Operation Bayonet (darknet)

Last updated
Operation Bayonet
Operation NameOperation Bayonet
TypeDrug Enforcement
Roster
Executed byCanada, Germany, Lithuania, Netherlands, Thailand, United States
# of Countries Participated7+
Mission
TargetDark Markets: Alpha Bay Onion Service and Hansa Onion Service
Timeline
Date begin2016?
Date end2017?
Results
Accounting

Operation Bayonet was a multinational law enforcement operation culminating in 2017 targeting the AlphaBay and Hansa darknet markets. [1] [2] [3] Many other darknet markets were also shut down. [4]

Contents

Methodology

Investigators from several law enforcement agencies including the FBI, DEA, and Europol located Canadian Alexandre Cazes, the alleged founder of AlphaBay, due to a series of operational security errors:

AlphaBay target

Law enforcement took at least one month to obtain a US warrant, then over one month to obtain foreign warrants, prepare for and execute searches and seizures in Canada and Thailand: [5]

Hansa target

Hansa Investigation

Dutch police discovered the true location of the Hansa onion service after a 2016 tip from security researchers who had discovered a development version. [15] The police quickly began monitoring all actions on the site, and discovered that the administrators had left behind old IRC chat logs including their full names and even a home address, and they began to monitor them. Although the administrators soon moved the site to another unknown host, they got another break in April 2017 by tracing bitcoin transactions, which allowed them to identify the new hosting company, in Lithuania.

Hansa Seizure

On June 20, 2017, German police arrested the administrators (two German men) and the Dutch police were able to take complete control of the Hansa site and to impersonate the administrators. Their plan, in coordination with the FBI, was to absorb users coming over from the upcoming AlphaBay website shutdown. The following changes were made to the Hansa website to learn about careless users:

  • All user passwords were recorded in plaintext (allowing police to log into other markets if users had re-used passwords). [15]
  • Vendors and buyers would communicate via PGP-encrypted messages. However, the website provided a PGP encryption convenience feature which the police modified to record a plaintext copy. [15]
  • The website's automatic photo metadata removal tool was modified to record metadata (such as geolocation) before being stripped off by the website. [15]
  • Police wiped the photo database, which enticed vendors to re-upload photos (now capturing metadata). [15]
  • Multisignature bitcoin transactions were sabotaged, which at shutdown would allow police to confiscate a larger amount of illicit funds. [15]
  • Police enticed users to download a Microsoft Excel file (disguised as a text file) that, when opened, would attempt to ping back to a police webserver and unmask the user's IP address. [15] [16] [17]

Service Shutdowns

Per the plan, AlphaBay was shut down on July 4, 2017, and as expected a flood of users substituted to the Hansa marketplace, until its subsequent shutdown on July 19/20 2017. During this time, law enforcement allowed the Hansa userbase (then growing rapidly from 1000 to 8000 vendors per day [18] ) to make 27000 illegal transactions in order to collect evidence for future prosecution of users. [15] [19] Dutch local cybercrime prosecutor Martijn Egberts claimed to have obtained around 10,000 addresses of Hansa buyers outside of the Netherlands. [20]

After the shut down of Hansa, the site displayed a seizure notice and directed users to the Operation's onion service [21] to find more information about the operation.

Participating law enforcement agencies

Most of the involved countries are part of the Virtual Global Taskforce (VGT), however additional law enforcement agencies played a role.

List

See also

Related Research Articles

Most Internet censorship in Thailand prior to the September 2006 military coup d'état was focused on blocking pornographic websites. The following years have seen a constant stream of sometimes violent protests, regional unrest, emergency decrees, a new cybercrimes law, and an updated Internal Security Act. Year by year Internet censorship has grown, with its focus shifting to lèse majesté, national security, and political issues. By 2010, estimates put the number of websites blocked at over 110,000. In December 2011, a dedicated government operation, the Cyber Security Operation Center, was opened. Between its opening and March 2014, the Center told ISPs to block 22,599 URLs.

DarkMarket was an English-speaking internet cybercrime forum. It was created by Renukanth Subramaniam in London, and was shut down in 2008 after FBI agent J. Keith Mularski infiltrated it using the alias Master Splyntr, leading to more than 60 arrests worldwide. Subramaniam, who used the alias JiLsi, admitted conspiracy to defraud and was sentenced to nearly five years in prison in February 2010.

The dark web is the World Wide Web content that exists on darknets that use the Internet but require specific software, configurations, or authorization to access. Through the dark web, private computer networks can communicate and conduct business anonymously without divulging identifying information, such as a user's location. The dark web forms a small part of the deep web, the part of the web not indexed by web search engines, although sometimes the term deep web is mistakenly used to refer specifically to the dark web.

<span class="mw-page-title-main">Operation Onymous</span> International police operation targeting darknet markets

Operation Onymous was an international law enforcement operation targeting darknet markets and other hidden services operating on the Tor network.

Agora was a darknet market operating in the Tor network, launched in 2013 and shut down in August 2015.

<span class="mw-page-title-main">Evolution (marketplace)</span> Former darknet market

Evolution was a darknet market operating on the Tor network. The site was founded by an individual known as 'Verto' who also founded the now defunct Tor Carding Forum. Evolution was active between 14 January 2014 and mid-March 2015.

<span class="mw-page-title-main">AlphaBay</span> Defunct darknet marketplace

AlphaBay was a darknet market operating at different times between September 2014 and February 2023. At times, it was both an onion service on the Tor network and an I2P node on I2P. After it was shut down in July 2017 following law enforcement action in the United States, Canada, and Thailand as part of Operation Bayonet, it was relaunched in August 2021 by the self-described co-founder and security administrator DeSnake. The alleged original founder, Alexandre Cazes, a Canadian citizen born on 19 October 1991, was found dead in his cell in Thailand several days after his arrest, with police suspecting suicide.

TheRealDeal was a darknet website and a part of the cyber-arms industry reported to be selling code and zero-day software exploits.

A darknet market is a commercial website on the dark web that operates via darknets such as Tor and I2P. They function primarily as black markets, selling or brokering transactions involving drugs, cyber-arms, weapons, counterfeit currency, stolen credit card details, forged documents, unlicensed pharmaceuticals, steroids, and other illicit goods as well as the sale of legal products. In December 2014, a study by Gareth Owen from the University of Portsmouth suggested the second most popular sites on Tor were darknet markets.

DeepDotWeb was a news site dedicated to events in and surrounding the dark web featuring interviews and reviews about darknet markets, Tor hidden services, privacy, bitcoin, and related news. The website was seized on May 7, 2019, during an investigation into the owners' affiliate marketing model, in which they received money for posting links to certain darknet markets, and for which they were charged with conspiracy to commit money laundering. In March 2021 site administrator Tal Prihar pleaded guilty to his charge of conspiracy to commit money laundering.

Grams was a search engine for Tor based darknet markets launched in April 2014, and closed in December 2017. The service allowed users to search multiple darknet markets for products like drugs and guns from a simple search interface, and also provided the capability for its users to hide their transactions through its bitcoin tumbler Helix.

The Russian Anonymous Marketplace or RAMP was a Russian language forum with users selling a variety of drugs on the Dark Web.

Playpen was a darknet child pornography website that operated from August 2014 to March 2015. The website operated through the Tor network which allowed users to use the website anonymously. After running the website for 6 months, the website owner Steven W. Chase was captured by the FBI. After his capture, the FBI continued to run the website for another 13 days as part of Operation Pacifier.

Hansa was an online darknet market which operated on a hidden service of the Tor network.

<span class="mw-page-title-main">Dream Market</span> Online black market

Dream Market was an online darknet market founded in late 2013. Dream Market operated on a hidden service of the Tor network, allowing online users to browse anonymously and securely while avoiding potential monitoring of traffic. The marketplace sold a variety of content, including drugs, stolen data, and counterfeit consumer goods, all using cryptocurrency. Dream provided an escrow service, with disputes handled by staff. The market also had accompanying forums, hosted on a different URL, where buyers, vendors, and other members of the community could interact. It was one of the longest running darknet markets.

Childs Play [sic] was a website on the darknet featuring child sexual abuse material that operated from April 2016 to September 2017, which at its peak was the largest of its class. The site was concealed by being run as a hidden service on the Tor network. After running the site for the first six months, owner Benjamin Faulkner of North Bay, Ontario, Canada, was captured by the United States Department of Homeland Security. For the remaining eleven months the website was owned and operated by the Australian Queensland Police Service's Task Force Argos, as part of Operation Artemis.

<span class="mw-page-title-main">Dread (forum)</span> Online discussion forum hosted on the dark web

Dread is a Reddit-like dark web discussion forum featuring news and discussions around darknet markets. The site's administrators go by the alias of Paris and HugBunter.

Boystown was a child pornography website run through the Tor network as an onion service. It launched in June 2019 and was shut down by authorities in April 2021. Four German administrators of the site confessed and were sentenced to long prison sentences in December 2022.

Hydra is a Russian language dark web marketplace, founded in 2015, that facilitated trafficking of illegal drugs, financial services including cryptocurrency tumbling for money laundering, exchange services between cryptocurrency and Russian rubles, and the sale of falsified documents and hacking services. On April 5, 2022, American and German federal government law enforcement agencies announced the seizure of the website's Germany-based servers and cryptocurrency assets. Before its closure, it had been the longest-running dark web marketplace. The United States Department of Justice has indicted one Russian man for his role in running the servers for the website.

Operation SpecTor was an operation coordinated by Europol, which involved nine countries, including the United States, Austria, France, Germany, and the Netherlands to disrupt fentanyl and opioid distribution. The operation targeted and took down the darknet market "Monopoly Market."

References

  1. McMillan, Robert; Viswanatha, Aruna (13 July 2017). "Illegal-Goods Website AlphaBay Shut Following Law-Enforcement Action". Wall Street Journal . Archived from the original on 24 September 2020. Retrieved 11 March 2018.
  2. Statt, Nick (14 July 2017). "Dark Web drug marketplace AlphaBay was shut down by law enforcement". The Verge. Archived from the original on 15 July 2017. Retrieved 11 March 2018.
  3. Greenberg, Andy (20 July 2017). "Global Police Spring a Trap on Thousands of Dark Web Users". WIRED. Archived from the original on 24 September 2020. Retrieved 3 March 2018.
  4. "Massive blow to criminal Dark Web activities after globally coordinated operation". 20 July 2017. Archived from the original on 24 September 2020. Retrieved 20 July 2017.
  5. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 "Forfeiture Complaint". Justice.gov. 20 July 2017. p. 27. Archived from the original on 23 September 2020. Retrieved 23 July 2017.
  6. Cox, Joseph (July 20, 2017). "Alleged Dark Web Kingpin Doxed Himself With His Personal Hotmail Address". Vice . Vice Media. Archived from the original on November 9, 2020.
  7. McCarthy, Kieren (July 20, 2017). "Alphabay shutdown: Bad boys, bad boys, what you gonna do? Not use your Hotmail..." The Register . Situation Publishing. Archived from the original on July 20, 2017.
  8. 1 2 3 "Dead Canadian fugitive lived in Thai luxury". Bangkok Post . July 14, 2017. Archived from the original on July 14, 2023. Retrieved October 15, 2021.
  9. Ngamkham, Wassayos (July 12, 2017). "Canadian drug suspect found hanged in cell". Bangkok Post . Archived from the original on July 14, 2023. Retrieved October 15, 2021.
  10. "RCMP's 'Dark Web' investigation leads to searches in Montreal, Trois-Rivières". Montreal Gazette . Postmedia Network. July 5, 2017. Archived from the original on July 5, 2017.
  11. Swenson, Kyle (July 18, 2017). "Suspected AlphaBay founder dies in Bangkok jail after shutdown of online black market". The Washington Post . Archived from the original on July 20, 2017.
  12. "Thailand seizes $21 million in assets from dead founder of dark net marketplace AlphaBay". Reuters . Thomson Reuters. July 24, 2017. Archived from the original on June 9, 2018.
  13. "Sessions on dark web Alphabay and Hansa shut down". BBC News . BBC. July 20, 2017. Archived from the original on July 23, 2017.
  14. "9 nations join probe into 'darknet' site". Bangkok Post . July 24, 2017. Archived from the original on July 14, 2023. Retrieved July 24, 2017. NSB poised to pounce on more suspects
  15. 1 2 3 4 5 6 7 8 "Operation Bayonet: Inside the Sting That Hijacked an Entire Dark Web Drug Market". Wired. 2018-03-08. Archived from the original on 2024-03-12. Retrieved 2024-03-12.
  16. Cox, Joseph (August 25, 2017). "This Is How Cops Trick Dark-Web Criminals Into Unmasking Themselves". The Daily Beast . Archived from the original on March 12, 2024. Retrieved March 12, 2024.
  17. pxx51092 (July 25, 2017). "DON'T open the xlsx locktime file, beacon image confirmed in it with Hansa's server IP address". reddit. Archived from the original on October 9, 2017.{{cite news}}: CS1 maint: numeric names: authors list (link)
  18. "Underground Hansa Market taken over and shut down". Politie (Dutch Police). 20 July 2017. Archived from the original on 21 July 2017. Retrieved 21 July 2017.
  19. Riggs, Mike (2017-07-26). "Five Lessons from the Hansa and AlphaBay Busts". Reason Hit&Run. Archived from the original on 2017-07-29. Retrieved 2017-07-26.
  20. Satter, Raphael; Bajak, Frank (2017-07-21). "Dutch 'darknet' drug marketplace shut down". Portland Press Herald. Archived from the original on 2017-07-22. Retrieved 2017-07-22.
  21. DeepDotWeb (31 October 2016). "Dutch National Prosecution Service and police launch Hidden Service in global Darknet enforcement operation". Archived from the original on 1 November 2016. Retrieved 26 July 2017.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.