AlphaBay, the Largest Online 'Dark Market,' Shut Down
Thursday, July 20, 2017
For Immediate Release
Office of Public Affairs
‘Dark Net’ Site Was Major Source of Fentanyl and Heroin, Linked to Overdose Deaths, and Used By Hundreds of Thousands of People to Buy and Sell Illegal Goods and Services Anonymously over the Internet
The Justice Department today announced the seizure of the largest criminal marketplace on the Internet, AlphaBay, which operated for over two years on the dark web and was used to sell deadly illegal drugs, stolen and fraudulent identification documents and access devices, counterfeit goods, malware and other computer hacking tools, firearms, and toxic chemicals throughout the world. The international operation to seize AlphaBay’s infrastructure was led by the United States and involved cooperation and efforts by law enforcement authorities in Thailand, the Netherlands, Lithuania, Canada, the United Kingdom, and France, as well as the European law enforcement agency Europol.
On July 5, Alexandre Cazes aka Alpha02 and Admin, 25, a Canadian citizen residing in Thailand, was arrested by Thai authorities on behalf of the United States for his role as the creator and administrator of AlphaBay. On July 12, Cazes apparently took his own life while in custody in Thailand. Cazes was charged in an indictment (1:17-CR-00144-LJO), filed in the Eastern District of California on June 1, with one count of conspiracy to engage in racketeering, one count of conspiracy to distribute narcotics, six counts of distribution of narcotics, one count of conspiracy to commit identity theft, four counts of unlawful transfer of false identification documents, one count of conspiracy to commit access device fraud, one count of trafficking in device making equipment, and one count of money laundering conspiracy. Law enforcement authorities in the United States worked with numerous foreign partners to freeze and preserve millions of dollars’ worth of cryptocurrencies that were the subject of forfeiture counts in the indictment, and that represent the proceeds of the AlphaBay organization’s illegal activities.
On July 19, the U.S. Attorney’s Office for the Eastern District of California filed a civil forfeiture complaint against Alexandre Cazes and his wife's assets located throughout the world, including in Thailand, Cyprus, Liechtenstein, and Antigua & Barbuda. Cazes and his wife amassed numerous high value assets, including luxury vehicles, residences and a hotel in Thailand. Cazes also possessed millions of dollars in cryptocurrency, which has been seized by the FBI and the Drug Enforcement Administration (DEA).
According to publicly available information on AlphaBay prior to its takedown, one AlphaBay staff member claimed that it serviced over 200,000 users and 40,000 vendors. Around the time of takedown, there were over 250,000 listings for illegal drugs and toxic chemicals on AlphaBay, and over 100,000 listings for stolen and fraudulent identification documents and access devices, counterfeit goods, malware and other computer hacking tools, firearms and fraudulent services. Comparatively, the Silk Road dark web marketplace, which was seized by law enforcement in November 2013, had reportedly approximately 14,000 listings for illicit goods and services at the time of seizure and was the largest dark web marketplace at the time.
“This is likely one of the most important criminal investigations of the year – taking down the largest dark net marketplace in history,” said Attorney General Jeff Sessions. “Make no mistake, the forces of law and justice face a new challenge from the criminals and transnational criminal organizations who think they can commit their crimes with impunity using the dark net. The dark net is not a place to hide. The Department will continue to find, arrest, prosecute, convict, and incarcerate criminals, drug traffickers and their enablers wherever they are. We will use every tool we have to stop criminals from exploiting vulnerable people and sending so many Americans to an early grave. I believe that because of this operation, the American people are safer – safer from the threat of identity fraud and malware, and safer from deadly drugs.”
“Transnational organized crime poses a serious threat to our national and economic security,” said Acting Director Andrew McCabe of the FBI. “Whether they operate in broad daylight or on the dark net, we will never stop working to find and stop these criminal syndicates. We want to thank our international partners and those at the Department of Justice, the DEA and the IRS-CI for their hard work in demonstrating what we can do when we stand together.”
“The so-called anonymity of the dark web is illusory,” said Acting Administrator Chuck Rosenberg of the DEA. “We will find and prosecute drug traffickers who set up shop there, and this case is a great example of our commitment to doing exactly that. More to come.”
“AlphaBay was the world’s largest underground marketplace of the dark net, providing an avenue for criminals to conduct business anonymously and without repercussions,” said Chief Don Fort of IRS-CI. “Working with our law enforcement partners – both domestically and abroad – IRS-CI used its unique financial and cyber expertise to help shine a bright light on the accounts and customers of this shadowy black marketplace, and we intend to continue pursuing these kinds of criminals no matter where they hide.”
“This ranks as one of the most successful coordinated takedowns against cybercrime in recent years,” said Executive Director Rob Wainwright of Europol. “Concerted action by law enforcement authorities in the United States and Europe, with the support of Europol, has delivered a massive blow to the underground criminal economy and sends a clear message that the dark web is not a safe area for criminals. I pay tribute to the excellent work of the United States and European authorities for the imaginative and resourceful way they combined their efforts in this case.”
AlphaBay operated as a hidden service on the “Tor” network, and utilized cryptocurrencies including Bitcoin, Monero and Ethereum in order to hide the locations of its underlying servers and the identities of its administrators, moderators, and users. Based on law enforcement’s investigation of AlphaBay, authorities believe the site was also used to launder hundreds of millions of dollars deriving from illegal transactions on the website.
An investigation conducted by FBI Atlanta and the U.S. Attorney’s Office in the Northern District of Georgia identified an AlphaBay staffer living in the United States. That investigation is ongoing.
The investigation into AlphaBay revealed that numerous vendors sold fentanyl and heroin, and there have been multiple overdose deaths across the country attributed to purchases on the site.
According to a complaint affidavit filed in the District of South Carolina against Theodore Vitality Khleborod and Ana Milena Barrero, an investigation into an overdose death on February 16, in Portland, Oregon, involving U-47700, a synthetic opioid, revealed that the drugs were purchased on AlphaBay from Khleborod and Barrero. According to another complaint affidavit filed in the Middle District of Florida against Jeremy Achey, an investigation into a fentanyl overdose death in Orange County, Florida, on February 27, revealed that the lethal substance was purchased on AlphaBay from Achey.
Charges contained in an indictment and/or complaint are merely allegations, and the defendant is presumed innocent unless and until proven guilty beyond a reasonable doubt in a court of law.
This operation to seize the AlphaBay site coincides with efforts by Dutch law enforcement to investigate and take down the Hansa Market, another prominent dark web market. Like AlphaBay, Hansa Market was used to facilitate the sale of illegal drugs, toxic chemicals, malware, counterfeit identification documents, and illegal services. The administrators of Hansa Market, along with its thousands of vendors and users, also attempted to mask their identities to avoid prosecution through the use of Tor and digital currency. Further information on the operation against the Hansa Market can be obtained from Dutch authorities.
The operation to seize AlphaBay’s servers was announced by Attorney General Jeff Sessions; Deputy Attorney General Rod Rosenstein; Acting Assistant Attorney General Kenneth A. Blanco of the Justice Department’s Criminal Division; U.S. Attorney Phillip A. Talbert for the Eastern District of California; Acting Director Andrew G. McCabe of the FBI, Acting Administrator Chuck Rosenberg of the DEA and Europol Executive Director Robert Mark Wainwright.
The case is being investigated by the FBI including FBI Sacramento Field Office and DEA, with substantial assistance from the IRS-CI. U.S. Immigration and Customs Enforcement’s Homeland Security Investigations also assisted in the investigation. The case against Cazes was prosecuted by Assistant U.S. Attorneys Paul A. Hemesath and Grant B. Rabenn of the U.S. Attorney’s Office for the Eastern District of California, and Trial Attorneys Louisa K. Marion and C. Alden Pelker of the Criminal Division’s Computer Crime and Intellectual Property Section. Substantial assistance was provided by the Department of Justice’s Office of International Affairs and Special Operations Division. Additionally, the following foreign law enforcement agencies provided substantial assistance in the operation to seize AlphaBay’s infrastructure: Royal Thai Police, Dutch National Police, Lithuanian Criminal Police Bureau (LCPB), Royal Canadian Mounted Police, United Kingdom’s National Crime Agency, Europol, and French National Police.
Updated December 11, 2017
He Escaped the Dark Web's Biggest Bust. Now He's Back
DeSnake apparently eluded the DOJ's takedown of AlphaBay. The admin talked to WIRED about his return—and the resurrection of the notorious underground marketplace.
By Andy Greenberg
Sep 23, 2021 07:00 AM
Just over four years ago, the US Department of Justice announced the takedown of AlphaBay, the biggest dark web market bust in history. Thai police arrested the site's 26-year-old administrator, Alexandre Cazes, in Bangkok, and the FBI seized AlphaBay's central server in Lithuania, wiping out a marketplace that was selling hundreds of millions of dollars a year worth of hard drugs, hacked data, and other contraband to its 400,000-plus registered users. The FBI called the disruption of the site a “landmark operation.”
But the fate of one key player in that massive black market scheme was never explained: AlphaBay's former number-two administrator, security specialist, and self-described cofounder, who went by the name DeSnake. Now, four years after his market's demise, DeSnake appears to be back online and has relaunched AlphaBay under his own singular leadership. After four years off the radar, he's not keeping quiet about his return.
In an extended chat interview, DeSnake tells WIRED how he walked away unscathed from the takedown of AlphaBay, why he has resurfaced now, and what his plans are for the resurrected, once-dominant online black market. He communicated with WIRED via encrypted text messages, from a frequently changing series of pseudonymous accounts, after proving his identity by signing a public message with DeSnake's original PGP key, which multiple security researchers verified.
"The biggest reason I am returning is to make the AlphaBay name be remembered as more than the marketplace which got busted and the founder made out to have committed suicide," DeSnake writes. Cazes was found dead of an apparent suicide in a Thai jail cell a week after his arrest; like many in the dark web community, DeSnake believes Cazes was murdered in prison. He was driven to rebuild AlphaBay, he says, after reading about an FBI presentation on the circumstances of Cazes' arrest that he deemed disrespectful. "AlphaBay name was put in bad light after the raids. I am here to make amends to that."
A kind of practical paranoia permeated DeSnake's messages to WIRED, both on a personal level and in his plans for AlphaBay's revamped technical protections. (DeSnake says he uses male pronouns.) The revived version of AlphaBay, for instance, allows users to buy and sell only with the cryptocurrency Monero, which is designed to be far more difficult to trace than Bitcoin, whose blockchain has proven to sometimes allow powerful forms of financial tracking. AlphaBay's dark web site is now accessible not only via Tor, like the original AlphaBay, but also I2P, a less popular anonymity system that DeSnake encourages users to switch to. He repeatedly described his wariness that Tor may be vulnerable to surveillance, though he provided no evidence.
DeSnake says his security practices—both the ones he's applying within AlphaBay and on a personal level—go far beyond those of his predecessor, Cazes, who went by the online handle Alpha02. Cazes was caught, in part, through Bitcoin blockchain analysis that confirmed his role as AlphaBay's boss, a trick that would be far more difficult, if not impossible, with Monero. DeSnake argues that new safeguards like these will make AlphaBay that much harder to remove from the dark web this time around. "I had given [Cazes] many 'holy grails' of anonimity, but he chose to use only certain things while he branded other methods/ways as ‘overkill,’" DeSnake writes, in his seemingly foreign-inflected and occasionally misspelled English. "In this game there is no overkill."
DeSnake credits his ongoing freedom to an operational security regimen that borders on the extreme. He says his work computers run an "amnesiac" operating system, like the security-focused Tails distribution of Linux, designed to store no data. He claims, in fact, not to store any incriminating data on hard drives or USB drives at all, encrypted or not, and declined to explain further how he pulls off this apparent magic trick. DeSnake also claims to have prepared a USB-based "kill switch" device designed to wipe his computers' memory and shut them off in seconds if they ever leave his control.
To avoid the risk of his PC being grabbed while he's logged into AlphaBay, DeSnake says he also shuts it down entirely every time he steps away from it, even to take a bathroom break. "Biggest issue in that regard is the human needs … I would say that is the biggest inconvenience," DeSnake writes. "You make sacrifices. Though once you get used to it, it becomes second nature."
After all, law enforcement seized the laptops of Alexandre Cazes and Ross Ulbricht—the latter is serving a life sentence for running the original dark web drug market known as Silk Road–while they were open, running, and logged into administrator accounts on the dark web sites they oversaw. DeSnake, by contrast, makes the very bold claim that his work PC could not implicate him even if seized.
But all of those technical and operational protections may matter less than a simple geographic one. DeSnake claims to be located in a non-extradition country, beyond the reach of US law enforcement. In messages to WIRED, AlphaBay's new boss describes having lived in the former USSR, and he previously wrote Russian-language messages to users on the original AlphaBay's forums.
AlphaBay has long been rumored to have some sort of connections to Russia or Russians. Its rules have always banned the sale of data stolen from victims in former USSR countries, a common prohibition among Russian hackers intended to shield them from Russian law enforcement scrutiny. And when Alexandre Cazes wrote under the Alpha02 moniker on the site, he sometimes signed off with a Russian phrase for “stay safe.” But when Cazes was later tracked down in Thailand, many assumed AlphaBay's Russian fingerprints had been designed to mislead investigators.
DeSnake now claims, however, that he and others involved in the original AlphaBay do in fact remain beyond the reach of Western law enforcement. "You do not shit where you sleep," he writes of AlphaBay's rule against selling the stolen data of ex-Soviet citizens. "We did that for security of other staff members. [Cazes] decided to embrace it as a way to secure himself."
Regardless, DeSnake claims that he has traveled to "several continents within the last 4 years" and "had zero problems," leading him to believe that his years of freedom have been a result not only of his location but of having technically outmaneuvered the law enforcement agencies tracking him. Of course, everything DeSnake told WIRED may itself be misdirection designed to help him further evade those agencies.
When WIRED reached out to Justice Department officials, including one who participated in the original investigation of AlphaBay that resulted in its 2017 takedown, they either didn't respond or declined to comment.
While few of DeSnake's claims can be confirmed, he has at least enjoyed unusual longevity for a dark web market operator. Security firm Flashpoint says it has seen evidence and descriptions of DeSnake operating under the same pseudonym—first as a credit-card-focused cybercriminal on sites like Evolution and Tor Carder Forum before becoming a market administrator himself—since at least 2013.
DeSnake first appeared on the original AlphaBay's forums in the fall of 2014, a vendor of credit card fraud—also known as "carding"—tools and guides, looking for a new home after the administrators of Evolution absconded with their users' money in a so-called "exit scam." He says he quickly befriended Alpha02 by an unorthodox method: He claims he "popped a shell" on AlphaBay, hacking the website and gaining a foothold to run his own commands on its server. Rather than exploit that breach, he says, he helped the administrator fix it and soon became the site's number-two admin and security lead. "I took care of the security and certain admin stuff," DeSnake says. "He took care of the rest."
Nearly three years later, Cazes was arrested and the site torn offline, thanks in part to a trail of evidence that began when the AlphaBay founder leaked a personal email address in the metadata of a welcome message to new users on its forums, a problem DeSnake says he had fixed early on by switching the site's forum software. "I am still in disbelief to this day that he had put his personal email on there," DeSnake says. "He was a good carder and he knew better opsec."
Dark web buyers and vendors haven't exactly flocked back to AlphaBay since its return. A few weeks into the relaunch, it has just under 500 listings, compared to more than 350,000 at AlphaBay's 2017 peak. Those low numbers likely stem from DeSnake's insistence on accepting only Monero, from skeptical dark web users waiting to see if the new AlphaBay is legitimate, and from a barrage of distributed denial-of-service attacks that have knocked the site offline since its launch. But DeSnake argues that dark web markets typically gain an influx of new users only when another popular market shuts down or is busted by law enforcement; neither has happened since AlphaBay came back.
In the meantime, DeSnake wants to attract users with promises of a still-unproven system he calls AlphaGuard, designed to let users withdraw their funds even if authorities once again seize the servers that run AlphaBay's infrastructure.
As DeSnake describes it, AlphaGuard will automatically rent and set up new servers if it detects that AlphaBay's are being taken offline. He even claims that AlphaGuard will automatically hack other websites and plant data on their servers to give users "withdrawal codes" they can use to save the cryptocurrency they've stored on AlphaBay in case of a takedown. "It is a system to ensure users can withdraw funds, settle disputes, and generally go without a cent lost if raids happen," DeSnake writes, "even if it happens on all servers at the same time. It is unstoppable."
If that AlphaGuard feature doesn't sound aspirational enough, DeSnake says he's also in the early stages of a long-term plan to implement a fully decentralized marketplace system, essentially a BitTorrent to the current dark web markets' Napster. In that hyper-ambitious plan, open source programmers and server operators who independently run hundreds or thousands of servers would be paid a portion of profits for hosting markets that would form a vast dark web network with no single point of failure. AlphaBay, DeSnake says, would be one of the "brands" hosted on that network, but any vendor or market could choose to set up their own, with encryption features that would keep each market or store under that administrator's control even as its code is duplicated across a vast array of machines.
DeSnake has discussed that decentralization project since his earliest posts to the AlphaBay forums, and he acknowledges that it's still years away. But he sees it as a way to both make AlphaBay invulnerable to future law enforcement takedowns and to pay back the dark web's users for the millions they lost when the original AlphaBay server was seized. "When it comes to the money making this is investment in the future of AlphaBay," DeSnake writes. "When it comes to ideology I think that is pretty clear. The reason is to make good to the AlphaBay name … this is our way to reimburse the darknet scene for what has happened."
But all of the defensive wizardry that DeSnake describes—both AlphaGuard and the decentralization project—remain largely unproven talk, says Flashpoint analyst Ian Gray, who closely monitors dark web markets. The decentralization plan, for instance, would require collective buy-in from a large number of developers and network operators for what would likely be seen as an essentially illegal project. Gray points out that DeSnake hasn't published any code for either that system or AlphaGuard, and questions why he would relaunch AlphaBay four years after its takedown without any real progress toward his decentralization dream. "He hasn't really demonstrated anything besides launching a marketplace," Gray says. "I'm distrustful of DeSnake, and I think across the communities there's a general distrust."
Gray points to a thread on the largely Russian cybercrime forum XSS, where many commenters expressed their skepticism about DeSnake's return, some implying that he's being controlled by law enforcement. "Lol, how many honest comrades will DeSnake have to turn in now to leave the punishment cell?" one commenter asked in Russian. "It's fake and 99.9% sure and feds opening it again," another wrote.
One former US law enforcement official involved in the original AlphaBay investigation, who asked not to be named, also expressed doubts. "If I were a vendor or user on this site, I would be very concerned with it being either set up for an exit scam or some type of honeypot operation," the former official said, noting that they're not aware of any ongoing law enforcement operations that may be targeting the site.
Nicolas Christin, a dark-web-focused computer scientist at Carnegie Mellon University, verified DeSnake's PGP key against a copy found in his own archive of messages. But that key, he says, could be in the control of law enforcement agencies, or DeSnake himself could have become a law enforcement cooperator. After all, at the same time as AlphaBay's 2017 takedown, the Dutch police took over and controlled Hansa, the second-largest dark web market at the time. "It's unlikely," Christin says of theories that DeSnake is compromised, "but not impossible."
DeSnake counters that if law enforcement had gotten to him and launched the new AlphaBay as a honeypot, they would have simply reused the original AlphaBay's code. Instead, he says, he rewrote it from scratch. And he points out that the Monero-only restriction for the site would make it far less effective for trapping unsuspecting dark web buyers than a site that simply accepts Bitcoin.
"With all of that said you decide for yourself whether you ride the wave with us to the top and beyond," he wrote in a message to users on the dark web market forum Dread. "I understand if you decide not to but over time you will be proven that we are the original AB and we have never been 'compromised' in any way shape or form."
If DeSnake and his revitalized AlphaBay are in fact legit, they may prove to be the opposite of a honeypot: A highly motivated digital black market seemingly beyond the grasp of US law enforcement. And that might well mean that the long track record of one of the dark web's oldest players still has no clear end in sight.
Updated 9-23-2021, 1:10 pm EDT: This story was updated to correct the timing of when Alexandre Cazes was found dead.
THIS IS POSSIBLY "DeSnake" HE WAS RECENTLY A COURIER FOR COCAINE TRAFFICKING WITH SOME OF THE OTHERS INVOLVED...
LINK #1: https://www.facebook.com/jordan.abrams.75
LINK #2: https://www.instagram.com/jordansiny1/
HE ALSO HAS BEEN INVOLVED WITH THE COCAINE TRAFFICKING WITH THIS SHELL COMPANY https://www.mphclub.com TRANSPORTING ROUGHLY 20 KILOS IN LUXURY AUTOMOBILES...
HE NOW USES MONERO SPECIFICALLY BECAUSE OF THE ANONYMITY, AND HAS CREATED MULTIPLE SYNTHETIC IDENTITIES TO TRAVEL AROUND THE WORLD. IT IS BELIEVED HE TRAVELS THROUGHOUT THE EUROPEAN UNION...