Drop Gangs

Cryptocurrencies, GPS, drones, and cheap beacons are driving a new evolution in illegal markets:

…[A] major change is the use of “dead drops” instead of the postal system which has proven vulnerable to tracking and interception. Now, goods are hidden in publicly accessible places like parks and the location is given to the customer on purchase. The customer then goes to the location and picks up the goods. This means that delivery becomes asynchronous for the merchant, he can hide a lot of product in different locations for future, not yet known, purchases. For the client the time to delivery is significantly shorter than waiting for a letter or parcel shipped by traditional means – he has the product in his hands in a matter of hours instead of days. Furthermore this method does not require for the customer to give any personally identifiable information to the merchant, which in turn doesn’t have to safeguard it anymore. Less data means less risk for everyone.

The use of dead drops also significantly reduces the risk of the merchant to be discovered by tracking within the postal system. He does not have to visit any easily to surveil post office or letter box, instead the whole public space becomes his hiding territory.

…Classically, when used by intelligence agencies, dead drops relied on being concealed. This lead to dead drops being hard to find even by the intended recipients without costly preparation and training. One of the results of this was that dead drops were often used repeatedly, which increased the probability of both sender and recipient being identified by surveillance.

An ideal dead drop is however used exactly once. Only then can the risks of using it be reduced to pure bad luck.

This challenge is met by Dropgangs in various ways. The primary one is that the documentation of each dead drop is conducted in minute detail, covering GPS coordinates, photos of the surrounding and the location, as well as photos of the concealment device in which the product is hidden (such as an empty coke can). The documentation however increases the risk for the Dropgang since whoever creates it would be more easy to identify by surveillance. In addition, even great documentation still requires the customer to understand it and follow it precisely, which can lead to suspicious behavior around the dead drop location (staring at photos, visually comparing them to the surrounding, etc).

A first development to mitigate the problem of localizing is the use of Bluetooth beacons. In addition to the product, the dead drop contains a little electronic device that sends a signal that can be received by a smartphone, which in turn can display the direction and approximate distance to the device. In addition to the GPS coordinates, the customer requires only a smartphone with the correct App. Beacon devices like these are available on the open market for under ten dollars.

They do however pose the risk of a non-authorized party to discover the dead drop, simply by searching an area suitable for hiding dead drops with their own smartphone.

There are first reports of using beacon devices that are not constantly sending a signal, but have to be activated first. The activation usually happens by establishing a WiFi hotspot on the customer’s phone (by using the WiFi tethering feature). Only if the beacon sees a WiFi hotspot with a specific, merchant provided, unique name will it start to send a homing signal itself. Devices like these are very cheap (<15 USD) and have gained traction in the field, but they pose risks to the customer: His smartphone becomes identifiable by observers, even over considerable distance. This can lead to tracking the customer.

…A plausible next step would be the development of markets for dead drop operators that make their living by picking up product from one dead drop and placing it in another, working as a proxy for the customer to increase his safety and to reduce his efforts. This would also make this distribution model wider spread and available to more products, which will blur the lines between the black and the legal market. On this blurred line new services and technologies will establish themselves, inherently dual use services like lock boxes that can be paid by peer-to-peer cryptocurrencies.

Looking even further into the future, it seems plausible that the whole urban environment might find itself integrated into a dynamic landscape of very short-lived dead drops that are serviced by humans and cheap drones (unmanned aerial vehicles), which are already cheaply available and likely only require one market actor to develop and spread a mechanism to pick up and drop goods. Both merchant and customer could use drones, that are available for rent through dedicated Apps, to deliver product to a meeting point on a roof, where another drone would pick it up. Chaining multiple exchanges like this will make the tracing of the delivery extremely hard, essentially leading to mixing techniques so far used only in anonymizing digital communication.

Read the whole thing.

Hat tip: Eli Dourado.


Comments for this post are closed