The Impact of Dark Web Marketplace Takedowns [AlphaBay and Hansa]
Table of contents
In July 2017, law enforcement pulled off one of the most sophisticated sting operations in cybercrime history. While AlphaBay’s 400,000 users were being locked out of the largest dark web market ever built, Dutch police were secretly running its replacement — Hansa — harvesting criminal data for weeks before shutting that down too. This is how Operation Bayonet worked, why it succeeded where others failed, and what happened to the dark web economy afterwards.
AlphaBay alone had over 250,000 drug listings, 100,000 listings for stolen identities and malware, and was processing between $600,000 and $800,000 in transactions every single day at its peak, roughly ten times the size of Silk Road when that was seized in 2013. Estimates suggest this marketplace facilitated trades worth USD 1 billion in bitcoin and other cryptocurrencies. Similarly, at the time of the takedown, Hansa was the third largest dark web marketplace, the perfect honeypot for global law enforcement teams to lure in cyber criminals and strike back.
But there were flaws with the operational security takedown of these marketplaces.
Two prongs for two darknet shutdowns
Even today it remains a glittering example of one of the most elaborate and cooperative efforts of international law enforcement agencies to fight cyber criminality. In July 2017 both AlphaBay and Hansa markets were successfully taken down.
However, only AlphaBay was taken offline, begging the question, what exactly happened to AlphaBay market?
Prong 1: Taking down AlphaBay, the biggest darknet market
AlphaBay, was a cutting edge darknet marketplace that has been facilitating illegal trades since 2014. It was a significantly larger heir apparent to the pioneering darknet platform, Silk Road, which itself had been shut down in 2013.
On 5th July 2017 the royal Thai police arrested a Canadian citizen, Alexandre Cazes in Bangkok, Thailand. He was the alleged founder and administrator of the site, using the code name “Alpha02” in communications.
Thai authorities seized the servers hosting AlphaBay, and cut off access to users, but did not publicly announce the closure or takeover of the platform. The rumours this incited among the malicious actors on dark web forums ranged from technical issues, to exit scams in which dark web marketplace administrators shut down the platform and to steal the users’ money.
Whatever may have happened with AlphaBay, business continued to as usual for its users, who swiftly flocked to other marketplaces. As one of the remaining reputable and popular dark web platforms, users and vendors alike flocked to Hansa, resulting in Hansa experiencing an eight fold increase in user numbers.
Prong 2: Preparing the perfect honeypot cybercriminals
After several years of investigation and research, in 2016, Europol’s European Cybercrime Centre discovered a lead into Hansa’s backend infrastructure.
This was a undercover Europol mission, with shared intel between the Dutch national police, and later with the American authorities. While the American and the Thai authorities worked together to shut down AlphaBay, Europol and the Dutch police had secretly infiltrated and taken control over Hansa’s infrastructure.
During the weeks Dutch police covertly operated Hansa, they collected the real IP addresses of vendors, reset security settings to expose buyer locations, and passed 10,000 international delivery addresses to Europol. It was a deliberately engineered intelligence operation, not just a takedown. This essentially led to the creation of a honeypot in the aftermath of the AlphaBay shut down.
Using this access, the police had modified the platform’s code to collect data from vendors and buyers of counterfeit goods like drugs, toxic chemicals, firearms, malware, and other fraudulent activity. Data including email addresses, passwords, PGP keys, history, messages and more were tracked. It opened up huge data pools and gave global law enforcement teams insights into thousands of cybercriminals.
Julian King, the European Commissioner for the Security Union commenting on this case noted that, “This latest success demonstrates not just the growing threat posed by increasingly sophisticated criminal enterprises exploiting the largely unregulated space occupied by the internet, but also the vital role of international cooperation.”
It seemed for the moment that law enforcement were handling everything smoothly.
Who were the masterminds behind these dark web marketplaces?
Alexandre Cazes, was discovered in Bangkok from a lead the authorities picked up from his own marketplace’s welcome email. It was a welcome email AlphaBay sent to its new users and vendors with a linked hotmail address in its header. This email was linked to the LinkedIn and MySpace accounts of Cazes.
According to FBI Special Agent Chris Thomas, the fall of these cyber criminals was caused by hubris, “They understood that law enforcement was monitoring their activity, but they felt so protected by the dark web technology that they thought they could get away with their crimes.”
After the arrest, while waiting for extradition to the United States, Cazes apparently died by suicide while in custody in Thailand. Later that month, the US Attorney’s Office in California filed a civil forfeiture complaint against Cazes and his wife’s high value assets located across the globe, including several luxury vehicles, residences, and a hotel in Thailand, as well as millions in cryptocurrency. These were seized by the FBI and the Drug Enforcement Administration.
After the shutdown of Hansa, a follow up investigation by the Dutch police lead to the arrest of two of its administrators who were German citizens, as well the seizure of their servers located in the Netherlands, Germany, and Lithuania. The identities of the administrators were not revealed. The Dutch National Police, Europol, the FBI, and the US DEA were involved in the coordinated operation to take down Hansa
What happened after these huge dark web takedowns?
Despite these takedowns, the impact and consequences of the crimes it facilitated continues to today.
One major impact has been drug related deaths. At the height of its reign, AlphaBay had over 250,000 listings for illegal drugs and toxic chemicals.
According to complaints filed at the District of South Carolina, an investigation into an overdose death involving a synthetic opioid exposed that the drugs were purchased on AlphaBay. Another complaint in Florida indicates that the fentanyl that caused another overdose death was also purchased on the platform. Multiple overdose deaths across the U.S. have all lead to the malicious and illegal services and goods being sold on AlphaBay and similar such platforms.
However, as we saw with the mass migration to Hansa, cybercrime is not limited to specific dark web marketplaces. According to a 2023 research paper by the Institute of Cyber Security for Society, data shows that after a market closes, dark web users will quickly move to other reputable markets as soon as possible.
The vacuum created by AlphaBay and Hansa was filled in 2018 by Empire Market. It was subsequently taken down in 2020. This was followed by the seizure of Genesis Market in April 2023. Then came the repeated takedowns and renewals of BreachForum, another dark web forum. Read our blog “Top Threat Actors on the Dark Web | 2023 Recap” for more insights on new players.
AlphaBay 2.0
Though the creator and administrator of AlphaBay was arrested, his second in command, known as “DeSnake” was still active.
In early August 2021, a user verified by independent sources as “DeSnake” launched AlphaBay 2.0 with a post on the darknet forum, “Dread.” They posted that, “I want to dedicate this to alpha02 first and foremost we promised each other to go to the bitter end, here I am keeping my end of the deal.”
The new AlphaBay was filled with several new policies such as strict restrictions on selling Covid-19 vaccines, fentanyl, firearms, etc. DeSnake also came out with a brand new feature which aimed to bypass the secret infrastructure infiltrations. Aiming to avoid what occurred with Hansa, this feature was named AlphaGuard.
AlphaGuard is a technology that allows users to withdraw funds and the server hosting the market to self-destruct in case of any unexpected changes to any or all of the servers. Only those with administrative access such as DeSnake had the ability to disable it, by entering a key within 72 hours.
AlphaBay 2.0 operated under DeSnake until February 2023, when it went offline without explanation. Unlike the original shutdown, no law enforcement action was publicly claimed — leaving open questions about whether it was an exit scam, a technical failure, or something more deliberate.”
Wrapping up
Operation Bayonet remains the clearest example of how law enforcement can turn a takedown into an intelligence operation — using one criminal marketplace to surveil the users fleeing to another. For security teams, the lesson is the same one that still applies in 2026: dark web activity doesn’t disappear when a market closes. It migrates. CybelAngel monitors that migration continuously, tracking where threat actors move and what they take with them.
