The Impact of Dark Web Marketplace Takedowns [AlphaBay and Hansa]
It has been almost seven years since the takedown of the largest dark web marketplace of the time, AlphaBay, and its successor Hansa. Questions still linger about moderator succession and what cybercriminals did next.
But first, let’s recap what exactly happened.
In 2017, a coordinated effort, codenamed “Operation Bayonet” by the Dutch National Police, Europol, and the FBI, shut down the two dark web markets, which together traded over 350,000 illicit commodities, ranging from opioids to ransomware and money laundering. It became known as one of the most sophisticated takedown operations against cybercrime.
AlphaBay, accessed through the Tor network, had over 40,000 vendors at its peak, and over 250,000 listings of drugs and other chemicals, as well as over 100,000 listings for stolen identities, credit cards, counterfeit goods, malware, and firearms, among others. Estimates suggest this marketplace facilitated trades worth USD 1 billion in bitcoin and other cryptocurrencies. Similarly, at the time of the takedown, Hansa was the third largest dark web marketplace, the perfect honeypot for global law enforcement teams to lure in cybercriminals and strike back.
But there were flaws with the operational security takedown of these marketplaces.
Two prongs for two darknet shutdowns
Even today it remains a glittering example of one of the most elaborate and cooperative efforts of international law enforcement agencies to fight cyber criminality. In July 2017 both AlphaBay and Hansa markets were successfully taken down.
However, only AlphaBay was taken offline, raising the question: what exactly happened to the AlphaBay market?
Prong 1: Taking down AlphaBay, the biggest darknet market
AlphaBay was a cutting-edge darknet marketplace that had been facilitating illegal trades since 2014. It was a significantly larger heir apparent to the pioneering darknet platform, Silk Road, which itself had been shut down in 2013.
On 5th July 2017, the Royal Thai Police arrested a Canadian citizen, Alexandre Cazes, in Bangkok, Thailand. He was the alleged founder and administrator of the site, using the code name “Alpha02” in communications.
Thai authorities seized the servers hosting AlphaBay and cut off access to users, but did not publicly announce the closure or takeover of the platform. The rumours this incited among the malicious actors on dark web forums ranged from technical issues to exit scams, in which dark web marketplace administrators shut down the platform and steal the users’ money.
Whatever may have happened with AlphaBay, business continued as usual for its users, who swiftly moved to other marketplaces. As one of the remaining reputable and popular dark web platforms, Hansa drew users and vendors alike, resulting in an eightfold increase in its user numbers.
Prong 2: Preparing the perfect honeypot for cybercriminals
After several years of investigation and research, in 2016, Europol’s European Cybercrime Centre discovered a lead into Hansa’s backend infrastructure.
This was an undercover Europol mission, with shared intel between the Dutch national police, and later with the American authorities. While the American and the Thai authorities worked together to shut down AlphaBay, Europol and the Dutch police had secretly infiltrated and taken control over Hansa’s infrastructure. This essentially led to the creation of a honeypot in the aftermath of the AlphaBay shutdown.
Using this access, the police had modified the platform’s code to collect data from vendors and buyers of counterfeit goods like drugs, toxic chemicals, firearms, malware, and other fraudulent activity. Data including email addresses, passwords, PGP keys, history, messages and more were tracked. It opened up huge data pools and gave global law enforcement teams insights into thousands of cybercriminals.
Julian King, the European Commissioner for the Security Union, commenting on this case, noted that “This latest success demonstrates not just the growing threat posed by increasingly sophisticated criminal enterprises exploiting the largely unregulated space occupied by the internet, but also the vital role of international cooperation.”
It seemed for the moment that law enforcement were handling everything smoothly.
Who were the masterminds behind these dark web marketplaces?
Alexandre Cazes was discovered in Bangkok from a lead the authorities picked up from his own marketplace’s welcome email. It was a welcome email AlphaBay sent to its new users and vendors with a linked Hotmail address in its header. This email was linked to the LinkedIn and MySpace accounts of Cazes.
According to FBI Special Agent Chris Thomas, the fall of these cybercriminals was caused by hubris: “They understood that law enforcement was monitoring their activity, but they felt so protected by the dark web technology that they thought they could get away with their crimes.”
After the arrest, while waiting for extradition to the United States, Cazes apparently died by suicide while in custody in Thailand. Later that month, the US Attorney’s Office in California filed a civil forfeiture complaint against Cazes and his wife’s high value assets located across the globe, including several luxury vehicles, residences, and a hotel in Thailand, as well as millions in cryptocurrency. These were seized by the FBI and the Drug Enforcement Administration.
After the shutdown of Hansa, a follow-up investigation by the Dutch police led to the arrest of two of its administrators, who were German citizens, as well as the seizure of their servers located in the Netherlands, Germany, and Lithuania. The identities of the administrators were not revealed. The Dutch National Police, Europol, the FBI, and the US DEA were involved in the coordinated operation to take down Hansa.
What happened after these huge dark web takedowns?
Despite these takedowns, the impact and consequences of the crimes these marketplaces facilitated continue today.
One major impact has been drug related deaths. At the height of its reign, AlphaBay had over 250,000 listings for illegal drugs and toxic chemicals.
According to complaints filed in the District of South Carolina, an investigation into an overdose death involving a synthetic opioid revealed that the drugs were purchased on AlphaBay. Another complaint in Florida indicates that the fentanyl that caused another overdose death was also purchased on the platform. Multiple overdose deaths across the U.S. have all led back to the malicious and illegal services and goods being sold on AlphaBay and similar platforms.
However, as we saw with the mass migration to Hansa, cybercrime is not limited to specific dark web marketplaces. According to a 2023 research paper by the Institute of Cyber Security for Society, data shows that after a market closes, dark web users move to other reputable markets as soon as possible.
The vacuum created by AlphaBay and Hansa was filled in 2018 by Empire Market. It was subsequently taken down in 2020. This was followed by the seizure of Genesis Market in April 2023. Then came the repeated takedowns and renewals of BreachForums, another dark web forum. Read our blog “Top Threat Actors on the Dark Web | 2023 Recap” for more insights on new players.
AlphaBay 2.0
Though the creator and administrator of AlphaBay was arrested, his second in command, known as “DeSnake,” was still active.
In early August 2021, a user verified by independent sources as “DeSnake” launched AlphaBay 2.0 with a post on the darknet forum “Dread.” They posted: “I want to dedicate this to alpha02 first and foremost we promised each other to go to the bitter end, here I am keeping my end of the deal.”
The new AlphaBay came with several new policies, such as strict restrictions on selling Covid-19 vaccines, fentanyl, firearms, etc. DeSnake also introduced a brand new feature, named AlphaGuard, which aimed to counter secret infrastructure infiltrations and avoid what occurred with Hansa.
AlphaGuard is a technology that, in case of any unexpected changes to any or all of the servers, allows users to withdraw funds and causes the server hosting the market to self-destruct. Only those with administrative access, such as DeSnake, had the ability to disable it, by entering a key within 72 hours.
According to several sources, AlphaBay 2.0 was shut down in 2023 as the result of AlphaGuard being deployed. The administrator, DeSnake, for unknown reasons, was unable to sign off in time, leading to the end of AlphaBay 2.0. DeSnake has not been reported active since then.
Wrapping up
Here is a mini recap of the nuts and bolts of this story so far:
- Coordinated operations by law enforcement agencies (including the FBI, Dutch National Police, Europol) led to the shutdown of AlphaBay and Hansa in 2017. These were significant dark web marketplaces for illegal goods, cybercriminal activity, and malware exchanges.
- After the AlphaBay takedown, unsuspecting users migrated to Hansa, not knowing it was controlled by law enforcement. This ensured that extensive criminal data was collected and facilitated further arrests.
- Despite these takedowns, dark web activity has persisted as users moved to other platforms. This is thanks in part to the fluid resilience of underground marketplaces.
- DeSnake, a pivotal member of AlphaBay, tried to resurrect this marketplace as “AlphaBay 2.0” with enhanced security measures. However, the platform was mysteriously shut down in 2023, further emphasizing the ongoing battle against dark web marketplaces.