
International operation takes down AlphaBay, Hansa dark web markets

Working with the support of Europol, the FBI, the U.S. Drug Enforcement Agency (DEA) and the Dutch National Police brought down two of the top three darkweb markets, AlphaBay and Hansa, on Thursday.

The globally coordinated, sophisticated operation, in the works for months, severely hobbled the underpinnings of a criminal economy in which 350,000 illicit commodities had been traded. Among the items sold: cybercrime malware.

"The AlphaBay market was known to offer a wide range of malicious software, including Philadelphia Ransomware, CTBlocker, Stampado and Blackmail Bitcoin Ransomware (amongst many others), while on Hansa, people could buy the source code of another notorious ransomware, CryptoLocker," said Cylance Senior Threat Researcher Marta Janus, who expects ransomware attacks to "at least slow in the coming weeks" now that both markets are shut down.

"This is an outstanding success by authorities in Europe and the U.S.," Rob Wainwright, executive director of Europol, said in a press conference in Washington, where he joined U.S. Attorney General Jeff Sessions, Acting FBI Director Timothy McCabe and DEA Deputy Director Chuck Rosenberg. 

"The capability of drug traffickers and other serious criminals around the world has taken a serious hit today after a highly sophisticated joint action in multiple countries. By acting together on a global basis the law enforcement community has sent a clear message that we have the means to identify criminality and strike back, even in areas of the darkweb. There are more of these operations to come."

McCabe noted the threat of transnational organized crime to national and economic security. "Whether they operate in broad daylight or on the dark net, we will never stop working to find and stop these criminal syndicates," he said.

Calling the probe "one of the important criminal investigations of the year," Sessions said criminals will find no refuge in the dark net. "The Department will continue to find, arrest, prosecute, convict, and incarcerate criminals, drug traffickers and their enablers wherever they are," he said.

"The so-called anonymity of the dark web is illusory," said the DEA's Rosenberg. "We will find and prosecute drug traffickers who set up shop there, and this case is a great example of our commitment to doing exactly that. More to come."

"Users of illicit markets on the Dark Web are wrong if they think the forum administrators are capable of protecting their identities," said Chris Doman, security researcher at AlienVault. "The administrator of the previous big forum that was busted, Silk Road, revealed his identity a number of times. And police were sitting happily on the servers reading users' unencrypted messages for some time before the site was shut down."

Doman said "it looks like the same thing has happened again with the AlphaBay and Hansa marketplaces today."

Europol had supplied Dutch authorities with an investigative lead into Hansa in 2016 that eventually led to the arrest of the market's two administrators in Germany and the seizure of its servers located in the Netherlands, Germany and Lithuania. Dutch police more recently had gathered information on high-value targets and had identified delivery addresses for sizable orders, passing along 10,000 international addresses of buyers to Europol.

Simultaneously, a U.S. operation, Bayonet, led by the FBI and the DEA pegged the identity of AlphaBay's administrator, a 25-year-old Canadian named Alexandre Cazes, aka Alpha02 and Admin, living in Thailand, who was arrested on July 5 (and a week later apparently took his own life in a Thai prison). That site was shuttered and authorities froze and seized millions of dollars in cryptocurrencies as well as servers in Canada and the Netherlands.

"In AlphaBay's case, the administrator used his personal email on password reset emails. And police have copies of messages users of Hansa sent to each other," said Doman.

Kyle Wilhoit, senior cybersecurity threat researcher at DomainTools, said ultimately he wasn't surprised that the authorities were able to bring down the markets, considering that AlphaBay, which operated as a hidden service on the Tor network, "has been compromised on two separate occasions resulting in their API being compromised and over 210,000 private messages leaked."

"When you are conducting business with criminals," he said, "you must expect to some degree that your business is on shaky footing anyway."

Still, the shutdowns represent progress in the ongoing fight against cybercriminals. "If confirmed, the AlphaBay takedown is a hugely positive step. Digital Shadows monitors hundreds of criminal forums on a day-to-day basis and AlphaBay had established itself as a prominent 'go to' platform for the trade in illegal goods," said Rick Holland, vice president of strategy at Digital Shadows. "Substantial sums of money were held in escrow on the platform, which means many thousands of cyber criminals are out of pocket."

Catalin Cosoi, chief security strategist at Bitdefender, the company that supplied the Hansa lead Europol forwarded to Dutch authorities, lauded "the incredible effort from international authorities," noting Bitdefender's role in the investigation.

The takedown demonstrated the effectiveness of a coordinated operation in disrupting cybercriminal activity.

"Coordinated closure of two of the most popular underground marketplaces shows the level of sophistication and, most importantly, the willingness of international law enforcement agencies to combat cybercrime jointly," said Andrei Barysevich, director of advanced collection at Recorded Future.

"With the intensity of the cyberthreat ramping up and causing chaos around the world, it is reassuring to hear about the collaboration between national and international law enforcement agencies," said Andrew Clarke, EMEA director at One Identity.

It is the collective force of shared intelligence that will reduce the economic and personal damage that recent cyberthreats have caused, said Clarke, who noted that "as well as providing a platform for illicit money-making activities, the dark web has facilitated trading of cyberattack tools such as ransomware tool-kits that can be used by a novice cybercriminal to extract money from a victim."

Although Clarke said "the take-down of part of this infrastructure will play a significant role in slowing down and ultimately mitigating completely this type of threat to our digital way of life," Holland warned that although shuttering darkweb sites "undermines the confidence of cybercriminals in trading platforms and disrupts the ebb and flow of their trade," it doesn't spell the end of the line for those who frequent or create the markets, which are far too lucrative to abandon. "We have already seen users migrating to other established sites. Since AlphaBay was taken down we have seen former AlphaBay vendors advertising their products on other marketplaces, including Hansa and Dream Market. Some AlphaBay users have created a new iteration of the marketplace, dubbed GammaBay," said Holland. "Additionally, sellers have leveraged their AlphaBay vendor ratings as a measure of their trustworthiness and reputation."

While acknowledging that the "shutdown of these two sites will dramatically affect the underground marketplace ecosystem in the short term as buyers flock to other sites," Wilhoit agreed that "individuals with nefarious intentions must either migrate to another underground shop with less reputation, or they must find alternate business techniques, such as selling on deep web forums."

That relocation, Holland said, "is made easier as many established vendors and regular customers would have already had multiple accounts across the major markets. So whilst this action (if confirmed) is a step in the right direction, this is an ongoing battle and law enforcement will seek to stay one step ahead of the cybercriminals."
