One Year After AlphaBay And Hansa: How The Market Dissolves But Only By A Fraction

It was on July 4th, 2017, that AlphaBay, the titan of the dark web, went dark.

AlphaBay was the largest underground market, and a popular place for people to buy drugs, stolen credit cards, counterfeit documents, and cyber-crime kits. While AlphaBay wasn't as large as many experts had expected, the site was successful because it could capitalize on the market gap where the likes of Dream and Olympus had failed.

AlphaBay was only one player among many on the underground. But since it was steady, reliable, organized and efficient, and had good uptime in a world where dark web websites go down multiple times each day, AlphaBay was considered to be the central power of the underground economy.

It was business as usual, right up until the site disappeared all of a sudden.

In the first hours, users took their complaints to popular forums, including the dark web community on Reddit. They were complaining about the downtime, wondering if others were also experiencing the same issue. After hours passed without any clarification, people became worried.

They were restless.

With more hours passing without any word on the status of their orders and the site, users became frustrated. They demanded answers, instantly.

There is no question about it. The dark web has many notorious websites that come and go. As a sophisticated market, AlphaBay held buyers' money while transactions were finalized. At its height, AlphaBay had more than 40,000 vendors and generated more than $1 billion in trade.

With practically nobody able to track who owns what and who is who, rumors about a possible exit scam started to rise. People started suggesting that AlphaBay's administrator had intentionally shut down the site and run away with all the money, just as other markets had done before it.

But since no one could explain what had really happened in the first couple of weeks, secondary markets started to show some new life. People began promoting them, including the alternative platform called Hansa.

Hansa website home page

Hansa was younger than AlphaBay, but it had still earned a strong reputation.

With AlphaBay down and no one knowing what had happened, Hansa quickly took AlphaBay's place as the reliable market on the dark web. This started the wave of what were called the AlphaBay refugees, as many AlphaBay users started populating Hansa.

Users grew from 1,000 to 8,000 vendors per day. At its peak, Hansa had thousands of dealers offering more than 24,000 drug product listings, from cocaine to MDMA and heroin, as well as a smaller trade in fraud tools and counterfeit documents. Together they made 27,000 illegal transactions in just a brief period of time.

But then suddenly, on July 20th, the U.S. Attorney General broke the news about AlphaBay:

The authorities said that AlphaBay had been taken down in a coordinated effort between the Department of Justice, Europol, and other international law enforcement agencies. So clearly, AlphaBay had not exit scammed, as many had speculated. AlphaBay was seized, and that was what really happened.

The website's co-founder Alexandre Cazes was arrested, before committing suicide in a jail restroom at the Narcotics Suppression Bureau building in Laksi district in Bangkok.

And before most Hansa and former AlphaBay users could ever react, the authorities made another move: they took control of Hansa.

Hansa had been in the authorities' crosshairs since 2016, when AlphaBay was still up and running. After a 10-month operation, the Dutch police, who were on the trail of Hansa, decided on a different approach: they didn't want to take the site down as had been done with AlphaBay.

Instead, they wanted to take control of it.

After the German police arrested two German men who were Hansa's administrators, the Dutch police took complete control of the site by impersonating the administrators.

The undercover operation spied on Hansa's buyers and sellers, discreetly altering the site's code to collect more identifying information about its users. The authorities even went as far as tricking users into opening a file on their computers to reveal their true location.

The police allowed Hansa to operate as normal, with its users unaware that the site had been compromised. The strategy was to let the compromised Hansa absorb as many AlphaBay users as it could, and to have all of their transactions recorded by the authorities.

As a result, the authorities claimed to have dealt one of the biggest blows against the dark web in its short history: millions of dollars' worth of confiscated bitcoins, more than a dozen arrests of the site's top drug dealers, and a huge database of Hansa user information (including 10,000 addresses of Hansa buyers outside of the Netherlands) that authorities say should haunt anyone who bought or sold things on the site during its last month online.

Caught by surprise, the community scrambled and went into panic mode.

Vendors suddenly ceased their orders, buyers quickly deleted their accounts, and the Reddit community around dark web marketplaces started sharing their paranoia about the police preparing to raid their homes. It was chaos on both the deep web and the surface web.

International police operation took down AlphaBay and Hansa dark web markets

As time went by, the heat started to die down. All those remaining "untouched" users who had been experiencing uncertainty started to breathe a sigh of relief.

Just as deep web markets had seen before, users started to move to other sites, despite some skepticism and hesitation, before finding themselves a new footing. But still, the fall of two of the largest dark web marketplaces has struck fear deep into the hearts of users.

Add to that the instability of the dark web and multiple denial-of-service attacks, and most markets there can only live a few months at a time before completely blacking out.

So here, a year after the shutdown of AlphaBay and Hansa, the marketplace has become largely decentralized, without one clear leader. The takedowns collapsed the infrastructure, dissolving the market as users came to mistrust the markets, believing that law enforcement might be operating some of them to trick users, just as it did with Hansa.

As a result, cybercriminals began to retreat into older and specialized platforms to buy and sell. The marketplaces have reshaped into smaller forums and individual chats as threat actors find new ways to evade law enforcement.

Business goes on as usual, but it's simply taking a different form.

Digital Shadows researchers observed more than 5,000 Telegram links shared across criminal forums and dark web websites. Of these, 1,667 were invitation links to join new groups. All that happened in just 6 months after Hansa's takeover.

List of active, arrested and identified vendors and buyers, from the Dutch Police’s hidden service

Why is this happening? Why didn't it stop there?

The answer is simple: one market down, more will follow. Two markets down, even more will flourish.

The dark web criminal community is not powered by one single entity. Taking down AlphaBay and Hansa was disruptive and effective, but it left equivalent criminal operators working in parallel networks undisturbed. With two great marketplaces down, those networks can operate with a chance to seize a larger segment of the market.

Dark web marketplaces often work independently. What's more, the distinction between traditional crime and cybercrime is blurry. After all, the marketplaces are just the operations that centralized the economy; they are not the system itself.

So as long as the system exists, the world will definitely see growing marketplaces lurking at some point in the dark web.

Administrators of those smaller markets, P2P networks and forums have been integrating processes to facilitate trust among their users. They have adopted blockchain DNS, user vetting, site access restrictions, and domain concealment as supplementary measures to build a sense of security.

What's more, wary of law enforcement posing as users, those places regulate activity with "forum lifecycles," which limit new users' access and set posting restrictions until they reach a certain level of activity. New users might even require positive feedback from other members before these limitations are lifted. There are also places where access is restricted and requires members to pay for premium subscriptions or have multiple referral invitations from established participants. Others create a hierarchy: the longer users have been members and the more they prove their legitimacy, the more they're allowed to post.

This is how the economic lesson comes true: "where there is demand there will be supply."
