
Seize and Desist?

The State of Cybercrime in the Post-AlphaBay and Hansa Age

Authors: Rick Holland, Rafael Amado, Michael Marriott


Seize and Desist? The State of Cybercrime in the Post-AlphaBay and Hansa Age · www.digitalshadows.com 1
Table of Contents

Executive Summary (page 3)
A Fork in the Road: The three possible routes in 2017 (page 4)
Missed Opportunity: Existing markets are failing to capture market share (page 5)
Barriers to Entry: The limited emergence of viable new markets (page 7)
  Hidden costs to running a marketplace (page 7)
  Getting it right takes time (page 7)
Adapt or Fail: Increased adoption of alternative techniques and technologies (page 8)
  Blockchain: Steady but not explosive growth (page 9)
  New measures to improve site security (page 10)
  Trading Channels: Alternative communication networks gaining traction (page 11)
Out of Sight, But Not Out of Mind: Risks remain for businesses and consumers (page 13)

Executive Summary

When law enforcement announced the seizure of AlphaBay in July 2017, the United States Attorney General Jeff
Sessions described the operation as:

“one of the most important criminal investigations of the year…because of this operation, the American people are safer
– safer from the threat of identity fraud and malware, and safer from deadly drugs.” 1

The timing and coordination of the law enforcement operation, known as Operation Bayonet, was a clear success and
has contributed to multiple subsequent arrests.2 Almost one year later, the marketplace model appears to be in decline,
but the risks to businesses and consumers have not subsided. Instead, this paper demonstrates that cybercriminals have
taken to incorporating new processes, technologies, and communication methods to continue their activities.

• AlphaBay left a gap, albeit not as large as we may have assumed. Despite boasting over 40,000 vendors
and an estimated $1 billion in trade, AlphaBay was just one player within a much broader ecosystem.
Russian-speaking cybercrime, in particular, has been largely undisrupted.

• Existing marketplaces have failed to capitalize on the gaps. Within the English-speaking underground, the
Dream and Olympus markets have fallen short of satisfying the demands that AlphaBay once catered to.

• There are barriers to entry for new markets. Despite the residual demand for the services AlphaBay
provided, there are significant barriers to entry for people wanting to set up their own marketplaces. While it is
relatively easy to set up a marketplace, there are challenges with fostering trust amongst users, as well as hidden
monthly running costs.

• Blockchain experiences steady growth. Well-known criminal sites, such as Joker‘s Stash, have adopted
blockchain hosting. Another market using this decentralized technology, OpenBazaar, has experienced a growth
of four thousand new users in the last four months. Adoption of this technology is still in its infancy, but this is one
to look out for in future.

• Cybercriminals have increasingly shifted towards peer-to-peer networks and chat channels. Over the
last six months, we’ve observed over 5,000 Telegram links shared across criminal forums and dark web sites, of
which 1,667 were invite links to new groups. To a lesser extent, Discord is also being embraced by cybercriminals,
with 743 invites observed across criminal forums and dark web sites across the last six months. This retrenchment
away from the centralized marketplace in favor of a more diffuse model has been an ongoing trend that pre-dates
Operation Bayonet.

• Risks remain for organizations and consumers beyond the marketplace. There are four areas of concern
that are still present in the cybercriminal ecosystem despite the demise of AlphaBay and Hansa: 1) payment card
fraud, 2) account takeover, 3) counterfeits, and 4) insider threats.

A Fork in the Road
The three possible routes in 2017
For the English-speaking community, the seizure of AlphaBay and Hansa in Operation Bayonet meant tens of
thousands of vendors and buyers had to look elsewhere to continue conducting their business. At the time of
AlphaBay’s disappearance in early July 2017 - when conflicting rumors of exit scams, site technical problems, and law
enforcement action crippled online discussion boards - we assessed that the post-AlphaBay future could take one of
three forms3:

1. An older, established market would replace AlphaBay. Historically, when popular marketplaces
disappear, users simply migrate to other well-known sites. The effects of law enforcement action are therefore
relatively short-lived, becoming a game of “whack-a-mole” where cybercriminals are always one step ahead.

2. A new marketplace would emerge from AlphaBay’s ashes. Some users were so fond of their former
haunt that they tried to form a new iteration of the site called GammaBay. Others suggested forming a new
site altogether. However, creating and maintaining a new marketplace is fraught with difficulties. Fostering
trust among a cybercriminal community that has grown increasingly nervous and skeptical of law enforcement
honeypot sites is a major challenge. Another barrier is the cost associated with building and operating an online
marketplace. Buyers and sellers are discerning, and sites like AlphaBay and Hansa need dedicated
administrators, support personnel, and technical knowledge to deliver the level of service required to be
successful.

3. Users would abandon the marketplace model and look for alternative solutions. Conducting online
transactions on underground marketplaces has always entailed a high degree of risk. Site owners often perform
exit scams and steal funds from customers, sellers sometimes renege on their promises, and the threat of law
enforcement always looms large. The AlphaBay and Hansa takedown revelations served to further disillusion
a large section of the cybercriminal community. This strengthened calls for new technologies and processes,
including increasing security and anonymity through the direct peer-to-peer (P2P) communication already
favored on more specialized forums, or enforcing more stringent vetting procedures for new members. Some
even entertained ideas of a more radical, fully-decentralized marketplace model, manifested in sites such as
OpenBazaar.

Almost one year since the AlphaBay and Hansa takedowns, no single marketplace has risen to the top, at least among
the English-speaking community. Mistrust and fear are rife, and this has, in part, prevented a new marketplace
(the second scenario) from flourishing. While some users have pined for the decentralized marketplace model, the
cybercriminal community has instead focused its efforts on decentralizing by conducting transactions across a variety
of chat and messaging networks, while also adapting their technologies and processes to increase the security,
reliability, and trust of existing sites. This retrenchment away from the centralized marketplace in favor of a more
diffuse model has been an ongoing trend that pre-dates Operation Bayonet. With no major alternative to AlphaBay
and Hansa, increasing numbers of users are turning to these alternative platforms.

Missed Opportunity
Existing markets are failing to capture market share
At first it seemed to be business as usual; former AlphaBay vendors quickly began advertising their products on
other markets such as Hansa and Dream. The conversation quickly turned to which of these two sites would assume
AlphaBay’s mantle. However, Operation Bayonet’s clever use of Hansa to lure and capture AlphaBay “refugees” made
the online community very jittery. Rumors soon began flying about other potential law enforcement-controlled dark
web sites. Dream Market was a particular concern. Users were alarmed at the suspiciously low amount of downtime
experienced by the site, and many suspected it was in the hands of the police (Figure 1).

Figure 1: A post on reddit from 20 July 2017 claiming Dream Market was being operated by law enforcement

Although Dream Market may have seemed to be the natural successor to AlphaBay and Hansa, a combination of
poor user experience, uncommunicative administrators, and fear of law enforcement means the site has failed to
capture market share. Claims by users that their funds have disappeared, and the memory of Operation Bayonet, have
diminished trust in the site. As one user stated, while Dream is still live, it’s more of a “zombie” market: “the body is alive,
but the brain is dead and gone” (Figure 2).

Figure 2: A post on the Olympus dark web market’s forum section


Olympus marketplace
Since February 2018, a relatively new site known as “Olympus” showed real promise of cementing itself as the most
popular dark web market (Figure 3). Its pleasing pastel color scheme, easy to navigate user interface, and
implementation of Monero cryptocurrency payments meant it developed a strong reputation. Trust, however, is a
fragile thing, and a miscalculation by the Olympus administrator saw the site’s reputation crumble in an instant.

On April 23, 2018 Olympus’ administrator claimed they were in the process of hacking Dread (Figure 4). Dread is – or
at least was – a reddit-style community run by a user (HugBunter) who was infamous for pointing out security flaws in
other dark web marketplaces.4

Figure 3: A screenshot of the Olympus market

Figure 4: A post on Olympus market’s forum section

This was not a “hack” in the traditional sense. Instead, the Olympus administrator allegedly acquired access to the
Dread servers from an insider. What was significant about this incident was that the user community of Dread rallied
behind HugBunter, with the consensus being that Olympus was in the wrong and Dread was the innocent victim.
In the end, the moderators of Olympus issued an apology to the Dread administrators for their actions. Tellingly,
Olympus was aware of the damage it had caused to its own reputation, stating that it “will hire a good PR within the
next few days.”

Just as with legitimate businesses, a positive public image is important to drive revenue. At the time of writing,
Olympus was no longer accessible, and another potential successor to AlphaBay and Hansa seems to have bitten the
dust.

Barriers to Entry
The limited emergence of viable new markets
The Olympus saga is a timely reminder of how trust can
make or break a marketplace. Prospective customers
fear exit scams, law enforcement stings, and unreliable
vendors. Therefore, overcoming trust is a significant
barrier to any new player in the marketplace game. But
it’s not the only hurdle.
Figure 5: A post on Nethingoez from May 2018

Hidden costs to running a marketplace

At the time of AlphaBay’s seizure, there were 40,000 vendors on the site. The beauty of their eBay-style model was
that many vendors who were unable to run and manage their stores could list their items for free. AlphaBay would
take a 2-4% commission on these transactions in return. With an estimated $1 billion in trade across their vast
userbase, this was enough revenue to pay staff; cover web development; bullet-proof hosting; distributed denial of
service (DDoS) protection; run a bug bounty program;5 and have a healthy profit remaining.

For those looking to create their own marketplace, these features and services are all readily available online, but
they come at a cost both in terms of time and money. Even setting up and running a relatively rudimentary dark web
market does not guarantee profit or success. The following taxonomy illustrates the set-up, monthly, and annual costs
of a basic dark web marketplace, based on the price of services widely advertised online. This financial burden is often
borne out across criminal forums, with administrators seeking new ways to drive profitability. Users, like in Figure 5,
are creating new membership packages to keep their sites operational and avoid going under. Running a marketplace
is not as straightforward as some may assume.

Getting it right takes time

With the burdens of trust and profitability clear, it often takes time for viable markets to establish themselves. One
market that looks well placed to overcome these burdens is market[.]ms. This site (Figure 6), run by founders of the
prestigious exploit[.]in forum, has been in development since 2015. The exploit forum already has the reputation and
the trust among the cybercriminal community to make it a success. However, the current beta mode has a relatively
small userbase (just 451 members and 79 items for sale), and is still not fully developed. This shows that a successful
marketplace cannot be created overnight.

Figure 6: The market[.]ms marketplace

Adapt or Fail
Increased adoption of alternative techniques and technologies

With dark web markets struggling to fill the void left by AlphaBay and the high barriers to entry for establishing
new marketplaces, the trend has been for users to retreat back to more specialized forums. Even before Operation
Bayonet, there have been other forums specifically dedicated to hacking and security, which often act as a platform
for trade. Sites like CrimeNet, HPC, and Exploit[.]in contain many examples of threat actors offering products such as
ransomware variants, exploit kits, compromised accounts, and payment card data. These sites work on a direct transfer
system where vendors and customers will communicate directly to arrange payment, often through messaging
services such as Jabber. Sellers advertise their products on these forums, and then direct users to dark web sites or
private channels to arrange payment. Since the takedowns of AlphaBay and Hansa, administrators of these forums
have been incorporating alternative technologies and processes for added security and trust among users. These four
are blockchain DNS, user vetting and site restrictions, domain concealment, and migration to chat and peer-to-peer
networks.

Blockchain DNS

User vetting and site access restrictions

Domain concealment

Migration to chat and P2P networks


Blockchain: Steady but not explosive growth

In July 2017 the Joker’s Stash (Figure 7), a popular Automated Vending Cart (AVC) site offering stolen payment card
details, shifted from a Tor domain to a decentralized Blockchain domain name system (DNS). As well as a .onion
domain, Joker’s Stash now hosted a .bazar domain that required users to install a Blockchain DNS browser extension
or add-on. The site was not the first to implement decentralized DNS – a group called The Money Team also created
a .bazar domain in January 2016.

Figure 7: A screenshot of Joker’s Stash

Stolen account stores and AVCs have been experimenting with peer-to-peer DNS technology as a way of hiding their
malicious activity and bullet-proofing their offerings. As Blockchain domains do not have a central authority, and
registrations contain a unique encrypted hash of each user rather than an individual’s name or address, it is much
harder for law enforcement to take down criminal sites.

More than simply combatting law enforcement action, Blockchain technology has allowed users to imagine alternative
models for decentralized marketplaces – the site known as Tralfamadore being a notable example already in operation.
Blockchain serves as the back-end for Tralfamadore, storing the necessary databases and code to support front-end
user interfaces. All transactions are made using cryptocurrency and recorded as smart contracts on the blockchain.
This addresses problems with user trust; if all transactions are permanently and immutably recorded, vendors who
attempt to scam other users can be more easily identified.6

Despite this promising model, Tralfamadore has failed to attract a significant user uptake. A similar story occurred
with another blockchain market, OpenBazaar, where its userbase has increased steadily but not spectacularly in 2018
(Figure 8). While it’s too early to burst the blockchain bubble, its adoption has been limited outside of a few AVCs
such as Joker’s Stash and has not been the solution many were seeking.

Figure 8: OpenBazaar growth of items for sale and users, February-June 2018


New measures to improve site security


There have been changes to processes too, with criminals having to find ways to balance the advantages of promoting
and publicizing a store with retaining good operational security. One way of achieving this is to advertise the store
without revealing the domain. A recent example of this is the Genesis Market,7 an emerging criminal market that
provides more effective ways to impersonate a victim’s browser activity, focusing on individual bots rather than huge
botnets, and monetizing them in a completely different way. This store only shares the site’s URL with prospects via
private message.

Another challenge for site operators is how to vet and limit your userbase to ensure only reputable and genuine users
have access. Operation Bayonet has made forum users hyper-sensitive to the threat of law enforcement posing as sellers.
One increasingly popular form of site regulation within these communities has been the creation of a forum lifecycle.
This is a process of limiting new users’ access to a forum through mechanisms such as posting limits and area access
restrictions. For the latter, newer users might require a certain level of positive feedback from other members to progress
to certain areas of the site.

Alternatively, they may need to pay for a premium subscription, or have multiple invitations or referrals from established
members. In addition to reducing the likelihood of potentially subversive users from infiltrating the site, these
mechanisms also have a strategic objective: by establishing a hierarchy, older, more established users can post more,
and hence sell more to maintain their ‘top vendor’ status.

Trading Channels: Alternative communication networks gaining traction


One of the most noteworthy shifts since Operation Bayonet has been that cybercriminals have largely reverted to chat
networks to conduct their trade. Often sellers will advertise their service or product on a particular forum, but rather
than communicate directly with sellers on the forum or through its private messaging service, buyers are encouraging
interested parties to reach out to them directly on alternative chat networks and messaging platforms. The primary
channels are Telegram, Discord, Skype, Jabber, and IRC. With buyers and sellers spread widely across an increasingly
decentralized community, the belief is that it will be more difficult for law enforcement operations such as Operation
Bayonet to succeed again, which was facilitated by having users congregated into a single, central location such as a
marketplace.


Telegram
We’ve observed a notable increase in the use of Telegram, with over 5,000 Telegram links shared across criminal
forums and dark web sites over the past six months. Of these, 1,667 were invite links to new groups. These covered a
range of services, including cashing out, carding, and crypto currency fraud.

Within these Telegram channels, sellers post advertisements of their products and services as they would normally
do on a marketplace or forum (Figure 9). Buyers can then contact the seller directly in a private chat message and
conduct the transaction using cryptocurrencies or electronic payment services.

One such example is the OL1MP marketplace (Figure 10), a Telegram-based marketplace that provides cashing out
services. Cashing out is a way to monetize stolen payment card information. Users can easily select the type of good
or service, like drugs or vacations, they wish to purchase with their stolen cards.8

OL1MP ties in this automated effort with a human touch. As with most marketplaces, reviews are important for
attracting new customers. In fact, extra discounts are available for those individuals who post pictures and positive
comments from their carded vacations.

Figure 9: Two examples of Telegram channels used to buy and sell compromised accounts and payment cards

Figure 10: The OL1MP Telegram market, with options “About the project, Escrow, Dope Shops, Services, Holidays, Taxi”


Discord
The sentry[.]mba forum has also joined this move to
new platforms. This forum was a popular site for users
looking to purchase proxies and configuration files for
Sentry MBA, a popular credential stuffing tool favored by
cybercriminals. For several months, the site made use of
a new Discord channel, providing a better user interface
and automated bots to make transactions easier.

Discord channels have not had quite the same pickup as Telegram – we observed 743 invite links across criminal
forums and dark web sites over the last six months. There are added challenges for cybercriminal sites looking to
use Discord: in March 2018, Sentry MBA had their Discord server deleted (Figure 11), forcing them to set up a new
server that only became operational in late May 2018 (Figure 12).

Figure 11: A tweet by Sentry MBA demonstrating the difficulties of using Discord for criminal purposes.

Figure 12: Sentry.MBA forum’s latest Discord channel released

Out of Sight, But Not Out of Mind
Risks remain for businesses and consumers
As it stands, the marketplace model appears to be in decline, but it would be naive to assume that law enforcement
efforts such as Operation Bayonet have drastically reduced cybercriminal risks to both businesses and consumers.
Instead, as recent developments have shown, cybercriminals have taken to incorporating new processes, technologies
and communication methods to continue their operations. Cybercrime will find a way.

To better understand the risks to businesses and consumers, it’s important to consider the types of data and services
advertised within dark web markets and forums, and how cybercriminals are adapting so that they can continue
making profit. Aside from offering drugs and weapons, cybercriminal marketplaces also facilitated the trade of
payment card data, counterfeits, compromised accounts, and insider threat information. With the shift towards new
processes, technologies, and communication methods, cybercriminals have increasingly taken to using specialist sites
and forums (for example AVCs, carding, and hacking forums) to advertise their services, before conducting
transactions on private communication channels. Moreover, we’ve noticed an increase in cybercriminals using Telegram
and Discord channels as standalone platforms to advertise their products, connect buyers and sellers, and facilitate
payment.

For businesses and consumers, preventing your data from circulating within the cybercriminal ecosystem is a major
challenge. The increased security mechanisms and technologies now add further hurdles. Nevertheless, here are four
general tips that can help reduce the chances of your data falling into unsavory hands:

Know where your most sensitive data resides, and then understand how a cybercriminal would monetize that data.
With this baseline understanding, you can move on to the following steps:

1. Monitor the open, deep, and dark web for mentions of your business, brand, or personal information.

2. Increase your monitoring to cover peer-to-peer platforms and messaging channels that are increasingly being
used by cybercriminals.

3. Use unique and strong passwords on your most sensitive or personal accounts, and enable multifactor
authentication to prevent account takeovers.

4. Don’t forget about third parties. Contractors and suppliers with privileged access to your sensitive information
are also a weak point. Monitor and secure your supply chain networks in the same way you would your own
employees and assets.
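As an added example (not from the report or its authors), the following Python script implements the kind of monitoring that tip 2 calls for and reproduces the report's own metric of Telegram and Discord invite links shared across forum posts. The sample posts are constructed, and the link patterns are assumptions based on the public URL formats of the two services.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample posts (not real forum content): each mimics an advert
# that points buyers to a Telegram group or Discord server. Some links are
# written in the report's defanged style (hxxp, [.]) on purpose.
SAMPLE_POSTS = [
    "Selling fullz, contact me on hxxps://t[.]me/joinchat/AAAAAEx4mpl3 "
    "or t.me/cardshop_official",
    "New group: https://t.me/+Qw3rtY_invite and our discord server "
    "https://discord.gg/ab12CD",
    "Escrow via https://t.me/joinchat/AAAAAEx4mpl3 (same as before). "
    "Old server: https://discordapp.com/invite/ab12CD",
    "No links here, just PM me on jabber",
]

# Telegram: invite links look like t.me/joinchat/<hash> or t.me/+<hash>;
# anything else under t.me/ is a public channel, group or user name.
TELEGRAM_RE = re.compile(
    r"(?:https?://)?(?:www\.)?(?:t\.me|telegram\.me)/"
    r"(?P<path>joinchat/[A-Za-z0-9_-]+|\+[A-Za-z0-9_-]+|[A-Za-z0-9_]{5,})",
    re.IGNORECASE,
)
# Discord: every discord.gg/<code> or discord(app).com/invite/<code> is an invite.
DISCORD_RE = re.compile(
    r"(?:https?://)?(?:www\.)?(?:discord\.gg/|(?:discord|discordapp)\.com/invite/)"
    r"(?P<code>[A-Za-z0-9-]+)",
    re.IGNORECASE,
)

KINDS = ("telegram_invite", "telegram_public", "discord_invite")


def refang(text: str) -> str:
    """Undo common defanging conventions (hxxp, [.], (.)) so links match."""
    text = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    return text.replace("[.]", ".").replace("(.)", ".")


def extract_links(text: str) -> List[Tuple[str, str]]:
    """Return (kind, identifier) pairs for every Telegram/Discord link in text.

    Invite hashes and Discord codes are case-sensitive and kept as-is;
    public Telegram names are case-insensitive, so they are lowercased.
    """
    text = refang(text)
    found: List[Tuple[str, str]] = []
    for m in TELEGRAM_RE.finditer(text):
        path = m.group("path")
        if path.lower().startswith("joinchat/") or path.startswith("+"):
            found.append(("telegram_invite", path))
        else:
            found.append(("telegram_public", path.lower()))
    for m in DISCORD_RE.finditer(text):
        found.append(("discord_invite", m.group("code")))
    return found


def summarize(posts: List[str]) -> Dict[str, Dict[str, int]]:
    """Count total and unique links per kind across a batch of posts.

    'total' mirrors the report's 'links shared' figure; 'unique' de-duplicates
    the same invite re-posted in several threads, which is what an analyst
    tracking newly created groups actually wants to watch.
    """
    totals: Counter = Counter()
    uniques = {kind: set() for kind in KINDS}
    for post in posts:
        for kind, ident in extract_links(post):
            totals[kind] += 1
            uniques[kind].add(ident)
    return {kind: {"total": totals[kind], "unique": len(uniques[kind])}
            for kind in KINDS}


if __name__ == "__main__":
    for kind, stats in summarize(SAMPLE_POSTS).items():
        print(f"{kind:16s} total={stats['total']} unique={stats['unique']}")
```

In practice the posts would come from a scraper or a ticketing feed; the unique counts are the ones to alert on, since a single invite is typically re-posted many times.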

End Notes

1. https://www.justice.gov/opa/pr/alphabay-largest-online-dark-market-shut-down
2. http://www.bbc.co.uk/news/uk-43965622
3. https://www.digitalshadows.com/blog-and-research/cybercrime-finds-a-way-the-limited-impact-of-alphabay-and-hansas-demise/
4. https://www.digitalshadows.com/blog-and-research/the-other-side-of-the-counter-ddos-social-engineering-spambots-and-insider-risks-to-criminal-locations/
5. https://www.cyberscoop.com/alphabay-bug-private-messages-darkweb/
6. https://www.digitalshadows.com/blog-and-research/the-future-of-marketplaces-forecasting-the-decentralized-model/
7. https://www.digitalshadows.com/blog-and-research/genesis-botnet-the-market-claiming-to-sell-bots-that-bypass-fingerprinting-controls/
8. https://www.digitalshadows.com/blog-and-research/ol1mp-a-telegram-bot-making-carding-made-easy-this-holiday-season/

About Digital Shadows
Digital Shadows provides insight into an organization’s
external digital risks and the threat actors targeting them.
Digital Shadows SearchLight™ service combines scalable
data analytics with human analysts to monitor for cyber
threats, data leakage, and reputation risks. Digital Shadows
continually monitors the Internet across the visible, deep and
dark web, as well as other online sources to create an
up-to-the minute view of an organization and provide it with
tailored threat intelligence. The company is jointly
headquartered in London and San Francisco. For more
information, visit www.digitalshadows.com.

London: Columbus Building, Level 6, 7 Westferry Circus, London, E14 4HD, +44 (0) 203 393 7001

San Francisco: 332 Pine St. Suite 600, San Francisco, CA 94104, +1 (888) 889 4143

info@digitalshadows.com

