International Sting Hits Dark Web's Promise of Anonymity

By Masood Farivar August 01, 2017

They are known as the "dark Web" – encrypted corners of the internet that promise anonymity to customers who want to buy or sell illegal drugs, weapons and other contraband.

But these futuristic marketplaces recently became much less anonymous after an international sting captured the addresses of thousands of users and shut down two of the biggest sites: first AlphaBay in early July, and then Hansa Market at the end of the month.

Now, many users are wary of joining the next secretive marketplace, and that's exactly the point.

"Don't be stupid and hop on the next big market," one user wrote on the Reddit discussion forum where users openly trade tips on dark Web markets. "It will most likely be completely run by [law enforcement]."

U.S. and European law enforcement authorities say the closures of AlphaBay and Hansa Market were the largest dark Web criminal marketplace takedown in history.

To dark Web users, the message is clear, said Europol Director Robert Wainwright: "You're not as safe, as anonymous, as you think you are."

The takedown

For U.S. law enforcement agencies, dismantling the criminal dark Web has taken on added urgency in recent years amid a deadly opioid epidemic that feeds off these sites. According to a 2015 study, drug forums and contraband markets made up the largest category of sites on the Tor network.

AlphaBay and Hansa were two of the top three criminal markets on the dark Web, sites that sprang up in the wake of drug market Silk Road's takedown in 2013.

Hansa's users numbered in the five digits; AlphaBay had more than 200,000 customers and 40,000 vendors, making it 10 times as large as Silk Road. It generated nearly $1 billion in sales.

The operation to shutter AlphaBay and Hansa grew out of several independent investigations, according to U.S. Deputy Attorney General Rod Rosenstein.

The investigation into AlphaBay appears to have started as early as 2015 when undercover agents posing as customers started making small purchases on the site. In one case, an agent bought an ATM skimming device; in another, an undercover officer purchased a small quantity of drugs.

In December 2016, investigators got a break when they came across a priceless clue: the site operator's personal email address. In the days after AlphaBay's launch in December 2014, investigators learned, the administrator included his personal email address – Pimp_Alex__91@hotmail.com – in AlphaBay's "welcome email" to new users signing up for the site's discussion forum.

It was the kind of gaffe that had exposed Silk Road's founder and would lead to the downfall of AlphaBay's creator.

Traced to website designer

The email address was traced to Alexandre Cazes, a French-speaking Canadian website designer from Quebec. Born in 1991, Cazes had posted the email address on a tech forum as far back as 2008 and later used it to create PayPal and LinkedIn accounts.

Meanwhile, Europol provided Dutch law enforcement authorities with a lead on Hansa Market that would allow them to identify the site's administrators and locate its servers in Lithuania, Germany and the Netherlands.

"When we knew the FBI was working on AlphaBay, we thought, 'What's better than if they come to us?' " Petra Haandrikman, leader of the Dutch investigative team that brought down Hansa, told cybersecurity blogger Brian Krebs.

Investigators then coordinated the timing of the two sites' takedown. A plan was hatched: The Dutch would move in first, followed by the Americans.

On June 20, as German police arrested Hansa's two German administrators in Germany, Dutch law enforcement authorities moved to seize control of the site. The takeover was seamless.

On July 4, the FBI took AlphaBay offline but made it look like an outage. Unaware that the FBI was on his tail, Cazes swung into action to bring the site back online.

When Thai police, assisted by FBI and U.S. Drug Enforcement Administration agents, raided Cazes' house in Bangkok the next day, they found he'd contacted AlphaBay's server host to request a reboot and was logged into its forum to answer comments by AlphaBay users.

On his unlocked, unencrypted laptop, agents found passwords for AlphaBay, its servers and other online identities associated with the site.

As rumors swirled that AlphaBay operators had absconded in what is known as an "exit scam," authorities sought to quell the talk: AlphaBay was down for maintenance and would be up again soon, they posted on Reddit on July 6.

In the days that followed, the number of users on Hansa jumped 800 percent as AlphaBay users streamed in, according to Wainwright of Europol. To cope with the flood of orders, authorities temporarily closed registration to new users.

"There was a lot of frustration from ex-AlphaBay users that weren't allowed to register on the site," Haandrikman said.

Then on July 20, authorities pulled the plug. The Dutch shut down Hansa, putting up a banner saying the site had been "seized and controlled" since June 20. A nearly identical FBI banner went up on AlphaBay.

U.S. and European authorities went public with the news. Attorney General Jeff Sessions called AlphaBay's seizure "the largest dark Web criminal market takedown in history." Wainwright of Europol said the criminal dark Web had taken "a serious hit" and that there were "more of these operations to come."

Intelligence yield

The intelligence yielded by the Hansa operation "has given us a new insight into the criminal activity of the darknet, including many of its leading figures," Wainwright said.

Dutch authorities said that 10,000 foreign addresses of Hansa Market buyers had been identified and shared with Europol. Over 500 deliveries were stopped in the Netherlands alone. Europol sent "intelligence packages" on drug shipments to law enforcement agencies in 37 countries. Wainwright said the identified users would be subject to follow-up investigation by Europol and partner agencies.

Joseph Campbell, a former assistant FBI director, said the intelligence – users' names and phone numbers, email and IP addresses, banking and wire transfer information – is invaluable to law enforcement authorities looking to dismantle criminal networks on the internet.

"They can utilize that to identify criminals, identify victims, identify sources of the contraband, sources of the funding, transiting of the currency, look for money laundering activities, where the funds coming from, are they going to offshore banks," said Campbell, who is now a director at Navigant Consulting.

The next AlphaBay

Meanwhile, business is down on the dark Web as shell-shocked "AlphaBay refugees" lie low, waiting for the dust to settle. But sooner or later, they'll find a new home.

"Just like a massive gang takedown in a city, some other group is going to come in, unless preventive activities take place, and fill that void even more," Campbell said.

Still, he added, the operation is going to be "deterrent to some individuals."

Law enforcement has long been criticized for playing catch up with criminals. Acting FBI Director Andy McCabe acknowledged the criticism but said that was "the nature of criminal work."

"It never goes away," McCabe said at a July 20 news conference. "You have to constantly keep at it. And you've got to use every tool in your toolbox. And that's exactly what we'll do."

For the FBI, cybercrime represents "a high-priority threat," Campbell said.

"So they're going to continue to target their resources against this threat and work to identify where activities are taking place that are victimizing people," he said.


