sign in sign up
<<
Home , AlphaBay, Dark web, Dream Market, Evolution (marketplace), Hansa (market)

DARK WEB SOLUTIONS

EXAMINING THE EFFECTS OF OPERATION BAYONET ON

Rolf van Wegberg Thijmen Verburgh Jorrit van den Berg Mark van Staalduinen

RECENTLY, DURING OPERATION BAYONET TWO LEADING UNDER- With regard to the effects of operation GROUND MARKETS ON THE DARK WEB TOOK CENTER STAGE IN A Bayonet, three questions stand out: JOINT POLICING EFFORT OF THE FEDERAL BUREAU OF INVESTIGATION 1) How did the police carry out this innovative intervention? (FBI) AND THE NATIONAL HIGH TECH AND DARK WEB UNIT OF 2) Did it work? and THE DUTCH POLICE. IN A COORDINATED SWEEP, THE FBI SUCCEEDED 3) Was this all legal? IN THE TAKEOVER AND SUBSEQUENTLY TAKE DOWN OF ALPHABAY, WHILE THE DUTCH POLICE TOOK OVER, RAN AND SHUT DOWN Because more details are still coming MARKET. BY PLANNING THESE ACTIONS SEQUENTIALLY, THE POLICE to light about the operation itself, and AGENCIES EXPECTED CRIMINALS ACTIVE ON ALPHABAY TO MAKE THEIR ultimately the question on the legality of the operation will be put before the WAY TO HANSA MARKET – WHICH AT THAT MOMENT WAS OPERATED BY courts, we will focus on the second THE DUTCH POLICE. THIS PUT THE POLICE AGENCIES IN A PERFECT question: did it work? POSITION TO NOT ONLY DISRUPT THE ECOSYSTEM, BUT ALSO TO COLLECT VALUABLE DATA ON THOUSANDS OF USERS. DARK WEB SOLUTIONS

IN ONLY EIGHT MONTHS’ TIME DREAM MARKET NEARLY DOUBLED ITS USER BASE TO ALMOST 16000 USERS

Leveraging on the insights of previous intervention: lowering crime across the In a period of just eight months, take-downs - like 1.0 and 2.0 ecosystem. Police agencies seem Dream Market nearly doubled its user cases - we know that a typical result of a determined to break with this ‘tradition’ base to almost 16,000 users (Figure 2). take-down is that users ‘migrate’ to other and have changed their method of Looking at the timing, we can state that markets and carry on with their illegal intervention to tackle precisely this the steep influx of users in July was business operations. Researchers from unwanted side-effect. So, did it work? probably the direct result of Operation Carnegie Melon UniversityI (CMU) studied Bayonet – in which AlphaBay went down the overall trade-volume on other To observe the first effects of Operation on July 4th and Hansa Market was shut underground markets after both Silk Bayonet, we studied the user-base on down on July 20th – making Dream Market Road take-downs. Although the trade- another underground market: Dream the leading underground market. volumes changed, they increased instead Market. This Market was established at of decreased. Noteworthy are also the the end of 2013 and has grown steadily findings of sociologist Ladegaard,II who ever since, making it a perfect market for linked the media-attention to both our analysis. At the beginning of this year take-downs to this increased sales-vol- we recorded around 8,500 Dream Market ume. In conclusion, we can say that users. Up until July 2017 Dream Market take-downs often result in a so-called had about 20 new users per day. ‘waterbed-effect’ or a game of ‘Whack-a- That changed significantly from July Mole’. An intervention aimed at one part onwards, when Dream Market began of the underground market ecosystem, acquiring more than 60 new users per results in the growth of another part, day. On some days as many as 180 new without reaching the objective of the users registered (Figure 1).

NEW USERS PER DAY ON DREAM MARKET IN 2017

200 180 160 140 120 100 80 60 40 20 0

1 Jan 2017 1 Apr 2017 1 Feb 2017 1 Mar 2017 1 May 2017 1 June 2017 1 July 2017 1 Aug 2017

Figure 1 DARK WEB SOLUTIONS

USERS ON DREAM MARKET IN 2017

18000 16000 14000 12000 10000 8000 6000 4000 2000 0

Jan 2017 Apr 2017 Feb 2017 Mar 2017 May 2017 June 2017 July 2017 Aug 2017

Figure 2

However, looking at the number of users Figure 3 shows the breakdown of newly of AlphaBay – where, according the US registered vendors on Dream Market. Attorney-General Sessions over 40,000 There are two striking facts: 1) whilst vendors were selling to more than many vendors migrated from AlphaBay to 200,000 buyersIII - and Hansa Market Dream Market, almost none did so from prior to their takedown, certainly not all Hansa Market to Dream Market; 2) users ‘migrated’ to Dream Market. unexpectedly, many of the newly regis- Nevertheless, the increase of users is tered vendors were completely ‘new’ and consistent with earlier take-down effects. without any reputation or track-record. To properly assess the detailed effects of Operation Bayonet, we looked specifically When we look at the ‘migrated’ vendors, at the newly registered vendors on Dream so the 117 users that were active on Market (n=195), their background and AlphaBay, Hansa or even both, the whether or not they changed their question arises: Did they put any effort behaviour after the police operation. into evasive measures after both take-downs? After obtaining the usernames of the 195 vendors that registered on Dream Market between July 1st and August 15th, we used (a specific Dark Market ) to map specific character- istics of these vendors. Utilizing Grams, BREAKDOWN OF NEWLY REGISTERED VENDORS ON DREAM MARKET (N=195) we determined where the vendor ‘migrated’ from: AlphaBay, Hansa Market, both, or whether they migrated to Dream Market from another market. We also determined if the username of the vendor 9% was used before on underground markets, making this vendor to the 40% regular buyer look like a ‘new’ vendor NEW without any reputation. Next, we identi- fied vendors that changed usernames, HANSA (only) but stuck to their PGP-key, or that stuck ALPHABAY (only) to their username but changed PGP-keys. BOTH 50%

1%

Figure 3 DARK WEB SOLUTIONS maand 2017

BREAKDOWN OF EVASIVE STRATEGIES OF MIGRATED VENDORS TO DREAM MARKET (N=117)

26%

PGP-switch 26% OF USERS 54% Username-switch BOTH CHANGED NONE 14% THEIR PGP-

6% KEYS AND 14% CHANGED Figure 4 THEIR Figure 4 shows that more than half of a panicking community of users trying to USERNAMES the ‘migrated’ users did not take any start over, whether with a new username, noticeable evasive measures. However, a new PGP-key or a more thorough start we can see that 26% of users changed over altogether. their PGP-keys and 14% changed their usernames. As a username and PGP-key We can assess this scenario even further are valuable assets in an anonymized by looking at these elements of migration setting – like underground markets - pattern and evasion measures longitudi- users do not change PGP-keys or nally. By doing so, we can see if the usernames unless they really have to. behaviour of these vendors after the The number of evasive measures, AlphaBay take-down – where no police combined with the number of ‘new’ infiltration took place – differs from the vendors are a strong indicator that this Hansa takedown – where the police police intervention has achieved more infiltrated, disabled on than might be apparent at first sight, personal messages and could see when looking more closely at the influx of everything being said and done for three users to Dream Market. It hints towards weeks without arising any suspicion.

BREAKDOWN OF EVASIVE STRATEGIES OF MIGRATED VENDORS TO DREAM MARKET (N=117)

140 120 100 80 60 40 NEW 20 ALPHABAY 0 HANSA 2 Aug 2017 4 Aug 2017 6 Aug 2017 8 Aug 2017 1 July 2017 3 July 2017 6 July 2017 7 July 2017 9 July 2017 17 July 2017 27 July27 2017 July31 2017 25 July25 2017 21 July21 2017 15 July 2017 19 July 2017 11 July 2017 13 July 2017 13 July 2017 29 July 2017

Figure 5 DARK WEB SOLUTIONS

CUMULATIVE NUMBER OF EVASIVE MEASURES BY NEWLY REGISTERED VENDORS ON DREAM MARKET ON DATE (N=47)

30 25 20 15 10 5 PGP-switch 0 USERNAME-switch 6 July 2017 7 July 2017 2 Aug 2017 4 Aug 2017 6 Aug 2017 8 Aug 2017 9 July 2017 11 July 2017 13 July 2017 15 July 2017 17 July 2017 19 July 2017 21 July 2017 13 July 2017 25 July 2017 27 July 2017 29 July 2017 31 July 2017

Figure 6

Figure 5 shows the cumulative number When a vendor ‘starts over’ they lose of newly registered vendors during our their track-record, reputation and period of analysis in July and August. clientele. Like a Michelin star restau- Noticeably the influx of AlphaBay rant changing its name, location and ‘migrants’ stays relatively stable during phone-number: their business will the time-period described. However, the implode. number of ‘new’ vendors increases, whilst the number of Hansa migrants We have to see if the effects of this stagnates at the same time: immediately innovative intervention hold out in the following the Hansa Market take-down. long run, but for now the effects are This is accompanied by a complete remarkable in the light of earlier Dark standstill in newly registering vendors on Web-interventions. 22nd and 23rd of July. All this builds to a picture of a panicking community right after the Hansa take-down. TNO.NL This scenario is further supported by the evasive measures (Figure 6). Right after the Hansa takedown, the username- switch stagnates. In turn, vendors apparently take a more drastic measure: starting over.

In summary, we see the first signs of game-changing police intervention. Compared to both the Silk Road take- downs, or even the AlphaBay takedown, the Hansa Market shut down stands out in a positive way. Sharply contrasting the waterbed-effect of previous law enforce- I Soska & Christin (2015). Measuring the Longitudinal of the Online Marketplace ment efforts on underground market, Ecosystem, Proceedings of the 24th USENIX Security users do not just move along after the Symposium, https://www.usenix.org/system/files/ conference/usenixsecurity15/sec15-paper-soska- Hansa Market shutdown. Few simply updated.pdf ‘migrate’; whilst some take precautions II Ladegaard (2017). We Know Where You Are, What You Are like changing their username and/or Doing and We Will Catch You: Testing Deterrence Theory PGP-key, there are many that start over in Digital Drug Markets, The British Journal of TNO Criminology, https://doi.org/10.1093/bjc/azx035 completely. This may sound like a minor Rolf van Wegberg detail in such a complicated intervention, III https://www.justice.gov/opa/pr/ researcher -largest-online-dark-market-shut-down but the opposite is the case. E [email protected] 17-9099 aug 2017