The takedown of the Hansa dark web marketplace, done live on national TV by Dutch police, was possible because officers had been running the site themselves – and on Thursday they detailed how they did it.

In 2016, security shop Bitdefender tipped off the Dutch plod that Hansa, one of the most popular dark web markets, was being hosted in the Netherlands. Hansa’s popularity was largely down to its multi-signature Bitcoin handling, which stopped buyers getting ripped off by not releasing payment until an order arrived.

Dark web markets like Hansa, which sell drugs, stolen credit card data, and other forms of nastiness, have been a frustration for police around the world. Thanks to Tor, these online souks are difficult to trace and shut down but – after getting the tip – the Dutch decided to go several stages further and try to destroy the reputation of these kinds of markets, get all of the vendors, and confiscate their Bitcoin.

“We wanted the world to know that you cannot count on staying anonymous online and commit a crime – even on the dark web,” Gert Ras, head of the Netherlands National High Tech Crime Unit, told the Kaspersky Security Analyst Summit this week.

Digging

In October 2016, the cops managed to make a copy of the Hansa private server and reconstructed it on their own network. By digging around they worked out how to use the administrator’s pages and found chat logs that identified two individuals running the site as German nationals.

After contacting the German police, they were told that the two were already under investigation for running an ebook pirating operation. But the scan also tipped off the Hansa administrators that something could be wrong and they shut down the Dutch operation and moved it elsewhere out of the jurisdiction of the Netherlands.

However, the authorities got lucky. The admins sloppily used the same Bitcoin wallet to pay their new hosting company as they did for their Dutch hosting supplier, and the site was traced to Lithuania.

The police managed to get a wiretap on those involved and found out a host of information, including the amount of traffic from the Hansa servers, the names of four site moderators, and the login details for the private chat service they used.

A cunning plan

Around this time the FBI got in contact. The Feds were going after the biggest dark web market, Alphabay, and had found out that some of its infrastructure was hosted in the Netherlands. The two forces agreed to cooperate and hatched a cunning plan – they would publicly shut down Alphabay, wait until everyone flooded to the Hansa site, and catch them at it.

On June 20 last year, the police acted. The two German administrators were arrested at their homes and interrogated. They quickly admitted to running the site and handed over login credentials for their accounts, allowing the police to take full control and move the Hansa servers back to their jurisdiction.

“We copied over the web server, did the same with the coin service and started a new Bitcoin wallet, and linked it to Hansa database,” investigator Marinus Boekelo said. “We only suffered three minutes downtime, but that wasn’t easy. It took three days of 16-hour shifts to get it done.”

Hansa was now being run by the police, but official drug dealing is frowned upon. So they altered the administrator's page to include boxes for shipment tracking numbers, shipping addresses and extra information, and advised sellers to keep it updated.

Intercepted

When dealers entered information, a special drug squad unit intercepted the packages and the information was also spread around EUROPOL so other EU police forces could make their own arrests. They also set a backup Excel spreadsheet for dealers on the site, added lots of business information like turnover and sales rates, and bundled in a “beacon” that revealed the dealer’s IP address.

They also claimed that a hard drive containing the images of illegal products had crashed, and asked dealers to resend pics of their merchandise. Very few stripped out the image’s metadata and some even had the geolocation data in place, showing exactly where it had been taken.

On July 4, the feds moved and arrested the administrator of Alphabay, getting not only the man behind the site but also his unencrypted laptop and passwords. The following day the site was taken down and people flooded to Hansa.

Membership of the market jumped sevenfold and traffic was so heavy they had to close new registrations for a while because the servers couldn’t cope. The cops kept all message logs, encryption keys and currency transactions.

On July 20, during simultaneous press conferences in the Netherlands and US, the servers were shut down on air. The police seized over 2,500 Bitcoins and details of over 26,000 transactions. Hundreds of arrests followed and Ras has promised to share the data with whichever police force wants it. ®