Policing the Dark Alleys of the Internet: The Takedown of AlphaBay and Hansa


On July 5, Thai police arrested a man in Bangkok named Alexandre Cazes, a 26-year-old Canadian, for running an expansive online criminal bazaar called AlphaBay. Previously only known to law enforcement by his online moniker DeSnake, Cazes reportedly made the mistake of using his personal Hotmail email address to communicate with users who had forgotten their login passwords, revealing his real identity to police. Cazes was arrested on behalf of U.S. authorities under charges relating to narcotics distribution, identity theft, money laundering, and other crimes. A week after his arrest, he was found dead in what was reported as a suicide, hanging in his cell at the Thai Narcotics Suppression Bureau while awaiting extradition to the U.S.

At the time of his arrest, Thai police seized his open laptop, which was already logged in to the server hosting the AlphaBay website – giving authorities control over the site as well as access to a ledger of Cazes’ assets totaling some $23 million.

According to the July 20 announcement by the U.S. Department of Justice, AlphaBay, which was created in 2014, boasted some 200,000 users and 40,000 different vendors, with roughly 250,000 listings for toxic chemicals and illegal drugs, including opioids, and 100,000 listings for stolen and fraudulent identification documents, as well as counterfeit goods, hacking toolkits, firearms and other illicit commodities. With the site hosting an estimated $600,000 to $800,000 a day in transactions, AlphaBay was by comparison 10 times the size of the reported $1.2 billion Silk Road online illicit marketplace, which was seized in November 2013 with some 14,000 listings for illicit goods and services – the largest so-called darknet marketplace at the time.

After Cazes’ arrest, AlphaBay’s servers were seized with the help of law enforcement authorities in Thailand, Lithuania, Canada, France and the UK, preventing users from accessing the site.

However, there was one key difference from the 2013 Silk Road bust. After the Silk Road was taken down, criminal users simply migrated to other darknet illicit markets such as Silk Road 2, Agora, and Evolution. This time, law enforcement turned to a new tactic.

“In the past we have seen how dark market sites taken down by law enforcement agencies have almost immediately been replaced by new marketplaces where vendors and buyers moved quickly to continue selling and buying illegal commodities,” Robert Wainwright, Executive Director of Europol told The Cipher Brief. “This can be frustrating, and we and our partners therefore decided to strategically exploit this criminal behavior by acting against two top markets in a coordinated strike to maximize disruptive impact.”

The AlphaBay operation coincided with a parallel operation by Dutch authorities that, with the help of law enforcement from Lithuania and Germany, covertly seized the servers of another large illicit darknet site, called Hansa Market, in June. Instead of shutting the site down, however, Dutch police continued to run it covertly while monitoring the traffic. Once AlphaBay was shut down, Dutch authorities were therefore able to observe an eight-fold increase in users migrating to Hansa Market, sweeping up information such as the usernames and passwords of thousands of buyers and sellers of illicit goods and services in the process, which will enable follow-on investigations.

“I believe that the AlphaBay/Hansa case is a perfect model of international coordination and joint international effort and it paves the way for future similar operations,” says Wainwright, who helped facilitate the international coordination during the operation. Europol provided the primary platform for information exchange between multiple national law enforcement agencies. “The coordinated takedown was really special, and the investigation behind it one of the most sophisticated law enforcement operations against cybercrime that we’ve ever seen. It allowed us to gather significant amounts of intelligence, arrest administrators, and seize sites at the same time.”

The takedowns of AlphaBay and Hansa Market were a significant victory for law enforcement, but other darknet marketplaces will reemerge – that is the nature of criminal activity. “Transnational organized crime poses a serious threat to our national and economic security,” Acting FBI Director Andrew McCabe said in the Justice Department announcement. “Whether they operate in broad daylight or on the darknet, we will never stop working to find and stop these criminal syndicates.”

But, while the operation might not be the finish line in combating criminal vendors online, it has created a psychological impact on users who once thought they were operating beyond the reach of law enforcement.

“It is significant that the AlphaBay/Hansa case plants the seeds of doubt about just how anonymous criminal actors really are on the darknet,” say Frank Cilluffo and Sharon Cardash from George Washington University’s Center for Cyber and Homeland Security. “Keep in mind that trust, between and among criminal actors, is the coin of the underworld. Anything that erodes that confidence in turn undermines illicit enterprise, and is a step towards thwarting it.”

Though law enforcement authorities may have relied on Cazes to make a simple mistake – using a personal email account – to seize AlphaBay, police around the world are using a number of methods to continuously shed light on shadowy darknet marketplaces.

The technical safe havens of encrypted browsers like Tor allow obscured hosting (such as hidden services on .onion sites) and permit criminals to enjoy a level of anonymity. Law enforcement has therefore turned to traditional methods of investigation adapted to the digital platform: going undercover in criminal forums by posing as criminals, such as arms dealers; hacking sites to reveal the identities of criminals who visit; tracking financial transactions through the blockchain ledger attached to bitcoin, a popular cryptocurrency used in darknet marketplaces; and tracking and physically interdicting the postal delivery of illicit goods such as drugs and weapons.

Cooperation between law enforcement agencies is key in combatting criminality on the darknet, as agencies continuously gather intelligence until the time comes to act.

“Whether and when to round up bad actors, rather than string them along, is an age-old question for law enforcement officials,” say Cilluffo and Cardash. “In the internet era, the means may be somewhat different, but the principles and equities at play in this decision remain much the same. At some point, however, the arguments in favor of takedown will outweigh those against – and when they do, the darkest corners of the web are illuminated and a signal is sent, that criminal activity is a risky business – just as it has always been.”

Levi Maxey is a cyber and technology analyst at The Cipher Brief. Follow him on Twitter @lemax13.
