After our update post last Friday discussing Dream Market, our analysts have continued to track what's happening around the recent law enforcement takedowns of the two largest darknet marketplaces, AlphaBay and Hansa. Data from our DarkOwl Vision platform revealed interesting statistics around the volume of darknet marketplace activity.
A recap of the marketplace takedowns
This past week, authorities revealed the seizure of two of the largest darknet markets, AlphaBay and Hansa. News of the seizure began circulating after AlphaBay mysteriously disappeared almost two weeks ago, bringing about the speculation of what many thought might be a massive exit scam. AlphaBay moderators Trappy and BigMuscles soothed market vendors and buyers on forums such as Reddit, claiming that AlphaBay was only down for server updates. After a few days of downtime and no indication of a timeline of when the market would return, longtime AlphaBay loyalists began flocking to Hansa, the second most popular darknet marketplace, in order to keep their businesses afloat. However, unbeknownst to and unfortunately for them, Dutch law enforcement had by this time already confiscated Hansa servers nearly a month prior with the arrest of two German Hansa administrators.
Dutch authorities reported in a press briefing last Thursday that by keeping Hansa operational after the arrest of the owners, they had been able to use the marketplace as a trap to catch vendors and customers fleeing AlphaBay. The authorities said that in the days after AlphaBay went down, the number of vendors operating on Hansa Market jumped from 1,000 on an average day to 8,000. Authorities leveraged this influx and used the time to gather information on high value targets, successfully identifying delivery addresses for sizable orders and passing 10,000 international addresses to Europol.
On Monday of last week, reports surfaced of an apparent suicide of one of the creators of AlphaBay, Alexander Cazes, in a Thailand prison just hours before he was scheduled to meet with his extradition lawyer. The two were to discuss Cazes' charges from U.S. Department of Justice for running an illegal darknet market, among a number of others, including money laundering. Cazes, also known as alpha02 and infamous VIP carder on The Carding Form, ceased to use the alpha02 moniker as of late 2014 and communicated on AlphaBay simply as Admin.
The whereabouts of Cazes' colleague and co-owner of AlphaBay, DeSnake, a security and hacking specialist, are currently unknown.
The Hansa takedown was the pinnacle of an investigation regarding drug dealers and traffickers in the Netherlands. In October, the Dutch police issued a warning to those active on darknet markets, listing targeted, active vendors' monikers, the names of over a dozen vendors they had arrested, and a list of targeted buyers. Their .onion site (below) is regularly updated to reflect recently apprehended vendors.
The latest updates
Over the past week, there has been a sense of panic across darknet market enthusiasts. Rumors are circulating that other markets, like Dream Market, are also compromised and all activity on darknet marketplaces should cease until the situation is more clear. Some are being more aggressive, commenting things like, “the darknet is falling over…” and suggesting shifts to peer-to-peer (P2P) markets, such as OpenBazaar and BitBay.
Even more extreme are those such as harshfang who on Reddit claimed that all of Tor is compromised. Harshfang said he would be looking into P2P based alternatives, like I2P and HORNET, in the near future. Could this be the direction the darknet is headed? Here at OWL Cybersecurity, we are successfully indexing data from I2P sites and other darknet platforms with our OWL Vision engine.
One could surmise this panic could potentially lead to a decrease in the use of Tor in coming months. While the scale on metrics.torproject.org is rather large, there appears to be a noticeable decrease in the number of “directly connecting users” since early July. We suspect this number will decline until the dust settles and new, more secure markets are established.
A decrease in darknet market volume
Our analysts took a look at data from DarkOwl Vision, our database of darknet content (DARKINT), to see if there was a similar correlation to the number of hidden services over a similar time period as the users chart above.
While the total number of hidden services crawled by the engine increased by 3% over the last six weeks, the total number of sites we classified as MARKETS had a notable decrease, over 20% across the same time period. Clearly not all of these sites are hidden services related to the AlphaBay and Hansa marketplaces, but it is conceivable that the recent law enforcement operations and subsequent takedowns have prompted the preemptive shutdown of a number of vendor operated sites, such as the two dozen or so listed vendors listed on the Dutch police run darknet site mentioned earlier in this post. Further supporting this theory is the fact that our analysts surveyed the top twenty most popular vendors shops of the darknet, such as Dutch Drugs, The French Connection, and DeepStatus, and over 40% of them are not currently operational.
Over the next week we will continue to watch the shape and size of the Darknet as a result of this incredible law enforcement effort and bring you more updates as they become available.
Curious about something you've read on our blog? Want to learn more? Please reach out. We're more than happy to have a conversation.