AlphaBay Shutdown Drove Users to Hansa, Where Police Were Already in Control
At a Thursday news conference, the FBI and Europol announced that they’ve jointly seized the world’s two biggest darknet – or dark web – marketplaces, AlphaBay and Hansa, which were collectively responsible for more than 10 times the sales volume of the notorious Silk Road marketplace.
AlphaBay launched in December 2014 and boasted more than 200,000 members and 40,000 vendors. Like Hansa, AlphaBay offered for sale everything from weapons and drugs to healthcare data and counterfeit payment cards.
But AlphaBay went dark over the July 4 weekend, leading users to suspect either that the administrators had committed an “exit scam” – disappearing with the millions of dollars’ worth of cryptocurrency being traded between buyers and sellers – or that the site had been shut down as part of a law enforcement operation.
It turns out that AlphaBay was shuttered thanks to an FBI and Drug Enforcement Agency-led operation, called Bayonet, that identified the site’s administrator, Canadian citizen Alexandre Cazes, 26. On July 5, at the request of the U.S. Department of Justice, he was detained by police in Thailand, where he was residing (see Darknet Marketplace AlphaBay Offline Following Raids).
Cazes was later found dead in his jail cell, apparently after taking his own life.
In the wake of AlphaBay going offline, security experts predicted many users would flock to alternative marketplaces, including the world’s then-largest darknet marketplace, called Hansa.
But it turns out that Dutch police had led an investigation that resulted in the arrest of two Hansa administrators in Germany and the seizure of servers in the Netherlands, Germany and Lithuania. On June 20, Dutch National Police secretly took control of the Hansa marketplace, under Dutch judicial authorization.
Hansa was shut down one month later, on July 20. Seizure notices then appeared on the homepages of both AlphaBay and Hansa.
Secret Hansa Admins: Dutch Police
In the interim, however, Dutch police watched and recorded everything that happened on Hansa.
“In the past few weeks, the Dutch police collected valuable information on high-value targets and delivery addresses for a large number of orders. Some 10,000 foreign addresses of Hansa market buyers were passed on to Europol,” according to a statement released by Europol, which is the EU’s law enforcement intelligence agency.
Authorities say they shared intelligence with 37 countries, including details about 38,000 drug-related transactions. In addition, Dutch police have passed 10,000 non-Dutch mailing addresses tied to Hansa market buyers to Europol.
“This is an outstanding success by authorities in Europe and the U.S.,” Rob Wainwright, the executive director of Europol, said at the Thursday news conference in Washington, where he appeared alongside the U.S. Attorney General, the acting director of the FBI, and the deputy director of the U.S. Drug Enforcement Administration.
“The capability of drug traffickers and other serious criminals around the world has taken a serious hit today after a highly sophisticated joint action in multiple countries,” Wainwright said. “There are more of these operations to come.”
The immediate impact of the takedown appears to be significant: it has disrupted transactions, resulted in a loss of cryptocurrency for buyers and sellers, and potentially outed thousands of darknet marketplace users. “According to Acting FBI Director Andrew McCabe, AlphaBay was 10 times the size of the Silk Road – formerly the largest DDW [darknet and deep web] marketplace that was responsible for over $1 billion in narcotics sales,” says Ronnie Tokazowski, a senior malware analyst at security intelligence firm Flashpoint, in a blog post.
Expect Follow-On Investigations
Alan Woodward, a computer science professor at Surrey University who advises Europol – the EU’s law enforcement intelligence agency – on cybersecurity, says that police will now be chasing down the leads obtained from this takedown.
Let this sink in for a moment – the Dutch police have been running Hansa for a month so they have all sorts of lovely user details.
— Alan Woodward (@ProfWoodward) July 20, 2017
Europol says Dutch police reaped a bonanza of intelligence after monitoring Hansa for one month. “It meant the Dutch police could identify and disrupt the regular criminal activity on Hansa but then also sweep up all those new users displaced from AlphaBay who were looking for a new trading platform,” according to Europol. “In fact they flocked to Hansa in their droves, with an eight-fold increase in the number of new members of Hansa recorded immediately following the shutdown of AlphaBay.”
Europol says that it’s supporting ongoing efforts by the FBI, DEA, the Dutch National Police and other agencies and partners “on the forensic work that needs to be performed on huge amounts of seized material.”
Darknet Markets: Caveat Emptor
The forum takedowns demonstrate the promise and peril of darknet marketplaces for buyers, sellers and their administrators. On the one hand, such forums offer partial anonymity, bolstered by the pseudo-anonymizing Tor browser and cryptocurrency, and allow people to obtain all manner of illegal merchandise – from illegal narcotics to assault rifles to malware.
On the other hand, when police manage to infiltrate a forum and can monitor activities on it wholesale, they can easily amass extreme amounts of intelligence that can be used to “follow the money,” unmasking numerous forum users in one fell swoop.