Show Notes

Operation Bayonet

Act 1

What do you mean, the Gin Rin Kohaku isn’t available? It’s listed right there on your website!

It was a drizzly July day in 2017 in the Thawi Watthana neighborhood of Bangkok. It’s a mostly middle-class suburb, but it’s also home to a few upscale gated homes. In one of those, Quebec native Alexandre Cazes was about to rip his koi fish dealer a new one.

Unfortunately, someone else just bought her. We have a wide variety of other fish available, if you’d like—

I don’t want a Sanke, or a Showa, or an Ochiba. Alexandre interrupted. I want a Kohaku, and I want the one with the silver scales. It’s the friggin’ king of koi.

I apologize, sir. But we won’t be getting another Gin Rin Kohaku until the fall harvest season—

Well maybe I’ll just go to Japan and get one myself! Alexandre hung up.

The koi pond was proving to be yet another headache in a project full of them. Alexandre was currently building a house 20 minutes away from this one. It would be the fourth house the Canadian would own in his adopted home of Thailand. He also had a villa in Cyprus, and another in Antigua and Barbuda. This home would be the most expensive yet—worth $7.6 million, in fact.

Not that Alexandre couldn’t afford it. The 26-year-old was worth a cool $23 million, and he liked to flaunt his wealth. He had expensive taste in cars, clothes, and travel. He knew that once his palatial mansion was finished, all the hassles would be worth it.

SFX: car crashing into gate.

What the fuck was that? Alexandre looked out the window. Some dipshit had just crashed their car into his front gate. Perfect. As if he didn’t already have enough on his plate.

Without even putting on a shirt, Alexandre raced outside to sort things out.

Outside, neighbors had come out of their homes to watch the car’s three occupants, who were having a heated argument. How do you not even know how to make a three-point turn? one of them shouted. That’s like the first thing they teach you in driver’s school!

Alexandre stormed up to the driver. What the hell is going on here? he demanded. I’m gonna need your insurance information.

Sure thing, Mr. Cazes, the driver replied.

Wait a minute. How did they know his name?

Suddenly, a van pulled into the driveway. The door opened, and federal agents in raid jackets streamed out.

Oh fuck.

Alexandre ran for it, making a beeline for a field where he’d recently photographed a three-foot long monitor lizard. He didn’t stand a chance. The feds nabbed him and put him into the van. More of them went inside to search the house.  

Alexandre’s neighbors were shocked. Alexandre and his wife had mostly kept to themselves, but all that money definitely attracted attention. His neighbors thought he worked in the hotel industry.

They had no idea that Alexandre was actually the mastermind behind AlphaBay, the biggest online marketplace on the dark web—in fact, he had left his unencrypted laptop logged onto his admin account, which the feds discovered shortly after busting him. It wasn’t the first of Alexandre’s security lapses, either.

Alexandre’s arrest was definitely a coup for law enforcement, but it was just the beginning. Alexandre was just one of the first dominoes to fall in what would become the biggest dark web bust of all time.

On this episode: the eBay of drugs, multinational sting operations, and the origins of the dark web. I’m Keith Korneluk, and this is Modem Mischief. 

INTRODUCTION

You're listening to Modem Mischief. In this series we explore the darkest reaches of the internet. We'll take you into the minds of the world's most notorious hackers and the lives affected by them. We'll also show you places you won't find on Google and what goes on down there. This is the story of the dark web and Operation Bayonet.

ACT 1

A year or two before his arrest, Alexandre pulled into his driveway in a brand new Porsche Panamera. The sleek black luxury vehicle retails for almost 90 grand—with upscale versions costing double that.

He went inside and logged into the forums for RooshV. If you’re not familiar with RooshV, congratulations. RooshV’s real name is Daryush Valizadeh, and he’s a blogger, pickup artist, and proud member of the alt-right “manosphere.” He’s most famous for his “Bang” series of books that explained how to pick up women from different countries, everywhere from Brazil to Iceland. 

On the forums, Alexandre went by the username “Rawmeo” (as in Romeo but Raw) and averaged more than a post per day. One of his most popular posts was a thread prompting users to name “the most beta thing they’d ever done.” Another was a 7,500 word opus describing how he kept girls on the side and monitored his wife’s weight.

But today, the only thing on his mind was the car. He began to type. Just got my new wheels. Tricked out Panamera with all the specs. Thai girls love super cars.

Bullshit, someone replied. The only thing sadder than owning a Porsche is lying about owning a Porsche.

Alexandre was pissed. They wanted proof? He went back outside, hopped in the car, and filmed himself driving around the block. When he pulled back into the driveway, he flipped off the camera. Inside, he uploaded the video to the forums.

That’ll show ‘em.

Finally, a few forum users typed a “nice wheels” or a “congratulations.” One of them was still skeptical. They wanted to know how he paid for all the luxury cars and homes he loved to flex about. He’d told them he earned everything from smart investments in cryptocurrency, but they weren’t buying it.

Alexandre smirked. We all have our business, he typed back. Let’s leave it at that.

Alexandre was born in 1991 in Quebec. He was a brilliant kid with an IQ of 142, and he skipped a grade in school. He excelled at computer programming, and by 14 he was a hacker.

Alexandre didn’t party. According to his parents, he never even smoked a cigarette, and harped on his father to kick the habit.

Otherwise, Alexandre was what you might call “morally flexible.” He loved money and was obsessed with making it. A friend would later say that he always figured Alexandre would cook up some sort of scam.

His time on the RooshV forums radicalized him, too. In another RooshV post, he complained that Quebec was overrun with welfare moochers and Muslim refugees, who he said “breed like bedbugs.” He wanted a more “traditional” society, and a “traditional” wife. 

In 2008, an 18-year-old Alexandre visited Thailand and fell in love with the country, and in 2012 he moved there. He met a woman named Sunisa Thapsuwan on a matchmaking site and married her.

For work, Alexandre did software development—at least officially. He set up a company called EBX Technologies, which he claimed was a web developer that helped small businesses set up websites. But the dark web and the potential for riches was just too much to resist. 

The dark web is a small fraction of the deep web, a term for all the places on the internet that aren’t accessible by search engines like Google. This is mostly benign content, like your Netflix user account, or password-protected email accounts.

The dark web refers to the few thousand websites that use encryption software, including browsers like Tor, I2P, and Freenet to mask their IP addresses.

There’s always been a demand for the ability to use the Internet anonymously. Versions of the dark web have always existed. The modern Internet traces its origins to Arpanet, a system that was created in 1969 that allowed computers to communicate over phone lines. Almost immediately, Arpanet users were creating unlisted pages on their servers.

In 1971 or 1972, before Ross Ulbricht and Alexandre Cazes were even born, students at Stanford used Arpanet to score weed from students at MIT. Yes, the first online transaction was a drug deal.

The modern dark web began with the introduction of anonymous web browsers. The most well-known of these is the Tor browser.

Research on the Tor browser began in the late 1990s, as a joint project between the U.S. Naval Research Laboratory and the Defense Advanced Research Projects Agency, or DARPA, the Pentagon’s research and development division.

Tor browsers mask their users’ identities by sending their IP requests through several random servers all around the world. It’s called “onion routing”—“Tor” actually stands for “the onion router,” and Tor webpages all end with a .onion suffix.

There are several reasons why government and law enforcement needed a way to browse the web anonymously. Undercover cops and spies could use it to report to their superiors without being detected. Dissidents in authoritarian countries could use Tor to access the web without fear of retribution.

But most of all, Tor browsers would allow law enforcement to monitor illegal activity, without a government IP address showing up on a site’s servers. 

The Tor network was released in 2002, and its code was made available with a free and open software license. It receives funding from a variety of organizations, including DARPA. The Tor browser followed in 2008, making it even easier to set up a website and start doing business. Soon, the government’s anonymous web browser had become a haven for human traffickers, child pornographers, and terrorists.

In 2015, Interpol began investigating a dark web human trafficking organization called Black Death Group. Two years later, a Black Death member named Lukasz Pawel Herba was arrested for kidnapping a British model, whom he intended to put up for auction.

Besides anonymous web browsers and PGP encryption, the other innovation that needed to happen in order for sites like AlphaBay to exist was the creation of an untraceable digital currency. When Satoshi Nakamoto mined the first bitcoin in 2009, it gave drug traffickers a way to do business that couldn’t be traced—or so they thought.  

Just two years after Bitcoin was created, Ross Ulbricht started the Silk Road—we covered the rise and fall of the dark web’s first drug marketplace in our two-part first episode.

When the Silk Road was shut down in 2013, it was just a temporary setback for the online drug and contraband industry. Almost immediately, several other dark web marketplaces popped up in its place, with names like Silk Road 2.0—founded by former Silk Road staffers—Sheep Marketplace, and Black Market Reloaded.

All of these sites differed from the Silk Road in one major way. For Silk Road’s founder Ross Ulbricht, a devoted libertarian, making money wasn’t the only goal. He also wanted to create a community of people with shared political beliefs. 

But the dark market drug website admins who came after Ulbricht didn’t have such lofty ideals. For them, it was all about money.

Sometimes, they even stole directly from their users. In Sheep Marketplace’s case, the site was shut down in late 2013 after a vendor allegedly stole $6 million in bitcoin from an escrow account. Alexandre and the AlphaBay admins would face similar allegations during the site’s lifespan.

All in all, the dark web was the perfect place for someone who wanted to make a fortune and didn’t care how they did it. Alexandre Cazes founded AlphaBay in 2014. For him, selling drugs was simply a means to an end. 

Alexandre was more ambitious than most of the other “rip and run” marketplaces that took the Silk Road’s place. For starters, AlphaBay offered more goods and services. In addition to drugs, users could buy stolen credit card numbers, fake IDs, guns, even online fraud tutorials. That’s right, you could buy step by step instruction manuals in everything from how to phish people’s email accounts to stealing their banking information.  

AlphaBay did ban two things, however: child pornography and hitman services. Those would attract too much heat.

If Silk Road was the Amazon of drugs, Alexandre wanted AlphaBay to become eBay. On AlphaBay, users could place bids on what they wanted to buy. Also like eBay, vendors had pages that displayed ratings. The more transactions they completed, the better their reputation. 

All of this made AlphaBay stand out in the post-Silk Road chaos. Within 90 days of its launch, AlphaBay had 14,000 new users.

But not everything was going smoothly. All of the work fell on Alexandre. A lot was on his plate. First, there was the issue of website security. As the administrator of a dark web drug marketplace, Alexandre had to worry about law enforcement, but also had to stay one step ahead of the hackers and scammers who frequented his site.

When he wasn’t overseeing its security, he was doing all the programming, promotion on Reddit and other forums, and resolving disputes between vendors and buyers. Just like eBay, sometimes packages got lost in the mail.

It was all so much that he barely had time to enjoy his cars, villas, and mistresses.

On AlphaBay, Alexandre went by the handle Alpha02. In the fall of 2014, he logged onto his account and felt his blood run cold. Someone had “popped the shell” by hacking the site and running their own commands on his server.

What the hell? Was someone just fucking with him? Did they want a ransom? Or was it a cop?

One thing was certain, Alexandre had to act fast to plug the leak and find the SOB who had caused it.

As Alexandre started studying the server logs, a message appeared in his inbox, from a user named DeSnake. He was an AlphaBay user who’d been active on the carding forums, where people exchanged tools to commit credit card fraud.

Before AlphaBay, DeSnake was an active member of the credit card fraud community on sites like Evolution and Tor Carder as early as 2013. He’d eventually ascended the ranks and become a market administrator himself. 

Alexandre had no idea who DeSnake really was, or if he could trust him.

He did find out what he wanted: a job. Alexandre had no choice. He brought DeSnake onboard as AlphaBay’s security administrator. DeSnake could hack, and he had experience running a website. And now Alexandre had someone to share the workload.

Over time, Alexandre and DeSnake put the awkwardness of their initial meeting behind them. It certainly helped that AlphaBay continued to grow and grow. A year after launch, it was the biggest drug site on the dark web. By 2016, it was ten times bigger than the Silk Road ever was. It grew to accept other cryptocurrencies, like Ethereum and Monero.

By 2017, the site had 400,000 active users generating between $600,000 and $800,000 in transactions a day. Alexandre earned a commission of 2-4% on each transaction, adding up to tens of millions of dollars. 

But even with his new head of security, AlphaBay continued to be vulnerable to breaches. 

In 2016, Alexandre launched a feature that allowed AlphaBay users to access their profile without having to log onto the site, so they could look at their messages, check their balance, withdraw funds, and view their past transactions.

A Redditor noticed that by changing the message ID, you could access anyone’s private messages. For a site based on anonymity, the consequences could be devastating.

Fortunately, only a tiny fraction of messages over a year old had been accessed. Alexandre rewarded the Redditor and closed the exploit.

A year later, a hacker named Cypher0007 discovered another security flaw that allowed him to steal 218,000 private messages, which included buyers’ and sellers’ first and last names, nicknames, addresses, and tracking numbers for shipments. Alexandre was forced to pay off Cypher0007 to get him to share his methods.

Alexandre’s dreams of founding his own Thai digital drug kingdom were becoming a reality. But all of these security breaches had ominous implications for AlphaBay's future. And now law enforcement was taking notice. 

ACT 2

When it came to fighting crime on the dark web, the FBI had come a long way in a short time. The first official FBI investigation into a dark web marketplace, Operation Onion Peeler, began in 2013 and resulted in the Silk Road takedown. If Onion Peeler taught them one thing, it was how outdated their policing methods were. 

Law enforcement was learning that cooperation was more important than ever. Dark web drug trafficking was an inherently international affair. A site like The Silk Road might have its servers in one country, the dealer in another, and the buyer in a third altogether. Typical dick measuring contests just weren’t an option.

The FBI was also learning that traditional war on drugs techniques were obsolete. Going after the small fish like dealers and buyers, flipping them, and using them to catch the big fish wasn’t going to cut it. 

On the dark web, buyers and dealers were almost always anonymous to each other. Instead of targeting small-timers, law enforcement would have to go after the kingpins.

Obviously, the fact that everyone was using Tor browsers and PGP encryption made it extremely difficult to identify them. Often, the best way to nail a dark web drug kingpin was the same technique used by law enforcement for centuries: wait ‘til they make a mistake. 

By 2016, the FBI was well aware of AlphaBay and its activities. The online drug trade hadn’t slowed down after Silk Road like the FBI had hoped. Worse, America was in the throes of the opioid epidemic. Sites like AlphaBay were becoming a bigger and bigger part of the supply, especially the synthetic opioid supply.

There were dozens of opioid dealers operating on AlphaBay, with 21,000 listings.  In 2017, authorities arrested a six-person group of dealers who were purchasing fentanyl from China, pressing it into pills, and selling it on the dark web. They’d sold hundreds of thousands of pills. 

AlphaBay had already been linked to several overdoses in America. Users on its own message boards described ODing in detail. 

In one gruesome episode, two thirteen-year-old best friends in Park City, Utah obtained a small amount of a synthetic opioid called “pink,” or U-47700. They got it from one of their older sisters, who ordered it on AlphaBay. The middle schoolers overdosed and died two days apart from each other. 

The pressure to shut down AlphaBay was mounting. 

The FBI’s Sacramento field office was heading the AlphaBay investigation, which it was calling Operation Bayonet. Special Agent Nicholas Phirippidis was in charge. He was proud of the name Operation Bayonet, which he came up with himself. Not only did it sound badass, it was also a pun on multiple levels—“bay” for AlphaBay and “net” for the Internet. Best of all, it wasn’t taken.

Phirippidis went undercover on AlphaBay. He hoped to make a few purchases and nab some well-respected drug dealers in the community. He created a username and signed up for an account. 

He got a ping from his email inbox. It was the typical “Welcome to the site” message, like you’d get when you sign up for any website. But when Phirippidis opened it, he couldn’t believe his eyes.

It was sent from a regular Hotmail address. There it was: pimp-alex91@hotmail.com.

No way. Whoever sent the email wasn’t actually using their real email address, were they? Surely this was some low-level employee who’d fucked up royally.

Phirippidis did some digging and discovered that the Hotmail address was connected to a LinkedIn account and a PayPal account for the owner of a Canadian company called EBX Technologies. A little more digging uncovered a name: Alexandre Cazes.

Phirippidis and the team then discovered a forum post Alexandre had written on a tech blog in 2008, in which he gave advice about removing a virus from a digital photograph. The post contained the pimp-alex91@hotmail.com address. It was also made with the username Alpha02, the same one Alexandre was using on AlphaBay.

After learning Alexandre was living in Thailand most of the time, law enforcement began cooperating with the Royal Thai Police. Further monitoring led investigators to Alexandre’s bitcoin wallet. There, they were able to match transactions to ones he’d made on AlphaBay.  

By the summer of 2017, Phirippidis and his team had everything they needed to indict Alexandre. But first, in the spirit of cooperation, they passed along news of their impending bust to another investigation in the Netherlands.

Operation Bayonet was about to get bigger.

In Europe, most countries have dedicated cyber crime fighting units. Many of them are coordinated by Europol, the EU’s top law enforcement body. In the Netherlands, dark web drug trafficking and other cyber crime is fought by the National High Tech Crime Unit.  

By the time the tip about Alexandre’s arrest and the impending AlphaBay shutdown reached the NHTCU, the NHTCU was already almost ten months deep into an investigation of another dark web drug marketplace, Hansa.

Hansa was the second-biggest after AlphaBay. It was founded in Germany in August 2015, one of the many dark web drug marketplaces that tried to fill the void left by the Silk Road. 

It was named after the Hanseatic League, a medieval confederation of merchant guilds that banded together to remove restrictions on trade. It stretched from the Netherlands all the way to Russia. With its orange merchant ship logo, the dark web Hansa hoped to be a modern, digital free-trade haven.

Hansa was home to tens of thousands of listings for all sorts of illegal narcotics including fentanyl, cocaine, and heroin, as well as counterfeit and fraud-related goods.

The Hansa investigation was called Operation GraveSac, and the lead investigating officer was Superintendent Petra Haandrikman. She was a 20-year veteran of the Dutch National Police Agency and had recently been promoted to the top spot in the NHTCU.

Haandrikman and her team understood how difficult the game was. If you shut down one dark web marketplace, several more would pop up in its place. Like cutting off the head of a hydra. Or as one of her officers described it, a “whack-a-mole” effect.

The investigation into Hansa started with a tip, most likely from a private cybersecurity firm called BitDefender – officially the source of the tip is classified, but BitDefender has claimed some involvement in the case.  

A researcher at probably-BitDefender discovered that the development site for Hansa was exposed online. The development site was where the admins could test out new features before making them live. Somehow, the dev site’s IP address had wound up on the surface web.  

The NHTCU contacted the dev site’s Netherlands ISP and installed software that allowed them to monitor it. Soon, they discovered it was connected to a Tor server running the live Hansa site – their holy grail. It was also connected to two servers in Germany. They made copies of all three.

It was a bold move. Maybe too bold. Soon, Hansa switched IP addresses and slipped away into the digital ether. Haandrikman figured that the Hansa admins must have noticed someone copying their servers and split. Whatever the cause, it was a setback.

But the Dutch National Police still had the three copied servers and everything on them. Fortunately for them, one of the German servers included lengthy chat logs between Hansa’s alleged co-founders. The chat logs even included the admins’ home shipping addresses.

One was a 30-year-old in Siegen and the other was a 31-year-old from Cologne. Since their trials are ongoing, their names haven’t yet been disclosed to the media.

Haandrikman contacted German police and learned that the two Hansa admins were already known to them for running another dark web marketplace, Lul.to, which specialized in pirated ebooks and audiobooks.

She had enough to arrest the German admins right then and there. But like the FBI, the NHTCU was evolving its tactics to fight dark web drug trafficking. Simply shutting down Hansa wouldn’t be enough. She wanted to make users feel unsafe buying drugs online. 

The plan was bold: if they could somehow take control of Hansa without the site’s users realizing it, they could document thousands of drug deals. That could lead to dozens, even hundreds of arrests.

But first, she needed to find Hansa’s new server.

Superintendent Haandrikman and her team studied the German administrators’ cryptocurrency purchases. Many cryptocurrency purchases are documented by something called blockchain. It creates a digital record of when and where cryptocurrency changes hands. If a cryptocurrency owner wasn’t careful, these transactions could be linked to their public profiles.

They discovered a bitcoin transaction that matched one of the addresses in the German admins’ chat logs. By using blockchain analysis software they discovered that the payment was made via a bitcoin provider in the Netherlands. They contacted the provider and learned that the transaction ended up on a server in Lithuania. For the second time, they’d located Hansa’s elusive server.

It was around this time that the Dutch learned about Operation Bayonet. Not only did they have everything they needed to take over Hansa, they knew that the AlphaBay shutdown would send its 40,000 dealers and 200,000 customers headed their way.

Alexandre’s arrest was scheduled for July 5th, just weeks away. Haandrikman would have to act fast to take over Hansa before AlphaBay went down.

They flew to Lithuania, now the third country involved in the Hansa operation. They knew that once the German admins were arrested, it was only a matter of time before Hansa would disappear again – unless they could act. They would have to migrate the Hansa server from its current location to another one under their control, without anyone noticing.  

On June 20th, 2017, Superintendent Haandrikman arrived at the Lithuanian server company, where they set up a base of operations.

Over 1.5 thousand kilometers away, German authorities would be making their arrests in Siegen and Cologne. The teams had to assemble at the same time and make the arrests simultaneously. Only then could Haandrikman begin the server migration. If the arrests went wrong, it was entirely possible the German admins could erase the site or alert its users. If they failed, Hansa would slip away again.

From the server company, Haandrikman was on a three-way call with authorities in Siegen and Cologne. German police in both cities gathered around the two admins’ apartments. They waited for the signal.

The German commander gave the go-ahead. Haandrikman heard two sets of doors crash in and tons of shouting in German.

The Germans took the Hansa admins into custody. So far as Haandrikman could tell, the admins hadn’t alerted anyone on Hansa that they were made. In another stroke of luck, their hard drives were unencrypted.

In Lithuania, it was go-time. The computer engineers began migrating Hansa’s servers to the Netherlands. Haandrikman prayed that the Hansa admins weren’t currently torching their hard drives. They watched the progress bar slowly tick toward completion.

The migration took three days. Under police questioning, the Hansa admins gave up their credentials to their accounts, including chat logs for a peer-to-peer messaging system with the site’s four moderators.

The NHTCU now had control of Hansa, just in time for the FBI and Royal Thai Police to bust Alexandre Cazes and shut down AlphaBay. 

Two weeks later on July 4th, DeSnake, AlphaBay’s head of security, logged on to his computer and tried to log onto the site, but it was gone.  

What the fuck? 

DeSnake logged onto Reddit’s main dark web subreddit, which at that point still existed, and read the chatter. 

People were understandably freaking out. AlphaBay had vanished, and along with it millions of dollars worth of cryptocurrency. There had been no word from the site’s admins. It looked like a classic “exit scam,” like the ones that ended the other post-Silk Road dark web marketplaces. 

It looked like the site’s admins suddenly shut down the site and absconded with everyone’s money. 

DeSnake wasn’t entirely sure about that. He knew Alexandre Cazes and knew that his ambition was much bigger than an exit scam. Alexandre had wanted to build the eBay of dark web drugs. It said so on AlphaBay’s FAQ page. 

DeSnake sensed that Alexandre had gotten busted and the exit scam was a setup. He was right. Like the Dutch National Police, the FBI wanted to strike a psychological blow and make dark web drug buyers and sellers feel like there was no such thing as a safe online drug deal. 

But for now, DeSnake knew that he had to leave AlphaBay behind and disappear. 

By taking down AlphaBay, Operation Bayonet had whacked the biggest mole on the dark web. The second-biggest, Hansa, was now scurrying towards a trap set by Dutch police. But the Dutch had no idea how big things were about to get.

ACT 3

It was eight days after the arrest of Alexandre Cazes in Thailand. He was in custody at the Narcotics Suppression Bureau, an imposing white and tan marble building in suburban Bangkok surrounded by a high fence. 

Alexandre was an unusual prisoner for the NSB, a Canadian citizen who was being prosecuted in California. 

Alexandre had been in frequent contact with his Fresno-based lawyer. Alexandre had agreed to be extradited to the United States to face prosecution. There, he would enter a “not guilty” plea. The plan was for Alexandre’s lawyer to argue that Alexandre wasn’t responsible for what was sold on the site. He didn’t sell drugs or contraband himself. He just earned a commission on sales. 

They were optimistic that this defense would sway the judge.

On the morning of June 13th, a humid day in the low 90s, a guard at Thailand’s Narcotics Suppression Bureau headed towards Alexandre’s cell to take him to his court appearance. For the last several days, the guard’s main job was ferrying Alexandre between his cell and the phone bank. 

Overall, Alexandre had been in good spirits. Cheerful, even. Definitely not acting like someone who was facing life behind bars.

But today, when the guard arrived at the cell, he found Alexandre lying on the floor with a towel wrapped around his neck. He appeared unconscious.

The guard opened the cell door and rushed over to Alexandre. Mr. Cazes, are you OK? No response.

Get a doctor! The guard yelled. Down the hallway, more guards scrambled towards the phone.

The guard checked Alexandre’s pulse and found none. He flipped him over and began performing CPR, delivering chest compressions and rescue breaths.

Finally, the EMTs arrived, put Alexandre on a stretcher, and took him to the infirmary. But he was dead. Suicide.

With Alexandre dead, the FBI and the Royal Thai Police lost their main link to the AlphaBay community and all the information he might have possessed.

But Alexandre had made yet another security lapse. At his Thawi Watthana villa, investigators discovered that Alexandre also hadn’t encrypted his laptop, and was still logged into his admin account on AlphaBay. They also discovered documents listing all his assets. Overall, he was worth $23 million, including $8 million in cryptocurrency.

When AlphaBay was taken down, it had 250,000 listings for drugs and toxic chemicals, and 100,000 listings for stolen and fraudulent identification documents, counterfeit goods, malware and other computer hacking tools, firearms, and fraudulent services.

The site was home to 40,000 dealers and 200,000 buyers. Haandrikman and her team began referring to them as the “Alphabay Refugees.” They needed a new home and quickly gravitated toward Hansa. 

In the Netherlands, Superintendent Petra Haandrikman and her team were ready. Since migrating Hansa’s server from Lithuania to the Netherlands, they had created a duplicate version of the site, then deleted the original.

From their four-story brick headquarters building in Utrecht, near one of the city’s famous canals, Haandrikman and her team controlled Hansa.

But now, they had a different job: running it.

To the officers in the NHTCU, it wasn’t strange to be running Hansa and facilitating thousands of drug deals. They rationalized that if they weren’t running Hansa, the drugs would be sold on some other site. Just like in the U.S., in the Netherlands it was perfectly acceptable for cops to buy drugs from a dealer, and then arrest the dealer for selling them said drugs. 

This is a common law enforcement tactic on the dark web. In 2016, Elizabeth Nolan Brown estimated that half of all child pornography sites were run by law enforcement. 

Running Hansa was also a handy way to keep track of who was buying drugs. During that summer in 2017, the Dutch police captured thousands of addresses belonging to both dealers and buyers. They began regularly knocking on buyers’ doors just to let them know they were onto them.

The NHTCU had spent months preparing to take over Hansa. They studied the German admins’ chat logs and felt confident they could imitate them in this online undercover operation. Haandrikman’s team felt they were so well-versed in the admins’ personalities that they impersonated them round the clock, in shifts. 

They began by contacting the site’s four moderators, who at this point were still unaware that the site was being run by cops. 

They convinced the moderators that the impending arrival of AlphaBay refugees was a good opportunity to tweak some of the site’s rules, and educate their new users on the way things worked. They’d enforce the bans on child pornography and firearms sales.

One of Hansa’s mods approached them about banning the sale of fentanyl, the dangerous synthetic opioid responsible for uncountable overdoses and deaths. Haandrikman was all too happy to oblige.

Next, there was the issue of how to accommodate the new AlphaBay refugees. At this point, there were around 5,000 new requests for membership a day.

The site actually had the bandwidth for this uptick, but Haandrikman and her team didn’t. The sheer volume of transactions from Hansa’s new users was too much to keep up with. They couldn’t simply open the floodgates to thousands of transactions daily.

Instead, they shut down membership registration for ten days. This way, they could examine transactions looking for patterns. If a lot of orders were coming from a particular location, there was a good chance it was a high-level dealer on the site.

Haandrikman and her team of investigators and digital forensics experts began recording Hansa’s drug deals.

On Reddit, the wayward AlphaBay refugees griped about the bottleneck. One Redditor even offered to sell their Hansa account for $40.

During the ten-day hiatus, Haandrikman and her team made several modifications to Hansa’s code to help them better track its users.

They unencrypted Hansa users’ passwords and began storing them.

They also unencrypted Hansa users’ PGP keys. PGP stands for “Pretty Good Privacy.” It’s a digital encryption service where users have unique “keys” they must exchange in order to communicate.

Unencrypting the PGP keys allowed them to record Hansa dealers’ and buyers’ private messages, which might include home addresses, shipping information, even their real names.

Haandrikman’s officers came up with ways to trick Hansa users into identifying themselves. Before Dutch police took over the site, Hansa had a feature that automatically scrubbed metadata from images uploaded to the site. This let users post photos of their wares, just like on eBay. 

They removed that feature. Then, they staged a fake “server glitch” that wiped everyone’s photos from the site. They sent out an email prompting everyone to re-upload their photos, metadata intact. 

But the most brazen trick Haandrikman’s team pulled off was also the most devious. Many AlphaBay users were still frustrated that they’d lost the bitcoin they’d had in escrow, and they feared that Hansa’s admins might pull a similar “exit scam.”

Haandrikman’s officers created a harmless-looking Excel document and sent it to all of Hansa’s members. In case the site went dark, they claimed, the Excel doc contained a key that would allow them to recover their lost bitcoin up to 90 days later.

In fact, the Excel document contained a “homing beacon” that revealed the Hansa user’s IP address through its Tor encryption. Sixty-four Hansa users fell for that trick.

When they weren’t tweaking Hansa’s code to entrap its users, the Dutch cops actually had to run Hansa’s business operations. While sites like the Silk Road, AlphaBay, and Hansa aspired to be the Amazons and eBays of the dark web, in reality their transactions were far less secure.

Soon, they found themselves running Hansa’s customer service department, resolving disputes between dealers and buyers. Not wanting to give the Hansa community any reason to be unhappy with Hansa, and thus bring more attention to themselves, they made sure to be prompt, responsive, and fair.

It was much better customer service than the Hansa users were used to, and they showed their appreciation on Reddit, Twitter, and message boards.

But eventually, things had to come to an end. Twenty-seven days after they first took over Hansa, they shut the site down. In that time, they had overseen a total of 27,000 transactions. This netted them an estimated 10,000 addresses involved in criminal operations. The information they had gathered would mean years of prosecutions. Maybe even enough to make a dent in the online drug trade.

When Hansa’s users visited the site that day, they were unable to log into their accounts and access the cryptocurrency in their bitcoin accounts. They found a message in a big bold font: “This site has been seized, and controlled since June 20.” Below that, the Dutch National Police identified themselves, along with the Germans, the Lithuanians, the FBI, and Europol.

The message continued: “We trace people who are active at Dark Markets and offer illicit services. Are you one of them? Then you have our attention.”

They’d even updated Hansa’s logo, adding insult to injury. Now, the orange merchant ship was keeling over onto its side, sinking under the water.

ACT 4

In the weeks following the seizure of AlphaBay and Alexandre’s suicide, the FBI and the Justice Department took a victory lap. In a press conference on June 20th, Attorney General Jeff Sessions called it “one of the most important cases of the year.”

As the biggest dark web drug marketplace at the time, AlphaBay was doing between $600,000 and $800,000 a day. Operation Bayonet shut down its operations and seized millions of dollars in bitcoin.

The AlphaBay shutdown led to several arrests of both dealers and site employees for years afterwards. In September 2020, Bryan Conner Herrell, an AlphaBay admin who went by the names “Botah” and “Penissmith,” was sentenced to 11 years in prison for his work on the site. A PR representative received three years.

In 2021, Ohio native Larry Harmon pled guilty to federal charges related to his cryptocurrency laundering service, which helped AlphaBay users move $300 million in bitcoin.

Alexandre Cazes’s wife Sunita Thapsuwan didn’t escape punishment either. Prosecutors suspected her of running the site along with Alexandre and charged her with money laundering in 2017. 

In the Netherlands, Dutch police shut down Hansa and arrested dozens of dealers and buyers. Many of their criminal cases are ongoing. Their investigation also created leads for arrests in several other countries. 

But did the shutdowns of AlphaBay and Hansa actually make a difference in the dark web drug trade?

University of Manchester criminology professor Patrick Shortis estimates that it took the market about a month to recover. Just like the Dutch police predicted, buyers and sellers moved to other websites. The whack-a-mole effect was real.

If anything, Operation Bayonet and Operation GraveSac taught the next dark web drug entrepreneurs valuable lessons about operational security and best business practices. In August 2019, White House Market launched. “White House” was a reference to Breaking Bad’s Walter White.

Inspired by Hansa’s good customer service while it was under police control, White House Market offered similarly dependable support. It also switched the means of exchange to exclusively Monero, a cryptocurrency supposedly much more secure than bitcoin.

White House Market was the main dark web drug marketplace until October 2021, when users voluntarily shut it down. The site’s admin, mr_white, explained that the founders had met their goals, but some speculated that they wanted to avoid prosecution.

And what rose up to take White House Market’s place? None other than AlphaBay.

In December 2021, AlphaBay’s former head of security, DeSnake, approached Wired and gave an exclusive interview. They didn’t identify themselves, but they did provide DeSnake’s personal PGP encryption code as proof it was really them.

DeSnake was bringing AlphaBay back. The site launched that month, offering even more protection and encryption than White House Market had. DeSnake had learned from Alexandre’s mistake and was keeping his laptop encrypted. When he had to leave it unattended, he always logged out – even when he went to the bathroom.

In the interview, DeSnake said that there was no such thing as overkill when it came to online security. With the resurrected AlphaBay, he offered what every other dark web drug marketplace couldn’t: a safe place where dealers could sell anonymously.

But DeSnake’s motives weren’t just financial. He wanted payback.

DeSnake had seen how much the FBI gloated. Special Agent Phirippides played Alexandre’s arrest video at a conference at Fordham University, providing mocking commentary to the audience’s delight.

Of course, it’s also possible that DeSnake is cooperating with police. It’s also possible that police are impersonating DeSnake for an elaborate honeypot operation to once again trick users into giving themselves up. On the Internet, you just never know. 

I’m Keith Korneluk, and you’re listening to Modem Mischief. 

CREDITS

Thanks for listening to Modem Mischief. Modem Mischief is brought to you by Mad Dragon Productions and is created, produced and hosted by me: Keith Korneluk. This episode is written and researched by Jim Rowley. Edited, mixed and mastered by Greg Bernhard aka AlphaBear69. The theme song “You Are Digital” is composed by Computerbandit. Sources for this episode are available on our website at modemmischief.com. Thanks for listening!