Skip to main content

Operation Bayonet: Inside the Sting That Hijacked an Entire Dark Web Drug Market

Dutch police detail for the first time how they secretly hijacked Hansa, Europe's most popular dark web market.

How Dutch Police Took Over Hansa a Top Dark Web Market
HOTLITTLEPOTATO

For anyone who has watched the last few years of cat-and-mouse games on the dark web's black markets, the pattern is familiar: A contraband bazaar like the Silk Road attracts thousands of drug dealers and their customers, along with intense scrutiny from police and three-letter agencies. Authorities hunt down its administrators, and tear the site offline in a dramatic takedown—only to find that its buyers and sellers have simply migrated to the next dark-web market on their list.

So when Dutch police got onto the trail of the popular dark-web marketplace Hansa in the fall of 2016, they decided on a different approach: Not a mere takedown, but a takeover.

In interviews with WIRED, ahead of a talk they plan to give at Kaspersky Security Analyst Summit Thursday, two Netherlands National High Tech Crime Unit officers detailed their 10-month investigation into Hansa, once the largest dark-web market in Europe. At its height, Hansa's 3,600 dealers offered more than 24,000 drug product listings, from cocaine to MDMA to heroin, as well as a smaller trade in fraud tools and counterfeit documents. In their probe into that free-trade zone, which would come to be known as Operation Bayonet, the Dutch investigators not only identified the two alleged administrators of Hansa's black market operation in Germany, but went so far as to hijack the two arrested men's accounts to take full control of the site itself.

'We thought maybe we could really damage the trust in this whole system.'

Marinus Boekelo, NHTCU

The NHTCU officers explained how, in the undercover work that followed, they surveilled Hansa's buyers and sellers, discreetly altered the site's code to grab more identifying information of those users, and even tricked dozens of Hansa's anonymous sellers into opening a beacon file on their computers that revealed their locations. The fallout of that law enforcement coup, the officers claim, has been one of the most successful blows against the dark web in its short history: millions of dollars worth of confiscated bitcoins, more than a dozen arrests and counting of the site's top drug dealers, and a vast database of Hansa user information that authorities say should haunt anyone who bought or sold on the site during its last month online.

"When a dark market is taken down, everyone goes to the next one. It's a whack-a-mole effect," says Marinus Boekelo, one of the NHTCU investigators who worked on the Hansa operation. By secretly seizing control of Hansa rather than merely unplugging it from the internet, Boekelo says he and his Dutch police colleagues aimed not only to uncover more about Hansa's unsuspecting users, but to deal a psychological blow to the broader dark-web drug trade. "We thought maybe we could really damage the trust in this whole system," he says.

While the Hansa takeover at times involved the close cooperation of American and German law enforcement, neither the US Department of Justice nor the German Federal Criminal Police Office responded to WIRED's requests for comment, leaving some elements of the NHTCU's account without independent confirmation. What follows is the Dutch police's own, candid description of their experience digging into—and ultimately running—one of the world's top online narcotics trafficking operations.

Pulling Loose Threads

Despite its dramatic turns, the Hansa investigation started in a traditional fashion: with a tip. A security company's researchers believed they had found a Hansa server in the Netherlands data center of a web-hosting firm. (Security firm BitDefender has claimed some involvement in the Hansa operation. But the NHTCU declined to reveal the name of the security company or the web-hosting firm, along with several other details they say they're keeping under wraps to protect methods and sources. Even the names of the two German men charged with running Hansa remain secret, since German law protects the names of prosecuted individuals until their trial.)

As Boekelo tells it, the security firm had somehow found Hansa's development server, a version of the site where it tested new features before deploying them in the live version that handled its formidable load of thousands of visits from drug shoppers every day. While the live Hansa site was protected by Tor, the development server had somehow been exposed online, where the security firm discovered it and recorded its IP address.

Advertisement
Gert Ras (left) and Marinus Boekelo (right).Manuel Velásquez Figueroa

The Dutch police quickly contacted the web host, demanded access to its data center, and installed network-monitoring equipment that allowed them to spy on all traffic to and from the machine. They immediately found that the development server also connected to a Tor-protected server at the same location that ran Hansa's live site, as well as a pair of servers in another data center in Germany. They then made a copy of each server's entire drive, including records of every transaction performed in Hansa's history, and every conversation that took place through its anonymized messaging system.

Even that massive security breach shouldn't have necessarily exposed any of the site's vendors or administrators, since all of Hansa's visitors and admins used pseudonyms, and sites protected by Tor can only be accessed by users running Tor, too, anonymizing their web connections. But after poring through the contents of the servers, the police found a major operational slip-up: One of the German servers contained the two alleged founders' chat logs on the antiquated messaging protocol IRC. The conversations stretched back years, and amazingly, included both admins' full names and, for one man, his home address.

Setting the Trap

Hansa's two suspected admins, the Dutch cops had discovered, were across the border in Germany—one 30-year-old man in the city of Siegen, and another 31-year-old in Cologne. But when the NHTCU contacted the German authorities to request their arrest and extradition, they discovered the pair were already on the radar of German police, and under investigation for the creation of Lul.to, a site selling pirated ebooks and audiobooks.

That gave the Dutch investigators an idea: Perhaps they could use the existing German investigation as cover for their own operation, letting the German police nab their suspects for e-book piracy and then secretly taking over Hansa without tipping off the market's users. "We came up with this plan to take over. We could use that arrest," says Gert Ras, the head of the NHTCU. "We had to get rid of the real administrators to become the administrators ourselves."

Just as the NHTCU's elaborate trap started to take shape, however, it was also falling apart: The Hansa servers the Dutch cops were watching suddenly went silent. Ras and Boekelo say they suspect that their copying of the servers somehow tipped off the site's admins. As a result, they had moved the market to another Tor-protected location, shuffling it in Tor's vast deck of anonymized machines around the globe. "That was a setback," Ras says.

Advertisement

Even then, remarkably, the Dutch cops could have simply cut their losses, asked the Germans to arrest Hansa's administrators, and likely used clues from their computers to find the site's servers and shut them down. Instead, they decided to stick with their stealthy takeover plan, and spent the ensuing months poring over evidence—even as the site continued its brisk narcotics trade—in an attempt to locate the Hansa servers again and quietly hijack them. Finally in April 2017, they got another lucky break: The alleged administrators had made a bitcoin payment from an address that had been included in those same IRC chatlogs. Using the blockchain analysis software Chainalysis, the police could see that payment went to a bitcoin payment provider with an office in the Netherlands. And when the police sent that bitcoin payment firm a legal demand to cough up more information, it identified the recipient of that transaction as another hosting company, this time in Lithuania.

Two For One

Not long after pinpointing those servers for the second time, the NHTCU learned of another surprising windfall: The FBI contacted them to tell them that they'd located one of the servers for AlphaBay, the world's most popular dark-web drug market at the time—far larger than Hansa—in the Netherlands. American investigators were closing in and wanted to pull the plug, just as the Dutch were planning to commandeer Hansa.

The Dutch police quickly realized that after AlphaBay was shut down, its refugees would go searching for a new marketplace. If their scheme worked, AlphaBay's users would flood to Hansa, which would secretly be under police control. "Not only would we get this effect of undermining the trust in dark markets, we'd also get this influx of people," Ras says. They'd be able to surveil a far larger portion of the dark-web economy, he says, and instill a sense in users that there was nowhere to hide. Even fleeing to another marketplace wouldn't let them escape law enforcement's reach.

With the pieces of the takeover plan in place, the Dutch police sent a pair of agents to the Lithuanian data center, taking advantage of the two countries' mutual legal assistance treaty. On June 20, in a carefully timed move designed to catch the two German suspects at the keyboard, the German police raided the two men's homes, arrested them, and seized their computers with their hard drives unencrypted. The Germans then signaled the Dutch police, who immediately began the migration of all of Hansa's data to a new set of servers under full police control in the Netherlands.

"We coordinated with the Germans, so that when they busted in the door we immediately started our action," says Boekelo. "We didn’t want to have any downtime."

Under questioning in a German jail, the two men handed over credentials to their accounts, including the Tox peer-to-peer chat system they had used to communicate with the site's four moderators. After three days, Hansa was fully migrated to the Netherlands and under Dutch police control. No users—or even those moderators—appeared to have noticed the change.

Total Control

For the next month, the Dutch police would use their position at the top of Europe's largest dark-web market to pull off increasingly aggressive surveillance of its users. They rewrote the site's code, they say, to log every user's password, rather than store them as encrypted hashes. They tweaked a feature designed to automatically encrypt messages with users' PGP keys, so that it secretly logged each message's full text before encrypting it, which in many cases allowed them to capture buyers' home addresses as they sent the information to sellers. The site had been set up to automatically removed metadata from photos of products uploaded to the site; they altered that function so that it first recorded a copy of the image with metadata intact. That enabled them to pull geolocation data from many photos that sellers had taken of their illegal wares.

The administrators' internal control panel for Hansa, showing a list of disputed sales that had been escalated from the site's four moderators.NHTCU

As they tell it, the police eventually became so brazen that they staged a fake server glitch that deleted all the photos from the site, forcing sellers to re-upload photos and giving Dutch authorities another chance to capture the metadata. That ruse alone snagged the geolocated coordinates of more than 50 dealers.

Advertisement

In perhaps its most intrusive move of all, the NHTCU says it essentially tricked users into downloading and running a homing beacon. Hansa offered sellers a file to serve as a backup key, designed to let them recover bitcoin sent to them after 90 days even if the sites were to go down. The cops replaced that harmless text document with a carefully crafted Excel file, says Boekelo. When a seller opened it, their device would connect to a unique url, revealing the seller's IP address to the police. Boekelo says that 64 sellers fell for that trap.

Throughout the trickery, Hansa thrived under the NCHTU's secret control. The undercover agents had studied the logs of the real admins' conversations with their moderators and the site's users long enough to convincingly impersonate them, Ras and Boekelo say. In fact, a whole team of officers took turns impersonating the two admins, so that when disputes between buyers and sellers escalated beyond the moderators' authority, undercover agents were ready to deal with them even more efficiently than the real admins had. "The quality really went up," says Ras. "Everyone was very satisfied with the level of service they got."

Springing the Trap

That competence also made Hansa the natural destination when AlphaBay suddenly winked out of existence in early July of last year. As drug buyers became impatient, eventually more than 5,000 a day of them flocked to Hansa, eight times the normal registration rate, the NHTCU says—all of whom immediately fell under police surveillance.

One week after Alphabay first went down, the Wall Street Journal reported that the site's servers had been seized in a law enforcement raid and that its founder, Canadian Alexandre Cazès, had apparently committed suicide in a Thai prison. The news threw the dark web community into chaos. The resulting flood of Alphabay refugees became so large that the NHTCU shut down new registrations for ten days. The police were bound by Dutch law to track and report every transaction occurring on the site under their control to Europol; with roughly 1,000 illegal transactions occurring every day on their watch, the paperwork was becoming unmanageable.

After AlphaBay's shutdown, users poured into Hansa, which was under the Dutch police's full control.NCHTU

During their time as black market administrators, the Dutch police only banned one product on Hansa: the highly dangerous opioid Fentanyl. All other drugs on the site continued to flow freely, a circumstance over which Ras and Boekelo seem surprisingly unconflicted. "They would have taken place anyway," says Ras without hesitation, "but on a different market."

After 27 days and about 27,000 transactions, however, the NHTCU decided to hang up its ledger. It unplugged Hansa, replacing the site with a seizure notice and a link to the NHTCU's own Tor site showing a list of identified and arrested dark-web drug buyers and sellers. "We trace people who are active at Dark Markets and offer illicit goods or services," the site read. "Are you one of them? Then you have our attention."

Fallout

The Dutch police came away from their Hansa takeover with concrete rewards: They obtained at least some data on 420,000 users, including at least 10,000 home addresses, which they've turned over to Europol to be distributed to other police agencies around Europe and the world. Since the takedown, Ras says, they've arrested a dozen of Hansa's top vendors, with more arrests planned for coming weeks. They seized 1,200 bitcoins from Hansa, worth about $12 million by today's exchange rates. Since Hansa used bitcoin's multi-signature transaction function to protect funds from police seizure, that confiscation was only possible because the NHTCU had taken over the site and sabotaged its code to disable that feature during Hansa's last month online.

Advertisement

The Dutch police say they've also performed roughly 50 "knock-and-talks," in-person visits to buyers' homes to let them know they've been identified by their dark-web drug purchases, though they say only one high-volume buyer has been arrested so far. "We want people to be aware," says Ras. "We have the data. It's here, and it's not going away."

'Everyone was very satisfied with the level of service they got.'

Gert Ras, NHU

As for the operation's impact on the overall drug trade, the police point to a study by the Netherlands Organization for Applied Scientific Research, which found that the Hansa hijacking did have a significantly different outcome from previous dark-web takedowns. While most drug vendors who fled AlphaBay showed up soon after on other dark web drug sites, those who fled Hansa didn't—or if they did, they recreated their online identities thoroughly enough to escape recognition. "Compared to both the Silk Road takedowns, or even the AlphaBay takedown, the Hansa Market shut down stands out in a positive way," the report reads. "We see the first signs of game-changing police intervention."

Other dark-web trackers aren't so sure. Nicolas Christin, a researcher at Carnegie Mellon, says it's tough to measure the long-term impact of the Hansa operation, as drug buyers and sellers still flock to alternative sites like Dream Market, the new top dark-web drug site after Hansa and AlphaBay's desmise, and even to invite-only sites created by individual sellers. "I think in the short term, it created a lot of upheaval," Christin says. "Whether it was sustained, I really don't know."

As for Hansa's users themselves, opinion seems split. "Looks like I'll be sober for a while. Not trusting any markets," one user wrote on Reddit's darknet-focused forum the day the Hansa takedown was announced last summer.

But some insisted that the dark web would bounce back, even from the most elaborate sting operation it had ever seen. "Things will stabilize, they always do," that anonymous user wrote. "The Great Game of whack-a-mole never ends."

Caught in the Dark Web

This story has been updated to include BitDefender's claim of involvement.

// // //