DEF CON 33 Recon Village - Pretty Good Pivot - Simwindie
Description
This presentation explores how cybersecurity investigators can leverage PGP public key metadata to unmask darknet vendors. By analyzing key creation habits and common OPSEC failures, the speaker demonstrates practical techniques for pivoting from encrypted keys to real-world identities.
The PGP Pivot: Unmasking Darknet Vendors Through Metadata and OPSEC Failures

In the shadowy corners of the darknet, vendors rely on a trifecta of anonymity: Tor for network routing, Monero for financial privacy, and PGP for communication. However, the very tools meant to protect them often become their undoing. In his DEF CON 33 talk, Sin Windy reveals a critical flaw in the darknet's armor: the metadata hidden within PGP public keys. For an OSINT investigator, a PGP key isn't just a string of characters; it is a potential roadmap to a real-world identity. This post explores the methodologies and case studies presented at the Recon Village, demonstrating how investigators can pivot from a public key to a physical doorstep.

PGP, or Pretty Good Privacy, uses asymmetric encryption. A vendor shares their public key so buyers can encrypt messages that only the vendor's private key can decrypt. When creating these keys, software like GnuPG prompts for a name and email. While these fields are optional, many vendors, driven by a need for customer support or sheer habit, fill them with data. This information is stored in the User ID (UID) packet of the public key. If a vendor uses a personal email or a username linked to their clear net presence, the encryption layer becomes irrelevant to the task of unmasking.

Understanding the PGP Packet Structure

Every PGP public key is composed of packets. To peek under the hood, investigators use the GnuPG utility. By running gpg --list-packets [keyfile], you can view the raw structure of the key without importing it into your keyring. The goal is to locate the user ID packet, which contains the text string entered during the key's creation. Many vendors fail to realize that this string remains in the public key even after it is exported to a darknet profile.

Automating the Hunt

Analyzing hundreds of keys manually is inefficient. Sin's methodology involves three main steps. First, hashing: create a SHA-256 hash of the key file. If the same hash appears on multiple market profiles, those accounts are linked regardless of the username. Second, extraction: use grep and regex to pull email addresses from the GPG output. Third, validation: use Whois lookups to ensure the domain is active and not a dummy string. Once emails are extracted, they are cross-referenced against data breach repositories like Have I Been Pwned. A hit in a breach like LinkedIn or MySpace is a gold mine because it proves the email was used for personal social media long before the darknet enterprise began.

Case Study 1: The Cameroonian Scammer

A vendor selling malware and hacking services was found using a Gmail address in their PGP key. A quick Google search revealed this email was spammed across clear net forums, gun-selling sites, and even niche community forums. The vendor had been reported on Ripoff Report by victims of their fraudulent services. The smoking gun was found in correspondence where the vendor instructed victims to send money via money order to a specific name in Cameroon. This case highlights that for many vendors, the darknet is just one of many platforms they use for illicit activity, and their clear net footprint is often much larger.

Case Study 2: The Scribe Metadata Slip-up

A vendor of fake identity documents practiced better hygiene by not spamming their email across the web. However, they used the document-sharing site Scribe. To bypass download limits, the vendor uploaded their own templates and personal files. One spreadsheet contained metadata with a unique author username. This username appeared on only two sites globally: a Nigerian forum and a Facebook profile. This illustrates that OPSEC is only as strong as your weakest link: in this case, an automated metadata field in an Excel document that the vendor forgot to scrub.

Case Study 3: InfoStealers and the Brazilian Connection

The most advanced pivot involved an adult content vendor. Sin found an older PGP key associated with the vendor's brand that contained a Hotmail address with a full, unique real name. While the vendor had since moved to a clean PGP key, their branding and history remained linked. Using InfoStealer logs (specifically Azzarel logs via Hudson Rock), Sin found that the vendor's machine had been compromised. The logs revealed redacted Gmail and Yahoo accounts that followed the same naming pattern. Cross-referencing these with Facebook followers in Brazil allowed the investigator to find the vendor's real profile through a mutual friend network. This technique of using commercial threat intelligence to fill in the blanks of a target's digital life is a powerful advancement in OSINT.

Mitigation & Defense

For researchers, the lesson is clear: never ignore the metadata. For defenders and those interested in privacy, the recommendation is simple: leave the User ID fields blank when generating keys for sensitive work. Use a unique key for every persona and avoid clear net email providers like Gmail or Yahoo. PGP keys should be rotated, and metadata scrubbing should be part of every upload process.

Conclusion

The work of Sin Windy at DEF CON 33 serves as a stark reminder that technology is rarely the weakest point in a security chain; humans are. The Pretty Good Pivot isn't just about PGP; it's about the persistence of identity across the digital landscape. As long as darknet actors continue to prioritize convenience over strict OPSEC, the public keys they use to hide their messages will remain the keys investigators use to find them. The research proves that with the right pivot points and a bit of automation, the darknet is far more transparent than its inhabitants believe.
AI Summary
In this DEF CON 33 Recon Village presentation, Sin (also known as Sin Windy), a certified cybercrime investigator and founder of OSINT Dojo, explores the often-overlooked value of PGP public keys as pivot points in investigations. While PGP is primarily intended for message encryption and verification, the metadata associated with key creation—specifically the User ID packet—frequently contains incriminating information that can lead directly to the unmasking of darknet vendors. The presentation targets investigators and researchers interested in darknet reconnaissance and demonstrates how even tech-savvy actors fail at basic operational security (OPSEC).

Sin outlines a methodology involving the mass collection and analysis of vendor public keys. Between 2023 and 2024, he collected 710 vendor profiles across ten darknet markets, including now-seized platforms like Nemesis, Abacus, and AlphaBay. He specifically focused on vendors of digital items like malware, hacking services, and cracked software, assuming they might have better OPSEC than physical goods dealers—an assumption that proved largely incorrect.

The analysis process was automated using GnuPG tools. By running the `gpg --list-packets` command, Sin extracted User ID packets to find names and email addresses. He used hashing to identify key reuse across different markets, finding that 30 percent of vendors reused the same key for multiple profiles, effectively linking their activities across disparate markets. Furthermore, he used regex to isolate email addresses and Whois lookups to confirm domain validity. Out of 479 unique keys found, 218 contained valid email domains, and 61 of those emails appeared in past data breaches tracked by Have I Been Pwned. Significant breaches included LinkedIn, MySpace, and the highly damaging Verifications.io breach, which leaked names, addresses, and phone numbers.

The speaker provides three compelling case studies. The first involves a hacker for hire in Cameroon who used a Gmail account linked to numerous clear net scam advertisements and ripoff reports. The vendor's identity was confirmed through money order instructions provided to victims. The second case study features a Nigerian vendor of fake identity documents. This individual used a Gmail account to upload documents to the platform Scribe. Metadata within a spreadsheet uploaded by the vendor contained a unique username, which led to a Facebook profile. The third case study tracks an adult content vendor to Brazil. By pivoting from an old Hotmail address found in a PGP key, Sin identified the target in InfoStealer logs from the Azzarel malware. These logs revealed additional Gmail and Yahoo accounts, ultimately leading to a mutual friend network on Facebook that unmasked the individual.

The presentation concludes that while Tor and PGP provide strong technical anonymity, they cannot compensate for poor human habits. Darknet vendors are just as susceptible to OPSEC failures as any other user, and for investigators, these failures represent the most viable path to attribution.
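As an added example (not the speaker's tooling), the following Python does offline what the gpg --list-packets, regex and SHA-256 steps described in both the description and the summary do: it walks the binary OpenPGP packets of a public key, pulls the User ID strings, extracts any email addresses, and hashes the key so reuse across profiles can be spotted. The sample key is constructed for this example; its public-key packet holds placeholder bytes, not real key material, and the UID values are invented.

```python
import hashlib
import re

def _pkt(tag, body):
    # New-format OpenPGP header (RFC 4880 4.2.2); sample bodies are under 8384 bytes
    n = len(body)
    length = bytes([n]) if n < 192 else bytes([192 + ((n - 192) >> 8), (n - 192) & 0xFF])
    return bytes([0xC0 | tag]) + length + body

# Constructed sample key: the public-key packet (tag 6) carries placeholder bytes,
# not real key material; the two User ID packets (tag 13) are what the pivot uses.
SAMPLE_KEY = (
    _pkt(6, b"\x04" + b"\x00" * 4 + b"\x01" + b"\x00" * 32)
    + _pkt(13, b"vendor-handle")
    + _pkt(13, b"Alice Example <Alice.Example@gmail.com>")
)

def iter_packets(data):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        t = data[i]
        if not t & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if t & 0x40:  # new format: tag in the low 6 bits, variable-length body length
            tag, first = t & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old format: tag in bits 2-5, length-type in bits 0-1
            tag, ltype = (t >> 2) & 0x0F, t & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            length = int.from_bytes(data[i + 1:i + 1 + (1 << ltype)], "big")
            i += 1 + (1 << ltype)
        yield tag, data[i:i + length]
        i += length

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def pivot_fields(key):
    """Per-key record: SHA-256 for reuse linkage, raw UID strings, and emails found in them."""
    uids = [b.decode("utf-8", "replace") for tag, b in iter_packets(key) if tag == 13]
    emails = sorted({m.group(0).lower() for u in uids for m in EMAIL_RE.finditer(u)})
    return {"sha256": hashlib.sha256(key).hexdigest(), "uids": uids, "emails": emails}
```

Running pivot_fields over your own exported key before publishing it is a quick way to confirm the UID packet carries nothing you did not intend to disclose (the input must be a binary key, so dearmor an ASCII-armored export first).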