There are references to suicide. You can call the suicide and crisis hotline.
Chapter 14 contains information.
Paul Hemesath spent a few hours by the rooftop pool of the Athenee, scrolling on his iPad through the responses to the disappearance of the world's largest-ever dark.
There were rumors that the site's administrators had taken millions of dollars' worth of the market's currency. The site might be down for technical reasons, according to others. Few people believed the truth. One user wrote that people have always been wrong about exit scams. I hope the same thing happens. Keep the faith until we know otherwise.
Faithful or not, AlphaBay's vendors and buyers went looking for a new market. Hansa was AlphaBay's main competitor and it was already growing fast.
The Dutch police waited for them back in the Netherlands. They had been monitoring Hansa's marketplace for two weeks and surveilling its users. The Driebergen conference room, where the small team of undercover investigators had continued to work in shifts around the clock, had become a college dorm. There were chips, cookies, chocolates, and energy drinks at the table.
The head of investigations for the Dutch National Police visited to see their landmark operation in action. After 10 minutes, he was offended by the smell and left. Someone brought in a product. A team member said that it didn't work.
Hansa's market was doing well. In the days before AlphaBay was taken down, it was adding nearly a thousand new users a day. The number went up to more than 4,000 a day after AlphaBay went down. On the next day, there were more than 5,000. Two days later, 6,000.
The Dutch team was logging a thousand transactions a day as AlphaBay's users were absorbed by the market. The police were briefly overwhelmed by the huge amount of paperwork that had to be tracked and sent to Europol. They decided to stop new registrations for a whole week. They said that they were dealing with technical issues due to the influx of AlphaBay refugees. Some Hansa users started selling their accounts on web forums because others were so eager to join.
In the middle of that week, on July 13, one of the parts of Bayonet suddenly appeared. The Wall Street Journal broke the news that AlphaBay had been taken down and that the site's administrator had been found dead in a Thai jail cell.
The Dutch police were not mentioned in the article. When the Dutch reached out to the FBI, they were surprised and relieved to find that the Americans were willing to keep quiet. Half of their one-two punch would remain hidden until the Dutch decided to pursue it.
Driebergen paused new registration on Hansa a week ago. The number of new user sign-ups increased rapidly.
The operation could not continue indefinitely. They could see the moment when they would have to take off their masks, reveal their coup, and destroy the market they'd worked so hard to build. They were not intercepting all of the mail that was being used to sell drugs.
The more risks they were willing to take, the less they had to lose if they were discovered.
The Dutch team held "evil plan" meetings throughout the operation to come up with devious schemes to track and identify the users of the market they controlled. They came up with a list of tactics and ordered the actions to be most likely to blow their cover. They began to practice their boldest ideas as they reached their final destination.
Hansa had long ago implemented a standard feature for dark-web markets, designed to protect their vendors: When sellers uploaded images for their product listings, the site automatically stripped those images of their metadata. Early on, the Dutch sabotaged that feature by recording images' data before it was stripped. They found that the majority of the vendors rarely updated their listings or posted new photos.
The police took over the site a few weeks ago. Vendors will have to re-upload images for their listings after they claimed that a server had failed. The Dutch police were able to get the data from a lot of new images. They were able to get the locations of 50 more dealers.
Despite their use of anonymity software, the Driebergen team came up with an idea for how to get the addresses of the site's sellers. A kind of Trojan horse was involved. Hansa's administrators said that they would give an Excel file to vendors that would allow them to retrieve their bitcoins even if the site was taken down. When only a small number of Hansa's dealers took up the offer, the police tried to add more helpful information to it, like buyer statistics that would let the sellers track and rank their best customers. The Dutch cops tricked the site's users into thinking they had detected suspicious activity on their server and warned them that they risked losing their funds if they didn't download the backup file.
The files the team was pushing on vendors were functioning as a secret digital beacon all the time. There is an image of the Hansa logo on the left side of the spreadsheet. The police designed the Excel file to fetch the image from their own server when the spreadsheet was opened. They were able to see the address of every computer that asked for it. There were 64 sellers on the market.
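A defensive check for the kind of beacon described above, as an added example that is not part of the original story: it assumes the file is an OOXML (.xlsx) package, where a remotely hosted image appears as a relationship marked `TargetMode="External"`. The sample package, its part names and the `beacon.example` and `market.example` hosts are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace of OOXML package relationship parts (*.rels).
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def external_targets(xlsx_bytes):
    """List every relationship in the package that points outside the file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "Internal") == "External":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append({"part": part, "kind": kind,
                                     "target": rel.get("Target", "")})
    return findings


def silent_fetch_candidates(xlsx_bytes):
    """External targets other than hyperlinks, which need a click to load."""
    return [f for f in external_targets(xlsx_bytes) if f["kind"] != "hyperlink"]


def build_sample():
    """Constructed sample holding only the parts the scanner reads."""
    def rels(*entries):
        body = "".join(
            '<Relationship Id="rId%d" Type="%s%s" Target="%s"%s/>'
            % (i, REL_TYPE, kind, target, ' TargetMode="External"' if ext else "")
            for i, (kind, target, ext) in enumerate(entries, 1))
        return ('<Relationships xmlns="%s">%s</Relationships>'
                % (REL_NS.strip("{}"), body))

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/drawings/_rels/drawing1.xml.rels", rels(
            ("image", "https://beacon.example/logo.png", True),   # remote image
            ("image", "../media/image2.png", False)))             # embedded image
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels(
            ("hyperlink", "https://market.example/help", True)))
    return buf.getvalue()


if __name__ == "__main__":
    # Report anything the file could load from the network without a click.
    for hit in silent_fetch_candidates(build_sample()):
        print("%(part)s: %(kind)s -> %(target)s" % hit)
```

Inspecting the package this way reads the relationship parts as plain XML inside a zip and never opens the workbook in a spreadsheet application, so nothing is fetched during the check.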
The Dutch team turned their attention to the staff of the marketplace who were directly working for them. The team lead, Petra Haandrikman, said that one of the moderators was very emotional and dedicated to the site. While hatching a plan to try to arrest him, the Dutch team felt a sense of admiration and affection for this hard worker.
He got a promotion. Hansa would only get a raise if he agreed to become a third admin of the site. The person who moderated was very happy. If he wanted to become an admin, they would have to arrange a meeting in person or get his mailing address so that they could send him a two-factor authentication token, a physical stick plugged into a PC, to prove his identity.
The tone of his next message suddenly changed. He said that he had made a promise to himself that if his bosses at Hansa ever asked for his identifying information or tried to meet him in person, he would immediately quit and wipe his devices. He was going to follow that promise. He said good bye.
The admins now had an opening to fill because of the Moderator's decision to save him from a prison sentence. They started advertising that they were looking for a new moderator. At the end of a series of questions about qualifications and experience, they would ask "successful" applicants for their address so that they could mail them a two-factor verification token. The people who were eager for the job gave the location of their homes. One would-be moderator wrote a joke about not sending the cops to his address. Hansa support was always helpful.
Savvier dark-web users didn't give out their home addresses. If they needed to deny the package was theirs, they would send the address of a "drop" away from their homes.
The Dutch police sent the two-factor token hidden in the packaging of a teddy bear to those who provided a drop address. The panda was supposed to be an innocuous disguise to hide the token, a sign of their new employers' attention to op espionage.
The Dutch cops wanted their targets to take the stuffed panda home as a souvenir. The recipients were unaware that each one contained a small GPS tracker.
Chapter 15 contains information.
After running Hansa for 27 days, the Dutch prosecutors decided it was time to give up their game over the objections of several members of the Driebergen team.
In a press conference at the Dutch police's national headquarters in The Hague, the head of the agency pressed a button to shut down the website. An agent with a laptop sent a simultaneous command to the server that pulled Hansa offline. The news about the action against AlphaBay and Hansa was announced in a press conference by the US Justice Department. The dark web's users were given the chance to be warned. It's not safe. He spoke from a packed room of reporters and cameras. We will dismantle your organization. We will bring you to justice.
The AlphaBay site rematerialized with a notice covered in law enforcement agency logos and words that would be familiar to any Silk Road user: "This hidden site has been seized."
The Dutch message on Hansa said that the site had been seized and controlled. Those under investigation, those who had been identified, and those who had been arrested were listed under three categories in the Dutch seizure notice. People who are active at dark markets are tracked. Is it possible that you're one of them? You have our attention, then.
After exposing their operation, the Dutch team in Driebergen decided to try the usernames and passwords they had collected from Hansa on the largest surviving dark-web drug bazaar. Twelve of the site's dealers had used their Hansa credentials there. They were able to immediately take over those accounts and lock out the vendors, as well as posting panicked messages on public forums suggesting that Dream had been compromised as well.
The Dutch police's Marinus Boekelo said that all of that carefully coordinated agitprop and disruption was intended to sow fear and uncertainty across the dark-web community.
The intended effect was immediate. I think I will be sober for a while. One person wrote that they weren't trusting any markets.
One person wrote that they should not make new orders on any dark net market.
One person asked if it was a wrap for the darknet.
People who think they are screwed and want to flee the country should do so immediately.
Many of the dark web's users were justified in being paranoid. The Dutch ran Hansa for almost four weeks. After shutting down the site, they seized 1,200 bitcoins from Hansa, worth tens of millions of dollars, thanks in part to silently sabotaging the site's implementation of a feature called multi-signature transactions. More than 10,000 home addresses were included in the amount of data they had collected.
More than a dozen of Hansa's top dealers were arrested within a year. The Dutch police fed their dark-web data into a database controlled by Europol, which in turn gave it to law enforcement agencies around the world.
It's difficult to track the indirect effects of that data explosion. Grant Rabenn, who served as custodian of the files the Justice Department had assembled from Bayonet, said he received requests for that information from agencies across the US.
There would be a lot of busts on the dark web. JCODE, or Joint Criminal Opioid and Darknet Enforcement, pulled together agents from the FBI, Department of Homeland Security, US Postal Inspection Service, and half a dozen other federal agencies to carry out these operations. According to the FBI, those enforcement campaigns resulted in more than 220 arrests, 160 "knock and talks", and the seizure of more than 1,700 pounds of drugs.
The Hansa side of the operation cost a lot. A group of Dutch police were required to become dark-web kingpins because of the large amount of manpower and resources needed for Bayonet. They had been facilitating the sale of narcotics to unknown buyers for over a month. They had compromised Hansa as well.
The Dutch police may have felt that they were tainting their work. Some people feel unconflicted about their roles. Petra Haandrikman said that it was exciting. The Dutch prosecutors already reviewed the case and gave them the go-ahead. The police were able to push the operation as far as possible with a clean conscience after that.
Hansa's users applauded when it was pointed out that the Dutch police banned the opiate fentanyl while they were in control. It was just a few days before the end of their undercover operation. For more than three weeks, there was no guarantee that all of the orders would be stopped.
The police decided to watch the narcotics sales rather than shut Hansa down.
Gert Ras said that they would have taken place regardless.
DeSnake welcomed you to the reopening of AlphaBay.
The dark web's observers have been trying to figure out how much Bayonet disrupted the interchangeability of markets. By the time AlphaBay was taken down, law enforcement agencies had been playing a game with a new market constantly ready to absorb the users of the previous.
The AlphaBay and Hansa busts had more long-term effects than previous dark-web takedowns, according to one study. When the Silk Road and Silk Road 2 were seized, most of the drug vendors showed up on other dark-web drug sites. The vendors who fled Hansa after Bayonet's one-two punch didn't reappear, or if they did, they had to scrub their identities and reputations. The Hansa Market shutdown stood out in a positive way, according to the TNO report. The first signs of police intervention are visible.
Nicolas Christin is a researcher of dark-web drug markets with a long track record. He and his fellow researchers conservatively estimated that AlphaBay was generating between $600,000 and $800,000 a day in sales before it was shut down. Dream Market, the next inheritor of the dark web's refugees, grew to become almost as big as AlphaBay before the market quietly dropped offline in 2019.
AlphaBay was generating as much as $2 million a day in average sales before it was shut down, according to Chainalysis. According to Chainalysis, the Russian-language dark-web site, which was taken offline by German law enforcement in April 2022, took in more than $1.7 billion in digital currency in 2011. Its black-market sales were difficult to differentiate from its money-laundering services. Cazes' site was 10 times the size of Silk Road when it was taken down, according to the FBI.
Christin predicts that the dark web's memory of Bayonet will fade as long as there are buyers for illegal, lucrative, and often addictive goods.
He says that history has shown that the ecosystem is very resilient. It was a one-two punch. That doesn't seem to have had a big impact on the environment.
On the day that the Hansa takedown was announced, some users were ready to return to the dark web, and their need for another fix began to make itself felt. The same person who posted on the dark-net market forum that they would be "sober for a while" ended their message with a note of persistence.
The anonymous user wrote that things would stay stable. The great game of whack-a-mole continues.
Chapter 16 contains information.
Just as I was writing about AlphaBay's downfall, something happened that surprised me.
Ghostbin is a site for publishing anonymous text-based messages. AlphaBay is back, you know what I mean.
DeSnake was AlphaBay's number two administrator and security specialist. To prove his identity, DeSnake signed the message with his PGP key, which showed that the writer of the message had a long, secret series of characters. The signature from DeSnake's messages was confirmed by multiple security researchers. At the very least, the author was AlphaBay's long-lost lieutenant, who had gotten a hold of his key.
AlphaBay is a professionally-run, anonymous, secure marketplace for buying and selling products and services. He wrote that the staff of the new AlphaBay had 20 years of experience in computer security, underground businesses, darknet market management, customer support and evading law enforcement.
AlphaBay reappeared when I entered the site's address into a browser. It was the same market as the one last seen, but it wasn't AlphaBay. Now that he had taken over from Alpha02, DeSnake allowed transactions only in the privacy-focused Monero, not the other way around, to prevent the blockchain analysis that had played such a central role in AlphaBay's takedown.
I reached out to DeSnake for an interview and wrote to his account. Within 24 hours, I was exchanging messages with the dark web's new leader.
After Cazes died in jail and the rest of AlphaBay's staff scattered, DeSnake came back only now. He was going to retire after AlphaBay was seized, but he changed his mind after seeing a video of Cazes' arrest at the conference.
The biggest reason I am coming back is to make the AlphaBay name remembered more than the marketplace which got busted and the founder made out to have committed suicide. After the raids, the name AlphaBay was put in bad light. I am here to apologize.
According to DeSnake, Cazes was murdered in jail. He said that he and Alpha02 had created a contingency plan that would reveal Alpha02's identity to DeSnake if he disappeared for a period of time. DeSnake wouldn't say whether that help would have come in the form of a legal defense fund or helicopter gunship.
Cazes would not have killed himself before their plan went into effect. He said that he was a fighter. We had a backup plan that was backed by funds and worked, but he was killed.
Since taking down the original AlphaBay, DeSnake has developed a number of countermeasures that have been used to capture Cazes. When his computer was unlocked, DeSnake didn't use the bathroom. He claimed to use an "amnesiac" operating system to avoid storing incriminating data, as well as "kill switches" to destroy any remaining information that law enforcement could find on his machines. If the ones that run the site are seized, he designed a system called AlphaGuard that will automatically set up a new server.
He wrote that he is based in a former USSR country that is beyond the reach of Western governments. He claimed that AlphaBay's ban on victimizing people from that part of the world was genuine and designed to protect him and other actual post-Soviet citizen AlphaBay staffers from local law enforcement.
It was done for the security of other staff members. Cazes decided to embrace it as a way to keep himself safe.
DeSnake claimed that he had traveled through countries with US treaties and never been caught. He credited that track record in part to his careful money-laundering, though he wouldn't reveal his methods.
Anyone who believes any currency method is safe is a fool. He stated that everything is tracked. It costs you a lot to do what you do. You pay taxes if you are a legitimate business. You pay taxes in different ways if you do this.
DeSnake was shocked when he found out that his email address had been leaked. I am still shocked that he put his personal email on there. He was a good carder.
He said that Cazes' failure to hide his money trails was a more grievous mistake. The previous AlphaBay boss was warned by DeSnake about the need to take more precautions against financial surveillance. Alpha02 didn't listen.
DeSnake wrote that he discarded some of the advice he received as "overkill". There is no excess in this game.
At the end of several weeks of on-and-off chats with DeSnake about how he planned to win this next round of the dark web's cat and mouse game, he shared some news: the mice had scored another small victory.
DeSnake sent me a bunch of links to websites that were protected from the internet's bad guys. The Italian police agency that investigated Deep Sea and Berlusconi Market was hacked. There was an inside view into law enforcement's secret work to take down those sites that was published by the hacker.
One slide deck caught my attention. The presentation was from Chainalysis. The ability to trace Monero in a majority of cases was one of the tricks Chainalysis offered law enforcement. Chainalysis turned a free tool it had acquired, WalletExplorer, into a honeypot, and turned over identifying information to law enforcement about people who used the tool to check the authenticity of their coins.
I had been looking for a solution to the mystery of the "advanced analysis" trick Chainalysis had used to locate the AlphaBay server in Lithuania.
The Italian presentation confirmed that Chainalysis can identify the addresses of some of the wallet's Internet Protocol addresses. It was able to do so by quietly monitoring transactions. This appeared to be the very practice that had led to a scandal in the company's earliest days, when it was revealed that Chainalysis was running its own Bitcoins to collect the addresses of users.
The tool called Rumker was described in one slide as being able to identify the addresses of anonymous services. The slide read, "Although many illegal services run on the Tor network, suspects are often negligent and run their digital currency on clearnet."
Did AlphaBay make a mistake? The secret weapon that pinpointed that dark-web giant's address was called Rumker.
Michael Gronager did not deny the presentation's legitimacy when I asked about it. He sent me a statement that said that open protocols are monitored to keep the space safe and that permission-less value transfer networks are needed to flourish.
If it was the tool that was used to locate AlphaBay, it would have been burned. The person who leaked it exposed the vulnerabilities of the Bitcoin protocol. Dark-web administrators like DeSnake will be more careful in the future to prevent their cryptocurrency wallets from revealing their addresses to other people.
There will be other vulnerabilities that can be exploited. The cat and mouse game is going on. Every Alpha that's taken down will have another waiting in the shadows ready to take their place.
This story is excerpted from the book, which is available from Doubleday.
Reymundo Perez III is the author of the chapter illustrations.
The photo was obtained from the same source as the one pictured.
There is an article in the December/January issue.