Global Police Spring a Trap on Thousands of Dark Web Users

Cops sent unsuspecting users scrambling from one dark web site's takedown to another site---that they controlled.
U.S. Attorney General Jeff Sessions speaks during a news conference announcing the takedown of the dark web marketplace AlphaBay, at the Justice Department in Washington, DC, on July 20, 2017. Chip Somodevilla/Getty Images

When AlphaBay, the world’s largest dark web bazaar, went offline two weeks ago, it threw the darknet into chaos as its buyers and sellers scrambled to find new venues. What those dark web users didn't---and couldn't---know: That chaos was planned. Dutch authorities had already seized Hansa, another major dark web market, the previous month. For weeks, they operated it as usual, quietly logging the user names, passwords, and activities of its visitors—including a massive influx of AlphaBay refugees.

On Thursday, Europol and the US Department of Justice jointly announced the fruits of the largest-ever sting operation against the dark web's black markets, including the seizure of AlphaBay, a market Europol estimates generated more than a billion dollars in sales of drugs, stolen data, and other illegal goods over its three years online. While AlphaBay’s closure had previously been reported as an FBI operation, the agency has now confirmed that takedown, while Europol also revealed details of its tightly coordinated Hansa takeover.

With Hansa also shuttered as of Thursday, the dark web looks substantially diminished from just a few short weeks ago---and its denizens are shaken by law enforcement's deep intrusion into their underground economy.

"This is likely one of the most important criminal cases of the year," attorney general Jeff Sessions said in a press conference Thursday morning. "Make no mistake, the forces of law and justice face a new challenge from the criminals and transnational criminal organizations who think they can commit their crimes with impunity by ‘going dark.’ This case, pursued by dedicated agents and prosecutors, says you are not safe. You cannot hide. We will find you, dismantle your organization and network. And we will prosecute you."

The Sting

So far, neither Europol nor the Department of Justice has named any of the administrators, sellers, or customers from either Hansa or AlphaBay that they plan to indict. The FBI and DEA had sought the extradition from Thailand of one AlphaBay administrator, Canadian Alexandre Cazes, after identifying him in an operation they called Bayonet. But Cazes was found hanged in a Bangkok jail cell last week in an apparent suicide.

Still, expect plenty of prosecutions to emerge from the double-takedown of Hansa and AlphaBay, given the amount of information Dutch police could have swept up in the period after AlphaBay's closure.

"They flocked to Hansa in their droves," said Interpol director Rob Wainwright. "We recorded an eight-times increase in the number of new users on Hansa immediately following the takedown of AlphaBay." The influx was so large, in fact, that Hansa put up a notice just last week that it was no longer accepting new registrations, a mysterious development given that Dutch police controlled it at the time.

That surveillance means that law enforcement likely now has identifying details on an untold number of dark web sellers---and particularly buyers. Europol claims that it gathered 10,000 postal addresses of Hansa customers, and tens of thousands of their messages, from the operation, at least some of which were likely AlphaBay customers who had migrated to the site in recent weeks. Though customers on dark web sites are advised to encrypt their addresses so that only the seller of the purchased contraband can read it, many don't, creating a short trail of breadcrumbs to their homes for law enforcement when they seize the sites' servers.

In a strange and dramatic move, the Dutch national police have created a dark web site themselves that lists darknet vendors by pseudonym, including those under investigation, those who are "identified," and 15 who have already been arrested in current and past investigations. "We trace people who are active at Dark Markets and offer illicit goods or services," the site reads. "Are you one of them? Then you have our attention."

Fallout

It's still unclear how global law enforcement penetrated Hansa, given that it hid the location of its servers, administrators, and users with anonymity software like Tor and I2P. The FBI didn't respond to WIRED's request for more information, and Europol declined to comment beyond its press statement. But an indictment against AlphaBay's Cazes filed Wednesday includes the detail that in 2014, Cazes's personal email, "Pimp_alex_91@hotmail.com," was inexplicably included in a welcome message to new users. That led them to his PayPal account and a front company, EBX Technologies. On July 5, Thai police along with FBI and DEA agents searched Cazes' home in Bangkok and found his laptop unencrypted and logged into the AlphaBay site. (They also found a document on the laptop tracking Cazes' net worth, which it estimated at $23 million.)

An FAQ on the Dutch national police's own dark web site includes the question, "Have you de-anonymized TOR?" The agency's answer: "No. But if we would have, we wouldn't tell you ;)"

Despite the size of the sites, the takedowns should by no means end the dark web's vibrant trade in drugs, which researchers at Carnegie Mellon estimated in 2015 to cumulatively generate revenue in the hundreds of millions of dollars, annually. After AlphaBay's shutdown, many of its users also flocked to another site known as Dream Market, which is likely the second-largest marketplace, ahead of Hansa. Now Dream Market will no doubt take more refugees from Hansa, to become the dark web's reigning bazaar of the moment.

But fallout from the AlphaBay and Hansa takedowns may eventually be felt there as well. Vendors who flee those sites for Dream Market may still be compromised by law enforcement, and if arrested, could potentially give up the addresses of any new Dream Market customers, too.

“We know that removing top criminals from the infrastructure is not a long-term fix. There’s always a new player waiting in the wings, ready to fill those shoes," acting FBI director Andrew McCabe said in Thursday's press conference. "It’s like demolishing a building. Hacking away at individual walls and beams only does so much. But using federal statutes to prosecute these individuals is akin to blowing up the foundation with dynamite... With the weight of this kind of operation, the organization crumbles.”

Bounce Back

Dark web users, meanwhile, were rattled by the sting, advising each other to change their passwords as soon as possible, and spreading paranoid warnings of a possible "backdoor" into dark net markets. "Looks like I'll be sober for a while. Not trusting any markets ATM," wrote one user on Reddit's dark web market forum.

But don't expect even this law enforcement victory to permanently damage the dark web's black market business. After all, takedowns like the seizure of the Silk Road in 2013, and so-called Operation Onymous in 2014, which ended half a dozen top darknet sites, took chunks nearly as large out of the darknet markets infrastructure. Each time business rebounded, as users again went in search of anonymous, online contraband sales. "LE may have won this battle, but they will NEVER win the war on drugs," noted one poster on Reddit's darknet market forum. "For as long as drugs are illegal the DNMs will thrive."