I was at a recent cybersecurity conference where the head of Europol's European Cybercrime Centre (EC3) was talking about the threats we face today from the dark web. After Silk Road was shut down, much of its illegal business moved to AlphaBay. The authorities took out AlphaBay and Hansa's business increased almost eight-fold overnight. The authorities took out Hansa and then there were more. Can we ever get on top of this?
The answer is yes, as the AlphaBay and Hansa takedown was planned and co-ordinated. It's a fascinating case study that I missed during the summer, but it is worth repeating here now as I did cover the Silk Road story before.
What happened in July is that the world's largest dark net trading venue for drugs and other illicit materials was AlphaBay and suddenly, on July 4 (Independence Day), it went offline, seized in a joint operation between Europol and the US Department of Justice.
OMG! The criminal community was up in arms, seeking alternatives, and most flocked to AlphaBay's nearest rival, Hansa.
Hansa accepted their credentials and registrations for two weeks and then that site disappeared just as quickly, taken offline by Europol and the DoJ on July 20. What the new arrivals did not know was that the Dutch National Police had quietly taken control of Hansa on June 20 and had been running it themselves for a month.
This is why the takedowns were sequenced the way they were. Rather than merely monitoring traffic, the authorities were operating Hansa, accepting every new registration, order and message that came in, which gave them immediate access to who the illegal protagonists were.
Europol estimates that AlphaBay generated more than a billion dollars in sales of drugs, stolen data and other illegal goods over its three years online and, by the time of the seizure, was selling up to $1 million a day. Apparently there were some 250,000 listings on AlphaBay alone, with 200,000 members and 40,000 vendors. You may wonder if that is substantial, and it is: there were still over 100,000 live listings when the site was taken offline. Compare that with Silk Road, which had around 14,000 listings when the FBI shut it down in 2013, and you get the idea.
The FBI and DEA (Drug Enforcement Administration) had AlphaBay's administrator, Canadian Alexandre Cazes, arrested in Thailand on July 5 and sought his extradition to the United States, but on July 12 he was found hanged in his Bangkok jail cell in an apparent suicide before the extradition could happen. Nevertheless, the PR manager for AlphaBay (really?) was arrested two weeks ago.
Equally, the outline of the operation is fascinating: AlphaBay users flocked to Hansa in their droves, with Europol recording an eight-fold increase in the number of new users on Hansa immediately following the AlphaBay takedown. That means that law enforcement agencies now have identifying details on an untold number of dark web sellers and buyers. Europol claims that the operation gathered 10,000 postal addresses of Hansa customers and tens of thousands of their messages.
Seizing these supposedly anonymous sites took a co-ordinated effort: AlphaBay's servers were seized with the help of authorities in Thailand, Lithuania, Canada, Britain and France, and Hansa's were operating in Lithuania, the Netherlands and Germany. This shows that a lot has changed in the four years since the Silk Road takedown, with vast improvements in the pooling of intelligence with international partners such as Europol.
But how did they find Cazes in the first place? Hmmm, like Ross Ulbricht (Silk Road), Cazes was basically foolhardy. Despite the sophistication of tools like Tor and bitcoin, police identified Alexandre Cazes, AlphaBay's founder, through his personal Hotmail address, which appeared in the headers of the password recovery emails AlphaBay sent to its users in its early days. That led investigators to Cazes' LinkedIn account, where he listed awfully familiar skills like website hosting and cryptography, making him an ever stronger suspect. As a final nail in the coffin, authorities acquired Cazes' PayPal records, which listed the same Hotmail address as contact information, directly tying his real-world payment identity to the incriminating address. This put a swift end to Cazes' almost three-year-old eBay-style illegal goods site. The technical lesson is that Tor protects the transport, not the application: the From header of an automated email is metadata written by whatever mail configuration the operator set up, and no amount of onion routing scrubs it.
What Cazes should have done is create an anonymous John Doe persona, complete with a fake email address, phone number, home address and life history, and never let it touch his real accounts. That way, when he made mistakes, which always occur, the mistakes would expose John Doe, a non-existent nobody, rather than him. It is the same compartmentalisation principle that underpins any good operational security: identities, credentials and infrastructure that belong to different contexts must never share a single link, because one link is all an investigator needs.
What is interesting for me is that, with these two major dark markets shut down, the underground still sought alternatives and many focused on another new service called Trade Route. But guess what? Nope, the authorities didn't shut it down. It shut itself down and made off with the money, in cryptocurrency, in what is called an exit scam. Exit scams occur often in the dark markets; an exit scam is basically where the operators of a darknet marketplace abscond with the cryptocurrency users have deposited with the market, funds that were usually in bitcoin but are now more often in Monero, as it is harder to track and trace.
Even so, Andrew McCabe, then the FBI's acting director, acknowledged that shutting down such markets was like playing whack-a-mole. His agency would likely have to take on more massive dark web marketplaces in the future, he said.
“Critics will say as we shutter one site, another will emerge,” McCabe said at a press conference. “But that is the nature of criminal work. It never goes away, you have to constantly keep at it, and you have to use every tool in your toolbox.”
This is obviously the truth, as the European Union reported just last week that the online illegal drug trade is growing rapidly. The report by Europol and the EMCDDA found that two thirds of dark web transactions involve drugs, and the rest generally involve guns, explosives and computer hacking tools. The biggest European markets are Germany, Britain and the Netherlands. There are now 14 dark web markets in operation, with names like 'Darknet Heroes League' and 'House of Lions Market'.
It is a problem that will never be eradicated, and it means that for every seizure of illegal goods and services there will always be another one to catch.