Articles
Bench & Bar of Minnesota is the official publication of the Minnesota State Bar Association.

Stephen Allwine: When crime tries to cover its digital tracks

In late 2016, I was approached by the Washington County (MN) Attorney’s Office to conduct forensic analysis on a number of devices in a homicide investigation. It soon became clear that the case would be one of the most interesting of my career, involving murder-for-hire, religious convictions, insurance money, infidelity, and a distinctly modern element—the Dark Web—that combined to make for one of the most tragic and complex cases I’ve encountered.

The Dark Web, a broad term used to describe the 83 percent of the internet inaccessible through common search engines like Google or Bing, is where many people go to find illegal drugs, child pornography, stolen credit card numbers, and hacking services (though not every service and product available in this online marketplace is illegal). Enter defendant Stephen Allwine: After his attempts to hire a hitman on the Dark Web failed, Allwine murdered his wife in their Cottage Grove home and staged it as a suicide. In January 2018, Allwine was sentenced to life in prison; forensic analysis played a critical role in fleshing out the narrative details that helped the jury make their decision.

In 2015, Steve Allwine began exploring a website known for neither its upstanding moral quality nor its cybersecurity strength—Ashley Madison. Through this cheating website, Steve began experimenting with extramarital affairs and the underbelly of the internet. Analysis of Allwine’s devices revealed communications with at least two women through the site; their conversations illustrated Allwine’s dissatisfaction with his marriage and his desire to become involved with other women, unhindered.

Exploring the Dark Web

While Ashley Madison itself is not part of the Dark Web, I would consider it to be a kind of gateway to the darker aspects of internet usage. It wasn’t long after his first few Ashley Madison-initiated affairs that the Dark Web became a prominent part of Steve Allwine’s browsing.

Jurors learned that Allwine first discovered Ashley Madison as a marriage counselor for couples in his church. Though Allwine ultimately initiated affairs through this site—many users who sign up for Ashley Madison and similar cheating sites don’t actually end up having affairs—he still did not regard divorce as an option. Constrained by the marital requirements of his church, Allwine took a dive into the Dark Web to search for other solutions to his predicament. It wasn’t long before Allwine discovered Besa Mafia, a Dark Web group claiming to provide anonymous hitman services.

Besa Mafia was a Dark Web vendor that advertised themselves with the slogan “Hire a killer or a hacker.” The enterprise was later revealed to be a scam, but Allwine—using the pseudonym “dogdaygod”—communicated extensively with Besa Mafia, communications which were subsequently released to the internet. These communications included multiple references to Amy Allwine and included her home address, phone number, physical description, and a photograph. One particularly thorough attempt to organize the hit once and for all involved Allwine providing particular location information, a current picture, and a description of her vehicle. Of particular note was the photo shared, which was subsequently discovered in a folder on one of Allwine’s devices. But the hit he sought to arrange never occurred, and Allwine would later report his lost thousands of dollars to the police.

While Allwine clearly endeavored to remain invisible on the Internet, a key piece of evidence unequivocally tied him to a Bitcoin payment made to Besa Mafia for the murder of Amy Allwine: a unique, 34-digit alpha-numeric Bitcoin wallet address typed out in his iPhone’s Notes app that had been deleted. This Bitcoin address matched the one used by “dogdaygod” to make a payment to Besa Mafia.

Though Bitcoin has become increasingly popular in recent months even among non-Dark Web users, it remains the preferred currency for Dark Web exchanges. The address found in Steve Allwine’s deleted note proved to be critical to the case. As Washington County prosecutor Fred Fink explained later, “It was absolutely vital for the State to prove that ‘dogdaygod’ was, in fact, Stephen Allwine. With that connection made, we were able to show intent to kill and premeditation.”

A pattern of deception

My analysis of Steve Allwine’s devices also reveal a steady pattern of anonymizing service use, disposable account creation, and a desire to conceal his identity from law enforcement. My office was provided with a staggering 66 devices—a huge number in comparison to the typical homicide case. Allwine used multiple devices to further obscure his online activity. On his Reddit account, also using the pseudonym “dogdaygod,” Allwine frequently researched questions pertaining to safe use of the Dark Web, the likelihood of law enforcement presence on the Dark Web, how to use disposable computers, and how to remain anonymous on the Internet. To access the Dark Web, Allwine used virtual private network services and the TOR network. These services act as portals to the Dark Web and encrypt accessed information by relaying it through a series of other networks. Incredibly, Allwine also used disposable email accounts to report evidence of his stolen Bitcoin to police after the hit did not materialize. He even created a fictitious person to frame for the stolen Bitcoin.

Allwine’s digital narrative also revealed a browsing history consistent with his intention to murder Amy and his desire to frame fictitious parties. On more than one occasion, Allwine reviewed his and Amy’s insurance policies as well as real estate and future home construction possibilities. In an effort to blame an unidentified third party, Allwine sent his wife a threatening email using an anonymous email service—after he had used doxxing (the process by which personal information is bought and sold on the Internet, often with malicious intent) to uncover information about Amy’s family to personalize his email and make it appear as if it was sent by a business rival.

Ultimately, forensic analysis shed light on the actual truth of what occurred, which pointed solely to Stephen Allwine as the guilty party. This case incorporates some of the most complicated aspects of digital evidence. It was complex in part because Allwine had done everything in his power to conceal his activity, remain anonymous, and hide as much as possible about his intent. Digital forensic analysis revealed critical details that filled in gaps in the physical evidence—gaps that may have inspired doubt in the jury and led to a different verdict. As Washington County attorney Pete Orput described the role of digital evidence in this case, “Mark’s forensic work and testimony about it to a jury made my murder case seem simple and overwhelming, and without this work the case would have been a horse race.”

 

MARK LANTERMAN is the chief technology officer of Computer Forensic Services. A former member of the U. S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security and forensic experience and has testified in over 2,000 cases.

Leave a Reply

Articles by Issue

Articles by Subject