AlphaBay and Hansa Brought Down by Basic Mistakes, Indictment Reveals

On Thursday morning, the Department of Justice, Europol, and Dutch authorities announced a coordinated law enforcement takedown of AlphaBay and Hansa Market, two of the three largest dark web marketplaces used to buy and sell illicit goods and services.

AlphaBay has been offline since July 5, the same day that founder Alexander Cazes was arrested in Bangkok and a week before his apparent suicide. With the dark web’s most popular marketplace suddenly unavailable, many users turned to Hansa, a market that touted its security-focused approach. Unfortunately for those users, Dutch law enforcement had seized control of Hansa on June 20 following the arrest of two administrators in Germany, and law enforcement has been covertly monitoring the market’s activity over the past month.

2017-07-20_HansaSeized.png
The dark web markets AlphaBay and Hansa Market were both taken down in a coordinated law enforcement effort that was announced Thursday morning.

As Europol noted, this joint effort against the two markets helped to “magnify the disruptive impact” of the operation.

“It meant the Dutch police could identify and disrupt the regular criminal activity on Hansa but then also sweep up all those new users displaced from AlphaBay who were looking for a new trading platform,” Europol wrote in its press release. “In fact they flocked to Hansa in their droves, with an eight-fold increase in the number of new members of Hansa recorded immediately following the shutdown of AlphaBay.”

2017-07-20_HansaPractices.png
Database trade is the top trending cybercrime practice associated with Hansa Market over the past year, according to SurfWatch Labs’ data.

With both AlphaBay and Hansa Market now out of the picture, Dream Market is the reigning leader, according to SurfWatch Labs’ threat intelligence data.

How Cazes was Caught and AlphaBay Taken Down

Cazes, who was also known as “Alpha02” or “Admin” on the market, founded AlphaBay in 2014 and ran the site along with a team of eight to 10 individuals, according the unsealed indictment. Over the two-and-a-half-year period the site was operational, AlphaBay grew to become the largest dark web market in history and collected tens of millions of dollars in commissions.

2017-07-20_AlphaBayPractices.png
When AlphaBay was shuttered in early July, it had approximately 370,000 listings for sale across various categories such as fraud, drugs, counterfeit items, software and malware, and more.

However, Cazes made numerous mistakes while running AlphaBay that other malicious actors will be paying close attention to, said SurfWatch Labs chief security strategist Adam Meyer.

“As I read the indictment detailing the AlphaBay takedown in particular, I see a list of mistakes being disclosed by the operators of the market that will certainly be scrutinized by criminal elements in order to ensure they are not repeated in future efforts,” Meyer said. “In similar ways that malware instances are shared, tweaked and reused, those who operate illegal marketplaces — or have the desire to due to its profitability — are certainly taking detailed notes for future efforts.”

As the court documents noted:

  • Cazes’ personal email, “Pimp_Alex_91@hotmail.com,” was included in the header of an AlphaBay welcome email that was sent to new users in December 2014. The email was also included in the header of AlphaBay password recovery emails sent in late 2014.
  • Law enforcement then discovered the email address belonged to a Canadian-born man named Alexandre Cazes with a birthdate of October 19, 1991.
  • A December 2008 post on the online tech forum “http://www.commentcamarche.com” was subsequently found in which a user going by the name “Alpha02” posted information in French on how to properly remove a virus from a digital photo. That post included both the name “Alexandre Cazes” and the email “Pimp_Alex_91@hotmail.com.”
  • The email addresses was also tied to a PayPal account registered in Cazes’ name.
  • When Cazes was arrested, law enforcement discovered his laptop open and in an unencrypted state, as well as logged into the server that hosted the AlphaBay site. While searching the computer they found several open text files with passwords for the AlphaBay site and servers, which allowed law enforcement to seize all the information and cryptocurrency on those servers.

At the time of his arrest, a financial statement on Cazes’ computer put his net worth at $23,033,975. Cazes attempted to justify his wealth through a front company called EBX Technologies, but the indictment noted that the company’s website “is barely functional” and that the company’s bank records show “little to no business income or banking activity.”

What’s Next for the Dark Web?

Dark web market takedowns are significant, Meyer said, but they’re also a part of the now-established cycle of popular markets being disrupted by law enforcement or exit scams only to have new markets rise in their absence.

“While the law enforcement take down of AlphaBay and Hansa are certainly heavily impactful to underground merchants, rest assured new marketplaces will be established and new protocols will be implemented,” Meyer said.

It was just a little over a year ago that the then-number-two most popular market, Nucleus Market, suddenly went offline in an apparent exit scam, helping to bolster both AlphaBay’s and Hansa’s user base. With those two markets now gone, Dream Market has become the temporary king, but that will likely change in the coming months as new markets and new operators step in to fill the void — until the cycle repeats again.

IRS and Cybercriminals Battle Over Billion Dollar Tax Fraud Industry

While new initiatives by the Internal Revenue Service (IRS) are making it harder for cybercriminals to successfully file fraudulent tax returns, those measures have not slowed down the theft of employee W-2 information this year.

The SurfWatch Labs analyst team has observed groups of malicious actors sharing concerns about government efforts to combat fraud, as well as tips on how those protections can be circumvented, in several discussion threads on popular dark web markets. Several of those actors suggested teaming up with other seasoned cybercriminals in order to share tactics and improve their success rates in the face of the new measures. “We’re gonna have to join forces if we are going to beat the odds this year,” wrote one actor on a now-deleted tax fraud discussion thread. Another actor in a separate thread echoed those sentiments: “The process has become much more difficult over the past couple of years, but [it’s] still doable to some extent. Not like in the good ‘ole days though.”

Another actor expressed concern over new verification codes to be included on 50 million W-2 forms during the 2017 tax season — up from two million forms using the codes last year. “My guess is if this is successful, then within 2 years it will be on every W2,” the actor wrote.

An actor in a tax fraud discussion thread speculating that the verification codes used on some W-2 forms may become more widespread in the future.

The IRS has partnered with certain Payroll Service Providers this tax season to provide a 16-digit code designed to help verify the accuracy of millions of W-2s. However, as the IRS noted in its announcement, the verification rollout is only a test and “omitted and incorrect W-2 Verification Codes will not delay the processing” of returns filed this year. Other more tangible efforts to combat tax fraud include the IRS holding any refunds claiming the Earned Income Tax Credit or the Additional Child Tax Credit until February 15 to provide more time to verify the accuracy of returns, and the requirement of an individual’s date of birth and previous-year’s adjusted gross income when using tax software for the first time. Some states also ask for additional identification information, such as driver’s license numbers, in order to file their returns.

Additional anti-fraud efforts have come largely because of the large volume of fraudulent tax returns filed each year. Over the first nine months of 2015, the IRS confirmed that 1.2 million fraudulent tax returns made it into the agency’s tax return processing systems. Attempts to combat the massive amount of fraud resulted in 787,000 fraudulent returns over the same period in 2016 — a nearly 50 percent drop. It’s too early to say how 2017 will fare in terms of the number of fraudulent returns and the total cost to the IRS. What is clear is that cybercriminals are continuing to target tax-related information such as W-2s despite those changes — and they’re having great success.

As I’ve noted in other articles, cybercriminals follow the path of of least resistance and most profit. While cybercriminals face more resistance than in the past, their motivation, opportunity and capability are clearly still there.

Tax-related cybercrime is cyclical, and cyber threat intelligence around the subject peaks around this time every year. However, this past February was the most active month in terms of the volume of data SurfWatch Labs has collected around tax fraud since May 2015, and that spike in 2015 was due to a large amount of threat intelligence data surrounding the theft of taxpayer information from the IRS’ “Get Transcript” service.

The amount of SurfWatch Labs’ tax-related cyber threat intelligence data peaked in February (data through March 6, 2017).

Much of the recent data directly relates to phishing incidents that have resulted in the theft of employee W-2 information. As we wrote in a blog early last month, malicious actors are using the same simple but effective phishing tactics that led to last year’s wave of successful W-2 thefts. This week we saw the number of organizations that have publicly confirmed breaches due to W-2 phishing surpass 100 for the year, and that number does not even include the numerous organizations that had W-2 information stolen through other means, such as data breaches or incidents at tax preparation firms or payroll providers.

That stolen W-2 information is then used to file fraudulent tax returns, commit other forms of identity theft, or sold on various dark web markets for around $10 each. That can translate into a decent profit for a cybercriminal actor who can successfully dupe a handful of payroll or human resource employees into handing over hundreds — or thousands — of W-2 forms at a time.

A vendor from AlphaBay says they have “tons” of stolen W-2 tax forms for sale for only $10 each.

But as we noted above, W-2 forms are now only part of the information needed to successfully dupe the IRS. Many returns will also need information such as the individual’s date of birth and previous year’s adjusted gross income. That information can be harder to come by, and how to best obtain that information is one of the key discussion points on the cybercriminal forums observed by our analysts.

“How do I get to know the AGI [Adjusted Gross Income]?” one actor asked the group in a discussion thread on a dark web forum. Another actor, who claims to have gone solo this year after previously being part of a group engaged in tax fraud, said information such as AGI generally requires other forms of data collection or social engineering. “You’ll have a tricky time getting it,” the actor warned. Later, the actor advised that AGI can often be found in an individual’s car note or home loan documentation.

An actor responding to previous posts about finding AGI figures, as well as the value of targeting 1120S corporate tax forms.

In a separate thread, the same actor wrote a long post that is part inspirational pep talk to wannabe fraudsters frustrated by the recent changes, part FAQ on how to best perform tax fraud. We won’t share the full details of that post here (including details such as which financial institutions and methods work best for receiving fraudulent tax return payments), as this post is meant to help illuminate the thought process of cybercriminals, not to serve as a walkthrough on how to successfully commit tax fraud. Nevertheless, the section on how to find an individual’s AGI is worth noting due to the lengths the actor claims to go — and may now need to go — in order to pull off a successful season of tax fraud.

The actor explained, “For everyone I targeted, I started researching them 6 months ago” by looking through public data for things like birth announcements (to “add that baby child credit”) or for minor offenses such as driving under the influence (to find people who have jobs “in the good bracket” that are also more likely to be “one of the last minute tax filers”).

“Lots of social engineering goes into this as well,” the actor wrote. “I have even been so bold to call some, pretending to solicit them into ‘free tax assistance’ [to] find out when they plan on filing.”

An actor offering advice on how to scout targets for tax fraud.

That extra legwork is why listings on dark web markets that include information such as AGI tend to sell at much higher prices than those without. For example, the listing below, which “contains all info needed for filing [a] tax refund,” was priced at $50, five times the price of a listing selling only stolen W-2 information.

A listing on the Hansa Market selling W-2 information along with the victim’s date of birth and the previous year’s adjusted gross income.

These discussions indicate that efforts made by the IRS, financial institutions, and others have made the practice of filing fraudulent tax returns more difficult for cybercriminal actors. Despite those efforts, a number of tax-related breaches continue to occur and a great deal of effort continues to be made by malicious actors to successfully bypass those protections and steal a slice of that lucrative tax pie.

As one actor reminded everyone: “Tax fraud is a billion dollar entity. Take your cut along with the others. Don’t be dissuaded.”

Top Dark Web Markets: HANSA, Piracy and Exit Scams

HANSA Market is the third most popular dark web market this year, according to data from SurfWatch Labs. It’s a new and growing market focused on the security of its users. Previously in this series we’ve talked about Alpha Bay and the problem of stolen credentials and Dream Market and the cybercrime-as-a-service model. As we turn our attention to HANSA, it’s an opportunity to reflect on how these dark web markets work — and the reason there has been so much turnover the past few years.

Hansa_books
Piracy is one of the top trending cybercrime categories on HANSA market. This includes pirated software, video games, movies, books and other media as well as credentials for related accounts. In the screenshot above a vendor is selling a collection of 21 ebooks by a popular author for just $4.99.

HANSA was created in response to the many exit scams that have occurred over the past few years. Most dark web markets require buyers to deposit money (bitcoins) before they can purchase. Once a market becomes popular, there can be a significant amount of bitcoins in limbo, and owners are often tempted to shut the market down and take all the money that has built up. HANSA created a system that they claim ensures that no exit scam is possible.

“After recent exit scams of various marketplaces (e.g. Evolution, BlackBank) we wanted to create a market where it is impossible for either admins or vendors to run away with your funds,” the admins wrote. “Most markets operate the same: Blindly deposit money into your account, wait for confirmations and then make the purchase. … On HANSA you do not have to deposit Bitcoins before your purchase. Every order is simply a Bitcoin transaction itself.”

How Do Exit Scams Work?

Not long ago — before the FBI took down Silk Road and creator Ross Ulbricht was sentenced to life in prison — there was a dream of a victimless black market where users could Anonymously purchase illicit goods such as drugs beyond the reach of intrusive government laws. But as Wired’s Andy Greenberg wrote in January, that dream is now largely dead due to the many exit scams and the turnover in marketplace leaders over the past few years:

The result has been that the libertarian free-trade zone that the Silk Road once stood for has devolved into a more fragmented, less ethical, and far less trusted collection of scam-ridden black market bazaars. Instead of the Silk Road’s principled—if still very illegal—alternative to the violence and unpredictable products of street dealers, the dark web’s economy has become nearly as shady as the Internet back alley politicians and moralizing TV pundits have long compared it to.

The most striking example of this is the Evolution Market exit scam. In March of 2015, the Evolution marketplace halted bitcoin withdrawals from the site for a week, using the excuse of technical difficulties as the owners, known as Verto and Kimble, let the virtual coffers build. Then they closed up shop and walked away with an estimated $12 million in bitcoin.

An admin for the market summed up the bad news to fellow users in a Reddit post, “I am so sorry, but Verto and Kimble have fucked us all.”

In April 2016, a year after the disappearance of Evolution, Nucleus Market, at the time the number two most popular dark web marketplace, suddenly vanished. Rumors of an exit scam abound.

However, not all exit scams are so high profile. Most exit scams are actually done by individual vendors, as Motherboard’s Jon Christian noted.

“It turns out that a logistical problem with darknet markets is that when a vendor throws in the towel, it’s very tempting for him or her to stop mailing drugs, but continue pocketing customers’ payments for as long as possible,” Christian wrote. “If you’ve built up a good reputation on a darknet market’s seller rating system — which, like eBay, is based on feedback from other users — why not keep pulling in cash until the review system catches up with you?”

Escrow Payments and Finalizing Early

Many markets offer protection to buyers against this type of scam in the form of escrow payments. A neutral third party such as the market holds the money until the buyer has received the goods. After the buyer receives the order, payment is released. In the case of disputes, marketplace admins often act as an arbiter. However, many buyers and sellers use something known as “Finalize Early.” Essentially, the buyer releases the funds from escrow before receiving the goods or services. Some vendors abuse this trust.

HANSA does not offer the option to Finalize Early, ensuring that extra layer of protection is behind all market transactions.

While this policy helps protect buyers from vendor exit scams, there is still the concern that the market itself may perform an exit scam. In fact, this is one reason why some vendors prefer Finalizing Early. With numerous transactions in escrow, the market can at any time be holding a significant amount of bitcoins, and that can be tempting to steal. Finalizing Early lets those vendors receive payment immediately.

Multisignature Transactions

This is where multisignature escrow applies. HANSA uses a 2-of-2 multisignature escrow process (vendor-HANSA). As they explain, “Funds can only be accessed by the vendor after the buyer finalizes a transaction and can never be accessed by the site staff. Theft from either party is impossible.”

In January HANSA announced that it now supports 2-of-3 multisig transactions (buyer-vendor-HANSA) as well.

“The only flaw our market had in the past was the loss of Bitcoins in cases like the vendor losing his/her Bitcoin private key or him/her refusing to refund buyers in cases of disputes,” HANSA announced. “Fortunately this has happened very rarely and we have reimbursed the buyer every time out of our own pocket. Still, this can be avoided.”

With 2-of-3 multisig transactions, money is transferred into an escrow fund shared by the buyer, the seller and HANSA. Once two out those three parties approve the transaction, the funds are released.

This isn’t a new system. In fact, Evolution offered multisignature transactions designed to stop the exact kind of exit scam they eventually performed, but not many buyers used the feature.

As a moderater of the DarkNetMarket subreddit noted after the Evolution theft, “Maybe this will open more people’s eyes to the benefits of multisig.” Then he added, “Nah, who am I kidding? When has an event like this ever changed anything?”

The disadvantage is that the process can seem complicated and may turn away some users, which may be one of the reasons why HANSA is not quite as popular as AlphaBay and Dream Market — although at the moment it remains as one of the more trusted and stable dark web markets.