This hidden site has been seized: The details on the darknet market takedowns

 
If you hadn’t already heard, two of the three largest darknet drug markets got taken down recently: Hansa and Alphabay. Alphabay was doing somewhere in the region of 220-300 million USD in trade per year. Hansa was all set to be the next Alphabay.
There’s an important difference between the two takedowns and some interesting details in how the police handled the two markets. I haven’t seen a proper breakdown of the technical stuff anywhere, so I thought I’d write up a blog post.
 

Alphabay

It looks like this was a pretty straightforward breach of OPSEC (operational security). The guy who was running it leaked his hotmail address. A subpoena was put in and the pieces were put together from there. Like some kind of idiot, he was living a lavish lifestyle in a country where lavish lifestyles stick out like a sore thumb (Thailand). The guy ended up taking his own life in a cell in Bangkok which is pretty depressing.
 

Hansa

Hansa is a fascinating story. The Dutch police somehow figured out that the Hansa servers were in Lithuania. They took control of the marketplace in June and ran it for a solid month, and during that month exposed at least 10,000 buyers’ addresses. How they figured out that the server was in Lithuania is not yet clear, and if it was through a weakness in Tor, we can expect to see more seizures of this nature. I don’t think this is the case, or we would have seen more takedowns and / or more high level dealer arrests already.
 

Anatomy of a drug deal

A typical darknet market purchase goes like this: the buyer gets some bitcoin and sends it to a “market wallet”, possibly through a mixing service to hide the source. They browse around, pick their dealer of choice and place the order. They need to send the delivery address to the dealer. In order to prevent the market from seeing their address, PGP encryption is used: the buyer encrypts the address to the dealer’s public key, so only the dealer can read it. Now PGP encryption is a bit of a pain in the arse. I’ve put a link to my PGP key in my email signature since founding InvizBox and have received a total of zero PGP encrypted email messages. So the markets make it easy for people to PGP encrypt their address by providing an “encrypt” type checkbox that has the market do the encryption for them. After that, the dealer decrypts the address and sends the drugs. The market typically holds on to the funds in escrow until the buyer confirms that they received the drugs and leaves some Amazon style feedback (“best drugs ever”), then the market releases the bitcoin to the dealer less a fee.
 
When Alphabay was taken down around the 4th of July, their users flocked to Hansa because of its perceived security. Hansa was using a feature of bitcoin called “multisig” which meant that the market couldn’t do a runner with all the money it was holding in escrow (called an “exit scam”). Since buyers were going to have to choose a different market, Hansa with its nice multisig feature seemed like the obvious choice, and so people flocked into a market that was controlled by the police.
 
How the Dutch police exploited control over Hansa

The Dutch police did at least 3 things to maximise the damage they could do:
1) Took a copy of login passwords
2) Took a copy of buyers’ addresses from those who lazily checked the “encrypt” checkbox
3) Did a switcheroo with the PGP keys of dealers whose buyers they wanted to catch
Let’s look at each one in turn.
 

Took a copy of login passwords

This is exactly what it sounds like. When a buyer / dealer logged in with password “iselldrugs123” they took note of it, then tested whether that password worked on other markets with the same username. Pretty smart. Many dealers and some buyers would have used their PGP key for login, and these people wouldn’t have been exposed by this method.
 

Encrypt checkbox

This relied on people being lazy and relying on the marketplace to encrypt their address. From reading on reddit it sounds like a lot of people were lazy. If the Dutch police are to be believed it was over 10,000 people over the course of that month. Pretty sure there will be some sweaty palms and knocks on doors over this.
 

PGP key switcheroo

This one was going to catch out even those who weren’t lazy, unless they had already stored the dealer’s genuine key and compared it against the one the market served. Some buyers did realise the change had occurred (there was at least one thread on reddit warning about it before the big reveal). It’s not clear to me how long, if at all, the switcheroo was successful.
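The lesson here is general: a public key that reaches you through a server you don’t control (a market’s key page, a web mail gateway, an internal key directory) can be swapped by whoever runs that server, and the only client-side defence is to pin the fingerprint the first time and alarm on any change, the same way SSH treats known_hosts. The following trust-on-first-use check is an added example and not code from the original post; it assumes fingerprints come from `gpg --with-colons --fingerprint` output, and the sample output and identity name are constructed.

```python
import re
from typing import Dict, List

# gpg --with-colons emits "fpr" records with the 40-hex-char fingerprint in
# field 10 (fields 2..9 are empty). ASSUMPTION: this record layout.
FPR_RECORD = re.compile(r"^fpr:(?:[^:]*:){8}([0-9A-F]{40}):")

# Constructed sample of gpg --with-colons output for one key with one subkey.
SAMPLE_GPG_OUTPUT = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1500000000::::::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1500000000::PLACEHOLDERHASH::Vendor Example <vendor@example.invalid>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1500000000::::::e::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
"""


def fingerprints_from_colons(output: str) -> List[str]:
    """Return primary-key fingerprints from gpg --with-colons output.

    Only the fpr record that directly follows a 'pub' record is the primary
    key; fpr records following 'sub' describe subkeys and are skipped, since
    the primary fingerprint is what you pin and verify out of band."""
    fprs: List[str] = []
    expecting_primary = False
    for line in output.splitlines():
        if line.startswith("pub:"):
            expecting_primary = True
        elif line.startswith("sub:"):
            expecting_primary = False
        elif expecting_primary:
            match = FPR_RECORD.match(line)
            if match:
                fprs.append(match.group(1))
                expecting_primary = False
    return fprs


def check_key(store: Dict[str, str], identity: str, fingerprint: str) -> str:
    """Compare a freshly served key against the pinned one for `identity`.

    Returns 'pinned' on first sight (the fingerprint is stored), 'match' if
    it equals the pin, or 'MISMATCH' if the served key has changed. A
    mismatch means the party serving the key page replaced it; do not encrypt
    to the new key until it is confirmed through an independent channel."""
    fingerprint = fingerprint.replace(" ", "").upper()
    pinned = store.get(identity)
    if pinned is None:
        store[identity] = fingerprint
        return "pinned"
    return "match" if pinned == fingerprint else "MISMATCH"
```

In practice the store would be persisted to disk (a small JSON file is enough) so the pin survives between sessions; the in-memory dict keeps the example self-contained.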
 
All in all it was a pretty impressive operation from the Dutch police to locate and run the market. A month seems on the excessive side to me, but of course I don’t have all the background details.
 
There is now rampant speculation that the largest remaining market, Dream, has also been compromised.