnight, which made extended use of the lockers much more difficult for Stefan.

Dr. Robert Grebner, the president of the Fachhochschule Würzburg-Schweinfurt, meanwhile explained to me that the college "had no knowledge of the suspect's activities" while attending the school. And the college had only found out about the investigation on campus recently. "We supported the investigation to every extent they requested," he said.

Lockers in the library of the Schweinfurt campus where Stefan stored his household appliances for months on end. Image: Max Hoppenstedt

The last of the officers left the campus after over two hours. They were unsuccessful in one thing during the raid, however: acquiring Stefan's laptop while it was still booted up. While he was suddenly being yanked off the bench, he was somehow still able to pull the power cord from his laptop, which had no battery. Even if the police restart the laptop, its encrypted hard drive will be password-protected.

When the authorities realized that Stefan's computer wouldn't easily yield a trove of evidence, they became visibly frustrated. When Silk Road founder, Ross Ulbricht was apprehended in a public library in San Francisco, his laptop ended up serving as a ​key piece o​f evidence. The fact that it was actively connected to the administrator page of the black market made it considerably difficult for Ulbricht's defense to dispute his role as the head of the Silk Road.

"Cheating while being incarcerated is impossible."

Stefan's fellow students at college were all completely surprised by his arrest. "He always took really thorough notes," one classmate, who had studied with Stefan for many exams, told me. "We could really use his help right now for our exams and we miss him already."

​Code: wtf

Stefan's apprehension didn't just have consequences for his fellow students' final exams; Stefan himself has been held in a detention center for weeks. 

Additionally, 23-year-old Jens* was arrested on the same day, suspected of being an accomplice. He was only released 13 days later—even though it doesn't seem like the investigators are able to prove any involvement in the arms dealing.

Instead, investigators were holding a WhatsApp exchange with Stefan against him, alleging that a message Jens sent the night before the raid—which said simply, "wtf"—was apparently supposed to be a coded warning to Stefan. However, Jens seems less like a member of an international arms ring and more like a harmless classmate who didn't exactly appreciate a last minute request: the "wtf" was an answer to Stefan's message asking Jens to bring a desk lamp for an all-nighter study session, because the lights go out automatically at night on the college campus.

Another student, Peter*, who classmates say is completely harmless, was apprehended close to Schweinfurt and also held for a short period by the police. 

Meanwhile, other students in Schweinfurt are overtly unsettled about the possibility of surveillance going back weeks or months—and worried that telephone surveillance might still be going on (which is also the reason nobody wanted to use their real name for this story).

Most of the students are convinced that neither Jens nor Peter had anything to do with international arms dealing. People aren't so sure when it comes to Stefan, even if they didn't see him as someone dangerous. "At most he was a bit of a freak, but anybody studying this stuff and sticking with it has to be a freak," one student said.

The main entrance was also one of the entrances used by the SWAT team. Image: Max Hoppenstedt

This residential area adjoins the campus, and is also home to many students. Image: Max Hoppenstedt

If nothing else, the spectacular raid distracted from the exams students were about to take. A SWAT team raid at daybreak doesn't really help you concentrate on questions about, say, the fundamentals of electrical engineering.

The prosecution didn't want to make a statement concerning these accusations, again referencing the ongoing investigation. It's also unknown whether there are further accusations that justify Jens's prolonged detention.

German state police in the Darknet​

How did Bavaria's State Police, which must have had the college under surveillance for weeks, even get onto Stefan's trail? Could the arrest mean that the German authorities have found a way to efficiently investigate in the darknet?

Back in early November, 2014, the FBI, Europol, and other international law enforcement agencies surprisingly succeeded in taking 27 darknet hosts offline. 

Over the course of "Operation Onymous," which targeted these hidden services, the ​second​ version of Silk Road and many other darknet black markets were seized and taken offline.

The well-equipped international law enforcement agencies were able to locate Blake Benthall, the alleged administrator of Silk Road 2.0, due to amateur mistakes he made and insufficient OpSec (operational security). Nevertheless, people were worried that investigators could have found ways to exploit security gaps in the Tor network, which allows users to anonymously browse the darknet.

It still remains unknown how the FBI was able to make identifications over the course of Operation Onymous.

Since Operation Onymous, the development team behind the Tor Project, which maintains the Tor anonymous browser, is as dedicated as ever to continuously protect the security of the network structure against possible weak points. (Tor users also include activists and those in countries with oppressive freedom of speech laws, in addition to potential arms dealers on the darknet.) 

"I don't think the German authorities are competent enough to be able to infiltrate the hidden services technically."

Moritz Bartl, of the Zwiebelfreunde, a group that operates Tor exit nodes, rules out the idea that the German authorities of all people could have found a way to tap into Tor's infrastructure. "I don't think the German authorities are competent enough to be able to infiltrate the hidden services technically."

Yet it wouldn't be unthinkable that by now the local police are at least using a few crumbs of data from the fallout from Operation Onymous for further investigations. In November, 2014, in conjunction with Operation Onymous, the State Police in Hessen, Germany headed an investigation that led to the arrest of an alleged leader of a darknet drug shop, charging him with 12 counts of drug dealing.

What is certain by now, is that only a few days after the FBI took the first servers offline, three international exit nodes, which Moritz Bartl and the Zwiebelfreunde run, were also seized by the police.

In Germany, there are still only a handful of arms dealers that don't seem to be fraudulent scammers

As of yet, there are actually only a few cases known where the German police succeeded in pursuing activities in the darknet. One was in March, 2013, for example, when the drug dealer, ​"Pfand​leiher," was arrested in rural Bavaria. The Bavarian State Police set up a special task force for the operation, and underscored their own innovative prowess by calling it "Seidenstraße" (Silk Road).

However, the police only got wind of the suspect's activities ​because of an accidentally misrouted package

Villages in Lower Franconia. Raids have also hit homes in this rural area around Schweinfurt. Image: Max Hoppenstedt

In 2013, the German police registered a total of 500 violations of the War Weapons Control Act. However, that statistic does not differentiate between giant industrial companies exporting weapons—like when the German weapons manufacturer, ​Sig Sauer, questionably exported their goods to Iraq—and the private transfer of heavy military machinery and commercial arms dealing by gangs like the Hell's Angels. The police also don't separately record when or whether the internet or the darknet was involved in the illegal arms dealing.

All of the cases so far of known arrests through the darknett have had to do with drug dealing, as in the case of Silk Road. The world of digital arms dealing seems to be modestly sized in comparison. This sector globally—which also isn't allowed on all darknet platforms—makes up only an infinitesimal portion of what trades hands. In Germany, there are still only a handful of arms dealers that don't seem to be fraudulent scammers.

"It's not called the darknet for nothing."

And after repeated requests, neither the Bavarian State Police or the German Federal Police are able to give more precise information on their knowledge of extent and details of germans operating in the darknet. "It's not called the darknet for nothing," a spokesperson for the Federal Police said. 

At the same time, the case brings up an important reminder that proponents of Tor always refer to: using the Tor browser doesn't automatically ensure absolute anonymity. For true OpSec you have to exercise a lot of precautions, which Stefan didn't necessarily adhere to. For example, he would often log into his Facebook account over Tor, but would simultaneously use the social network outside of Tor.

In this way it's definitively identifiable which exit node (the Tor server that ultimately sends requested data to the user) is being used. Admittedly the content of the connection isn't revealed, but authorities can still deduce valuable evidence about the kind of Tor connection nevertheless.

The big lecture hall on the Schweinfurt campus with the library in the background. Image; Max Hoppenstedt

Karsten Nohl, a cryptography expert, explains that the German authorities "as of yet haven't distinguished themselves as necessarily being especially good or innovative at darknet investigations." 

Nohl, who also consults for prominent blue chip companies, thinks it's probable that, for practical reasons alone, conventional investigation methods led to the success. "A weapon isn't two grams of coke—you can't hide one that easily," he said.

Beyond the details of this individual case, Nohl says that a fundamental strategy for law enforcement to deal with the darknet simply doesn't exist. "We have not seen any tactical or thought-out methods for criminal prosecution, and Operation Onymous is the best example for that," he said.

These operations do nothing, he said, other than push the darknet servers further into Eastern Europe

"These operations only push the black markets into regions that are much more difficult for Western authorities to reach," he said. "Now we can see that these hidden services are mostly being hosted in Russia or Eastern Europe. Security services from all sides may know about them, but the people running them will not be extradited."

Expulsion ruled out for now​

It seems probable that at least a tapped cell phone played a role in the investigators in Stefan's case, which then resulted in some of the other arrests. Whether this investigative measure, which is typical these days, led police to the right people—and whether we're actually talking about a larger gang of international arms dealers—is another question altogether. Of the five who were arrested, four have been released from custody.

Only criminal proceedings and a possible court case will actually be able to determine whether the serious accusations against Stefan are true, and whether and in what way he was dealing in the darknet.

The college isn't threatening Stefan with expulsion at this point, the president, Prof. Dr. Grebner told me. On the contrary, the school is letting him take two of his exams in the detention center. And they don't have to worry at all about him cheating: "Cheating while being incarcerated is impossible."

This article was adapted from ​Motherboard Germany.

* Names have been changed.