
Deep in the recesses of the internet, criminals trade passports, biometrics, and even hacked toothbrushes. In this digital underworld, INCERT, Luxembourg’s digital security watchdog, is keeping watch. Wielding cryptography instead of steel, the agency’s battlefield stretches from Telegram channels to encrypted marketplaces where criminal organisations barter stolen identities, forged documents, and illicit currencies.
INCERT operatives sometimes have to infiltrate hidden networks, negotiating directly with hackers to understand their latest tricks. Since they are in charge of identity management of Luxembourgish passports, operatives even test offers that claim to sell authentic Luxembourgish identities.
“One of the biggest risks for us is that a criminal organisation manages to reproduce the cryptographic material used for issuing travel and identity documents. If it succeeds, we will not be able to differentiate a genuine document from a counterfeit one”, explains Benoit Poletti, INCERT’s CEO and a member of INTERPOL’s Global Cybercrime Group.
One such cautionary tale still circulates among investigators. A darknet vendor offered ten Luxembourg passports, five real, five fake. The truth? None could bypass the fortress of cryptography embedded in a genuine document.
But it is not just about passports. Any given week, you can find credentials from Luxembourgish organisations, utility bills, and even biometric data advertised alongside narcotics. Proof of address and income statements, once trivial paperwork, are now valuable commodities used to bypass financial checks.
“Criminal organisations have a lot of imagination”, Poletti warns.
The currency of this hidden world is, predictably, crypto. “We saw that cryptocurrencies were used to buy firearms and drugs, and even in Luxembourg we identified wallets that were used for this purpose”, Poletti says.
Tracing one such wallet led investigators on a dizzying 50-step journey through Switzerland, the UK, Ukraine, Luxembourg, and Singapore – a trail designed to be untraceable. But INCERT’s forensic mapping eventually uncovered the true holder.
Not all discoveries are so clinical. In 2022, INCERT analysts uncovered a chilling “Christmas catalog” from the darknet, featuring drones, firearms, and even hitmen for hire. In one grotesque stunt, a vendor filmed himself packing narcotics as if they were festive gifts.
“If you want a missile, we can buy one – even a tank or an M16 – wrapped in Santa decorations”, according to Poletti.
Believe it or not, even your bathroom is not safe from the darknet. “We have reached a point where we even have to worry about our toothbrush”, warns Poletti.
He’s not being metaphorical. In one case, criminals hijacked internet-connected toothbrushes and reprogrammed them into a botnet – a network of infected devices – to launch a series of cyberattacks.
The idea of a hacked toothbrush might sound absurd, but it is alarmingly simple. Smart toothbrushes connect to apps via Bluetooth or Wi-Fi. If that connection is not secure, hackers can exploit software vulnerabilities and take remote control.
Once compromised, thousands of toothbrushes can be linked together to flood targeted servers with traffic, overwhelming them in a distributed denial-of-service (DDoS) attack. The toothbrush itself is not the target but an unwitting foot soldier in a larger assault.
While these threats are very real, Luxembourg is far from defenseless. In the shifting labyrinth of the darknet, INCERT, amongst other entities, fights this borderless war where vigilance is the last line of defense.
“There is no regulation on the Darknet, what matters for criminal organizations is again money, and they are ready to sacrifice anything and anyone to achieve this goal,” said Poletti.
While INCERT’s specialists patrol these hidden corridors, the public must also take precautions. Using strong authentication, keeping devices updated, and treating personal documents with care are simple but effective steps. The darknet may be a hidden world, but its consequences are very real.
Protecting your personal information is no longer optional; it’s an act of self-defense.
This entry concludes the Dark Web Diaries.