Cybersecurity: Crime and Espionage

Cybercrime Roundup: International Takedown of Two Online Illicit Marketplaces

By Sarah Tate Chambers
Wednesday, August 2, 2017, 12:00 PM

On July 5, AlphaBay, an online marketplace specializing in the sale of illegal goods and services, went offline. Users and vendors wondered what had happened. A little over two weeks later, the Department of Justice announced the coordination of an international takedown of AlphaBay that coincided with the Dutch government’s takedown of Hansa, a similar website.

AlphaBay

Launched in September 2014, AlphaBay was an eBay-like marketplace where users could purchase myriad illicit goods and services, including illegal drugs, malware, computer hacking tools, firearms, and money-laundering services. These transactions were cloaked in anonymity because AlphaBay could be accessed only via special browsers, such as Tor, that can route to .onion websites. Tor obscures a user’s IP address by routing the inquiry through various computers, concealing the originator’s digital identity from all computers but the destination.

AlphaBay recognized limits to its anonymity. On its Frequently Asked Questions page the website said:

Some people have really asked [whether AlphaBay is legal] . Of course not. We are an anonymous marketplace selling drugs, weapons and credit cards. Make sure you access the website through Tor or through a VPN to ensure anonymity. We take no responsibility if you get caught, so protecting yourself is your responsibility.

Whatever the limitations of AlphaBay’s ability to provide anonymity to its users, its size surpassed all other online illicit marketplaces. During the Justice Department press conference announcing AlphaBay's takedown, FBI Acting Director Andrew McCabe said that AlphaBay was roughly 10 times larger than Silk Road, an online illicit marketplace that the federal government took down in 2013. At the time of its closure, the site had 40,000 vendors, 200,000 users, and more than 350,000 listings for illicit goods and services.
 

Daily Operations

For a site with so much traffic, AlphaBay was a rather small operation. It had eight to 10 staff members, including a “security administrator,” several “moderators,” a “public relations manager,” and several “ScamWatchers” (who “watched out for phishing attempts and other scams against other AlphaBay users”).

Cryptocurrency was the only form of payment allowed on AlphaBay. Much like the Silk Road, users transferred cryptocurrency from their AlphaBay account to the site’s address, where the funds were held in escrow until the user notified AlphaBay that she or he had received the item or service. Before the funds were transferred out of escrow, AlphaBay took its cut—between 2 to 4 percent depending on the seller’s “history, volume, and trust level on the site.” This turned a lucrative profit. According to the forfeiture complaint:
       

Between May 2015 and February 2017, Bitcoin addresses associated with AlphaBay conducted approximately 4,023,480 transactions, receiving approximately 839,087 Bitcoin and sending approximately 838,976 Bitcoin. This equals approximately US$450 million in deposits to AlphaBay. CAZES’s 2-4% commission on Bitcoin transactions likely conducted with those funds would equal between $9-18 million[ . . .].

These transactions could be traced because Bitcoins are recorded on the “blockchain”—a distributed ledger that keeps a record of the exchanges of funds between different addresses. It does not, however, identify the person to whom each address belongs. So, without additional information, the transactions could not be traced to particular individuals.

Since Bitcoins can be traced via address through the ledger, AlphaBay offered “tumblers” and “mixers,” which “obscure transaction histories by combining, splitting[,] and re-combining Bitcoins through a series of wallets controlled by the tumbler or mixer” to help conceal the identity of vendors and users.

 

Undercover Buys

While AlphaBay attempted to maximize users’ anonymity, it could not guarantee anonymity. The indictment demonstrated the limits of user anonymity: the location of several vendors was disclosed when law enforcement made undercover purchases from the site. From May 2016 to June 2017, law enforcement purchased and received from vendors on AlphaBay: marijuana, heroin, fentanyl, methamphetamine, several state driver’s licenses, and an ATM skimming device. Those transactions provided the bulk of the material for the indictment against the alleged owner and operator of AlphaBay, but the government had to identify and locate the owner before it could attempt to take down the site.

The Takedown

Purportedly a guide to accessing and safely using AlphaBay, Alphabaymarket.com provides tips to help AlphaBay users protect their anonymity. Those tips included:

If Alexandre Cazes, the alleged owner and operator of AlphaBay, had taken those steps seriously, he might still be anonymous.

Cazes’s mistakes involved his use of several different online identifiers on both AlphaBay and elsewhere on the web: the monikers “Alpha02” and “Admin,” the email “[email protected],” and a company called EBX Technologies (EBX Tech). By using several of these identifiers on other sites outside AlphaBay, he left a trail of breadcrumbs to his true identity.

Page 1 of AlphaBay

On June 1, Cazes was indicted in the Eastern District of California. The charges included:

  • RICO conspiracy
  • Narcotics conspiracy
  • Six counts of distributing a controlled substance
  • Conspiracy to commit identity theft
  • Four counts of unlawful transfer of false identification documents
  • Conspiracy to commit access device fraud
  • Trafficking in device-making equipment
  • Money-laundering conspiracy

Once indicted, law enforcement had the difficult task of arresting Cazes when his equipment was in an unencrypted state.
 

Search and Seizure

Those who followed the Ross Ulbricht trial may recall the lengths that agents and prosecutors went to in order to apprehend Ulbricht while his computer was open, allowing them to receive the computer in an unencrypted state. If Ulbricht had closed his computer, the encryption would have turned the computer into—in the words of an FBI computer scientist—“a brick.” (The examination of that FBI computer scientist, Thomas Kiernan, is a great read. It starts at Page 65 and picks up here on Page 8.)

While the details of Cazes’s apprehension are not as clear, the forfeiture complaint hints that the situation may have been similar. Royal Thai Police searched Cazes’s home in Bangkok, Thailand. According to the complaint:

At the time of his arrest, law enforcement discovered CAZES’ laptop open and in an unencrypted state. The laptop was in CAZES’ bedroom and logged into to server that hosted the AlphaBay website—CAZES was logged in under the username “Admin” and had accessed the data center hosing the AlphaBay site in order to execute a reboot command after AlphaBay went offline as a result of a law enforcement-created service outage.

Cazes was taken into custody by the Royal Thai Police, and he allegedly committed suicide about a week later. Cazes was found dead in his cell before a hearing about extradition to the United States.

 

Forfeiture Complaint

After Cazes’s death, the U.S. attorney in the Eastern District of California filed a civil forfeiture complaint to facilitate proper handling of the assets seized in the criminal case. Those assets include:

  • a 2013 Lamborghini Aventador LP700-4;
  • a Porsche Panamera S;
  • a Mini Cooper;
  • a BMW motorcycle;
  • funds held at various banks under the names Alexandre Cazes and Sunisa Thapsuwan (Cazes’s wife);
  • property located in Bangkok, Phuket, Cyprus and Antiqua;
  • cryptocurrencies including Bitcoin, Ethereum, Zcash and Monero.

Hansa

Once AlphaBay was shut down on July 5, users "flocked” to another online illicit marketplace—Hansa, to use the word of then-FBI Acting Director McCabe. According to a Europol press release, Hansa saw an eightfold increase in new members after AlphaBay went down. Unbeknownst to the users, however, the Dutch National Police had covertly taken control of Hansa on June 20. This allowed for collection of intelligence not only on Hansa users but also on those who were driven from AlphaBay. From the Europol press release, it appears that not only was significant intelligence collected but also that it was shared with the international coalition that coordinated to produce this unprecedented double takedown.

 

Looking Ahead

This takedown can be read as touching several Justice Department priorities. First, it has consistently emphasized the importance of taking down criminal computer networks and their operators. As the largest online marketplace for illegal goods and services, this fits squarely within that priority.

Additionally, Attorney General Jeff Sessions has consistently prioritized drug-trafficking prosecutions. During the press conference, Sessions highlighted three U.S. citizens who died as a result of taking synthetic opioids bought on AlphaBay.

The ability of these drugs to so instantaneously end these promising lives is a reminder to us all of just how incredibly dangerous these synthetic opioids are—especially when they are purchased anonymously from the darkest places on the internet.

This is likely one of the most important criminal cases of the year. Make no mistake, the forces of law and justice face a new challenge from the criminals and transnational criminal organizations who think they can commit their crimes with impunity by ‘going dark.’ This case, pursued by dedicated agents and prosecutors, says you are not safe.  You cannot hide. We will find you, dismantle your organization and network.  And we will prosecute you.

I believe that because of this operation, the American people are safer—safer from the threat of identity fraud and malware, and safer from deadly drugs.

 This case is the perfect combination of two of the department’s current priorities: dismantling cybercrime computer networks and drug-trafficking organizations.

The department’s work also includes the prosecution of various AlphaBay vendors, including:

As several of these vendors sold drugs that caused the death of others, it will be interesting to watch whether they receive heightened sentencing under the “death results” statute. Last year, the Justice Department highlighted this statute as an “effective tool in the effort to disrupt and dismantle drug trafficking organizations throughout the country.”

In the closing words of then-Acting Director McCabe:

Our critics will say, as we shutter one site another site emerges. And they may be right. But that is the nature of criminal work—it never goes away, you have to constantly keep at it, and you’ve got to use every tool in your toolbox. And that is exactly what we’ll do.

We’ve learned a lot over the years about taking down international criminal syndicates and that same experience applies to organizations that are facilitated on the dark net. We know that removing top criminals from the infrastructure is not a long-term fix. There’s always a new player waiting in the wings, ready to fill those shoes.

It is like demolishing a building, hacking away at individual walls and beams only does so much. But using federal statutes to prosecute these individuals is akin to blowing up the foundation with dynamite. Once the infrastructure implodes, it becomes difficult for the group to function. And with the weight of this kind of operation, the organization crumbles. So, we will keep doing this great work. And we will continue to count on our federal counterparts and our international partners to be right here with us.