The past year has been one of the most tumultuous for the dark web, as massive law enforcement efforts have untangled and disbanded several large criminal operations — but did these operations actually make a difference?
On July 4, 2017, the Amazon of the dark web went dark. Alphabay, the largest underground market ever seen, and a popular shop for drugs, stolen credit cards, counterfeit documents, and cyber-crime kits, was largely considered the bellwether market for the underground economy; Alphabay was steady and reliable — efficiently run and highly organized, with incredible uptime in a world where sites go down multiple times each day.
Everything was running smoothly, business as usual. And then it disappeared.
At first users ambled over to the then-popular dark web watering holes of the Reddit communities, complaining about downtime and checking that other users were also facing access issues. As the hours piled up, users became more restless, trading complaints about incomplete orders-in-progress. As the downtime stretched into days, users became riotous, demanding answers from the site’s moderators.
Whispers spread about a possible exit scam — a suggestion that market administrators had shut down the site intentionally to run off with all of the money held in escrow. Dark web markets are sophisticated ecommerce platforms — markets hold buyer funds in escrow while transactions are finalized.
Alphabay admins could have easy run off with a hefty sum in Bitcoin from unfinalized orders and left their users high and dry, as many markets had done before.
One week later, and Alphabay showed no signs of life. Vendors began promoting pop-ups on secondary markets, slowly driving users to an alternative platform — Hansa. Hansa was newer than Alphabay but had earned itself a respectable reputation for having a good user interface, relatively reliable service, and few scams.
This influx of users — so-called Alphabay refugees — built rapidly into a strain on the Hansa systems. In a scramble to locate vendors and familiar faces, Hansa took on the effect of a crowded airport after the planes have been grounded — vaguely organized chaos, idle shouting, and a fair amount of frustration.
And then, on July 20th, the US Attorney General broke the news: Alphabay had been taken down in a coordinated effort between the Department of Justice, Europol, and other international law enforcement agencies. Alphabay hadn’t exit scammed, it had been seized.
Before users could react, law enforcement dropped a second bombshell: Hansa, the market Alphabay refugees had been flooding to, had been under the control of Dutch police for more than a month.
One user wrote this, immediately following the takedown:
I’ve said this for weeks…stay away from the DNM’s and erase all you can. […] Just be happy you had a good time with the DNM’s and get the FK outta here. P.s. Delete your reddit account too. I will. Cheers fellas.
Chaos, disappearances, and a rushing undercurrent of uncertainty.
Then, slowly but surely, normalcy returned.
Users moved on to other markets (with a healthy dose of hesitation and skepticism), new markets launched and failed, and the community found its footing. Autumn brought new instability to the dark web markets, as a relentless wave of denial of service attacks rendered the remaining markets inaccessible for more than a month.
All this took place while users restlessly traded conspiracy theories and questioned whether any additional markets had been compromised by law enforcement. In the background, Bitcoin ricocheted between incredible spikes and huge dips — hitting $20,000 in December before crashing to $6,900 just weeks later.
No market has yet taken Alphabay’s or Hansa’s places. The marketplaces have become largely decentralized, without a clear leader. The veteran of the group, a site called Dream, is rife with conflict and complaints, regular reports of scamming, and still regarded with a sense of mistrust; as much as users are unwilling to believe that law enforcement would operate a market for more than a year, there’s still a lingering suspicion in the minds of many that Dream has been compromised for a long time, and that another takedown could come at any time.
The markets, somehow, despite it all, are doing just fine.
Why didn’t the takedowns work?
They did, kinda.
The takedowns were incredibly disruptive for certain dark web communities. They prompted an unparalleled scramble among vendors, buyers, and site operators — more opportunities for mistakes and slip-ups under law enforcement’s watchful eye.
The takedowns collapsed the infrastructure of the largest dark web market thus far, and led to the capture of the site’s founder, Alexandre Cazes. Cazes was identified because of a mistake he’d made in the initial weeks after Alphabay’s launch.
As with so many other cyber-crime cases, the devil was in the details: Cazes used a personal email account in his welcome messages for the first weeks after Alphabay’s launch. Cazes, a Canadian national, was arrested at his home in Thailand, only to be found dead in his cell a few days later under suspicious circumstances.
The takedowns were effective in disrupting the largest underground bazaars. They are a tribute to the efforts of cooperation and parallel investigations from international law enforcement. They sent a clear message to the dark web criminal community: we’re here, we’re on to you. You’re next.
Why, then, are the markets still up and running?
If the takedowns were effective, why are criminal communities still thriving online? If this move caused so much initial chaos, why wasn’t it more disruptive long term? Why did everything go back to normal?
Well, there are few answers to those questions.
- The dark web criminal community is not a single entity. Taking down Alphabay is the equivalent of arresting a mob boss (or maybe a consigliere) in a major city: disruptive, effective, but ultimately a single strike. When one operation is taken down, parallel criminal networks abound, undisturbed, and now with a chance to seize a larger segment of the market.
- The takedown only affected certain sectors of the criminal underground. Within the illicit community as a whole, the major factions — drugs, fraud, counterfeits, weapons — often operate independently. The factions that used these major platforms as a home base, like the drug vendors, were at a greater loss when the site went down.
- The distinction between traditional crime and cyber crime is increasingly blurry. The dark web is a distribution platform and an operating hub — a place to develop tradecraft, recruit team members, and hire consultants. These communities undergird the existing operations and provide a centralized system, but they are not the system itself. Cyber crime provides an effective, scalable extension of existing criminal business models.
What happens next?
These communities are resilient and will persist because they can adapt to technology. These takedowns, while unprecedented, are milestones that build the history of the dark web. We must understand them in context, and not sensationalize as the end of all things — the dark web always finds a way.