With the shutdown of two major dark markets, July has been a rough month for the underground economy. Only a few days after AlphaBay went dark, we learned not only that AlphaBay had been closed by law enforcement agencies (which was expected at this point) but also that Hansa had been run by them for a month and turned into a deadly trap for its users. This article aims to provide some insight into the order of events leading to this day and into how law enforcement set up a deadly trap for the users of these platforms.
The story begins on July 5 around 03:00 UTC, when AlphaBay suddenly went offline without prior notice. The same day, multiple police operations were reported. In Canada, the GRC and the FBI conducted three searches: one in Montreal and two at Deux-Rivières, Quebec. The objective of these raids was the seizure of IT equipment; at least one server was seized, and no arrests occurred. TVA Nouvelles interviewed the Canadian Cpt. Camille Habel, who announced that an investigation was ongoing and that she was, therefore, unable to give many details, but that more was to follow. Meanwhile, a Canadian man of around 25 was reported arrested in another joint FBI, DEA and Royal Thai Police operation in Bangkok.
It did not take long before a handful of different theories emerged. At first, the predominant ones were an exit scam and website maintenance. On 5 July, a Reddit user named Big_Muscles (supposedly an AlphaBay moderator) exhorted people to “calm down [and] be patient”, while others claimed to have detected significant withdrawals from AlphaBay. In fact, some of the clusters “investigated” simply belong to Kraken or Poloniex and have nothing to do with a potential exit scam.
Shortly after that, people began to believe more and more in the law enforcement shutdown theory. This theory spread even further from 12 July, after a 26-year-old Canadian named Alexandre Cazes (the man arrested in Thailand) hanged himself with a towel in his cell.
Naturally, AlphaBay’s users moved to the second biggest market available: Hansa. The influx of new users was so large that Hansa suspended registrations between 9 and 17 July, overwhelmed by the “AlphaBay refugees”. We were crawling this particular market between 8 and 10 July and used the data we obtained to draw the following chart.
Hansa displays three things (among others) on each vendor’s page: their registration date, their last connection and, if they enabled vacation mode, since when they have been on vacation. Our chart displays these dates as:
- blue: the number of new vendors registered during the month
- orange: the number of vendors seen for the last time during the month
- yellow: the number of vendors that activated vacation mode during the month
Hansa had a total of 2,133 vendors. Two hundred forty-three of them had no registration date but did have a last connection date, and sometimes a vacation date. From the vacation and last connection dates, we can assume that their registration dates are consistent with our chart. The graph reveals two interesting things. First, most of the vendors seemed to be active, as 1,289 were seen in July and 171 in June. Second, it confirms that vendors came to Hansa after AlphaBay went offline. To get a better idea of how significant the increase in registrations is, we drew a chart showing the new vendors day by day.
The average number of new users per day is 91 for June. As AlphaBay closed on 5 July and Hansa closed registrations on 9 July, we use the numbers from 5 to 8 July. In this period, there were 137 new vendors. We can then calculate that the number of registrations increased by 372% after AlphaBay went dark. This number is probably even more significant, since AlphaBay is said to have had 40,000 users and since we are missing the last ten days of registrations. As buyers do not have a profile, we were not able to estimate their number, but we can assume that it follows the same trend.
A big surprise
On 20 July, Hansa stopped working, and a press conference (transcript here) was held by the DOJ. They confirmed what everyone suspected: AlphaBay had been closed during a police operation. They also announced something surprising: they had been controlling Hansa since June 20.
The same day, the Dutch police made an official announcement. They explained that, thanks to the arrests of two administrators of Hansa Market in Germany, they were able to take control of the servers hosted in Lithuania and, therefore, to intercept everything going through them. This is how they captured approximately 10,000 addresses of Hansa customers across 50,000 transactions. The number of transactions went from an average of 1,000/day to 8,000/day after July 5, which was a challenge for the authorities who wanted to keep the situation under control. KrebsOnSecurity interviewed a police officer who explained that disallowing new registrations was done in order to be able to keep up with the orders.
Unfortunately, there is not much information about how Hansa was closed. What we know, however, is that Bitdefender helped the authorities at some point. Also, some theories on the Internet suggest that it could be linked to the closure of lul.to, a platform distributing illegal copies of books. It seems that two persons suspected of being its administrators were arrested in Germany on 21 June.
Operation Bayonet, or how Cazes owned himself
Now that the timeline is known, let’s look into what led to the success of Operation Bayonet (which only refers to the closure of AlphaBay). The answer is simple: poor OpSec. If you are familiar with the details of the closure of Silk Road, you will undoubtedly feel a sense of déjà vu. The (main) reason why Cazes was arrested is that he used his email address. On AlphaBay. To be accurate, in 2014 some emails sent to users, such as welcome emails or password recovery emails, included Cazes’ personal email [email protected] in their headers. You might have heard that the Internet never forgets? Here is the perfect example: the emails with Cazes’ address were sent in 2014, and law enforcement agencies only heard of them in 2016.
From there, finding more proof was not a challenge for federal agents. In late 2008, the man had posted a question on the well-known forum commentcamarche.com including not only his name and email but also his nickname, “Alpha02”. Yes, the very same one he later used on AlphaBay. But that is not all. The email was also used for multiple PayPal accounts, as well as on his LinkedIn profile. Finally, you have probably guessed it by now, but 1991 is Cazes’ birth year.
All of these elements are public (or at least were at some point) and could have been found by anyone with a little research. From there, law enforcement agencies were able to gather all the proof needed to obtain warrants for the various locations and proceed with the searches and the arrest.
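As an added illustration (not part of the original article), the following Python script audits the headers of an outgoing message for addresses or hosts whose domain is not the service’s own, which is exactly the kind of leak described above; the sample message, the addresses and the domain names are constructed placeholders.

```python
import email
from email.utils import getaddresses

# Constructed sample: a welcome e-mail whose Reply-To and Message-ID name a
# personal address/host that does not belong to the service's own domain.
SAMPLE_RAW = """From: "Market Support" <support@example-market.test>
Reply-To: admin_personal@example-personal.test
Return-Path: <bounce@example-market.test>
Message-ID: <20140101.0001@example-personal.test>
To: newuser@example-user.test
Subject: Welcome

Welcome to the market.
"""

# Sender-side headers only; recipient headers (To, Cc) are expected to be foreign.
ADDRESS_HEADERS = ("From", "Reply-To", "Return-Path", "Sender",
                   "Errors-To", "Disposition-Notification-To")


def extract_identities(raw_message):
    """Return {header: [address, ...]} for every sender-side header that carries an address."""
    msg = email.message_from_string(raw_message)
    found = {}
    for header in ADDRESS_HEADERS:
        values = msg.get_all(header, [])
        addrs = [addr.lower() for _, addr in getaddresses(values) if addr]
        if addrs:
            found[header] = addrs
    # Message-ID is not an address, but its right-hand side names the host
    # that generated the message, so it is recorded as a pseudo-address.
    mid = msg.get("Message-ID", "")
    if "@" in mid:
        found["Message-ID"] = [mid.strip("<> ").lower()]
    return found


def find_foreign_identities(raw_message, allowed_domains):
    """Return [(header, address)] whose domain is not one of allowed_domains."""
    allowed = {d.lower() for d in allowed_domains}
    leaks = []
    for header, addrs in extract_identities(raw_message).items():
        for addr in addrs:
            domain = addr.rsplit("@", 1)[-1]
            if domain not in allowed:
                leaks.append((header, addr))
    return leaks


if __name__ == "__main__":
    for header, addr in find_foreign_identities(SAMPLE_RAW, {"example-market.test"}):
        print(f"leak in {header}: {addr}")
```

Run against real outgoing templates (password reset, welcome mail), the same check catches an operator’s personal mailbox or workstation hostname before it reaches any recipient.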
When the police raided Alpha02’s house in Thailand, he was at his computer, trying to bring the market back online. He was logged in to various places, such as the market’s forum as admin. On his computer, multiple text files with the access credentials to numerous servers, cryptocurrency wallets and accounting documents were found, allowing the police to seize the coins. They also found out that he was very active on a forum named RooshV as “rawmero”, where he was observed to be very public about his wealth.
Among other things, law enforcement agencies seized multiple villas, a Lamborghini, a Porsche Panamera, a lot of cash, and a quantity of Bitcoin, Ethereum, Monero and Zcash (approximately $8.8M). According to the documents found on the computer, Cazes estimated his fortune at a net worth of $23,033,975. None of it could be linked to a lawful source. He owned a company called “EBX Technology” and pretended to be an investor who had made a fortune with Bitcoin. As a matter of fact, EBX’s bank account had little or no activity. Maybe he thought that buying economic citizenship in Antigua would protect him… Big mistake.
Some figures on AlphaBay and the future of dark markets
AlphaBay ran from July 2015 to July 2017. The market was in pre-launch until December 2015, when it became publicly available. During this time, the estimated traded volume is hundreds of millions of dollars. Based on the net worth of Cazes’ fortune and on the fees collected by the service (from 2% to 4% per sale, depending on the vendor’s volume and other factors), we can estimate the flow of money at somewhere between $575,849,375 and $1,151,698,750. This is, of course, a rough estimate, since Cazes had to pay staff, servers, … and at the same time may have made investments that earned him money.
As a comparison, this flow of money represents multiple times that of Silk Road, whose former administrator was sentenced this year to life without the possibility of parole. This may explain why Cazes decided to kill himself. As of June 2017, no less than 369,000 items were on sale on the market, including various types of drugs, firearms, credit card numbers, etc. According to the data we crawled, Hansa had only 114,728 items during its whole life, and if we remove the deleted ones, only 69,970 were purchasable when it was closed, which makes a big difference between the two markets.
On top of that, law enforcement agencies declared war on these platforms during the press conference:
You cannot hide. We will find you. Dismantling organisation and network, and we will prosecute you.
The hunt is on, and the coming wave of arrests is not going to make things better for the criminals. Still, new solutions or leading markets will emerge, and the criminals will probably continue their business. In any case, the following months will be interesting.