Cops wage psychological warfare against online drug bazaars
By RAPHAEL SATTER and FRANK BAJAK
Jul. 21, 2017
HOUSTON (AP) — In an innovative blow to illicit internet commerce, cyberpolice shut down the world's leading "darknet" marketplace — then quietly seized a second bazaar to amass intelligence on illicit drug merchants and buyers.
AlphaBay, formerly the internet's largest darknet site, had already gone offline July 5 with the arrest in Thailand of its alleged creator and administrator. But on Thursday, European law enforcement revealed that Dutch cyberpolice had for a month been running Hansa Market. Like AlphaBay, Hansa operated in the darknet, an anonymity-friendly internet netherworld inaccessible to standard browsers.
AlphaBay's users had flocked to Hansa, which is largely based in the Netherlands. The announcements Thursday on both sides of the Atlantic sowed panic among the sites' tech-savvy buyers and vendors.
DARKNESS OVER THE DARKNET
"The cryptomarket community (is) spooked," said darknet researcher Patrick Shortis, of Brunel University in London. "Reddit boards are filled with users asking questions about their orders."
In Washington, U.S. Attorney General Jeff Sessions deemed the operation "the largest darknet marketplace takedown in history."
Darknet vendors are "pouring fuel on the fire of the national drug epidemic," he said, specifically citing cases of two U.S. teenagers killed this year, one a 13-year-old Utah boy, by overdoses of synthetic opioids purchased on AlphaBay.
More than two-thirds of the quarter million listings on the two sites were for illegal drugs, said Sessions. Other illicit wares for sale included weapons, counterfeit and stolen identification and malware.
The police agency Europol estimates AlphaBay did $1 billion in business after its 2014 creation.
DEAD IN PRISON
A California indictment named AlphaBay's founder as Alexandre Cazes, a 25-year-old Canadian who died in Thai police custody on July 12. The country's narcotics police chief told reporters Cazes hanged himself in jail just prior to a scheduled court hearing. He'd been arrested with DEA and FBI assistance.
Cazes amassed a $23 million fortune, much of it in digital currencies, according to court documents. He bought real estate and luxury cars, including a $900,000 Lamborghini, and pursued "economic citizenship" in Liechtenstein, Cyprus and Thailand. A $400,000 villa purchase in February had already bought him and his wife Antiguan passports, a U.S. forfeiture complaint said.
He used what he claimed was a web design company, EBX Technologies, as a front, the indictment said.
Just two other arrests were announced Thursday. Both were of Hansa system administrators in the German town of Siegen, who were taken into custody in June. Europol spokeswoman Claire Georges said they were not named under privacy law.
The U.S. indictment lists several AlphaBay co-conspirators by title but not name. They include a security chief, a public relations manager and moderators. A U.S. attorney handling the case, Grant Rabenn, would not comment on whether additional arrests were expected.
Nicolas Christin, a darknet expert at Carnegie Mellon University, called the one-two takedown punch "psychological warfare."
"It is definitely going to create a bit of chaos," he said, though after takedowns in the past buyers and sellers move to other former second-tier sites after a few weeks of turmoil.
But this time, Dutch police have upped the ante by craftily tracking darknet users, and that's expected to yield future arrests.
They began running the Hansa site on June 20, impersonating its administrators, collecting usernames and passwords, logging data on thousands of drug sales and informing local police in nations where shipments would be arriving. Dutch cybercrime prosecutor Martijn Egberts said Dutch police had scooped up some 10,000 addresses for Hansa buyers outside Holland.
Running the site was a challenge, Egberts said, with police forced to mediate frequent disputes between buyers and sellers. "It turned out to be a lot of work!" he said. "The biggest effort for us was to get the site going on a way that nobody noticed it was us."
Egberts noted with satisfaction that online rumors about other darknet drug marketplaces possibly being compromised were already spreading.
"This is the moment to show the world that you can't trust dark markets anymore, because you never know who is the admin," he said.
But seasoned buyers and sellers aren't likely to get tripped up, and will simply become more cautious, Christin said.
BRANCHES OFF THE SILK ROAD
Darknet websites have thrived since the 2011 appearance of the Silk Road bazaar, which was taken down two years later. Merchants and buyers keep their identities secret by using encrypted communications and anonymity-providing tools such as the Tor browser. The darknet itself is only accessible only through such specialized apps.
Cazes' own carelessness apparently tripped him up — not the underlying security technology AlphaBay used.
According to the indictment, he accidentally broadcast his personal Hotmail address in welcome messages sent to new users. And when he was tracked down and arrested in Thailand, Cazes was logged into the AlphaBay website as its administrator, it says.
Cazes also used the same personal email address — "firstname.lastname@example.org — on a PayPal account.
The success of this operation may only cause a temporary disturbance in illicit online markets. After a November 2014 takedown called Operation Onymous took down more sites, the illicit markets not only recovered — but grew.
For perspective, Christin said, a slow day for AlphaBay alone — one amounting to roughly $600,000 in transactions — would have been equivalent to a typical late-2014 day for the entire darknet.
Satter reported from Paris. AP Technology Writer Anick Jesdanun in New York and AP reporter Kaweewit Kaewjinda in Bangkok contributed to this report.