The Hague, 20 July 2017 – After the sophisticated law enforcement operation Bayonet, which reached its apotheosis after 27 days, the Dark Market ecosystem seems to have taken a serious blow. The most ingenious part of Operation Bayonet is that Hansa Market was taken over by the National High Tech Crime Unit of the Netherlands in order to collect information. As a result, identifying personal information has been collected on hundreds of vendors who wanted to set up their business at Hansa after the closure of AlphaBay.
On July 6th 2017, AlphaBay disappeared without any clear explanation, either from the law enforcement community regarding a takedown or from the administrators regarding an exit scam. It did not seem to be an exit scam, at least not one like we had seen from Evolution before. So the question remained: why did AlphaBay disappear after 2.5 years of successful operations that led to a dominant market position? Why did the Coca-Cola amongst marketplaces shut down so unexpectedly?
Today, July 20th 2017, the answer is there! It was a rather ingenious international law enforcement operation, in which the DEA, the FBI and the National High Tech Crime Unit of the Netherlands took leading roles.
Current view of AlphaBay: http://pwoah7foa6au2pul.onion
After Operation Onymous in 2015 we learned about a heavy influx from a closed-down dark market into other prominent existing marketplaces. In those days, Silk Road 2.0 was taken down, and within days Agora and Evolution gained 20% more users. We witnessed a so-called ‘waterbed effect’.
After Operation Onymous on 6 November 2014 and the exit scam of Evolution on 19 March 2015, the Dark Web became rather calm and peaceful. AlphaBay grew from scratch in early 2015 to become the biggest Dark Market, running for 2.5 years. As a result, its trading volume was about 20 times what the Silk Roads ever reached. So, the question was: what is the best next step to take? Taking down dark markets like the Silk Roads seems not to be very effective, and at the same time doing nothing is also not an option.
Relatively under the radar, quite a number of arrests have been made in recent years in many countries. A substantial number of these cases started from information that became available through the takedown of Silk Road 1.0. So, information from 2013 turned out to be still relevant for police investigations in cyberspace.
This operation is ingenious because collecting new and unencrypted information was part of its design. Vendors from AlphaBay who moved to Hansa Market have been identified. This information will cover almost any serious vendor and will be useful for police investigations in different countries for the coming years, as the information obtained during the Silk Road 1.0 takedown has been for the last four years.
Hansa Market in “better” days
Drugs, drugs, drugs?
Early results of our research into the size and nature of trade on Dark Markets showed that on average 80% of the trade on these markets consists of drug transactions. This more than substantial fraction legitimizes an operation like the one we have seen over the last few weeks. Serious vendors (up to 1 MEUR per year) are to be identified. They may not yet have been visited by a law enforcement officer, but it is very probable that their names and locations are available in an international dark web database. Starting a completely new business will be close to impossible, since quite a number of actors conducted their activities from home. Continuing the trade means taking a very high risk regarding the continuity of the business.
Policing the Dark Web
Although the Dark Web has been rather calm and peaceful since early 2015, a substantial number of arrests have been made. This is because police investigators' knowledge and experience of how to use mistakes made by Dark Web actors is reaching an actionable level. It is expected that this knowledge will be further established at the local and regional level, to seriously prosecute cybercriminals. At the same time, global international operations continue to disrupt the global ecosystem by attacking its infrastructure (like AlphaBay and Hansa Market), next to collecting relevant data to identify and hopefully prosecute these criminals.
Not at all. The other 20% covers weapons, counterfeit documents and, more and more, fully digital products and services. Especially the last part, which can be categorized as cybercrime-as-a-service, is interesting regarding its criminal business cases. Sadly enough, each operation since the takedown of Silk Road 1 has subsequently led to unwanted improvements in technologies and security measures. That has resulted in further professionalization of the Dark Web business: more facilitating services, like bitcoin mixers. New and less traceable cryptocurrencies are being invented. Single-vendor markets are popping up and, last but not least, the uptake of ransomware as a fully digital attack is fueled by a rather toxic cocktail of technologies: bitcoin and other cryptocurrencies on the one hand and anonymization technologies, like the TOR protocol, on the other hand.
Collaboration between the law enforcement community and academia, like Carnegie Mellon University, Delft University of Technology or TNO, has brought relevant insights to focus operations on evidence-based intervention strategies. Given that the technologies and modi operandi used are becoming more and more advanced, this collaboration will move to the next level. Many grand challenges remain in disrupting the full cybercrime ecosystem. Our research will therefore focus on those challenges. We will keep you posted!
Mark van Staalduinen
Rolf van Wegberg
Media attention after operation Bayonet (only in Dutch)
- BNR: CRIMINELE MARKTPLAATS OVERGENOMEN DOOR POLITIE, mention + interview – LINK
- NRC: Overdag een 9-tot-5-baan, ’s nachts een drugsdealer – LINK
- Nieuwsuur: Vijf vragen over de politie-actie op het dark web – LINK
- TUDelft: Darknet training concepts validated by Hansa Market takedown – LINK
- Netkwesties: Triomf voor Team High-Tech Crime – LINK
- DeepDotWeb: Law Enforcement Arrested The First Hansa Users In The Netherlands – LINK
Rolf van Wegberg explained in Nieuwsuur how the administrators' side of a marketplace works