The Ripple Effect of the Hansa Takedown

By on Mar 19, 2018

For nearly a decade we have witnessed the systemic rise and fall “dark net” markets. Each time a site is taken down by law enforcement, we see other, opportunistic ones capitalize on buyers looking for new places to purchase illegal goods. Last year we explored the takedowns of the popular black markets AlphaBay and Hansa and saw a noticeable hesitation. Something about these takedowns had an impact, if even short term, among buyers and sellers on dark net markets. After examining the flow of crime across the dark web following these two sites under siege, we have found that these takedowns had noticeable impact.

AlphaBay was a massive marketplace and has been the top market since the year following the Silk Road takedown. Once AlphaBay was stopped last year, we began tracking cybercriminal response and saw the migration to smaller markets, including Hansa, which had an influx of of new vendors and buyers shortly after AlphaBay disappeared. This is similar behavior to what we saw after the Silk Road takedown. Orphaned users needed a new home and migrated to newer markets such as Dark Market Reloaded, Evolution, Silk Road 2.0, and eventually AlphaBay. Some of these turned out to be scams—as seen with Evolution—or were subject to law enforcement takedowns—as was the case with Silk Road 2.0 with Operation Onymous. Dark net markets are no strangers to risk.

Although AlphaBay was a large takedown, it had a similar impact to many dark net market exits before it. However, the follow-up Hansa takedown was an unexpected blow and likely a heavy psychological hit. Criminals predictably flocked to several other markets, including Hansa. Law enforcement was ready for them as they had hijacked the two administrators’ accounts, migrated the market to a different infrastructure and got full control of Hansa for almost a month over the course of the operation. During this period, law enforcement successfully worked on a trap that undermined the trust of a lot of buyers and sellers. Criminals were unaware, migrating from market to market and assuming they were untouchable in a game of wack-a-mole. They were proven wrong. By using a variety of methods, the law enforcement agencies involved identified a large portion of vendors and buyers, disrupting both confidence and trust.

After it was publicly announced that Hansa was under the control of law enforcement, panic started to spread in the dark net market community and on social media. Even vendors on other markets were no longer trusted. Reports on Reddit came out that their PGP keys were somehow changed, creating much confusion. In the eyes of the paranoid, everyone was compromised. In spite the increased distrust, many markets survived, including one of the largest dark markets today, Dream Market. However, migration to these markets was slow. The seemingly business-as-usual takedown of AlphaBay, followed up by the complete takeover of Hansa, had made its mark.

Dark markets continue to grow and survive. As long as the profitability of dark net markets is viable, they will continue to emerge. Stolen digital data, which drives much of the profits, will continue to be a key motivator. As long as there is a market, we must secure our data. This effort starts by being diligent about protecting our assets.

There are a few key ways to reduce risk. For businesses and individuals, this includes maintaining proper procedures and practices that ensure good security hygiene. Never share data unless the requester is trusted and sharing is absolutely necessary. And always use a security infrastructure that safeguards the data centers or cloud storage your organization uses to collect and store crucial data.

To learn more about our fight against cybercrime, be sure to follow us at @McAfee and @McAfee_Labs.

About the Author

Charles McFarland

Charles McFarland is a Senior Research Scientist. He has been working in the security industry since 2006, focusing on technical training and specialized in encryption technologies before moving on to threat intelligence research. In past research, he has focused on underground markets, and actor behavior. Currently, he is focused on Ransomware campaigns and the actors ...

Read more posts from Charles McFarland

Subscribe to McAfee Securing Tomorrow Blogs