Updated Information About the Investigation into DeepDotWeb

May 7, 2019 · 13 min read

The end of an era and the arrest of the man behind DeepDotWeb.

In a somewhat surprising twist, law enforcement agencies around the globe collaborated on the arrest of the administrator of DeepDotWeb and the seizure of DeepDotWeb.com and deepdot35wvmeyd5.onion. On May 7, users on Dread and Reddit reported seeing a seizure banner in place of the usual homepage.

I was not going to identify suspects originally. However, the cat seems to have left the bag. The person known to many of us as Deepdot is Tar Prihal, the Israeli citizen (living in Brazil) arrested in France. DeepDotWeb contributors know one of Deepdot’s developers. That developer was Michael Phan, an Israeli citizen arrested in Israel. Israeli law enforcement arrested another individual in connection with the operation of DeepDotWeb. That suspect made headlines several years ago for “accidentally” accessing databases belonging to law enforcement in the United States.

Image for post
Image for post
DeepDotWeb: This Site Has Been Seized

This site has been seized as part of an FBI operation concerning the violation of 18 USC 1956(h) and in coordination with European law enforcement agencies acting through Europol in accordance with the law of European member states

Conspirators face charges under the United States Money Laundering Control Act. Here is the indictment: (PDF).

The investigation involved the United States Federal Bureau of Investigation; Europol; Dutch National Police; the Federal Criminal Police Office; the National Crime Agency; the Israeli National Police; Tel Aviv Police; the Joint Criminal Opioid and Darknet Enforcement (J-CODE); the Brazilian Federal Police; the Internal Revenue Service Cyber Crimes Unit; and the United States Postal Inspection Service. Based on the seizure banners alone, the DeepDotWeb takedown involved more law enforcement agencies than the investigation and seizure of Wallstreet Market.

Policia Federal Tweet with the DeepDotWeb Seizure Banner

Deepdot, the usual contact for people looking to get in touch with someone at DeepDotWeb, served as the site’s owner or primary operator for the past few years. However, as recent news articles suggest, Deepdot was not alone in creation, advertisement, and administration of the site.

The site quickly became one of the primary sources of information for people interested in using darkweb markets. The site featured a list of darkweb markets that many users of darkweb marketplaces used as their only list of onion addresses.

Image for post
Image for post
A list of payments received by DeepDotWeb

After the news of the seizure surfaced, a number of people asked about the links DeepDotWeb had hosted. The links, unlike those on dark.fail, generated revenue for DeepDotWeb. Every purchase made via DeepDotWeb’s referral links (or with the referral code) earned the site’s admin(s) a percentage of the sale. This is usually between 2% and 4%.

Image for post
Image for post
Dream Market Ref Link /?ai=1675

Anyone can invite users and take advantage of the bonuses offered by various markets. According to Brazil’s Federal Police, DeepDotWeb had earned a percent of every transaction from at least 15,000 users. Those transactions amounted to millions of dollars in Bitcoin and other cryptocurrencies. “The site had been active for a long period of time and millions of dollars of transactions had been made on the site,” per a press release from Reuters.

Tal Prihar, often known as Deepdot, an owner of DeepDotWeb, moved from Israel to Brazil more than a year ago. Roughly one year after living in Brazil, Prihar met the qualifications for a Brazilian citizenship. His circumstances allowed for the expedited application of citizenship.

Image for post
Image for post

Brazilian citizenship is important in this scenario since the Brazilian government would not have extradited Prihar (as a citizen of Brazil) for money laundering or related crimes.

Cash Seized from Deepdot’s House

Instead of arresting Prihar in Brazil, authorities arranged for his arrest in France where Prihar would land for a connecting flight between Israel and Brazil. French authorities arrested Prihar at the Charles de Gaulle Airport. The French extradition treaty with the United States allows for the extradition of anyone suspected of the following:

Receiving money, valuable securities or other property knowing the same to have been unlawfully obtained, when such act is made criminal by the laws of both countries and the amount of money or the value of the property so received is not less than two hundred dollars or one thousand francs.

While authorities in France arrested Prihar at the airport, the Federal Police in Brazil executed a search warrant at Prihar’s home in Lago Sul, Brazil. They seized more than $200,000 in cash and an undisclosed amount of various cryptocurrencies, including Bitcoin. The Federal Police reportedly arrested a suspect in Brazil.

Image for post
Image for post
The Federal Police at Prihar’s House

The suspect was most likely a person Deepdot referred to as his partner — another Israeli who had moved from Israel to Brazil. The duo had worked together on a number of legal businesses in both Israel and Brazil.

The Federal Police and the FBI, acting in international cooperation, launched last Monday (6/5) joint actions in the fight against Internet crime and Dark Web.

The main target of the operation is an Israeli citizen, who resides in Brasília / DF, responsible for administering a website on the Dark Web used for the practice of online crimes, such as drug and arms trafficking, smuggling and money laundering.

In simultaneous actions, while the investigated was arrested at the Charles de Gaulle Airport — Paris / France, searches were carried out at his home in the South Lake, prime area of ​​Brasilia. In the search were seized devices used to guard crypto-coins and R $ 200,000 in cash (foreign currency and reais).

The Israeli also ran a web site that served as an index of Dark Web’s main illegal markets and was used to educate users on how to safely buy products and drugs online by offering not only the addresses but also a number of tutorials for consumers to browse anonymously, avoiding police repression.

The Internet portal worked in partnership with the largest clandestine markets in Dark Web and the resident of Brasilia was paid for every transaction carried out through the site, such as the distribution of drugs, illegal drugs, hacker tools, bank details and so on.

Investigations have found that the Israeli has received transaction fees of about 15,000 users, who traded the most various illegal products, that is, obtained a share of the proceeds from illegal product transactions.

The prisoner is also suspected of committing the crime of child pornography and was the subject of a search and seizure warrant to investigate such an offense in October 2018. On that occasion, the Federal Police seized R $ 1 million in cash (foreign currency and reais) his residence in Brasilia, as well as notebooks and smartphones.

The joint action also seized the internet domain used in criminal practices, an important repressive action against clandestine markets operating on Dark Web.


The Tel Aviv Police arrested a 35-year-old resident of Tel Aviv and a 34-year-old resident of Ashdod. The suspect from Ashdod, Michael Phan, allegedly helped develop and manage the site’s backend. Phan and Prihar had a 50/50 split, according to United States authorities. Both were remanded for six days at the Tel Aviv Magistrate’s Court. Authorities have accused both men of operating DeepDotWeb.

In recent months, a covert cross-border investigation was conducted by the FBI with the assistance of the cyber unit of the Tel Aviv Central Unit. Last night, the investigation was made public with the arrest of a number of suspects in several countries, including Israel, France, Germany, Holland and Brazil.

The investigation revealed that the suspects operated a website that contained references to illegal sales sites in a dark network where weapons, drugs, abductions, stolen credit cards, and more can be purchased. The suspects used the “affiliate marketing” method through which they profited from every sale made, thus earning millions of dollars. Payment for the completed transactions was transferred to the suspects via digital currency “Bitcoin”.

The Dark Network is a network that allows anonymous surfing, which attracts illegal activity such as drug trafficking, obscene materials, weapons and the hiring of criminal services.

Last night, as the investigation went into the open stage, investigators and police detectives raided them with search warrants and arrests on suspects’ homes. The suspects (35, Tel Aviv, 34, Ashdod) were arrested and brought for interrogation in the cyber unit in the Tel Aviv District. The two were remanded for six days today at the Tel Aviv Magistrate’s Court.

The Israel Police will continue to investigate and expose criminal offenses and to seek and reach any place where there is suspicion of criminal activity that harms normative civilians.

The press release from the Tel Aviv Police indicated that German authorities had arrested at least one suspect. The inclusion of the Bundeskriminalamt logo on the DeepDotWeb seizure banner also indicates that something happened in Germany. According to the German newspaper Süddeutsche Zeitung, the German Federal Criminal Police Office (BKA) had only a minor role in the investigation. “Parts of the infrastructure of Deepdotweb had been on German soil,” according to a BKA spokesperson. The BKA also denied that this investigation had any connection to the recent Wallstreet Market seizure.

5/8/19 Update: The Federal Criminal Police confirmed to Heise Online that they supported US authorities in the DeepDotWeb investigation. They also confirmed that no arrests have been made in Germany in connection with the case.

No idea.

Image for post
Image for post
Image for post
Image for post


Content continues below.

PITTSBURGH — United States Attorney Scott W. Brady announced today the alleged owners and operators of a website known as DeepDotWeb (DDW) have been arrested on charges of money laundering conspiracy relating to millions of dollars in kickbacks they received for purchases of fentanyl, heroin, and other illegal contraband by individuals referred to Darknet marketplaces by DDW. The website has now been seized by court order.

In an indictment unsealed today, Tal Prihar, 37, an Israeli citizen residing in Brazil, and Michael Phan, 34, an Israeli citizen residing in Israel, were charged on April 24, 2019, in a one-count indictment by a federal grand jury in Pittsburgh. Prihar was arrested on May 6, 2019 by French law enforcement authorities in Paris, pursuant to a provisional arrest request by the United States in connection with the indictment. Phan was arrested in Israel on May 6 pursuant to charges in Israel. Further, FBI Pittsburgh seized DDW, pursuant to a court order issued by the U.S. District Court for the Western District of Pennsylvania.

“This is the single most significant law enforcement disruption of the Darknet to date,” said U.S. Attorney Scott W. Brady. “With western Pennsylvania at the epicenter of the opioid crisis in America, the U.S attorney’s office has leveraged its significant cyber expertise in attacking the sale of fentanyl and opioids on the Darknet. This case signifies the first takedown of the very infrastructure that supports and promotes the illegal marketplaces where these deadly drugs are sold on the Darknet.”

According to the indictment, between October 2013 until the date of the indictment, Tal Prihar and his co-conspirator Michael Phan allegedly owned and operated DDW, hosted at www.deepdotweb.com.

DDW provided users with direct access to numerous online Darknet marketplaces, not accessible through traditional search engines, where vendors sold illegal narcotics such as fentanyl, carfentanil, cocaine, heroin, and crystal methamphetamine, firearms, including assault rifles, malicious software and hacking tools stolen financial information and payment cards and numbers access device-making equipment and other illegal contraband.

Image for post
Image for post

Prihar and Phan received kickback payments, representing commissions on the proceeds from each purchase of the illegal goods made by individuals referred to a Darknet marketplace from the DDW site. These kickback payments were made in virtual currency, such as bitcoin, and paid into a DDW-controlled bitcoin “wallet.” To conceal and disguise the nature and source of the illegal proceeds, totaling over $15 million, Prihar and Phan transferred their illegal kickback payments from their DDW bitcoin wallet to other bitcoin accounts and to bank accounts they controlled in the names of shell companies.

The Money Laundering Kickback Scheme

According to the indictment, Darknet marketplaces operated on the “Tor” network, a computer network designed to facilitate anonymous communication over the Internet. Because of Tor’s structure, a user who wanted to visit a particular Darknet marketplace needed to know the site’s exact .onion address. DDW simplified this process by including pages of hyperlinks to various Darknet marketplaces’ .onion addresses.

Image for post
Image for post

Users who visited DDW were able to click on the hyperlinks to navigate directly to the Darknet marketplaces. Embedded in these links were unique account identifiers, which enabled the individual marketplaces to pay what they referred to as “Referral Bonuses,” to DDW. These kickbacks, paid in virtual currency, were a percentage of the profits of all of the activities conducted on the marketplace by any user who made purchases on the marketplace by using DDW’s customized referral link. Through the use of the referral links, DDW received kickbacks from Darknet marketplaces every time a purchaser used DDW to buy illegal narcotics or other illegal goods on the marketplace.

During the time period relevant to this Indictment, DDW’s referral links were widely used by users in the Western District of Pennsylvania and elsewhere to access and then create accounts on many Darknet marketplaces, including AlphaBay Market, Agora Market, Abraxas Market, Dream Market, Valhalla Market, Hansa Market, TradeRoute Market, Dr. D’s, Wall Street Market, and Tochka Market. These Darknet markets offer illegal drugs, fraudulent identification materials, counterfeit goods, hacking tools, malware, firearms, and toxic chemicals. Two of the largest markets included AlphaBay and Hansa Market, which were both seized by law enforcement in 2017. Approximately 23 percent of all orders completed on AlphaBay and 47% of all orders completed on Hansa were associated with accounts created through DDW referral links, meaning that DDW received referral fees for 23%of all orders made on AlphaBay and 47% of all orders made on Hansa.

During the time period relevant to this Indictment, DDW’s referral links were widely used by users in the Western District of Pennsylvania and elsewhere to access and then create accounts on many Darknet marketplaces, including AlphaBay Market, Agora Market, Abraxas Market, Dream Market, Valhalla Market, Hansa Market, TradeRoute Market, Dr. D’s, Wall Street Market, and Tochka Market. When AlphaBay was seized by law enforcement in 2017, it was one of the largest Darknet markets that offered illegal drugs, fraudulent identification materials, counterfeit goods, hacking tools, malware, firearms, and toxic chemicals. Approximately 23.6%of all orders completed on AlphaBay were associated with an account created through a DDW referral link, meaning that DDW received a referral fee for 23.6% of all orders made on AlphaBay.

Over the course of the conspiracy, the defendants referred hundreds of thousands of users to Darknet marketplaces. These users in turn completed hundreds of millions’ of dollars’ worth of transactions, including purchases of illegal narcotics such as fentanyl, carfentanil, cocaine, heroin, and crystal methamphetamine, firearms, including assault rifles, malicious software and hacking tools, stolen financial information and payment cards and numbers, access device-making equipment, and other illegal contraband. Through the use of the referral links, the defendants received kickbacks worth millions of dollars, generated from the illicit sales conducted on Darknet marketplace accounts created through the site.

The defendants grew and promoted the DDW site, which functioned to drive further traffic to the DDW referral links, generating additional income for the defendants. Prihar functioned as the administrator of DDW. He registered the domain, made infrastructure payments and maintained control over site content. Phan was responsible for DDW’s technical operations, designing and maintaining the website’s day-to-day operation. Phan and Prihar communicated on a daily basis to facilitate their criminal enterprise.

From in or before November 2014 until the date of this indictment, the defendants ,,ontrolled a bitcoin wallet that they used to receive the kickback payments for purchases completed on the various Darknet marketplaces. Throughout the course of the conspiracy, DDW operated accounts on Darknet markets and communicated with the operators of various Darknet markets regarding kickback payments.

Between in and around November 2014 and April 10, 2019, DDW received approximately 8,155 bitcoin in kickback payments from Darknet marketplaces, worth approximately $8,414,173 when adjusted for the trading value of bitcoin at the time of each transaction. The bitcoin was transferred to DDW’s bitcoin wallet, controlled by the defendants, in a series of more than 40,000 deposits and was subsequently withdrawn to various destinations both known and unknown to the grand jury through over 2,700 transactions. Due to bitcoin’s fluctuating exchange rate, the value of the bitcoin at the time of the withdrawals from the DDW bitcoin wallet equated to approximately $15,489,415. In seeking to conceal their illicit activities and protect their criminal enterprise and the illegal proceeds it generated, the defendants set up numerous shell companies around the world. The defendants used these companies to move their ill-gotten gains and conduct other activity related to DDW. These companies included WwwCom Ltd., M&T Marketing, Imtech, O.T.S.R. Biztech, and Tal Advanced Tech.

“While there have been successful prosecutions of various Darknet marketplaces, this prosecution is the first to attack the infrastructure supporting the Darknet itself,” said U.S. Attorney Brady. The website has been seized by the FBI based on a court order obtained in the Western District of Pennsylvania.

Image for post
Image for post

“Websites like DeepDotWeb pose global threats that require global partnerships,” said FBI Special Agent in Charge Robert Jones. “DDW acted as a gateway to the Darknet, allowing for the purchase and exchange of illicit drugs and other illegal items around the world, and the individuals charged today profited from those nefarious transactions. The efforts of federal and international law enforcement should send the message that we are coming after the operators of these dangerous websites.”

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store