Months of preparation and coordination have resulted today, 20 July 2017, in the takedown of two of the largest criminal Dark Web markets, AlphaBay and Hansa.
Two major law enforcement operations, led by the Federal Bureau of Investigation (FBI), the US Drug Enforcement Agency (DEA) and the Dutch National Police, with the support of Europol, have shut down the infrastructure of an underground criminal economy responsible for the trading of over 350 000 illicit commodities including drugs, firearms and cybercrime malware. The coordinated law enforcement action in Europe and the US ranks as one of the most sophisticated takedown operations ever seen in the fight against criminal activities online.
“This is an outstanding success by authorities in Europe and the US,” Rob Wainwright, the Executive Director of Europol, said today, while appearing alongside the US Attorney General, Acting FBI Director and Deputy Director of the US Drug Enforcement Administration (DEA), at a special press conference in Washington DC. “The capability of drug traffickers and other serious criminals around the world has taken a serious hit today after a highly sophisticated joint action in multiple countries. By acting together on a global basis the law enforcement community has sent a clear message that we have the means to identify criminality and strike back, even in areas of the Dark Web. There are more of these operations to come,” he added.
Dimitris Avramopoulos, European Commissioner for Migration, Home Affairs and Citizenship, said: “The Dark Web is growing into a haven of rampant criminality. This is a threat to our societies and our economies that we can only face together, on a global scale. The take-down of the two largest criminal Dark Web markets in the world by European and American law enforcement authorities shows the important and necessary result of international cooperation to fight this criminality. I congratulate the American and Dutch authorities for their successful work, as well as Europol for centrally supporting this endeavour. Our fight against criminal activities online and offline will continue and intensify.”
Julian King, EU Commissioner for the Security Union, said: “This latest success demonstrates not just the growing threat posed by increasingly sophisticated criminal enterprises exploiting the largely unregulated space occupied by the internet but also the vital role of international cooperation among law enforcers, the private sector, national authorities and international organisations in making all of us safer from global, borderless menaces.”
Popular Dark Web marketplaces
AlphaBay was the largest criminal marketplace on the Dark Web, utilising a hidden service on the Tor network to effectively mask user identities and server locations. Prior to its takedown, AlphaBay reached over 200 000 users and 40 000 vendors. There were over 250 000 listings for illegal drugs and toxic chemicals on AlphaBay, and over 100 000 listings for stolen and fraudulent identification documents and access devices, counterfeit goods, malware and other computer hacking tools, firearms, and fraudulent services. A conservative estimation of USD 1 billion was transacted in the market since its creation in 2014. Transactions were paid in Bitcoin and other cryptocurrencies. Hansa was the third largest criminal marketplace on the Dark Web, trading similarly high volumes in illicit drugs and other commodities. The two markets were created to facilitate the expansion of a major underground criminal economy, which affected the lives of thousands of people around the world and was expressly designed to frustrate the ability of law enforcement to bring offenders to justice.
The investigations
Europol has been supporting the investigation of criminal marketplaces on the Dark Web for a number of years. With the help of Bitdefender, an internet security company advising Europol’s European Cybercrime Centre (EC3), Europol provided Dutch authorities with an investigation lead into Hansa in 2016. Subsequent enquiries located the Hansa market infrastructure in the Netherlands, with follow-up investigations by the Dutch police leading to the arrest of its two administrators in Germany and the seizure of servers in the Netherlands, Germany and Lithuania. Europol and partner agencies in those countries supported the Dutch National Police to take over the Hansa marketplace on 20 June 2017 under Dutch judicial authorisation, facilitating the covert monitoring of criminal activities on the platform until it was shut down today, 20 July 2017. In the past few weeks, the Dutch Police collected valuable information on high value targets and delivery addresses for a large number of orders. Some 10 000 foreign addresses of Hansa market buyers were passed on to Europol.
In the meantime, an FBI and DEA-led operation, called Bayonet, was able to identify the creator and administrator of AlphaBay, a Canadian citizen living a luxurious life in Thailand. On 5 July 2017, the main suspect was arrested in Thailand and the site taken down. Millions of dollars worth of cryptocurrencies were frozen and seized. Servers were also seized in Canada and the Netherlands.
Law enforcement strategy
In shutting down two of the three largest criminal marketplaces on the Dark Web, a major element of the infrastructure of the underground criminal economy has been taken offline. It has severely disrupted criminal enterprises around the world, has led to the arrest of key figures involved in online criminal activity, and yielded huge amounts of intelligence that will lead to further investigations. But what made this operation really special was the strategy developed by the FBI, DEA, the Dutch Police and Europol to magnify the disruptive impact of the joint action to take out AlphaBay and Hansa. This involved taking covert control of Hansa under Dutch judicial authority a month ago, which allowed Dutch police to monitor the activity of users without their knowledge, and then shutting down AlphaBay during the same period. It meant the Dutch police could identify and disrupt the regular criminal activity on Hansa but then also sweep up all those new users displaced from AlphaBay who were looking for a new trading platform. In fact they flocked to Hansa in their droves, with an eight-fold increase in the number of new members of Hansa recorded immediately following the shutdown of AlphaBay. As a law enforcement strategy, leveraging the combined operational and technical strengths of multiple agencies in the US and Europe, it has been an extraordinary success and a stark illustration of the collective power the global law enforcement community can bring to disrupt major criminal activity.
Europol as a central hub
Europol has played a coordinating and de-conflicting role in both investigations. From the outset, Europol’s European Cybercrime Centre (EC3) provided technical and forensic support to the Hansa marketplace investigation. In addition Europol’s technical expertise was made available to the Dutch investigators in clouding on-the-spot deployment, as they gained control of Hansa. Subsequently to this, intelligence packages were prepared and sent out to law enforcement partners across 37 countries, spawning many follow-up investigations across Europe and beyond. Some of the intelligence extracted contains relevant information regarding the destination of drugs and is meant to inform the relevant countries about planned shipments of drugs. Overall more than 38 000 transactions have been identified and Europol sent more than 600 communications. To ensure smooth coordination between the two investigations into AlphaBay and Hansa, Europol hosted a coordination meeting with leading law enforcement partners. Overall, 12 different agencies sat down together and collectively mapped out and agreed the overall strategy for the two operations.
In early July, Europol hosted a command post staffed with representatives from the US FBI, DEA and Department of Justice, working alongside specialist staff from EC3. This command post was the central hub for information exchange during the AlphaBay operation. Europol’s secure communication channels were used to exchange information between and receive data contributions from partners. Europol continues to support the FBI, DEA, the Dutch National Police and other partners on the forensic work that needs to be performed on huge amounts of seized material.
SOURCE: EUROPOL
The Department of Justice issued this press release today about the AlphaBay takedown:
The Justice Department today announced the seizure of the largest criminal marketplace on the Internet, AlphaBay, which operated for over two years on the dark web and was used to sell deadly illegal drugs, stolen and fraudulent identification documents and access devices, counterfeit goods, malware and other computer hacking tools, firearms, and toxic chemicals throughout the world. The international operation to seize AlphaBay’s infrastructure was led by the United States and involved cooperation and efforts by law enforcement authorities in Thailand, the Netherlands, Lithuania, Canada, the United Kingdom, and France, as well as the European law enforcement agency Europol.
On July 5, Alexandre Cazes aka Alpha02 and Admin, 25, a Canadian citizen residing in Thailand, was arrested by Thai authorities on behalf of the United States for his role as the creator and administrator of AlphaBay. On July 12, Cazes apparently took his own life while in custody in Thailand. Cazes was charged in an indictment (1:17-CR-00144-LJO), filed in the Eastern District of California on June 1, with one count of conspiracy to engage in racketeering, one count of conspiracy to distribute narcotics, six counts of distribution of narcotics, one count of conspiracy to commit identity theft, four counts of unlawful transfer of false identification documents, one count of conspiracy to commit access device fraud, one count of trafficking in device making equipment, and one count of money laundering conspiracy. Law enforcement authorities in the United States worked with numerous foreign partners to freeze and preserve millions of dollars’ worth of cryptocurrencies that were the subject of forfeiture counts in the indictment, and that represent the proceeds of the AlphaBay organization’s illegal activities.
On July 19, the U.S. Attorney’s Office for the Eastern District of California filed a civil forfeiture complaint against Alexandre Cazes and his wife’s assets located throughout the world, including in Thailand, Cyprus, Lichtenstein, and Antigua & Barbuda. Cazes and his wife amassed numerous high value assets, including luxury vehicles, residences and a hotel in Thailand. Cazes also possessed millions of dollars in cryptocurrency, which has been seized by the FBI and the Drug Enforcement Administration (DEA).
According to publicly available information on AlphaBay prior to its takedown, one AlphaBay staff member claimed that it serviced over 200,000 users and 40,000 vendors. Around the time of takedown, there were over 250,000 listings for illegal drugs and toxic chemicals on AlphaBay, and over 100,000 listings for stolen and fraudulent identification documents and access devices, counterfeit goods, malware and other computer hacking tools, firearms and fraudulent services. Comparatively, the Silk Road dark web marketplace, which was seized by law enforcement in November 2013, had reportedly approximately 14,000 listings for illicit goods and services at the time of seizure and was the largest dark web marketplace at the time.
“This is likely one of the most important criminal investigations of the year – taking down the largest dark net marketplace in history,” said Attorney General Jeff Sessions. “Make no mistake, the forces of law and justice face a new challenge from the criminals and transnational criminal organizations who think they can commit their crimes with impunity using the dark net. The dark net is not a place to hide. The Department will continue to find, arrest, prosecute, convict, and incarcerate criminals, drug traffickers and their enablers wherever they are. We will use every tool we have to stop criminals from exploiting vulnerable people and sending so many Americans to an early grave. I believe that because of this operation, the American people are safer – safer from the threat of identity fraud and malware, and safer from deadly drugs.”
“Transnational organized crime poses a serious threat to our national and economic security,” said Acting Director Andrew McCabe of the FBI. “Whether they operate in broad daylight or on the dark net, we will never stop working to find and stop these criminal syndicates. We want to thank our international partners and those at the Department of Justice, the DEA and the IRS-CI for their hard work in demonstrating what we can do when we stand together.”
“The so-called anonymity of the dark web is illusory,” said Acting Administrator Chuck Rosenberg of the DEA. “We will find and prosecute drug traffickers who set up shop there, and this case is a great example of our commitment to doing exactly that. More to come.”
“AlphaBay was the world’s largest underground marketplace of the dark net, providing an avenue for criminals to conduct business anonymously and without repercussions,” said Chief Don Fort of IRS-CI. “Working with our law enforcement partners – both domestically and abroad – IRS-CI used its unique financial and cyber expertise to help shine a bright light on the accounts and customers of this shadowy black marketplace, and we intend to continue pursuing these kinds of criminals no matter where they hide.”
“This ranks as one of the most successful coordinated takedowns against cybercrime in recent years,” said Executive Director Rob Wainwright of Europol. “Concerted action by law enforcement authorities in the United States and Europe, with the support of Europol, has delivered a massive blow to the underground criminal economy and sends a clear message that the dark web is not a safe area for criminals. I pay tribute to the excellent work of the United States and European authorities for the imaginative and resourceful way they combined their efforts in this case.”
AlphaBay operated as a hidden service on the “Tor” network, and utilized cryptocurrencies including Bitcoin, Monero and Ethereum in order to hide the locations of its underlying servers and the identities of its administrators, moderators, and users. Based on law enforcement’s investigation of AlphaBay, authorities believe the site was also used to launder hundreds of millions of dollars deriving from illegal transactions on the website.
An investigation conducted by FBI Atlanta and the U.S. Attorney’s Office in the Northern District of Georgia identified an AlphaBay staffer living in the United States. That investigation is ongoing.
The investigation into AlphaBay revealed that numerous vendors sold fentanyl and heroin, and there have been multiple overdose deaths across the country attributed to purchases on the site.
According to a complaint affidavit filed in the District of South Carolina against Theodore Vitality Khleborod and Ana Milena Barrero, an investigation into an overdose death on February 16, in Portland, Oregon, involving U-47700, a synthetic opioid, revealed that the drugs were purchased on AlphaBay from Khelborod and Barrero. According to another complaint affidavit filed in the Middle District of Florida against Jeremy Achey, an investigation into a fentanyl overdose death in Orange County, Florida, on February 27, revealed that the lethal substance was purchased on AlphaBay from Achey.
Charges contained in an indictment and/or complaint are merely allegations, and the defendant is presumed innocent unless and until proven guilty beyond a reasonable doubt in a court of law.
This operation to seize the AlphaBay site coincides with efforts by Dutch law enforcement to investigate and take down the Hansa Market, another prominent dark web market. Like AlphaBay, Hansa Market was used to facilitate the sale of illegal drugs, toxic chemicals, malware, counterfeit identification documents, and illegal services. The administrators of Hansa Market, along with its thousands of vendors and users, also attempted to mask their identities to avoid prosecution through the use of Tor and digital currency. Further information on the operation against the Hansa Market can be obtained from Dutch authorities.
The operation to seize AlphaBay’s servers was announced by Attorney General Jeff Sessions; Deputy Attorney General Rod Rosenstein; Acting Assistant Attorney General Kenneth A. Blanco of the Justice Department’s Criminal Division; U.S. Attorney Phillip A. Talbert for the Eastern District of California; Acting Director Andrew G. McCabe of the FBI, Acting Administrator Chuck Rosenberg of the DEA and Europol Executive Director Robert Mark Wainwright.
The case is being investigated by the FBI including FBI Sacramento Field Office and DEA, with substantial assistance from the IRS-CI. U.S. Immigration and Customs Enforcement’s Homeland Security Investigations also assisted in the investigation. The case against Cazes was prosecuted by Assistant U.S. Attorneys Paul A. Hemesath and Grant B. Rabenn of the U.S. Attorney’s Office for the Eastern District of California, and Trial Attorneys Louisa K. Marion and C. Alden Pelker of the Criminal Division’s Computer Crime and Intellectual Property Section. Substantial assistance was provided by the Department of Justice’s Office of International Affairs and Special Operations Division. Additionally, the following foreign law enforcement agencies provided substantial assistance in the operation to seize AlphaBay’s infrastructure: Royal Thai Police, Dutch National Police, Lithuanian Criminal Police Bureau (LCPB), Royal Canadian Mounted Police, United Kingdom’s National Crime Agency, Europol, and French National Police.