DarkOwl’s historical archive of darknet marketplace data provides a unique opportunity to look back and compare the AlphaBay Market that was taken down by authorities in 2017 to the features associated with this newly launched marketplace, which shares the same name and is purportedly being run by the same circle of people.
During the summer of 2017, one of the most intriguing and well-orchestrated international law enforcement efforts in history converged to take down some of the most successful darknet markets to date. One of these, AlphaBay Market, was the most prominent and popular darknet market since the Silk Road. At its height, AlphaBay’s daily sales ranged between $600,000 and $800,000 USD across 300,000 listings for illicit goods, offered by over 40,000 vendors and viewed by some 200,000 users.
Operation Bayonet, which would ultimately lead to the shutdown of several prominent marketplaces, began with Dutch police seizing another lesser-known market called Hansa Market. After compromising Hansa, authorities secretly operated the market for almost a month. While the Dutch focussed their efforts on Hansa, United States FBI operatives coordinated with international police to DDoS AlphaBay and seize its assets, enabling the Royal Thai Police to locate and arrest its administrator, Alexander Cazes (a.k.a. alpha02).
When AlphaBay became inaccessible as a result, thousands of its buyers and vendors flocked to the then law enforcement-run Hansa market to continue their operations. Dutch police, operating servers across the Netherlands, Lithuania, and Germany, capitalized on the eight-fold surge of users visiting the market in the weeks following. The authorities used the time to gather information on high value targets and identified delivery addresses for sizable orders, passing along 10,000 international addresses of buyers to Europol.
In cooperation with the FBI, the Royal Thai Police took steps to organize the extradition of the 24-year-old Canadian administrator back to the United States. However, after Cazes was held for exactly a week at the Narcotics Suppression Bureau in Bangkok, reports of his apparent suicide surfaced. Bangkok vowed to conduct an autopsy, while US authorities had no interest in verifying the legitimacy of the suspect’s death.
Alexander Cazes’ criminal indictment details how the US Justice Department successfully confiscated his and his wife’s assets, including bank accounts, personal and market cryptocurrency accounts, and luxurious personal possessions in Bangkok – all by supposedly linking his online personas to his real life through a haphazardly leaked email address, [email protected].
When authorities carried out the warrant and arrest in his apartment in Bangkok, his laptop was unencrypted, with the admin account for the market and server logged in. Authorities also simultaneously executed search warrants for the market’s server hardware located in Quebec, Canada.
Cazes did not run AlphaBay singlehandedly. He worked closely with a “security administrator” and second in command known as DeSnake, or simply “DS” for short. According to our historical darknet records, DeSnake had connections in Russia, although his true identity and location were not publicly known.
In 2016, an angry user of AlphaBay known as “Kinger” stated that alpha02 had left the market in late 2015, sold his stake to DeSnake, and DeSnake was supposedly acting as admin for its final two years. Kinger’s ominous threat suggested they knew his real life identity and his citizenship was actually Dutch.
“PS: DeSnake, if you read this, we know who you are and where you reside. We know you're a Dutch guy who acts like he's Russian. Should you attempt to exit scam with AlphaBay, rest assured your dox will be posted.” - user known as "Kinger"
There were also at least half a dozen moderators that helped administer the market and its discussion forum, moderated disputes between buyers and vendors, and promoted the market on Reddit (prior to the shutdown of the DNM subreddit). The indictment from 2017 listed them individually by their monikers and many have been arrested.
The authorities were not the only ones to identify and/or attempt to uncover the key players (aka staff) at AlphaBay Market. In the spring of 2017, the Alpha Organization paid an extortionist threatening to dox alpha02 and a couple of his moderators at least $45,000 USD, although the veracity of the information the extortionist had has not been verified.
More information about potential players of FBI interest can be found in historical DarkOwl records, including one that states that the FBI “publicized a list of AlphaBay identities that they had identified, including Trappy, DeSnake, Disc0, and several other members of the Alphabay ‘team.’ From owner (DS) all the way down to public relations manager, Trappy.” (Source: Document Archived in DarkOwl Vision)
As recently as last year, a California Court sentenced Brian Herrell, a Colorado native and AlphaBay moderator who operated under the moniker “Botah,” to 11 years in prison for racketeering and for his connections to AlphaBay. Upon his initial arrest, reports suggested he faced up to 20 years for his involvement in the marketplace.
Prior to AlphaBay, Alexander Cazes had a reputable history on the darknet – specifically in the carding community. A senior member of the carding community, Ranklez, claimed he had evidence to suggest Cazes wasn’t alpha02. Ranklez and alpha02 had a history in the carding community, as Ranklez sold alpha02 fullz for conducting identity theft.
For months after its shutdown, users across the darknet theorized whether all of it was an exit scam or something more elaborate and sinister. When AlphaBay’s Reddit moderator and public relations manager, Trappy, was arrested, he claimed alpha02 and DeSnake were the same person. The whole saga was confusing and unsettling for many, including Cazes’ parents, who claimed the skill set of Cazes in real life (e.g., his company Canadian EBX) was more in alignment with the qualities DeSnake portrayed than alpha02. (Source: DarkOwl Vision)
In early August 2021, DeSnake resurfaced on Dread, the popular Reddit-like discussion forum on the darknet administrated and moderated by users HugBunter and Paris. Dread staff “vouched” for DeSnake to skeptical darknet users, with DeSnake signing documents using their historical PGP key.
Interestingly, AlphaBay’s former moderator “Disc0” also chimed in, but using a lowercase “d” this time.
DeSnake promoted the return of the infamous AlphaBay marketplace with services hosted on both Tor and I2P – including detailed instructions and encouragement for users to explore the market on the peer-to-peer network instead of Tor, calling their Tor services “mirrors” of the main market on I2P.
The new AlphaBay market’s Tor service has been unstable since its launch, with frequent 503 errors, user registration issues, and login timeouts. The I2P eepsite also rarely loads successfully. After almost two months of operation, the market has a handful of vendors, with only a couple of hundred listings across drugs and fraud goods. DeSnake claims there have been 15,000 user accounts created, 450 vendors registered, and over 400 listings published as of the time of writing.
The service on Tor appears to be hosted alongside Dread services and features both the Dread waiting queue and clock-captcha for DDoS protection. The marketplace was offline last week, when Dread and its sister services were under heavy DDoS and inaccessible.
While disc0 vouched for DeSnake on Dread, they are not Staff on the revived market or its associated forum, claiming they are retired from such work. The new AlphaBay appears to be moderated by the personas TheCypriot, tempest, and wxmaz. All of the moderators speak very formally with impeccable English and gush with unbridled passion about the need for a new concept of decentralized marketplaces, the complex tradeoffs and advantages of peer-to-peer networks, and a deep desire to establish a greater sense of community. DeSnake’s posts are particularly “wordy,” with lengthy posts on Dread and in the market’s About and FAQ sections. They sign every post and reply officially with the phrase “Thank You.”
Like the historic AlphaBay, the market’s forum is located on the same domain as the market and has limited discussions. Most of the forum is marked private until the user formally introduces themselves in accordance with the rules outlined by DeSnake. There is an “Admin” account, as was the case with the historical AlphaBay forum, and DeSnake also has their own personal account. DarkOwl believes this account may be maintained by DeSnake based on the observation that they leave a similar “Thank You.” at the end of every post.
DarkOwl has been unable to assess how the larger darknet community (outside of Dread) feels about the new AlphaBay Market. AlphaBay historically had a vocal and persistent presence on the Darknet Market Avengers forum, which unfortunately has been offline for several weeks. There are no new threads mentioning AlphaBay’s return on The Hub.
Users on the Russian-speaking forum XSS have been the most critical of DeSnake and AlphaBay. In a thread titled “AlphaBay вернулся!” [Translated: “AlphaBay is back!”], users’ comments were generally critical of the legitimacy of the marketplace, with comical references like “Welcome to the FBI HQ” posts.
DeSnake joined the conversation, creating an account with his moniker on September 12, 2021 in an attempt to mitigate the marketplace’s potential reputation damage. DeSnake repeatedly pointed to their vouches from Dread and old PGP key pasted to Ghostbin, a paste site.
Unfortunately, DeSnake’s contributions written in a mixture of English and Russian backfired and senior members of XSS berated them for their lack of operational security and inability to properly understand the dynamics of the Russian language.
“Your brand is irrelevant, long forgotten, your missing period as you should know is a lifetime in these circles, your name means nothing, you actually start with negative trust and momentum rather than popping up with a completely new name and brand not linked to the dumpster fire that went down before. So your either dAFeDz, or you have fallen victim to a serious and advanced case of autism after getting your covid vaccination. Either way none of your weird over explanation means anything because before we get to any of that we have to deal with the mental retardation and poor judgment that lead you to relaunch like this. But since youre not who youre trying to be we can skip it"
– XSS user’s reply to DeSnake directly on the AlphaBay is back thread
Even Reddit users on the surface web have mixed feedback. One user openly joked they would stick to purchasing their drugs on social media.
During this research, DarkOwl discovered a surface web domain that mirrors much of the information DeSnake shared on Dread, but with a Tor link to the market that is not in the mirrors.txt verified links list from AlphaBay. The surface web domain is likely set up specifically to direct users to a phishing site where their credential information can be stolen.
There is a Dread thread in the AlphaBay subdreadit stating that AlphaBay is not on Telegram or the surface web, validating the theory that this is likely a phishing domain. No information about the domain could be ascertained as it is protected by Cloudflare.
The links section on the surface web AlphaBay domain asserts that all the information on Dread is false, stating that DeSnake’s Dread account had been compromised by “mr_white.” The moniker mr_white belongs to the administrator and owner of the popular darknet marketplace White House Market (WHM), themed after Breaking Bad’s main character, Mr. White.
Some users claim that mr_white and his team from WHM are to blame for last week’s DDoS while others speculate that HugBunter himself could be mr_white.
While DarkOwl generally avoids engaging in or commenting on speculative darknet drama, there are several things about the re-emergence of AlphaBay and DeSnake that don’t add up. While DeSnake very well could be legitimate, the sheer fact that the authorities confiscated the market’s servers and Cazes’s unencrypted laptop should raise significant suspicion as to whether this new darknet marketplace is legitimate, or simply another covert law enforcement operation.
For this reason, our analysts have shared some observations of note that potentially point to something larger transpiring than a simple relaunch of the former marketplace. Notably:
Registration for the market and the forum seems unnecessarily complicated, including errors if the pin code started with ‘0’ and asking for the user’s “real name.” The concept of a real name is irrelevant in the darknet unless the administration is possibly trying to catch someone not in the “right-state-of-mind” slip up and actually put their real name into that field.
The DDoS protection and bot detection measures are excessive for a brand new marketplace. While navigating the domain manually, DarkOwl analysts regularly had to reset their Tor circuit and refresh their identity to simply view the vendor listings.
The market includes an outrageous number of strict rules delineated as “global AlphaBay” versus rules specifically for “buyers” and “vendors.” There are no weapons allowed (where the previous AlphaBay had a weapons category), no Fentanyl sales allowed (where the previous AlphaBay had a ‘Fent and RCs’ category), no COVID-19 vaccine or cures can be offered, no ransomware sold or advertised, and no activities related to Commonwealth of Independent States (CIS) countries allowed.
The “About-Us” and Frequently Asked Questions (FAQ) sections are a laborious read with over 13,000 words combined – 8,200 for the FAQ section alone. Conversely, the original AlphaBay’s FAQ was a mere 277 words.
The overt exclusion of CIS countries is peculiar, especially given that DeSnake and alpha02 were openly active in Russian carding communities. According to DarkOwl Vision’s archived documents, Russian speakers were present on the original AlphaBay forum, and in interviews alpha02 spoke of how they “work with our Russian colleagues to enable each of us to enrich our base of vendors and buyers,” and clearly was not excluding users located in Russia.
AlphaBay now only accepts the cryptocurrency Monero, and heavily promotes that users access it via I2P instead of Tor, calling their Tor services “mirrors” to the main I2P eepsite. DeSnake’s detailed instructions for installing I2P on Dread fail to mention the potential risks of peer discovery and de-anonymization through known techniques like Eclipse and Sybil attacks in conjunction with flood-fill takeovers. Interestingly, the last known Monero-I2P-centric market was Liberitas, which went offline in June 2019 after a very short stint on the I2P network.
DarkOwl could not confirm any prior darknet experience from the moderators DeSnake has installed as Staff on the market and forum.
The new AlphaBay Marketplace refuses donations. It is unheard of that a darknet service would decline and discourage donations. A fully-functional darknet marketplace will indeed provide sufficient financial resources in the future; yet refusing them from the start is unreal.
Additional language analysis reveals other questionable inconsistencies. For example, in the FAQ and About-Us, there are several mentions of DeSnake’s operational security (OPSEC) prowess and over-the-top digs at law enforcement, e.g. “dirty playing by LE with their parallel construction.” Interestingly, the phrase “parallel construction” has appeared many times in post-AlphaBay (2017) conversations on other English-speaking and Russian forums.
Given how security conscious DeSnake was previously, which they self-proclaimed as operating under the mindset of ‘the agencies are after me,’ it is unlikely that they would have been comfortable writing in such recognizable patterns and thereby potentially exposing speech and language nuances.
In a similar vein, DeSnake’s extensive writing samples include multiple instances of “British” spellings of words like “honoured” and “minimised,” similar to how alpha02 wrote in his interview with Joshua G in April 2015 on Deep Dot Web, but “decentralized” is still spelled with a “z.” While there are very few English-language historical writing samples from DeSnake, as they were most active on Russian-speaking forums like TCF and Evolution, an analysis of historical AlphaBay market records never turned up any British-English spellings such as these.
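The spelling comparison described above can be expressed as a small stylometric check. The following is an added example, not DarkOwl's tooling: the stem lists are a short illustrative assumption, and both sample texts are constructed rather than quoted from any forum or market.

```python
import re
from collections import Counter

# Illustrative stems only (assumption); a real study needs a full variant lexicon.
ISE_IZE = re.compile(
    r"\b(?:minim|decentral|organ|recogn|author)(is|iz)(?:e|ed|es|ing|ation)\b", re.I)
OUR_OR = re.compile(r"\b(?:hon|col|fav|behavi)(our|or)(?:s|ed|ing)?\b", re.I)
BRITISH_MARKERS = {"is", "our"}

# Constructed sample sentences, not quotes from any forum or market.
RECENT_SAMPLE = ("We are honoured to return. Risk is minimised on a "
                 "decentralized network, and the staff are organised.")
HISTORICAL_SAMPLE = ("Vendors must be authorized. We recognize the risk "
                     "and favor a decentralized design.")


def spelling_profile(text):
    """Count British and American variants and keep the matched words."""
    counts, words = Counter(british=0, american=0), []
    for pattern in (ISE_IZE, OUR_OR):
        for match in pattern.finditer(text):
            side = "british" if match.group(1).lower() in BRITISH_MARKERS else "american"
            counts[side] += 1
            words.append((match.group(0).lower(), side))
    return counts, words


def is_mixed(counts):
    """True when a single sample uses both spelling conventions."""
    return counts["british"] > 0 and counts["american"] > 0


def new_conventions(historical_text, recent_text):
    """Conventions present in the recent sample but absent from the historical one."""
    old, _ = spelling_profile(historical_text)
    new, _ = spelling_profile(recent_text)
    return {side for side in ("british", "american") if new[side] and not old[side]}


if __name__ == "__main__":
    counts, words = spelling_profile(RECENT_SAMPLE)
    print(dict(counts), "mixed:", is_mixed(counts))
    print("new in recent sample:", new_conventions(HISTORICAL_SAMPLE, RECENT_SAMPLE))
```

A mixed profile or a newly appearing convention is only a lead for further analysis; spell-checkers, translation tools, and multiple authors behind one account all produce the same signal.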
Furthermore, darknet users rarely draw so much attention to themselves. DeSnake has broken this mold with their dramatic return to the public eye that included interviews with the media and identity verification through a potentially compromised PGP key.
DarkOwl has assigned assets to monitoring and collecting data from the new AlphaBay Marketplace, despite their increased crawler detection measures and ongoing server instability. Our analysts will continue to follow this market’s presence and reputation on the darknet, and provide further updates as this story unfolds.