Analysis A US Federal Bureau of Investigation veteran has spoken out on the international police ops that led to the takedown of dark web drug souks AlphaBay and Hansa, giving an insider's look at the process.
Joseph Campbell served for 25 years in the FBI, where he led criminal investigations into child exploitation and the trade in contraband prior to moving over to the private sector in April, 2016. Campbell worked in the bureau at the time of the earlier Silk Road bust in 2013.
The FBI vet says the takedowns may help discourage the trade of illicit material in the digital underground – while conceding that other such markets are nonetheless likely to spring up.
The AlphaBay bust, like the Silk Road takedown, was facilitated by targeting site administrators. What has changed in the four years since the Silk Road bust has been improvements in the pooling of intelligence with international partners, such as Europol.
Law enforcement agencies historically have a reputation for playing catchup against cybercriminals. The AlphaBay and Hansa takedown is an example of law enforcement proactively taking action and planning ahead. Followup police action is promised.
The takedown of AlphaBay redirected users to a market that was already under covert law enforcement control. This allowed law enforcement to collate data on suspects who might otherwise have slipped under the radar.
AlphaBay facilitated numerous illicit activities, including narcotics trafficking and the sale of stolen personal and financial information, firearms and malware, before it was dismantled earlier this month. Hansa experienced an eight-fold increase in the number of users following the 4 July takedown of AlphaBay, according to the US Department of Justice.
Hansa, ranked the world's third-largest underground marketplace, specialised in sales of the same illicit goods and services as AlphaBay.
But unbeknown to its users, the market had been under the covert control of Dutch law enforcement officers since 20 June, when the two operators of the website were arrested. In the coordinated takedown, Dutch authorities obtained the usernames and passwords of thousands of Hansa users. Police plan to use the data they collected to run follow-up investigations. The shutdown of Hansa is the result of more than a year of investigative work.
Questions have been raised as to why, if cops had control of AlphaBay, they didn't use this access to monitor its users in the same way that Hansa customers were put under surveillance. Campbell didn't work on the AlphaBay investigation but he was able to explain that the FBI – as with other undercover investigations – would have weighed the intelligence benefits of letting the marketplace continue, against the negative aspects of allowing criminality to proceed and the harm caused to victims, through ongoing child abuse activity, for example.
The FBI operates seized fronts to secure additional information about the criminals using them, a practice that pre-dates the advent of dark web marketplaces and has been used in drug market investigations (and others) for many years.
The closures of both AlphaBay and Hansa mark the shuttering of two of the largest dark web markets. The multinational law enforcement effort included the FBI and DEA in the US, police and other agencies in Thailand, the Netherlands, Lithuania, Canada, the UK, and France, as well as partners in Europol.
The next step in the investigation will be "following the money" to identify methods the operators used to launder their proceeds into the legitimate economy, a trail Campbell pursued as an agent and now works to prevent as a consultant to the banking industry in his position as a director in management consulting firm Navigant's Global Investigations & Compliance Practice.
Millions of dollars worth of cryptocurrencies were frozen and seized as part of the AlphaBay takedown. "The goal is to seize criminals' assets after finding out where they came from," Campbell told El Reg. "It's similar to traditional money laundering investigations – where money can flow into and out of offshore accounts – but it can be a bigger challenge to understand source of funds."
AlphaBay was 10 times the size of the Silk Road. Cybersecurity experts expect to see a short-term downturn in illicit activity on the dark web following the AlphaBay and Hansa takedowns, but most – like threat intel firm Digital Shadows – expect the market to rebound in one form or another.
Andrei Barysevich, director of advanced collection at threat intel firm Recorded Future, said: "The coordinated closure of two of the most popular underground marketplaces shows the level of sophistication and, most importantly, the willingness of international law enforcement agencies to combat cybercrime jointly."
"The successful takedown of AlphaBay and Hansa marketplaces – the largest police operation since SilkRoad – has already significantly disturbed the underground economy, and I expect to see the level of cybercrime go down in the short term. Despite recent news, we don't expect criminals to abandon dark web marketplaces, as the business opportunity of exposure to hundreds of thousands of buyers is too lucrative, and as we have seen before, eventually new market leaders will arise, filling the void."
Kyle Wilhoit, senior cybersecurity threat researcher at DomainTools, added: "Hansa and AB [AlphaBay] were two of the most prolific underground marketplaces that distributed and sold drugs, credit card numbers, and malware. The shutdown of these underground marketplaces are becoming more commonplace. The shutdown of these two sites will dramatically affect the underground marketplace ecosystem in the short term as buyers flock to other sites.
Police were sitting happily on the servers reading users' unencrypted messages for some time before Silk Road was shut down.
"Individuals with nefarious intentions must either migrate to another underground shop with less reputation, or they must find alternate business techniques, such as selling on deep web forums. Ultimately, this isn't wholly surprising – considering AB has been compromised on two separate occasions resulting in their API being compromised and over 210,000 private messages leaked. When you are conducting business with criminals, you must expect to some degree that your business is on shaky footing anyway," he added.
Online intelligence, surveillance, human sources and complaints from scam victims all play a role in the investigation of dark web marketplaces, according to Campbell.
As previously reported, AlphaBay's administrator, Alexandre Cazes, used his personal email on password reset emails, compounding the error by using the same email on LinkedIn and to run a legal business.
Chris Doman, security researcher at AlienVault, commented: "Users of illicit markets on the Dark Web are wrong if they think the forum administrators are capable of protecting their identities.
"The administrator of the previous big forum that was busted – Silk Road – revealed his identity a number of times. And police were sitting happily on the servers reading users' unencrypted messages for some time before the site was shut down."
AlphaBay had established itself as a prominent "go to" platform for the trade in illegal goods, with substantial sums of money held in escrow on the platform, meaning many thousands of cyber criminals have been left out of pocket as a result of the site's takedown.
Some AlphaBay users have created a new iteration of the marketplace, dubbed GammaBay. Additionally, sellers have leveraged their AlphaBay vendor ratings as a measure of their trustworthiness and reputation. "This relocation is made easier as many established vendors and regular customers would have already had multiple accounts across the major markets," according to Digital Shadows.
"Takedowns like this undermine the confidence of cybercriminals in trading platforms and disrupt the ebb and flow of their trade," said Rick Holland, VP of Strategy at Digital Shadows. "This is an ongoing battle and law enforcement will seek to stay one step ahead of the cyber criminals."
Patrick Martin, a cybersecurity analyst at RepKnight, predicted sites like Dream Market will fill the gap created by this week's takedowns. He described AphaBay and Hansa as part of a much larger group of underground bazaars whose products range far beyond narcotics.
"Many people mistakenly believe the dark web is only about drugs, guns and illicit material – a world away from everyday life, and a world never likely to affect normal society. The truth though is that the dark web is a massive marketplace for corporate and consumer data like credit card details, login credentials and intellectual property – meaning that everyone is at risk from the dark web.
"The good news for law enforcement monitoring the dark web is that they can see users switch to new dark web sites, and use that as evidence of a repetitive pattern or modus operandi of crime, and we'll hopefully see more convictions in court. However, gathering evidence in this way is time consuming, and in the meantime, business and consumer data remains at risk," he added. ®
Sponsored: Ransomware has gone nuclear