By Alois Afilipoaie and Patrick Shortis
Subject
Between June and July 2017, two law enforcement actions targeted the cryptomarkets AlphaBay and Hansa Market, closed them, and arrested their operators, seizing millions of dollars in assets in the process. These operations, dubbed ‘Operation Bayonet’ (AlphaBay) and ‘Operation GraveSac’ (Hansa), saw a shift in the strategy and tactics that law enforcement agencies are using to target cryptomarket activity on the Tor network.4 By deconstructing the operation, this situational analysis aims to provide pertinent lessons on how law enforcement agencies have adapted their approach towards tackling cryptomarkets.
History of the Operations
- On June 20th, 2017 the Netherlands National High Tech Crime Unit (NHTCU) infiltrated Hansa Market and took over the site’s operations (Operation GraveSac), without alerting users or disrupting illicit sales.5 This was done with the help of the private cybersecurity company Bitdefender, which supplied information that enabled the NHTCU to compromise a server in the Netherlands. This action led to German authorities arresting the two Hansa Market administrators, who provided information on another server in Germany and the main server’s location in Lithuania. A link was then set up between the servers in Lithuania and the Netherlands that allowed law enforcement to create a real-time copy of the market database within NHTCU jurisdiction. They also obtained the cryptomarket source code, which enabled them to modify the site and thus improve their intelligence collection capabilities.
- A takedown operation on July 5th (Operation Bayonet) headed by U.S. law enforcement agencies closed AlphaBay and revealed 25-year-old Canadian Alexandre Cazes as the site’s administrator ‘alpha02’. He was arrested in Thailand pending extradition to the United States. Despite AlphaBay being the largest cryptomarket at the time, law enforcement made no official announcements of the arrest, leaving the user community to speculate about the market’s downtime.7 The initial reaction was that the administrators had performed an exit-scam, a theory that gained traction when members of the community noticed large bitcoin transactions they suspected of originating from the cryptomarket’s wallet.
- Following the shutdown of AlphaBay, Hansa Market saw an eight-fold increase in new registrations.9 The administrators (NHTCU) announced they would temporarily close registration to cope with the influx and continue to fulfil orders.10 This kind of action had been previously taken by cryptomarkets that experienced large jumps in their user base following rival market closures and therefore it did not raise the suspicions of Hansa’s community.
- Cazes committed suicide in his Thai prison cell on July 12th and news broke shortly afterwards that linked his arrest and subsequent death to a law enforcement operation that had taken down AlphaBay. At this point the cryptomarket community was still unsure about law enforcement’s involvement in AlphaBay’s closure. Users were also unaware of any law enforcement links between AlphaBay and Hansa Market.
- On July 20th the US Federal Bureau of Investigation (FBI) and Europol released a joint statement confirming the operations and posted seizure notices on both Hansa and AlphaBay. Europol claimed that during the 27 days the NHTCU had control of Hansa as part of Operation GraveSac they monitored approximately 1,000 daily transactions. Additionally, they gathered 10,000 postal addresses along with thousands of messages from Hansa customers. Regarding Operation Bayonet, the FBI estimated over 200,000 customers, 40,000 vendors and over 350,000 listings on AlphaBay.12 This included 250,000 listings in illegal drugs plus over $1bn in total transactions since its inception in 2014, making it the largest cryptomarket to date.