
The Pantheon of the Darknet, or What Lies Ahead for the Deep Web After a Wave of Illegal-Market Closures
At the end of September, the US Department of Justice and Europol announced the successful completion of one of the largest operations in the history of combating crime on the darknet. In the course of it, American and European law enforcement arrested 179 suspected drug traffickers and seized $6.5 million in cash and in cryptocurrency.
The operation, code-named DisrupTor, involved authorities from the United States, Canada, the United Kingdom, Austria, Cyprus, Germany, the Netherlands, Sweden and Australia.
In addition to large sums of money, law enforcement seized more than 500 kg of illicit substances, including 111 kg of fentanyl. According to FBI Director Christopher Wray, this amount of fentanyl would be enough for about 5.5 million lethal doses.
Details and circumstances remain unclear, but according to the U.S. Department of Justice, this operation became possible thanks to the shutdown of the darknet marketplace Wall Street Market (WSM) in May 2019. After its liquidation, authorities obtained the data necessary to identify sellers.
The events around WSM became one link in a series of closures of a number of deep-web markets in recent years. The reasons for the shutdowns were linked not only to law-enforcement intervention but also to exit scams. Forklog recalls the most notable of these events.
Wall Street Market
In May 2019 Europol announced the completion of an operation conducted jointly by the Federal Criminal Police of Germany, the National Police of the Netherlands, the FBI, the US Department of Homeland Security and a number of other organizations.
Its result was the closure of WSM, whose user base numbered 1.15 million people, of whom 5,400 were listed as sellers of illegal substances, stolen data, counterfeit documents and malware. On the WSM site there were 63 thousand listings, making it one of the largest of its kind.
During the operation, German authorities conducted three arrests and seized €550,000 in cash, a six-figure sum in Bitcoin and Monero, several vehicles, computers, hard drives and other physical evidence.
At the same time Europol reported the closure of the platform Silkkitie (Valhalla), which was based in Finland and had been operating since 2013. Some of its users moved on to other markets, including WSM. In the liquidation of Silkkitie, authorities also seized a large amount of Bitcoin.
The WSM saga was notable for the fact that shortly before the platform’s closure its administrators executed an exit scam, siphoning off more than $14 million of user funds.
Suspicions that they were going to take such a step emerged weeks before Europol’s announcement, when funds from the main Bitcoin wallets of WSM began moving to external addresses. The previous wallets were used as an escrow system: buyers deposited funds there, which sellers could withdraw after a period of time following the completion of the transaction, subject to the absence of complaints.
According to the WSM administrators, this was a temporary step taken because of server problems. The server allegedly did not synchronise with the Bitcoin blockchain, making withdrawals impossible.
Soon the WSM site was removed from the Deep Dot Web darknet-resource catalogue, and users, apparently resigned to the loss of funds, began renaming the listings of goods for sale, warning others that it’s best not to deal with this platform.
But this was not all. One of the administrators under the alias Med3l1n began to extort users, threatening to hand over the wallet addresses they used to interact with the platform. For silence, he demanded 0.05 BTC. As darknet researcher @5auth suggested, Med3l1n turned out to be among WSM employees who did not receive their share of the stolen Bitcoin.
Most likely a customer support staff member who didn’t get a cut of the other stolen cryptocurrency.
— Caleb (@5auth) April 20, 2019
The attempts to extract something from users were probably not very successful, because a few days later the same moderator posted login credentials for the WSM admin panel on the Dread forum. This gave anyone, including law enforcement officers, access to the platform’s backend and, accordingly, to user data.
Of much greater concern to users: The same mod has posted his login credentials to Dread. This gives anyone to sign in to WSM as the mod and access all information pertaining to users and their orders that isn’t encrypted. He also gave the server IP address up. pic.twitter.com/YD3kuBAYk5
— Patrick Shortis (@Patrick_Shortis) April 24, 2019
One intriguing theory about the probable reasons for the WSM operators’ exit scam held that their motives lay in the previously announced closure of Dream Market, another large and popular darknet market at the time.
Under normal circumstances, the shutdown of Dream Market would have been a boon for competing markets, which would have drawn its many users. Yet on the same day that Dream Market’s closure was announced, Europol, the FBI and other law enforcement agencies carried out mass arrests of darknet sellers.
Apparently, the WSM administrators understood that sharply expanding the user base would attract unwanted attention from authorities. In such circumstances, the safest exit for them was the exit scam as an alternative to potentially lengthy prison terms.
Dream Market
In April 2019, the Manhattan District Attorney’s Office announced the arrest of members of the Sinmed group, the largest dealer of narcotics on Dream Market. As the office stated, Sinmed sold counterfeit Xanax, a drug that itself leads to quick dependence, to residents of 43 states, and laundered $2.3m of proceeds using cryptocurrency.
Today we’re announcing the takedown of a storefront on the dark web that made, sold, and shipped fake Xanax 💊 to buyers in 43 states, and laundered $2.3M of the proceeds using cryptocurrency.
Watch Live: https://t.co/Qg6EpGwyVl pic.twitter.com/dPxE8mFP9Z
— Cyrus Vance, Jr. (@ManhattanDA) April 16, 2019
The message coincided with Dream Market admins’ announcement of the platform’s forthcoming closure due to ongoing DoS attacks. But as early as March some darknet commentators suggested that the market, which had been operating since late 2013, had been compromised by law enforcement, and urged users not to log into their accounts.
Indirect confirmation of this is that as early as August 2017, accounts of several Dream Market sellers were seized by Dutch police. No official statements were made, but researchers suspected that this was possible because narcotics traffickers used the same credentials on Dream Market as on other platforms.
One of those caught was Frenchman Gal Vallerius. He was arrested in 2017 at Atlanta airport while heading to the World Beard and Mustache Championship.
Gal Vallerius. Photo: Bleeping Computer.
The investigation showed that Vallerius, who used the darknet alias OxyMonster, set up his own tipping system on Dream Market, declining to use the platform’s internal payment system, which employed a transaction-anonymisation mechanism.
Tracing the movement of OxyMonster’s funds, police found that 15 of 17 outgoing tipping transactions from his tip jar went to wallets on LocalBitcoins. A similarity was also found between Vallerius’s and OxyMonster’s writing styles on Twitter and Instagram.
During the arrest, Vallerius’s laptop was seized, on which investigators found additional evidence of his involvement in drug distribution, including a PGP key he used to sign messages, Dream Market credentials and bitcoin wallets linked to OxyMonster accounts. The Frenchman also had accounts on other darknet marketplaces, including Evolution, Valhalla, TradeRoute, Hansa and AlphaBay.
In June 2018, Vallerius pleaded guilty to drug distribution, and in October 2019 a Miami court sentenced him to 20 years in prison.
AlphaBay, Hansa and other accomplices
This was not the first time that the largest darknet markets closed almost simultaneously. After Silk Road’s dramatic fall in 2013, a similar fate befell its successor Silk Road 2.0 in November 2014 and other illegal platforms closed as part of the large-scale international operation Onymous.
Later the same fate befell Agora, which voluntarily ceased operations in 2015, and then AlphaBay, which dominated in 2015–2016. The latter was ten times larger than Silk Road and was dismantled by law enforcement in 2017. Its closure was described as the largest intervention against an illegal online market in history at the time. It was claimed to have occurred by direct order of US President Donald Trump.
“He [Trump] gave us a few directives. One was to shut down international criminal organisations operating on the internet. This is exactly what we want to report today – the closure of the largest darknet site to date,” said then-US Attorney General Jeff Sessions.
During the AlphaBay operation, the administrator was identified as a Canadian resident, Alexandre Cazes. In July 2017 he was arrested in Thailand and soon found dead in a Bangkok prison. The presumed cause of Cazes’s death was suicide.
One platform AlphaBay users migrated to was Hansa, but Dutch police were already waiting there. In the Hansa case, it is notable that after receiving a tip in autumn 2016, authorities decided not merely to dismantle one of the illegal markets but to secretly seize it and strike at the entire darknet industry. The operation, in which the United States, Germany and Lithuania, among others, participated, received the codename “Stiletto” and ended with the discreet arrest of Hansa’s administrators and the platform’s takeover by authorities.
The patient gathering of information and monitoring of Hansa paid off in April 2017, when one of the administrators used a Bitcoin address previously exposed in the marketplace’s chat to conduct a transaction. With the help of Chainalysis software, investigators established that the cryptocurrency passed through a Dutch company and landed in an account of another company in Lithuania.
This allowed arrests to be made and data to be downloaded from servers and transferred to police-controlled accounts in the Netherlands, as well as the site’s code to be rewritten to enable monitoring of user activity. The changes went largely unnoticed by users.
Gert Ras and Marinus Boekelo — heads of the operation “Stiletto”. Photo: Wired.
The Dutch police said that the Hansa capture operation was the most successful attack on darknet sites in history. They obtained information on 420,000 users, including about 10,000 home addresses, and passed it to Europol for distribution to police stations across Europe and the world. They also arrested 10 members of Hansa’s leadership and moved roughly 1,200 Bitcoins.
Another example of successful cross-border cooperation by law enforcement was the closure of CyberBunker, one of the world’s largest darknet-hosting providers, whose clients included the Wall Street Market mentioned above.
Based in a five-storey underground bunker near the German border with Belgium, CyberBunker was the brainchild of the eccentric Dutchman Herman-Johan Xennt. For a higher price, Xennt guaranteed the most secure hosting for clients, even if their content was delicate or prohibited.
CyberBunker offered clients “bulletproof” hosting. Photo: The New Yorker.
In the early 2000s, the company founded by Xennt took part in mass spam campaigns for phishing sites and provided hosting for sites selling prescription-free medicines. CyberBunker also hosted WikiLeaks founder Julian Assange’s project during this period.
Another well-known client, The Pirate Bay, was hosted on CyberBunker until 2010, when a Hamburg court ordered the company to end its cooperation with the pirate site.
In 2014 the project hosted the darknet platform Cannabis Road, and from 2016 to 2018 the Fraudsters forum, which dealt with counterfeit passports and money.
From 2015 to 2018, CyberBunker’s clients included the darknet marketplace Flugsvamp, which accounted for up to 90% of all online trade in illegal substances in Sweden.
The largest client, however, was WSM — from 2016 to 2019 the turnover of drugs sold there exceeded €36 million.
Xennt was arrested on 26 September 2019 following a raid by German special forces. For the first time in Germany, police arrested not the darknet sellers themselves but those who made their crimes possible.
Gert Ras and Herman-Johan Xennt — operators of CyberBunker. Photo: The Sunday World.
In this same category of ‘accomplices’ was the darknet information site Deep Dot Web. In May 2019, US authorities charged its alleged co-owners and administrators, Israeli nationals Tal Prihar and Michael Phan, with money laundering. It is believed they posted referral links to darknet marketplaces and earned commissions (2–4%) on purchases made by users. According to the investigation, from November 2014 to April 2019 Prihar and Phan earned 8,155 BTC.
One of the latest marketplaces to fade into history was Empire Market. According to some reports, its administrators paid the organizer of DDoS attacks up to $15,000 a week not to attack, but another interested aggressor emerged, forcing them to close the market.
Business models and defence methods may change, but the ingenuity of darknet-market creators remains undiminished. As history shows, after the closure of one market, several competing ones rush to fill the gap, satisfying demand for illegal goods, while law enforcement resumes the hunt.

