A Globally Coordinated Operation Just Took Down Alphabay and Hansa
On July 20, “after a globally coordinated operation” between law enforcement agencies worldwide, the United States Department of Justice announced the takedown of the Alphabay and Hansa marketplaces. Other countries involved in the takedown held their own press events, and one announcement in particular came with an unexpected twist. Dutch law enforcement, unbeknownst to much of the world, had been in control of Hansa market since June 20. In an almost perfect honeypot operation, global law enforcement brought down two major marketplaces, caught the admin of Alphabay and the owners of Hansa, and captured the addresses and identities of at least 10,000 Hansa customers.
In early July, Alphabay went down. Mass chaos ensued. Some called the outage a server update, some called it an exit scam, and some believed law enforcement had captured the operators. Canadian law enforcement raided several locations on the same day—in search of “computer equipment.” They also spoke of an international operation in which police in Thailand had already captured a suspect. Days later, we discovered that a Canadian “computer programmer” had ended his own life in a jail in Thailand. The connection to Alphabay, according to some members of the community, was obvious.
That one Canadian suspect—Alexandre Cazes—was, in fact, linked directly to the downfall of Alphabay. According to the Department of Justice documentation, the late Alexandre Cazes was known as “admin” and “alpha02,” the (or an) owner of Alphabay. That was a surprising twist for some: Cazes’s skillset fit that of Alphabay’s “DeSnake,” not the elusive alpha02.
And according to the agency that had taken down the child abuse website “Playpen” with an illegal hacking tool, no such technique was needed in the Alphabay investigation. Instead, according to the Complaint, Cazes’s personal email was in the header of 2014 emails that welcomed new users to the darknet marketplace. The complaint explained that the email headers contained the owner’s email address, Pimp_Alexfirstname.lastname@example.org. From there, the connection between the Pimp Alex email address and Cazes was easily established with even simple OSINT gathering techniques.
Prior to Cazes’s arrest, German authorities arrested the “managers” of Hansa market, a 30-year-old and a 31-year-old from North Rhine-Westphalia. Authorities held both men while allowing Hansa users to buy and sell as if business had not changed. Dutch law enforcement discovered that Hansa was hosted on servers in Lithuania. Officials seized the equipment and simultaneously switched the site to an “exact copy of the marketplace.” According to Motherboard, authorities received assistance from a private security company called BitDefender. Motherboard’s Joseph Cox wrote that Europol implied that the Dutch police used a hacking tool to access and effectively restructure parts of the Hansa marketplace.
Dutch authorities monitored Hansa while the site still functioned as a darknet marketplace. They noted the high number of sales every day:
“On average, 1,000 orders were made per day in response to some 40,000 advertisements. The market last year had 1765 different vendors. Since taking over the management of Hansa Market [investigators] counted more than 50,000 transactions, especially for soft and hard drugs.”
Additionally, they gathered identifiable information on buyers—or at least buyers who had forgotten to use PGP encryption for their name and address:
“Police intercepted in recent weeks tens of thousands of unencrypted messages between sellers and buyers orders. With a large number of orders the delivery address could be traced. Some 10,000 foreign addresses of buyers Hansa Market are transferred to Europol.
More than 500 Dutch shipping addresses have been reported in post and courier companies in order to stop the deliveries.”
Then, come July 4, authorities took Alphabay offline. The go-to market, for many users, was Hansa market—especially with the implementation of multi-sig transactions that would hopefully prevent buyers and sellers from losing money to the marketplace in the event of a hostile takedown or simple exit scam. Dutch police said that new registrations on Hansa spiked from 1,000 users per day to 8,000 per day. They eventually had to shut down new user registration in an effort to keep Hansa operating smoothly, reopening not long before the permanent takedown.
Martijn Egberts, Cyber Officer of the OM, said that the Prosecution seized more than $2,700,000 from Hansa because “crime should never pay.” The FBI nabbed roughly eight million from Alphabay.
At the DoJ announcement, the Active Deputy Administrator for the DEA announced that because of the work completed by international authorities during the Hansa takeover, police gathered information on thousands of drug buyers that could end in thousands of arrests between the US and international partners.
So far, there are three known arrests: the managers of Hansa and the owner of Alphabay, alpha02. Alpha02, as we previously explained, took his own life in Thailand, one hour before meeting with an extradition attorney. So, authorities in Germany have two suspects, and the FBI’s only incarcerated suspect died. Regardless, the FBI are proud of their work. And the win, for the FBI, was likely more rewarding than the Operation Pacifier conclusion. In that operation, their illegal hacking tool ruined many cases. And since they used an email address from a “welcome email” instead of an exploit to eliminate Alphabay, they might get a conviction. Of course, Alphabay marketplace never sent welcome emails—but that is another matter.
The FBI publicized a list of Alphabay identities that they had identified, including Trappy, DeSnake, Disc0, and several other members of the Alphabay “team,” from owner (DS) all the way down to public relations manager, Trappy.
And the Alphabay closure requested by many members of the community finally happened: law enforcement threw their seizure banner up in place of the Alphabay landing page. Hansa market, too, hosts a seizure banner. It indicates that whoever published the banner has a real desire to portray an image to the public: the Hansa logo was modified and the ship is now half submerged.
More arrests to follow, assuming the authorities told the truth.