This article was published on August 28, 2017

Study: Hansa Market takedown really scared online drug dealers


Study: Hansa Market takedown really scared online drug dealers

Of the dark net drug vendors who migrated from shut down marketplaces AlphaBay and Hansa Market to Dream Market, more than half didn’t go through the trouble of taking any evasive action, concludes Dutch research institute TNO.

Earlier this year, the FBI took over AlphaBay, an infamous dark web drug market, and subsequently took it down. This would not have been a big deal – law enforcement already brought down several dark web marketplaces – were it not for the fact that it was part of a larger coordinated action.

Messages left by law enforcement on the taken-down marketplaces

Operation Bayonet was designed to herd drug vendors to Hansa Market, another dark web marketplace. Hansa Market had previously been silently taken over by Dutch police, meaning they could nab all the data of migrating vendors and collect data on transactions before shutting it down as well.

Planning the operation like this was a smart move by law enforcement, since shutting down of dark net markets is known to lead to a kind of ‘waterbed-effect’ in which vendors and buyers simply migrate to other platforms. By staying one step ahead and keeping a popular compromised market online, law enforcement collected 10,000 postal addresses and tens of thousands of messages.

In an effort to evaluate the success of this operation, TNO kept the tally of how many vendors migrated from AlphaBay and Hansa Market to Dream Market, and “whether or not they changed their behavior after the police operation.”

Screencap from TNO’s report.

The researchers ended up with two main findings.

First, they found that while the takedown of AlphaBay in the beginning of July led a massive influx of vendors on Dream Market, the takedown of Hansa did not. What this probably means is that vendors were becoming wary of changing marketplace after finding out they could be compromised by law enforcement strategy – a resounding success for Operation Bayonet.

Second, and this is striking: Of the vendors that moved from either AlphaBay or Hansa (or both) to Dream Market, 54 percent didn’t even bother to change their username and PGP setups. The vendors, afraid of losing customers by giving up the reputation coupled to their username or PGP key, just moved their whole shop over to the new market. This is bad news for buyers, as the physical identity of vendors carries over and can potentially incriminate new buyers.

This did change after the sting was publicized. According to Rolf van Wegberg, who co-authored the study and spoke to TNW on the phone, the difference was striking. Suddenly, the amount of blank-slate new vendors on Dream Market shot up. Van Wegberg says they can’t conclusively prove that this means vendors were starting over – they could just be completely new vendors – but that they strongly suspect it’s the case.

The researchers will be keeping track of new vendors on Dream Market in the months to come, to find out if the effects of this type of intervention holds out in the long run.

Van Wegberg also told me of another interesting future investigation that could strike fear into the hearts of online drug vendors. Using text analysis, his team is going to try to match new vendors to old accounts, potentially linking blank-slate vendors to their previously, potentially compromised accounts by the way they communicate.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with