The Strange Case of Oxymonster

By Stephen Heath – VP of Security – Intrinium 

In August of 2017, a 38-year-old Franco-Israeli by the name of Gal Vallerius boarded a plane bound for Austin, TX. His destination? The World Beard and Moustache Championships.

Gal’s hopes were likely high. After all, he had placed 8th two years earlier and his long, red beard was nearly legendary.
Little did he know that the DEA was waiting…

Plusquellec, a town in northwestern France with fewer than 600 inhabitants, was where Gal made his home with his young Russian wife, Yasmin. His fellow residents described him as quiet and eccentric, but harmless. Aside from frequenting a local McDonald’s drive-thru, he kept to himself, often hiking nearby trails with her. Little did his fellow residents of this Brittany hovel know that Gal Vallerius was harboring a secret: he was an online drug dealer known by the handle “Oxymonster.”

On the Darknet’s Dream Market, Gal Vallerius first made his name by selling OxyContin and Ritalin, before rising through the ranks to become an admin and senior moderator. It was this high-profile position that first led investigators to begin targeting “Oxymonster.”

In the security community, there are often rumors of attacks against Tor (the anonymity network that is the backbone of the Darknet). Rumors persist that the feds have compromised the Tor network and that hidden 0-days exist to expose the internet’s bad actors. While all this is very possible, this case cracked like so many before it: Gal Vallerius was sloppy.
The South Florida High-Intensity Drug Trafficking Area Task Force (HIDTA) was able to identify a “tip jar” attached to Vallerius’s Dream Market profile. (A tip jar allows marketplace users to donate to admins and vendors to thank them for their services.) By analyzing the outgoing transactions, law enforcement was able to determine that 15 of 17 transactions went to bitcoin wallets registered to Gal Vallerius.

Furthermore, they also performed linguistic analysis on his Twitter and Instagram accounts to identify similarities in language with OxyMonster’s posts on Dream Market. This analysis yielded common patterns such as double exclamation points, frequent quotation marks, the use of the word “cheers,” and occasional French posts.

As Gal and Yasmin Vallerius disembarked Delta Flight 83 for a layover in Atlanta, the DEA was waiting. According to court documents, Special Agent Lilita Infante had requested that customs pull the pair aside for additional questioning. During this questioning, Vallerius freely provided the customs officer with passwords to his laptop, iPhone, and iPad.

Infante’s DEA team quickly located his Tor browser, login credentials to the Dream Market, an encryption key entitled “OxyMonster” that matched the one on Dream Market, and a half-million dollars in bitcoin. The DEA agents then moved in and arrested the man, with his wife returning quickly to France.

Vallerius would later try to challenge this search in court, saying he believed he was under arrest and wasn’t read his Miranda rights at the time of the border questioning, but to no avail. The real reason Gal Vallerius spoke so freely? He was high at the time of his arrest.

Gal Vallerius would eventually plead guilty to conspiracy to possess with the intent to distribute controlled substances and conspiracy to launder money. As part of his plea deal, he will be allowed to serve out part of his sentence in Israel or France.

Gal’s sentencing is scheduled for September 25, 2018.

Reference Articles: Regmedia & Paris Match

Want to learn more about Oxymonster and the deep “dark” net?

Check out our most recent webinar, “Exploring Darknets,” in which Stephen takes you on a deep dive into the Darknets and gives you a glimpse into the wretched hive of scum and villainy where everything from prescription drugs, PHI, and credit cards to organs is rumored to be bought and sold.
