Dark web markets' shutdown may lead to more arrests

Cooperation between law enforcement agencies from around the world led to the shutdown of the AlphaBay and Hansa dark web markets and to potential leads on illegal vendors.

In a coordinated effort, law enforcement agencies in six countries, plus Europol, shut down two illicit dark web markets and gathered communications on vendors and users, which experts said could lead to more prosecutions.

The takedown of the AlphaBay dark web market was credited to an FBI and Drug Enforcement Agency operation named Bayonet. And in the announcement by the U.S. Department of Justice, Attorney General Jeff Sessions called it "the largest takedown in world history." Sessions highlighted the sale of illegal drugs on the site, noting AlphaBay housed "more than 40,000 illegal vendors ... for more than 200,000 customers."

"This is likely one of the most important criminal investigations of this entire year. I have no doubt of that," Sessions said in a statement. "Make no mistake, the forces of law and justice face a challenge from criminals and transnational criminal organizations who think they can commit their crimes with impunity by going dark. This case pursued by dedicated agents and prosecutors says you are not safe. You cannot hide. We will find you. Dismantling organization and network, and we will prosecute you."

Experts were not as bullish as Sessions, noting that while the shutdown of AlphaBay may hamper illicit operations in the short term, new dark web markets will in all likelihood arise in the future.

Marta Janus, senior threat researcher at Cylance Inc., based in Irvine, Calif., said the shutdown of these dark web markets should at least slow down ransomware attacks in the coming weeks.

"But could we expect that malware sales or any other illegal activities in the Tor network will now cease to exist? Unfortunately, no," Janus told SearchSecurity. "As history reveals, sooner or later, another market will appear and take over as the favorite place to exchange drugs, weapons and harmful code, just like AlphaBay took over the legacy of Silk Road -- that was closed in 2013 and grew to even greater proportions. Where one market closes, many smaller ones are sure to open, diluting the market share and causing further headaches for law enforcement."

Michael Marriott, research analyst at Digital Shadows, based in San Francisco, said failures in operational security that contributed to the arrest of AlphaBay's founder could instill some fear in cybercriminals.

"This will act as a reminder to aspiring criminal marketplace owners about how difficult it is to secure their digital footprints. Furthermore, in the short term, this will have sowed a seed of doubt among users of dark web markets, who will be wary about turning to new platforms," Marriott told SearchSecurity. "Nevertheless, it is unlikely that this will prevent new shops being created on the dark web in the long term."

Ilia Kolochenko, CEO of web security company High-Tech Bridge, based in Switzerland, said this effort may lead to cybercriminals setting up dark web market honeypots of sorts for law enforcement.

"I think that the cybercrime industry has learned the lesson, and now virtually everyone will become paranoid. This can significantly complicate any other investigations and covert operations," Kolochenko told SearchSecurity. "Black hats can easily create a new platform with fake data and forged transactions of illegal goods to mislead the law enforcement and frame up innocent people. This success can ultimately become a Pyrrhic victory."

Attorney General Jeff Sessions announces shutdown of AlphaBay dark web market by FBI and DEA.

Hansa and the ethical gray area of running dark web markets

The press release by Europol said the European investigation into these dark web markets focused more on the Hansa market, where authorities ran an intelligence-gathering effort to catch AlphaBay "refugees" coming to Hansa before the site was shut down.

"Enquiries located the Hansa market infrastructure in the Netherlands, with follow-up investigations by the Dutch police leading to the arrest of its two administrators in Germany and the seizure of servers in the Netherlands, Germany and Lithuania," Europol said in its press release. "Europol and partner agencies in those countries supported the Dutch National Police to take over the Hansa marketplace on 20 June 2017 under Dutch judicial authorization, facilitating the covert monitoring of criminal activities on the platform until it was shut down today, 20 July 2017. In the past few weeks, the Dutch Police collected valuable information on high value targets and delivery addresses for a large number of orders. Some 10,000 foreign addresses of Hansa market buyers were passed on to Europol."

While experts noted it is not uncommon for law enforcement to keep dark web markets running in order to gather intelligence, there can be ethical and legal concerns.

According to Hector Monsegur, director of assessment services at Seattle-based Rhino Security Labs and former black hat hacker, the ethical questions about law enforcement running dark web markets in this way have come up "several times over the last few years whenever a big operation like this one actually unfolds."

"The FBI previously operated similarly to the Dutch police in hijacking a popular dark web onion dedicated to pedophilia content and kept the site functional for quite some time. This allowed the FBI to collect further information about users who frequented the Tor onion in question and led to convictions," Monsegur told SearchSecurity. "The real answer is that this situation is one of those gray areas that probably has not been properly vetted or challenged in court yet, and will continue to be a trend for law enforcement from here on out."

Atiq Raza, CEO of Virsec Systems Inc., based in San Jose, Calif., said it was a "smart and practical move" for law enforcement to gather information from the Hansa market.

"While these sites seem like centralized businesses, they really just connect thousands of independent criminal enterprises that can easily do business elsewhere. The only chance of this being effective is to go after the endpoints -- not just shutting down the hub," Raza told SearchSecurity. "Any undercover investigation has to deal with this ethical fine line. Having said that, one hopes that the focus of temporarily running these sites was to identify users, not facilitate transactions."

Marriott said the intelligence-gathering should outweigh the ethical considerations.

"Nevertheless, the potential gray legal areas could be used by criminal defendants as legal proceedings take place," Marriott said. "Hansa was seized and controlled for several weeks before AlphaBay was shut down, but law enforcement waited until former AlphaBay users migrated to Hansa in order to maximize the impact. Given the thousands of vendors who migrated to the marketplace, the intelligence gain is likely to have been significant."

Monsegur said the intelligence gained could lead to hundreds, if not thousands, of convictions, but will also make future dark web markets harder to crack.

"For now, just like every other major event in the dark web, the communities will disband, people will change pseudonyms, server operators will change technologies and capabilities, and people will try again," Monsegur said. "Eventually, you'll have AlphaBay and Hansa 2.0 and other iterations coming into existence. The difference now is that those new communities and administrators will probably be much harder to crack and identify. What we're witnessing is a very expensive trial and error. As law enforcement agencies become smarter in their detective work and tactics, so will drug market operators."
