Just as criminals conduct business in the dark allies of cities, they also trade in illicit products such as drugs, guns, and counterfeit documents through online bazaars hidden behind anonymizing technology in a place known as the darknet. Last month, law enforcement agencies led by U.S. and Dutch authorities took down two of the largest known darknet marketplaces, AlphaBay and Hansa Market, with Europol facilitating the international coordinated effort. The Cipher Brief’s Levi Maxey spoke with Robert Wainwright, the Executive Director of Europol, about how the operation to take down AlphaBay and Hansa played out and why international cooperation is so important in disrupting criminal marketplaces online.
The Cipher Brief: What were AlphaBay and Hansa Market, and why are such illicit marketplaces a serious security risk? Are their products primarily for petty criminals, or does this facilitate transnational organized crime and possibly even terrorism?
Robert Wainwright: AlphaBay was the largest criminal marketplace on the darknet, utilizing a hidden service on the Tor network to effectively mask user identities and server locations. Prior to its takedown, AlphaBay reached over 200,000 users and 40,000 vendors. There were over 250,000 listings for illegal drugs and toxic chemicals on AlphaBay, and over 100,000 listings for stolen and fraudulent identification documents and access devices, counterfeit goods, malware and other computer hacking tools, firearms, and fraudulent services.
A conservative estimate of transactions – in bitcoin and other cryptocurrencies - in the market since its creation in 2014 reached $1 billion. Hansa was the third largest criminal marketplace on the darknet, trading similarly high volumes in illicit drugs and other commodities. The two markets were created to facilitate the expansion of a major underground criminal economy, which affected the lives of thousands of people around the world and was expressly designed to frustrate the ability of law enforcement to bring offenders to justice.
In general, almost all types of illicit goods are now bought and sold via online platforms that offer the same ease of use and shopping experience as most legal online platforms. The mature Crime-as-a-Service model underpinning cybercrime continues to provide tools and services across the entire spectrum of cyber criminality, from entry-level to top-tier players and any other seekers, including parties with other motivations such as terrorists. The boundaries between cybercriminals and other groups continue to blur. While the extent to which extremist groups currently use cyber techniques to conduct attacks appears to be limited, the availability of cybercrime tools and services, and illicit commodities such as firearms on the darknet, provide ample opportunities for this situation to change.
TCB: Could you describe the law enforcement operation against the two illicit sites?
Wainwright: In the past we have seen how dark market sites taken down by law enforcement agencies have almost immediately been replaced by new marketplaces where vendors and buyers moved quickly to continue selling and buying illegal commodities. This can be frustrating, and we and our partners therefore decided to strategically exploit this criminal behavior by acting against two top markets in a coordinated strike to maximize disruptive impact. This involved taking covert control of Hansa under Dutch judicial authority – which allowed Dutch police to monitor the activity of users without their knowledge – and then shutting down AlphaBay during the same period. As expected, this led to thousands of displaced users from AlphaBay switching to Hansa, which, by then, was under covert police control. The strategy yielded significant intelligence dividend, which is the basis of multiple new investigations.
TCB: This was a major international operation, involving cooperation between national law enforcement authorities. What role did Europol play?
Wainwright: Europol played a central coordinating role in both cases. The combined criminal activity of these sites was huge and, therefore, the FBI, the U.S. Drug Enforcement Administration, and the Department of Justice, as well as the Dutch police and Europol were actively investigating the sites, vendors and buyers. In order to be as effective as possible, it was necessary to coordinate and de-conflict all of these investigations, which was a highly complex task but one that is typical of Europol’s main activities. We have supported the investigations by facilitating the international police cooperation and secure information exchange, we have hosted operational meetings and we have analyzed and cross-checked the intelligence generated.
TCB: There is often a need to balance gathering intelligence on illicit activities and taking action such as seizing sites and arresting administrators, which can be to the detriment of further intelligence collection. At what point did law enforcement think it was time to take action against the two dark web marketplaces?
Wainwright: I believe that the AlphaBay/Hansa case is a perfect model of international coordination and joint international effort and it paves the way for future similar operations. The coordinated takedown was really special, and the investigation behind it one of the most sophisticated law enforcement operations against cybercrime that we’ve ever seen. It allowed us to gather significant amounts of intelligence, arrest administrators, and seize sites at the same time. This outstanding success was only possible through the joint efforts of the Department of Justice, the FBI, the U.S. Drug Enforcement Administration, the Dutch police and Europol. Between us we have moved the bar higher for the degree of sophistication and impact of international law enforcement action against criminal activity online.
TCB: Some argue that shutting down illicit dark web sites is a “whack-a-mole” approach where criminal customers simply take their business to other sites that pop up, for example, after the Silk Road bust. What kinds of policies or operational approaches need to take place to better disrupt these online marketplaces?
Wainwright: Through the AlphaBay/Hansa operations, the capability of drug traffickers and other serious criminals around the world has taken a serious hit. By acting together on a global basis the law enforcement community has sent a clear message that we have the means to identify criminality and strike back, even in areas of the darknet. There are more of these operations to come. Despite the difficulties, law enforcement agencies will constantly work to identify criminals taking advantage of the darknet or technical tools. We first saw the Silk Road, and now AlphaBay and Hansa, fall. It’s only a question of time before more administrators, vendors and buyers will be identified and prosecuted. We are also realistic in accepting that new markets will emerge. But I think we have succeeded in our primary objective of making criminal enterprise on the darknet a more risky environment as a whole. Weeks on from the operation we are still seeing the aftermath in the criminal community, with vendors and buyers now palpably more nervous and less assured about what to do, where to go, and whom to trust.
