Alphabay and Hansa Seized, Dream Darknet Market Compromised

Today has been a big day for law enforcement as they announced the shutting down of two of the three largest darknet markets. The Department of Justice released a press release earlier today summarizing the facts of Mr Cazes’ arrest and how they found the identity of the administrator.

According to Attorney General Jeff Sessions:

“This is likely one of the most important criminal investigations of the year – taking down the largest dark net marketplace in history.”

According to the full criminal complaint, Alexander Cazes allegedly the main administrator of the site, made a crucial mistake back in 2014 which led authorities straight to him.

When Alphabay was first launched, users were required to provide an email in order to receive password recovery instructions. Once a user signed up he would receive an email from alphabay providing a link and instructions to reset their password. However, after analyzing the header of the password recovery email, they noticed an unusual hotmail account “[email protected]”. After an investigation, authorities concluded that the email belonged to Alexander Cazes who was coincidentally born in ’91.

From that point forward, law enforcement used traditional investigative techniques to finally identify and apprehend Alphabay’s admin. One questions remains, why did it take so long for law enforcement so long to arrest Cazes if they had his personal email more than three years earlier?

Along with the shutting down of Alphabay, the Dutch police were able to successfully take over the Hansa Market, which was the third largest market before Alphabay’s seizure. The seizure of both markets was part of Operation Bayonet, which included the seizure of both Alphabay and Hansa. Unlike Alpahabay, where the FBI shut down the servers after gaining access to them, the Dutch police did something unprecedented, they ran the market as a honeypot for 3 weeks.

According to the Dutch press release, the market was originally seized on June 20th, after the arrest of two unidentified German men. With their cooperation, the Dutch police collected info on more than 500 dutch buyers and thousands of foreign addresses, which were forwarded to the appropriate authorities.

“Some 10,000 foreign addresses of Hansa Market buyers were passed on to Europol. More than 500 Dutch delivery addresses were reported to couriers and postal services with the intention of stopping the deliveries.”

With two out of the three largest darknet markets gone, only one significant market remained – Dream Market. However, a user on reddit found Dream Market’s IP address within their javascript source code. Furthermore, there have been many reports suggesting that vendors’ public PGP keys were changed to that of the Dutch police. Whether the vendors were compromised because of shared passwords among multiple markets, or if the market is actively under LE control is still unclear.

Today has been a big day for law enforcement as they successfully shut down most of the illegal trug trade infrastructure on the darknet. In a statement, Europol mentioned that they expect new markets to pop up, but that they will continue to investigate and dismantle these criminal organizations using every tool in their arsenal.