Being one of the largest darknet marketplaces at the time of takedown, Hansa enjoyed a fair share of market vendors and customers.
Even so, its magnitude was much smaller than that of AlphaBay, which was the most massive and widely used market until it was shut down last summer around the same time as the Hansa takedown.
Hansa was running its business as usual until it was taken down by the Dutch authorities in 2017 with the help of international enforcement agencies. In the days and months before the market went down, the authorities made a series of efforts to gain control of the site by seizing its servers.
The market was said to have offered 24,000 drug products from 3,600 dealers who shipped worldwide to different customers. But its operations were brought to a dramatic end by special agents from the Netherlands National High Tech Crime Unit (NHTCU) who took part in the investigation.
This particular darknet market takedown was an international matter of interest to many other countries. The 10-month investigation brought to book two administrators who operated from Germany, with their servers located miles away from their residence.
What the investigators were after was not just a takedown but a takeover intended to humiliate darknet users. In their understanding, if they took full control of the market before the takedown, the level of trust in the darknet market would fall drastically, and at the same time they would gain a better understanding of the market’s operations.
Operation Bayonet was one of the most successful operations in the history of darknet market takedowns; before it, the Silk Road case was seen as the high point of that fight. Since then, more markets have risen and kept the game going as customers and vendors continue their activities.
How It All Started
It was back in 2016 when Hansa Market was thriving in its business across Europe and beyond. Dutch law enforcement was searching for Hansa’s servers in order to take the market down and stop the drug sales the site facilitated.
One cybersecurity researcher believed he had found the primary servers belonging to Hansa Market. He tipped off Dutch law enforcement that he had found the servers in the Netherlands data center of a web hosting firm.
According to one of the officers from the NHTCU, the security expert’s suspicion turned out to be a lead to the Hansa servers in the Netherlands. On further investigation, the security team in the Netherlands, in cooperation with colleagues from Germany, found that the servers were being used to test new features before they were deployed on Hansa Market.
All of this took place in the preliminary stages, without the real administrators noticing any police involvement. The same Netherlands firm hosted the actual Hansa site, but in another location and behind Tor.
The officers explained that they ordered the firm to install network monitoring equipment, which allowed them to monitor all traffic on the system remotely.
Data collected by the equipment helped the Dutch-led team discover that the development server was connected to a Tor-protected server which hosted the real Hansa. One Netherlands National High Tech Crime Unit investigator who worked on the case explained that they made a copy of all the servers they had access to, which contained transaction data along with the conversations of the two Hansa admins.
During that time, no Hansa vendor or customer was affected by the ongoing investigation, since their accounts were accessed over Tor-protected links under pseudonyms.
The police continued analyzing the content of the servers in search of a clue that might lead them to the next step. Luckily, one of the Germany-based servers contained almost all of the chat logs of the two alleged administrators.
To their surprise, they were able to see the full name and home address of one of the administrators, which was a significant breakthrough in the case.
The hunt to apprehend the pair of administrators, without alerting their site moderators, then began.
The Manhunt
Now that the officers in charge of the case had a clear picture of the whereabouts of the Hansa administrators, the manhunt began immediately.
One of the Hansa administrators lived in Siegen and the other in Cologne.
Dutch police contacted their counterparts in Germany to arrange the arrest of the two suspected administrators. To their surprise, the two Hansa administrators were already on the German police’s radar for allegedly running an online site (lul.to) that sold pirated ebooks and audiobooks.
This gave Dutch law enforcement the idea of arresting the two suspects not as Hansa operators but as operators of the lul.to site. That would provide an excellent cover for their plan, letting it roll out as intended without alarming Hansa users and giving the Dutch time to migrate the market to new servers under their full control.
As the NHTCU pressed on with its plan to take over the administration of Hansa Market, keeping a close eye on the servers, a setback hit.
Unexpectedly, the Hansa servers went silent, leading the officers to believe their cover had been blown. How it happened remains a mystery to the officers; the only explanation they could offer was an error made while copying the server’s data, which may have tipped off the two administrators.
Hansa Market had been migrated from its initial servers to another Tor-protected server, its location once again anonymous. This left the Dutch authorities with no option other than to arrest the two suspects to assist in the investigation.
In the following months, the Dutch officers kept analyzing the data collected initially to help them locate the new server without raising alarm. This allowed Hansa Market to continue its business as usual, selling illegal goods and drugs.
As time went by and months passed without a breakthrough in the case, options started running thin. This gave the Dutch-led team sleepless nights as they tried to catch up with the two Hansa administrators.
But in April of 2017, they got another breakthrough in the hunt for the two Hansa admin suspects. It was observed that they had made a Bitcoin payment from an address that appeared in the IRC chat logs originally recovered from the servers.
With this in hand, the law enforcement team used the blockchain analysis software Chainalysis to trace the funds. It was discovered that the funds had been sent to a Bitcoin payment provider in the Netherlands.
This prompted the police to demand more information about the transaction from the firm. They learned that the payment had been made to a hosting firm in Lithuania, which had not been on their radar in the investigation.
The police agents now had a path to follow. Leaving nothing to chance, they started their investigation into the Lithuanian firm. This would provide the footing for the investigators to take full control of the darknet market.
While the Dutch police were trying to collect more data on the Hansa servers, the U.S. Federal Bureau of Investigation contacted them. The FBI was investigating another darknet market, AlphaBay, and had located its servers.
AlphaBay was then the largest market in operation, and having the FBI’s help was a plus in the effort to bring down Hansa Market.
Since the FBI was closing its case on AlphaBay, that market’s closure would cause a lot of customers to migrate to the next big market, which was Hansa, catching more drug vendors in the process.
The Dutch had to move fast and be careful not to compromise their undercover operation. As the FBI finalized its AlphaBay case, the Dutch began their investigation into the Lithuanian data center.
Two months passed, and on June 20 the Germans went ahead and arrested the two Hansa administrators, whose home addresses they had. The plan was a raid that would catch them with their computers on and their storage unencrypted, which would greatly assist the Dutch in completing the takeover.
The Germans immediately signaled Dutch law enforcement to go ahead with migrating the Hansa servers, which would then be entirely under Dutch control.
As the two NHTCU officers leading the team explained, no downtime on the market was expected, as the transition would be smooth and coordinated.
With the two suspects in German custody, intensive interrogation was conducted until they surrendered their Hansa credentials. They also gave up details of their Tox communications, the channel used between the two administrators and their four site moderators.
It took only three days to migrate the servers and complete the takeover without arousing Hansa customers’ suspicions.
The Death Trap
With everything now under police control, it was showtime.
Their experts started rewriting the site’s code to serve the investigation, including collecting details of vendors and customers.
They altered the functions that encrypted messages with users’ PGP keys so that the message data could be saved before it was encrypted.
This would enable them to monitor communication between vendors and their customers and possibly capture shipping addresses that could later be used to locate them.
Since the website had also been set up not to take or store image metadata, the officers changed the code to capture it. Metadata could give them the time and location at which an image was taken.
This prompted them to remove the drug images on the site so that vendors would have to upload new pictures, from which the details were captured. The deletion of all the pictures in vendors’ accounts was taken for a code error, so the activity raised no suspicion.
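As an added example of what the two paragraphs above turn on (not code from the article or from the investigators), here is a minimal Exif reader in the Python standard library that recovers the capture timestamp and GPS position a photo can carry; the JPEG it parses is constructed inline with made-up coordinates, and the tag numbers it reads (0x0132 DateTime, 0x8825 GPSInfo, GPS tags 1 to 4) are the standard Exif ones.

```python
import struct
def build_sample() -> bytes:  # constructed sample JPEG, not from the article; coordinates made up
    ent = lambda tag, typ, cnt, val: struct.pack("<HHI", tag, typ, cnt) + val  # one 12-byte IFD entry
    rat = lambda *p: b"".join(struct.pack("<II", n, d) for n, d in p)  # RATIONAL triplets
    date = b"2017:06:20 09:30:00\0"
    date_off = 8 + 2 + 2 * 12 + 4       # TIFF header + IFD0 with 2 entries
    gps_off = date_off + len(date)
    lat_off = gps_off + 2 + 4 * 12 + 4  # GPS IFD with 4 entries
    ifd0 = (struct.pack("<H", 2) + ent(0x0132, 2, len(date), struct.pack("<I", date_off))
            + ent(0x8825, 4, 1, struct.pack("<I", gps_off)) + b"\0\0\0\0")
    gps = (struct.pack("<H", 4) + ent(1, 2, 2, b"N\0\0\0") + ent(2, 5, 3, struct.pack("<I", lat_off))
           + ent(3, 2, 2, b"E\0\0\0") + ent(4, 5, 3, struct.pack("<I", lat_off + 24)) + b"\0\0\0\0")
    tiff = (b"II*\0" + struct.pack("<I", 8) + ifd0 + date + gps     # 52°22'23"N, 4°53'32"E
            + rat((52, 1), (22, 1), (2300, 100)) + rat((4, 1), (53, 1), (3200, 100)))
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + b"Exif\0\0" + tiff + b"\xff\xd9"
SIZES = {2: 1, 4: 4, 5: 8}  # bytes per element for the TIFF types decoded below
def _find_exif(jpeg: bytes) -> bytes:  # walk the JPEG marker segments to the Exif APP1 payload
    pos = 2  # skip SOI
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, seglen = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and body.startswith(b"Exif\0\0"):
            return body[6:]  # the TIFF structure holding the IFDs
        pos += 2 + seglen
    raise ValueError("no Exif APP1 segment")
def _read_ifd(tiff: bytes, off: int, e: str) -> dict:  # one IFD -> {tag: decoded value}
    decode = {2: lambda r: r.rstrip(b"\0").decode("ascii", "replace"),         # ASCII
              4: lambda r: struct.unpack(e + "I", r)[0],                       # LONG
              5: lambda r: [n / d for n, d in struct.iter_unpack(e + "II", r)]}  # RATIONAL
    out = {}
    for i in range(struct.unpack(e + "H", tiff[off:off + 2])[0]):
        p = off + 2 + 12 * i
        tag, typ, cnt = struct.unpack(e + "HHI", tiff[p:p + 8])
        if typ in decode:  # values of up to 4 bytes sit inline, larger ones at an offset
            size = SIZES[typ] * cnt
            vo = p + 8 if size <= 4 else struct.unpack(e + "I", tiff[p + 8:p + 12])[0]
            out[tag] = decode[typ](tiff[vo:vo + size])
    return out

def extract_capture_info(jpeg: bytes) -> dict:  # capture time and decimal GPS position
    tiff = _find_exif(jpeg)
    e = "<" if tiff[:2] == b"II" else ">"  # byte order declared by the TIFF header
    ifd0 = _read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
    info = {"datetime": ifd0.get(0x0132), "lat": None, "lon": None}
    if 0x8825 in ifd0:  # GPSInfo pointer to the GPS sub-IFD
        gps = _read_ifd(tiff, ifd0[0x8825], e)
        dms = lambda v, ref: (v[0] + v[1] / 60 + v[2] / 3600) * (-1 if ref in ("S", "W") else 1)
        info["lat"], info["lon"] = dms(gps[2], gps[1]), dms(gps[4], gps[3])
    return info
```

On an image whose Exif segment has been stripped the function raises ValueError, which is the state a sanitizing upload pipeline leaves every picture in.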
In another daring move, the NHTCU got Hansa users to download a beacon file that would reveal their real IP address. The file was a modified version of one that the original administrators had provided as a backup key, meant to help users recover their Bitcoins in case the site was taken down.
The trap caught almost 64 sellers unawares; they opened the file on their computers, giving the Dutch an edge in arresting more drug traffickers.
All along, the “Hansa administrators” were on good terms with their moderators, and business was thriving.
The Dutch specialists studied the two suspects’ conversations so they could keep up the market’s service, settling the disputes that would usually be handled by moderators. Everything went as planned, and with the takeover complete, the takedown was nearing.
With the service running well, people kept registering new accounts, and with the FBI having taken down AlphaBay, a large influx of new users was expected. As expected, more than 5,000 new users registered per day, more than five times the normal rate.
Things were already bad for dark web users who had lost their money in the AlphaBay seizure, and a bigger bombshell awaited them in the Hansa takedown. The Dutch shared their findings with Europol to facilitate the arrest of the drug traffickers.
A lot of drugs and other illegal products were sold on the market under police surveillance; the only product banned was fentanyl.
After 27 days of intensive surveillance, the Dutch decided to shut down the site, since they had obtained almost everything they wanted. They replaced the site with a notice that law enforcement had seized the market, along with a message to darknet market users warning that the authorities were attentive to their activities.
After the closure of the market, the Dutch police were able to get data on more than 400,000 users, which provided information on more than 10,000 home addresses that could be used to locate them.
With the help of Europol, the Dutch agents behind the case said they were able to arrest many drug traffickers, both vendors and customers. The Dutch police were also able to seize more than 1,000 Bitcoins belonging to vendors and customers in the market.
The two NHTCU agents say they have arrested one high-volume buyer and are warning others to stop the illegal business, as they are under surveillance.
The takedown of Hansa Market had a significant impact on users, who remain wary of registering on and using darknet-based markets.
Other means of communication, like direct messaging over ICQ, Jabber, and others, have since been adopted by drug vendors and their customers.
Latest posts by Steve (see all)