He escaped the Dark Web’s biggest bust. Now he’s back

Four years ago, the US Department of Justice announced that AlphaBay had been shut down, in the largest dark web marketplace bust in history. Its 26-year-old boss, Alexandre Cazes, was arrested by Thai police in Bangkok, and the FBI seized AlphaBay's central server in Lithuania. That wiped out a market that had sold hard drugs and hacked data worth hundreds of millions of dollars to its more than 400,000 registered users. The FBI described the site's disruption as a landmark operation.
The fate of one player in the massive black market scheme was left unexplained: AlphaBay's former number two administrator, security specialist and self-described cofounder, who went by the name DeSnake. Four years after the demise of his market, DeSnake appears to have relaunched AlphaBay. He is back after four years out of the public eye, and he is not hiding his excitement about it.

In an extended chat interview with WIRED, DeSnake describes how he managed to escape the AlphaBay takedown, what prompted him to resurface now, and his plans for the once-dominant online black market. After proving his identity by signing a public message with DeSnake's original PGP key, a signature that multiple security experts verified, he communicated with WIRED using encrypted text messages.

"The greatest reason I am returning to AlphaBay is to make it more than a marketplace that got busted and the founder claimed to have committed suicide," DeSnake wrote. Cazes, after his arrest in Thailand, was found dead in his Thai prison cell one week later in an apparent suicide; DeSnake believes that Cazes was killed in prison. DeSnake says he was motivated to rebuild AlphaBay after reading an FBI presentation about Cazes' arrest. "AlphaBay's name was cast in poor light after the raids," he wrote. "I am here to make amends."

DeSnake's messages were filled with practical paranoia, both about his personal security and about his plans to revamp AlphaBay's technical protections. DeSnake, who says he uses male pronouns, points out, for instance, that the revived AlphaBay allows users to buy and sell with Monero only. That cryptocurrency is far more difficult to trace than Bitcoin, whose blockchain has been shown to enable powerful financial tracking. The new AlphaBay is reachable over Tor, just like the original, but it is also accessible over I2P, which DeSnake recommends. Although he offered no evidence, he repeatedly expressed concern that Tor could be susceptible to surveillance.

DeSnake claims that his security measures, both within AlphaBay and on a personal level, go far beyond those used by his predecessor Cazes, who went online under the handle Alpha02. Cazes was caught partly through Bitcoin blockchain analysis that confirmed his position as AlphaBay's boss, a trick that would have been far more difficult, if not impossible, with Monero. DeSnake claims that this new safeguard, among others, will make it harder to remove AlphaBay from the dark web. "I had given [Cazes] many of the 'holy grails' of anonymity but he chose only certain methods/ways while he branded others as overkill," DeSnake wrote in his apparently foreign-inflected English. "In this game, there is no overkill."

DeSnake attributes his freedom to an extreme operational security program. According to DeSnake, his work computers run an "amnesiac operating system" such as the security-focused Tails Linux distribution, which is designed to store no data. He claims that he keeps no incriminating data on USB drives or hard drives, encrypted or unencrypted. DeSnake also claims to carry a USB-based "kill button" device that can wipe his computers' memory and shut them off within seconds should they ever leave his control.


DeSnake also shuts his computer down completely every time he walks away from it, to avoid any chance of it being seized while running. The "biggest problem in that regard," DeSnake wrote, is human needs. "You make sacrifices. It becomes second nature once you get used to it."

Law enforcement seized the laptops of both Alexandre Cazes and Ross Ulbricht, who is currently serving a life sentence for operating the original dark web drug market, Silk Road. In both cases the machines were taken while running, logged in to administrator accounts on the dark web sites their owners managed. DeSnake claims, however, that even if his work computer were seized, it could not implicate him in any way.

All of these technical and operational protections may matter less than a geographic one. DeSnake claims that he is located in a country that does not allow extradition, putting him beyond the reach of US law enforcement. AlphaBay's new boss has described a former life in the Soviet Union and previously posted Russian-language messages on the original AlphaBay forums.

It has long been believed that AlphaBay may have connections to Russia. The site always prohibited the sale of data from victims in ex-USSR countries, a common rule among Russian hackers intended to keep them clear of Russian law enforcement scrutiny. Alexandre Cazes, who wrote under the Alpha02 name on the site, sometimes signed off his messages with a Russian "stay safe." However, when Cazes was later found in Thailand, many concluded that AlphaBay's Russian fingerprints had been planted to mislead investigators.

DeSnake claims that he and other participants in the original AlphaBay are now beyond Western law enforcement's reach. He writes about AlphaBay’s prohibition against selling stolen data from ex-Soviet citizens. "We did it for the security of our other staff members. [Cazes] accepted it as a means to protect himself."

DeSnake claims he has travelled to "several continents" in the past four years with "zero problems." That, he says, leads him to believe that his years of freedom are due not to his physical location but to having technically outmaneuvered the law enforcement agencies pursuing him. DeSnake may, of course, also have misled WIRED to further his evasion of those agencies.

WIRED reached out to Justice Department officials involved in the 2017 AlphaBay investigation, including one participant in the original probe. They either did not respond or declined to comment.

Although few of DeSnake's claims can be verified, he has at the very least enjoyed unusual longevity as a dark web market operator. Flashpoint Security says it has seen evidence and descriptions of DeSnake operating under the same pseudonym since at least 2013, first as a credit card-focused cybercriminal on sites like Evolution and Tor Carder Forum, and later as a market administrator himself.

DeSnake first appeared on AlphaBay's forums in the fall of 2014 as a vendor of credit-card fraud (also known as "carding") tools, looking for a new home after Evolution's administrators took their users' money in an "exit scam." According to him, he quickly became friends with Alpha02 by an unconventional method: he claims he "popped" a shell on AlphaBay, hacking the website to gain access to its server and run his own commands on it. He says he did not exploit the breach but instead helped the administrator fix it. Soon he was the site's second-most senior admin and its security lead. DeSnake states that he took care of security and other admin tasks. "He took care of all the rest."

Cazes was eventually arrested almost three years later and the site was taken offline, partly because of a trail that began when the AlphaBay founder leaked his personal email address in the metadata of a welcome message sent to new members of its forums. DeSnake claims that he fixed the problem early on by changing the forum software. "I still find it shocking" that Cazes had included his personal email address, DeSnake states. "He was a great carder, and he knew better than opsec."

Since its return, dark web vendors and buyers have not flocked back to AlphaBay. The relaunched site has fewer than 500 listings, compared with 350,000 at AlphaBay's 2017 peak. Those low numbers are likely due to DeSnake's insistence on Monero payments, skeptical dark web users waiting to see whether AlphaBay is legitimate, and a torrent of distributed denial-of-service attacks that have taken the site offline. DeSnake notes that dark web markets usually gain new users when another market shuts down or is busted by law enforcement, and that has not happened since AlphaBay's return.


DeSnake is trying to lure users with the promise of AlphaGuard, a still-unproven system that allows users to withdraw funds even if the infrastructure servers are taken by authorities.

DeSnake explains that AlphaGuard will rent and set up new servers when it detects that AlphaBay's are offline. DeSnake claims AlphaGuard will also hack other websites and place data on their servers to provide users with "withdrawal codes," which they can use to recover the cryptocurrency they have stored on AlphaBay. "It is a system to guarantee users can withdraw funds and settle disputes, as well as go without any cent lost if there are raids," DeSnake wrote. "It's unstoppable."

DeSnake also says that he is in the early stages of a long-term strategy to create a decentralized marketplace system, a BitTorrent to the Napster of today's dark web markets. Open source programmers and server administrators who independently manage hundreds of thousands of servers would receive a share of the profits from hosting dark web markets, so that the ambitious plan would have no single point of failure. DeSnake says that AlphaBay would be one of the "brands" hosted on the network, but any market or vendor could set up its own, with encryption features ensuring that each market or store remains under the control of its administrator even though its code is replicated across many machines.

DeSnake has discussed the decentralization project since his first posts on AlphaBay's forums, and he acknowledges that it is still years away. He sees it as a way to make AlphaBay invulnerable to future law enforcement takedowns and to compensate the dark web's users who lost millions when the original AlphaBay server was seized. Money made in this way, DeSnake wrote, is an investment in the future of AlphaBay. "This is a pretty clear statement when it comes to ideology. This is because we want to live up to the AlphaBay name. It is our way of recompensing the darknet for all that has happened."

Flashpoint analyst Ian Gray, who closely follows dark web markets, believes that all the defensive wizardry DeSnake refers to, both AlphaGuard and the decentralization project, is largely unproven talk. For the decentralization plan to be taken seriously, it would need the support of a large number of network operators and developers, and Gray notes that DeSnake has shown no code for AlphaGuard or for that system. He also questions why DeSnake would relaunch AlphaBay four years later without having made any progress toward his decentralization goals. DeSnake, Gray says, has not demonstrated much beyond launching a marketplace. "I distrust DeSnake and I believe there is a general distrust across the communities."

Gray points to a thread on XSS, a largely Russian-language cybercrime forum, where many commenters express doubts about DeSnake's return, with some suggesting that he is being controlled by law enforcement. "Lol! How many honest comrades will DeSnake need to turn in now to escape the punishment cell?" one commenter asked in Russian. Another wrote, "It's fake. 99.9% sure. Feds opening it again."

A former US law enforcement official who was involved in the original AlphaBay probe, speaking on condition of anonymity, expressed similar doubts. If he were a vendor or user of the site, the former official said, he would be concerned that it had been set up for an exit scam or some other honeypot operation. He added that he is not aware of any ongoing law enforcement activity targeting the site.

Nicolas Christin, a dark web-focused computer scientist at Carnegie Mellon University, confirmed that DeSnake's PGP key matches one found in his own archive of AlphaBay messages. He notes, however, that the key could be under the control of law enforcement, or that DeSnake could have become a law enforcement cooperator; the Dutch police, after all, took control of Hansa, then the second-largest dark web marketplace, around the time of AlphaBay's 2017 downfall. Christin says it is unlikely that DeSnake has been compromised, but he does not rule out the possibility.

DeSnake argues that if law enforcement had reached him and launched the new AlphaBay as a honeypot, they would simply have reused the original AlphaBay code, whereas he claims to have rebuilt it from scratch. He also points out that a Monero-only site would be far more effective at protecting dark web buyers than one that accepts Bitcoin.

"With all that said, you decide for yourselves whether you ride with us to the top," he wrote in a message to users of Dread. "I understand if it is not for you, but you will soon see that we are the original AB. We have never been 'compromised' in any way."

If DeSnake's AlphaBay is indeed legitimate, it could prove to be the antithesis of a honeypot: a highly motivated digital black market that appears to sit far beyond the reach of US law enforcement. That would mean DeSnake's long track record as one of the most prominent dark web players is far from over.

This story first appeared on wired.com