Police ran 2nd dark web marketplace as sting to spot drug deals

In an innovative blow against illicit internet commerce, cyberpolice shut down the world's leading "dark net" marketplace, AlphaBay — then quietly seized a second bazaar, the Hansa Market, to amass intelligence on illicit drug merchants and buyers.

A day after shutting AlphaBay, Dutch police close Hansa Market after gathering intelligence on users

Europol Executive Director Robert Mark Wainwright, centre, accompanied by Attorney General Jeff Sessions, right, and by Deputy Attorney General Rod Rosenstein, left, speaks at a news conference to announce an international cybercrime enforcement action at the Department of Justice in Washington, D.C., on Thursday. (Andrew Harnik/Associated Press)

In an innovative blow against illicit internet commerce, cyberpolice shut down the world's leading "dark net" marketplace — then quietly seized a second bazaar to amass intelligence on illicit drug merchants and buyers.

AlphaBay, formerly the internet's largest dark net site, had already gone offline July 5 with the arrest in Thailand of its alleged creator and administrator, Canadian Alexandre Cazes. But on Thursday, European law enforcement revealed that Dutch cyberpolice had for a month been running Hansa Market.

Like AlphaBay, Hansa operated in the dark net, an anonymity-friendly internet netherworld inaccessible to standard browsers.

AlphaBay's users had flocked to Hansa, which is largely based in the Netherlands. The announcements Thursday on both sides of the Atlantic sowed panic among the sites' tech-savvy buyers and vendors.

"The cryptomarket community (is) spooked," said dark net researcher Patrick Shortis, of Brunel University in London. "Reddit boards are filled with users asking questions about their orders."

International dark net takedown

In Washington, U.S. Attorney General Jeff Sessions deemed the operation "the largest dark net marketplace takedown in history."

Dark net vendors are "pouring fuel on the fire of the national drug epidemic," he said, specifically citing cases of two U.S. teenagers killed this year, one a 13-year-old Utah boy, by overdoses of synthetic opioids purchased on AlphaBay.
The dark web is made up of secretive sites that aren't accessible by common search engines and police say it is a have for illegal activity. (iStock)

More than two-thirds of the quarter million listings on the two sites were for illegal drugs, said Sessions. Other illicit wares for sale included weapons, counterfeit and stolen identification and malware.

The police agency Europol estimates AlphaBay did $1 billion US in business after its 2014 creation.

A California indictment named AlphaBay's founder Cazes, a 25-year-old Canadian who died in Thai police custody on July 12. The country's narcotics police chief told reporters Cazes hanged himself in jail just prior to a scheduled court hearing. He'd been arrested with DEA and FBI assistance.

Canadian amassed $23M fortune

Cazes amassed a $23 million fortune, much of it in digital currencies, according to court documents. He bought real estate and luxury cars, including a $900,000 Lamborghini, and pursued "economic citizenship" in Liechtenstein, Cyprus and Thailand. A $400,000 villa purchase in February had already bought him and his wife Antiguan passports, a U.S. forfeiture complaint said.

He used what he claimed was a web design company, EBX Technologies, as a front, the indictment said.

Just two other arrests were announced Thursday. Both were of Hansa system administrators in the German town of Siegen, who were taken into custody in June. Europol spokeswoman Claire Georges said they were not named under privacy law.

The U.S. indictment lists several AlphaBay co-conspirators by title but not name. They include a security chief, a public relations manager and moderators. A U.S. attorney handling the case, Grant Rabenn, would not comment on whether additional arrests were expected.

Nicolas Christin, a dark net expert at Carnegie Mellon University, called the one-two takedown punch "psychological warfare."

Expect future arrests of dark net users

"It is definitely going to create a bit of chaos," he said, though after takedowns in the past, buyers and sellers move to other former second-tier sites after a few weeks of turmoil.

This time, Dutch police have upped the ante by craftily tracking dark net users, and that's expected to yield future arrests.

This is the moment to show the world that you can't trust dark markets anymore, because you never know who is the admin- Martijn Egberts, Dutch cybercrime prosecutor

They began running the Hansa site on June 20, impersonating its administrators, collecting usernames and passwords, logging data on thousands of drug sales and informing local police in nations where shipments would be arriving. Dutch cybercrime prosecutor Martijn Egberts said Dutch police had scooped up some 10,000 addresses for Hansa buyers outside Holland.

Running the site was a challenge, Egberts said, with police forced to mediate frequent disputes between buyers and sellers. "It turned out to be a lot of work!" he said. "The biggest effort for us was to get the site going on a way that nobody noticed it was us."

Egberts noted with satisfaction that online rumors about other dark net drug marketplaces possibly being compromised were already spreading.

"This is the moment to show the world that you can't trust dark markets anymore, because you never know who is the admin," he said.

But seasoned buyers and sellers aren't likely to get tripped up, and will simply become more cautious, Christin said.

Offspring of Silk Road

Dark net websites have thrived since the 2011 appearance of the Silk Road bazaar, which was taken down two years later. Merchants and buyers keep their identities secret by using encrypted communications and anonymity-providing tools such as the Tor browser. The dark net itself is only accessible only through such specialized apps.

Cazes' own carelessness apparently tripped him up — not the underlying security technology AlphaBay used.

According to the indictment, he accidentally broadcast his personal Hotmail address in welcome messages sent to new users. And when he was tracked down and arrested in Thailand, Cazes was logged into the AlphaBay website as its administrator, it says.

Caught on hotmail

Cazes also used the same personal email address — "pimp—alex-91@hotmail.com" — on a PayPal account.

The success of this operation may only cause a temporary disturbance in illicit online markets. After a November 2014 takedown called Operation Onymous took down more sites, the illicit markets not only recovered — but grew.

For perspective, Christin said, a slow day for AlphaBay alone — one amounting to roughly $600,000 in transactions — would have been equivalent to a typical late-2014 day for the entire dark net.