For anyone who has watched the last few years of cat-and-mouse games on the dark web's black markets, the pattern is familiar: A contraband bazaar like the Silk Road attracts thousands of drug dealers and their customers, along with intense scrutiny from police and three-letter agencies. Authorities hunt down its administrators, and tear the site offline in a dramatic takedown—only to find that its buyers and sellers have simply migrated to the next dark-web market on their list.
So when Dutch police got onto the trail of the popular dark-web marketplace Hansa in the fall of 2016, they decided on a different approach: Not a mere takedown, but a takeover.
In interviews with WIRED, ahead of a talk they plan to give at Kaspersky Security Analyst Summit Thursday, two Netherlands National High Tech Crime Unit officers detailed their 10-month investigation into Hansa, once the largest dark-web market in Europe. At its height, Hansa's 3,600 dealers offered more than 24,000 drug product listings, from cocaine to MDMA to heroin, as well as a smaller trade in fraud tools and counterfeit documents. In their probe into that free-trade zone, which would come to be known as Operation Bayonet, the Dutch investigators not only identified the two alleged administrators of Hansa's black market operation in Germany, but went so far as to hijack the two arrested men's accounts to take full control of the site itself.
The NHTCU officers explained how, in the undercover work that followed, they surveilled Hansa's buyers and sellers, discreetly altered the site's code to grab more identifying information about those users, and even tricked dozens of Hansa's anonymous sellers into opening a beacon file on their computers that revealed their locations. The fallout of that law enforcement coup, the officers claim, has been one of the most successful blows against the dark web in its short history: millions of dollars' worth of confiscated bitcoins, more than a dozen arrests and counting of the site's top drug dealers, and a vast database of Hansa user information that authorities say should haunt anyone who bought or sold on the site during its last month online.
"When a dark market is taken down, everyone goes to the next one. It's a whack-a-mole effect," says Marinus Boekelo, one of the NHTCU investigators who worked on the Hansa operation. By secretly seizing control of Hansa rather than merely unplugging it from the internet, Boekelo says he and his Dutch police colleagues aimed not only to uncover more about Hansa's unsuspecting users, but to deal a psychological blow to the broader dark-web drug trade. "We thought maybe we could really damage the trust in this whole system," he says.
While the Hansa takeover at times involved the close cooperation of American and German law enforcement, neither the US Department of Justice nor the German Federal Criminal Police Office responded to WIRED's requests for comment, leaving some elements of the NHTCU's account without independent confirmation. What follows is the Dutch police's own, candid description of their experience digging into—and ultimately running—one of the world's top online narcotics trafficking operations.
Despite its dramatic turns, the Hansa investigation started in a traditional fashion: with a tip. A security company's researchers believed they had found a Hansa server in the Netherlands data center of a web-hosting firm. (Security firm BitDefender has claimed some involvement in the Hansa operation. But the NHTCU declined to reveal the name of the security company or the web-hosting firm, along with several other details they say they're keeping under wraps to protect methods and sources. Even the names of the two German men charged with running Hansa remain secret, since German law protects the names of prosecuted individuals until their trial.)
As Boekelo tells it, the security firm had somehow found Hansa's development server, a version of the site where it tested new features before deploying them in the live version that handled its formidable load of thousands of visits from drug shoppers every day. While the live Hansa site was protected by Tor, the development server had somehow been exposed online, where the security firm discovered it and recorded its IP address.