Online drug dealers have been getting sloppy, with some even unwittingly uploading the exact coordinates of their location when placing ads on the dark web. Though marketplaces on the Internet’s shady underside can only be accessed using software that renders users’ IP addresses untraceable, some vendors have been shooting themselves in the foot by uploading geo-tagged photos of their goods.

The blunder was spotted by Harvard seniors Paul Lisker and Michael Rose, who, while conducting a project for a class on privacy and technology, noticed that many dark web users don’t delete the piece of data called EXIF that accompanies photographs. EXIF can include all sorts of details, such as the time a photo was taken and the make and model of the camera. These days, many smartphones with built-in GPS trackers include a geo-tag in this data, providing the precise location that a photograph was taken.

While you might expect tech-savvy dark web users to be wise to this, Lisker and Rose found that some are not taking precautions to prevent this information from being shared. When analyzing 7,522,284 images in dark web adverts for drugs, they discovered 2,276 geo-tagged photographs, coming from 229 unique locations.

They then compiled this interactive map, showing where these blundering sellers are based. Although the location data contained within EXIF is extremely precise, Lisker and Rose have removed the decimals from the numbers in order to protect users’ privacy, showing their whereabouts to within a mile or so.

Though most online drug dealers take precautions to protect themselves by deleting EXIF data before uploading pictures, it is also in the interest of the dark web marketplaces themselves to ensure this data does not get shared. One such marketplace, known as Agora, seems to have wisened up to this on March 18, 2014, after which date no more geo-tagged photos appeared on the site, suggesting that the administrators deployed some sort of technique to remove this data from all pictures.