Operation Bayonet (darknet)

Operation Bayonet
Operation NameOperation Bayonet
TypeDrug Enforcement
Roster
Executed byCanada, Germany, Lithuania, Netherlands, Thailand, United States
# of Countries Participated7+
Mission
TargetDark Markets: Alpha Bay Onion Service and Hansa Onion Service
Timeline
Date begin2016?
Date end2017?
Results
Accounting

Operation Bayonet was a multinational law enforcement operation culminating in 2017 targeting the AlphaBay and Hansa darknet markets.[1][2][3] Many other darknet markets were also shut down.[4]

Methodology

[edit]

Investigators from several law enforcement agencies including the FBI, DEA, and Europol located Canadian Alexandre Cazes, the alleged founder of AlphaBay, due to a series of operational security errors:

  • About the time the service first began in December 2014, Cazes used his Hotmail address [email protected] as the 'From' address in system generated welcome and password reset emails, which he also used for his LinkedIn profile and his legitimate computer repair business in Canada.[5]
  • Cazes used a pseudonym, Alpha02, to run the site which he had previously used (e.g., in carding and tech forums) since at least 2008, and variously advertised this identity as the "designer", "administrator" and "owner" of the site.[5][6]
  • When Cazes was arrested, he was logged into his laptop performing an administrative reboot on an AlphaBay server in direct response to a law-enforcement-created artificial system failure; furthermore, encryption was wholly absent on that laptop.[5][7]
  • Cazes' laptop reportedly contained an unencrypted personal net worth statement mapping all global assets across multiple jurisdictions, conveniently leading police to complete asset seizure.[5]
  • The servers were hosted at a company in Canada directly linked to his person.[5]
  • The servers contained multiple constantly open (unencrypted) hot cryptocurrency wallets.[5]
  • Cazes' flashy use of proceeds to purchase property, passports and luxury cars and frequent online boasting about his financial successes, including posting videos of himself driving luxury cars acquired through illegal proceeds, not only revealed his geographical location, but also made denying connection to the service impossible.[5]
  • Assets acquired through proceeds were held in a variety of accounts directly linked to Cazes, his wife and companies they owned in Thailand (the jurisdiction in which they lived), as well as directly held personal accounts in Liechtenstein, Cyprus, Switzerland and Antigua.[5]
  • Cazes' statements about the goal of the site — "launched in September 2014 and its goal is to become the largest eBay-style underworld marketplace" — helped to legally establish intent.[5]

AlphaBay target

[edit]

Law enforcement took at least one month to obtain a US warrant, then over one month to obtain foreign warrants, prepare for and execute searches and seizures in Canada and Thailand:[5]

  • Early May 2017: Law Enforcement verifiably active on the site since at least this period.[5]
  • 1 June 2017: Warrant issued by United States District Court for the Eastern District of California for racketeering, narcotics trafficking, identity theft and access device fraud, transfer of false ID, trafficking in illegal device making equipment, and conspiracy to commit money laundering.[5]
  • 30 June 2017: Warrant is issued for Cazes' arrest in Thailand at US request.[8][9]
  • 5 July 2017:
    • Canadian police raid EBX Technologies in Montreal, Cazes' Canadian company and the reported location of the physical servers, as well as two residential properties in Trois-Rivières.[10]
    • Cazes is arrested in Bangkok at his dwelling at Phutthamonthon Sai 3 Road in Thawi Watthana district which is searched by the Royal Thai Police, with the help of the FBI and DEA.[5][8]
  • 12 July 2017: Cazes' suspected suicide by hanging while in custody at Thailand's Narcotics Suppression Bureau headquarters in Laksi district, Bangkok, was reportedly discovered at 7AM. He was due to face US extradition.[5][8]
  • 16 July 2017: Cazes' wife was reported as having been charged with money laundering.[11][12]
  • 20 July 2017; U.S. Attorney General Jeff Sessions announces shutdown of the site.[13]
  • 23 July 2017: Narcotics Suppression Bureau chief is interviewed and suggests that more suspects will be arrested soon.[14]

Hansa target

[edit]

Hansa Investigation

[edit]

Dutch police discovered the true location of the Hansa onion service after a 2016 tip from security researchers who had discovered a development version.[15] The police quickly began monitoring all actions on the site, and discovered that the administrators had left behind old IRC chat logs including their full names and even a home address, and they began to monitor them. Although the administrators soon moved the site to another unknown host, they got another break in April 2017 by tracing bitcoin transactions, which allowed them to identify the new hosting company, in Lithuania.

Hansa Seizure

[edit]

On June 20, 2017, German police arrested the administrators (two German men) and the Dutch police were able to take complete control of the Hansa site and to impersonate the administrators. Their plan, in coordination with the FBI, was to absorb users coming over from the upcoming AlphaBay website shutdown. The following changes were made to the Hansa website to learn about careless users:

  • All user passwords were recorded in plaintext (allowing police to log into other markets if users had re-used passwords).[15]
  • Vendors and buyers would communicate via PGP-encrypted messages. However, the website provided a PGP encryption convenience feature which the police modified to record a plaintext copy.[15]
  • The website's automatic photo metadata removal tool was modified to record metadata (such as geolocation) before being stripped off by the website.[15]
  • Police wiped the photo database, which enticed vendors to re-upload photos (now capturing metadata).[15]
  • Multisignature bitcoin transactions were sabotaged, which at shutdown would allow police to confiscate a larger amount of illicit funds.[15]
  • Police enticed users to download a Microsoft Excel file (disguised as a text file) that, when opened, would attempt to ping back to a police webserver and unmask the user's IP address.[15][16][17]

Service Shutdowns

[edit]

Per the plan, AlphaBay was shut down on July 4, 2017, and as expected a flood of users substituted to the Hansa marketplace, until its subsequent shutdown on July 19/20 2017. During this time, law enforcement allowed the Hansa userbase (then growing rapidly from 1000 to 8000 vendors per day[18]) to make 27000 illegal transactions in order to collect evidence for future prosecution of users.[15][19] Dutch local cybercrime prosecutor Martijn Egberts claimed to have obtained around 10,000 addresses of Hansa buyers outside of the Netherlands.[20]

After the shut down of Hansa, the site displayed a seizure notice and directed users to the Operation's onion service[21] to find more information about the operation.

Participating law enforcement agencies

[edit]

Most of the involved countries are part of the Virtual Global Taskforce (VGT), however additional law enforcement agencies played a role.

  • The server where Alphabay was located was traced back to Lithuania, leading to the Lithuanian law enforcement's involvement in the operation.
  • The founder of the site, Alexandre Cazes, was arrested in Thailand, which resulted in the Thai police involvement.

List

[edit]

See also

[edit]

References

[edit]
  1. ^ McMillan, Robert; Viswanatha, Aruna (13 July 2017). "Illegal-Goods Website AlphaBay Shut Following Law-Enforcement Action". Wall Street Journal. Archived from the original on 24 September 2020. Retrieved 11 March 2018.
  2. ^ Statt, Nick (14 July 2017). "Dark Web drug marketplace AlphaBay was shut down by law enforcement". The Verge. Archived from the original on 15 July 2017. Retrieved 11 March 2018.
  3. ^ Greenberg, Andy (20 July 2017). "Global Police Spring a Trap on Thousands of Dark Web Users". WIRED. Archived from the original on 24 September 2020. Retrieved 3 March 2018.
  4. ^ "Massive blow to criminal Dark Web activities after globally coordinated operation". 20 July 2017. Archived from the original on 24 September 2020. Retrieved 20 July 2017.
  5. ^ a b c d e f g h i j k l m n "Forfeiture Complaint". Justice.gov. 20 July 2017. p. 27. Archived from the original on 23 September 2020. Retrieved 23 July 2017.
  6. ^ Cox, Joseph (July 20, 2017). "Alleged Dark Web Kingpin Doxed Himself With His Personal Hotmail Address". Vice. Vice Media. Archived from the original on November 9, 2020.
  7. ^ McCarthy, Kieren (July 20, 2017). "Alphabay shutdown: Bad boys, bad boys, what you gonna do? Not use your Hotmail..." The Register. Situation Publishing. Archived from the original on July 20, 2017.
  8. ^ a b c "Dead Canadian fugitive lived in Thai luxury". Bangkok Post. July 14, 2017. Archived from the original on July 14, 2023. Retrieved October 15, 2021.
  9. ^ Ngamkham, Wassayos (July 12, 2017). "Canadian drug suspect found hanged in cell". Bangkok Post. Archived from the original on July 14, 2023. Retrieved October 15, 2021.
  10. ^ "RCMP's 'Dark Web' investigation leads to searches in Montreal, Trois-Rivières". Montreal Gazette. Postmedia Network. July 5, 2017. Archived from the original on July 5, 2017.
  11. ^ Swenson, Kyle (July 18, 2017). "Suspected AlphaBay founder dies in Bangkok jail after shutdown of online black market". The Washington Post. Archived from the original on July 20, 2017.
  12. ^ "Thailand seizes $21 million in assets from dead founder of dark net marketplace AlphaBay". Reuters. Thomson Reuters. July 24, 2017. Archived from the original on June 9, 2018.
  13. ^ "Sessions on dark web Alphabay and Hansa shut down". BBC News. BBC. July 20, 2017. Archived from the original on July 23, 2017.
  14. ^ "9 nations join probe into 'darknet' site". Bangkok Post. July 24, 2017. Archived from the original on July 14, 2023. Retrieved July 24, 2017. NSB poised to pounce on more suspects
  15. ^ a b c d e f g h "Operation Bayonet: Inside the Sting That Hijacked an Entire Dark Web Drug Market". Wired. 2018-03-08. Archived from the original on 2024-03-12. Retrieved 2024-03-12.
  16. ^ Cox, Joseph (August 25, 2017). "This Is How Cops Trick Dark-Web Criminals Into Unmasking Themselves". The Daily Beast. Archived from the original on March 12, 2024. Retrieved March 12, 2024.
  17. ^ pxx51092 (July 25, 2017). "DON'T open the xlsx locktime file, beacon image confirmed in it with Hansa's server IP address". reddit. Archived from the original on October 9, 2017.{{cite news}}: CS1 maint: numeric names: authors list (link)
  18. ^ "Underground Hansa Market taken over and shut down". Politie (Dutch Police). 20 July 2017. Archived from the original on 21 July 2017. Retrieved 21 July 2017.
  19. ^ Riggs, Mike (2017-07-26). "Five Lessons from the Hansa and AlphaBay Busts". Reason Hit&Run. Archived from the original on 2017-07-29. Retrieved 2017-07-26.
  20. ^ Satter, Raphael; Bajak, Frank (2017-07-21). "Dutch 'darknet' drug marketplace shut down". Portland Press Herald. Archived from the original on 2017-07-22. Retrieved 2017-07-22.
  21. ^ DeepDotWeb (31 October 2016). "Dutch National Prosecution Service and police launch Hidden Service in global Darknet enforcement operation". Archived from the original on 1 November 2016. Retrieved 26 July 2017.