Dark Net Trap

AlphaBay and Hansa

AlphaBay and Hansa, two of the top three most trafficked darknet markets have been taken down in a coordinated action by Europol, DEA, FBI and other security forces. There are a number of innovations in going after darknet markets and protected accounts that are on display.

The AlphaBay complaint.

DarkNet Market Takedown Tradecraft

Silk Road: administration and encrypted laptop

Each DNM takedown shows improved security forces tradecraft. With Silk Road 1 there was the use of cameras (to photograph Ross Ulbricht’s laptop screen, should he activate the lock screen) and physically tackling Ross away from his device before he could lock it. This allowed the security forces to gain access to the encrypted laptop when it was in an unencrypted state and recover the files they would need. They also made sure to capture him at a time when he was actively engaged in the criminal activity they wanted him for — administering the Silk Road website.

AlphaBay Server Disk Encryption

The security forces caused the server to shutdown. This forced Cazes to access the AlphaBay forums to reply to upset users. Additionally he was forced to access the servers to attempt to reboot them to bring them back online.

As part of a serious infosec hygiene error, Cazes had the passwords for the servers stored in unencrypted text files. For future darknet market drug lords, learn to use the KeePass program which will allow storage of sensitive data in encrypted format. Password managers are a critical element of infosec hygiene.

Hansa Trap

The second major DNM tradecraft improvement is the use of the Hansa market as an intelligence collection mechanism. On June 20th the Dutch police seized the Hansa market and kept it up and running for a month (until July 20th.) During that month the Dutch police were using the market as an intelligence collection trap, storing all the information they could get about new users and vendors, existing user and vendors, trades, etc. When the FBI cause AlphaBay to go down on July 5th, the displaced users looked for a new home. Hansa appeared to be just such a home, and indeed there was an 8 fold increase in new users. This deliberate staggered takedown allowed the security forces to collect additional information about drug addicts and non violent vendors who supply them with high quality products that don’t cause harm to others.

what made this operation really special was the strategy developed by the FBI, DEA, the Dutch Police and Europol to magnify the disruptive impact of the joint action to take out AlphaBay and Hansa. This involved taking covert control of Hansa under Dutch judicial authority a month ago, which allowed Dutch police to monitor the activity of users without their knowledge, and then shutting down AlphaBay during the same period. It meant the Dutch police could identify and disrupt the regular criminal activity on Hansa but then also sweep up all those new users displaced from AlphaBay who were looking for a new trading platform. In fact they flocked to Hansa in their droves, with an eight-fold increase in the number of new members of Hansa recorded immediately following the shutdown of AlphaBay. As a law enforcement strategy, leveraging the combined operational and technical strengths of multiple agencies in the US and Europe, it has been an extraordinary success — Source

The First and Last Mistake

A mistake made in December 2014 was reported to the police in December 2016. This single minor error was enough to bring him down. The Internet is forever. Mistakes, once made, can resurface at any time. The real error was to not create a compartmented persona to handle all things AlphaBay.

Failing to create a special persona with an email address, false name and identity, used only for managing the AlphaBay dark net market was the root cause problem. A compartmentation failure meant that any security mistakes, infosec errors, or other problems would immediately link the darknet market to a real identity. This real identity would then be liable for criminal activity. As I have said again, and again, and again:

Compartmentation is your last line of defense.

In this case Alexandre Cazes made the mistake of running AlphaBay using the same email address that he used in his personal life, one that was exposed via dumped email lists of hacked accounts, as well as via popular sites.

That email address was leaked a few times from the AlphaBay site. The leaked email was also linked to a number of other sites, which could be found by searching the email dumps from hacked sites. Then poor infosec hygiene, such as password reuse, comes into play.

Which, given the frequency of the email and password combo, allowed for some indepth snooping.

Use a Password Manager for Unique Passwords for each Account

Great use of two factor authentication with PayPal. Unfortunately in this case, it reveals the phone numbers which are linked to the owner of the PayPal account and the PayPal account is linked with dirty money. Bad compartmentation means that security failures in other areas become catastrophic, rather than localized. Compartmentation is how you implement impact containment for security failures. Something that would have helped Alexandre Cazes significantly.

Conclusion: Safe Places For Drug Addicts Attacked

Alexandre Cazes is dead. Great job ridding the world of a non violent drug distribution channel that virtually eliminated risk and significantly reduced harm to addicts.

Support more work like this.

Update: some more links for the pimp_alex_91 email account found by jean marc manach.

Alexandre makes fun of a poor phishing attempt on his PayPal account:

Name: Alex

Age: 17