Buying drugs online in Cambodia, is it really Anonymous?

Author: Buzz Killington
Category: Analysis


The Cambodia party underground is buzzing about a new way to get a kick. In January, a team of psychedelics enthusiasts from Ukraine launched Cambodia’s first online shop to sell party drugs. They call themselves bees, but it is not honey they hunt. They use a Russian concept of “treasure hunting” designed to protect drug dealers and customers. A customer places an order using the encrypted chat messenger Telegram and pays the drug dealers using the anonymous cryptocurrency Bitcoin. The drug dealer then leaves the drug package, the “treasure”, somewhere in public and sends the GPS coordinates to the buyer. The buyer follows the coordinates and retrieves the package from the location, and everything is anonymous and untraceable. At least, that’s what they’d like to believe. In this article Khmer440 goes undercover to find out how anonymous it really is.

Beeeshop operates in the open. The website is available in English, Khmer and Chinese. It is hosted in Amsterdam by a Cypriot company called Hostinger and the owners pay for everything using Bitcoin. They advertise and sell party drugs like cocaine, cannabis, Ecstasy, LSD and amphetamine.

By posing as a customer, Khmer440 was able to infiltrate secret chat groups operated by the shop owners that they use to advertise and communicate with their customers. We gained insight into their operations and were able to identify members of the chat groups using Telegram profile data and mapping social relations of members.

Their administrators wrote in a chat group that a thread about them on the Khmer440 forum was promotional content paid for by them. Khmer440 strongly denies this accusation.

The mastermind behind the operation is a man from Ukraine believed to be in his early 30s. The man uses the alias shiva Om on a Russian-language internet forum where drug users and shop administrators review webshops and products and where shop owners ask each other for help. He joined the forum in 2014 and has written over 310 posts, leaving a detailed trail of his own drug purchasing habits and reviews of different shops and products. To gain respect among his peers on the forum he also advertises his own shop, urging forum visitors to travel to Cambodia and sample his products.

Beeeshop advertises its products in an invite-only chat group on Telegram. It was created on 3rd January with 54 members and was originally intended for customers to post reviews of the products they had purchased from Beeeshop. It was later renamed to FULL POWER CHAT and started to target the Cambodia party underground. A separate chat group named Reports and Reviews was created for reviews instead.

Administrators of the chat group invite everybody they chat with on Telegram to the FULL POWER CHAT group. Group members are in turn urged to invite their friends in exchange for coupons worth $10 for every 10 friends they invite who also purchase product from Beeeshop, imitating multilevel marketing companies. Customers are also rewarded with $10 coupons for each product review that they post in the Reports and Reviews group.

By analyzing the Telegram groups, Khmer440 could identify a large portion of Beeeshop customers and staff members. At the time of writing the group has a total of 171 unique members. Another 63 unique Telegram accounts were members at some time but have since left the group, so 234 unique accounts are or have at some time been members. Members were added 120 times by 24 unique members, and the invite link was used 67 times.

Khmer440 was able to identify 64 chat members from their photographs and 33 from their Telegram aliases. In total Khmer440 could identify 66 identities of members of the chat group using only public Telegram profile data. Most members speak Russian but the diversity is high. The members include a Russian dentist, an Italian pilot, a Filipino photo model and an Irish teacher.

When a user places an order they receive an automated message with a receipt containing an order ID, which is a sequential number. Through the sequential number every paying customer can determine how many orders Beeeshop has had in total. Until 30th April there were a total of 82 confirmed orders. At the time of writing it is estimated that they have completed 89 orders in total.

Their most active staff member uses the alias Frank Lampard, named after the head coach of Premier League club Chelsea. Frank Lampard is more engaged than the main Beeeshop admin account, “🐝”, an account registered with a Smart Axiata prepaid SIM card. “🐝” and Frank Lampard often post admin messages at the exact same time, indicating that one person is behind multiple aliases.

Screenshots posted on Telegram by Frank Lampard show that he is using Telegram on an Android device. His screen resolution reveals that he is most likely using a Pixelphone M1. He connects to Telegram through SOCKS5 proxy servers to conceal his IP address. shiva Om has posted several times on the Russian drug forum asking other posters for opinions about specific SOCKS5 proxy servers.

He uses Google Translate because his English knowledge is lacking.

In April, shiva Om wrote a thread on the forum asking for beginner help on how to operate a website on the Tor network. The Tor network is often used for online drug trade; for example, it was used by the notorious Silk Road marketplace. It appears that shiva Om has not yet succeeded in moving his shop to the Tor network.

It is clear that Cambodia’s first illegal online store for drugs is operated by a team of opportunistic chancers who are hoping to learn how to operate securely as they go, not by savvy technical geniuses. Although they are studying the market and have picked up some key concepts, they have ultimately failed to stay safe. In their desperation to enter the market quickly they have sacrificed consumer safety in the name of marketing gimmicks. A carefully planned sting operation could bring down the whole network, trapping all the bees inside a honeypot.

KHMER440
