How Police Killed the Internet Drug Trade

On July 5, American federal police took down the biggest darknet market, Alphabay, after which its administrator, 26-year-old Alexandre Cazes, committed suicide in a Thai jail. A few weeks later Dutch police seized the second biggest market, Hansa, which produced an apocalyptic atmosphere in the darknet market user community. To complicate matters even further, there have been reports that the third biggest market, Dream, is also compromised, and users have been warned not to use it.
Many traders and big buyers are now afraid that their identities have been revealed and are more or less expecting a police bust any time now.
Faith in the ability of the Tor network to provide any sort of anonymity has been seriously shattered, not only among users of darknet markets but also among other users of the Tor anonymizer. And let's not forget that Tor also has a more legitimate use: it has been the instrument of civil-rights activists and of the opposition in oppressive regimes, which seem to be on the rise worldwide.
So let's put the rumors aside and analyze what really happened and how compromised the network really is.

The case of Ross Ulbricht

To start with, we should remember the beginnings of the darknet market phenomenon and the fall of the (in)famous Silk Road. Recently, on May 31, the punishment for Silk Road administrator Ross William Ulbricht was confirmed by the United States Court of Appeals. Ulbricht got life imprisonment without the possibility of parole. The harshness of the sentence is obvious if we compare it, for instance, with that of George Jacob Jung, portrayed by Johnny Depp in the 2001 movie Blow. A man high in the command of Pablo Escobar's powerful Medellin cartel, responsible for 85 percent of the cocaine smuggled into the US in the 70s and early 80s, got a 60-year sentence in the mid 90s, after repeated drug smuggling offences, the last involving 796 kilograms of cocaine. After that he was released on parole, then rearrested for a parole violation, and finally released from prison under a month ago, on July 3. Ulbricht, however, is not likely to experience life outside ever again.
It is pretty obvious there is a double standard for traditional drug traffickers as opposed to darknet market administrators, who never have to actually see any of the drugs, guns and murders that are normal in that line of business. If anything, it reflects the massive frustration of the authorities with their inability to actually prevent Internet drug trade. Until now.
So what changed?

Psychological Warfare

When Silk Road got busted, it practically instantly propelled several of the lesser markets into the big game, not unlike the mythical Hydra, which grows two heads when you cut one off. But this time the police used a different approach, waiting to take down the biggest markets together and thus suggest that Tor is unsafe and cannot be used for running illegal operations. This is really an act of psychological warfare, an attempt to deal the Internet drug trade a blow that will be hard to recover from. If we use the available information on the busts, it becomes quite obvious that instead of some major technological advancement that deanonymized Tor, the police were actually following the inevitable trail of mistakes left for them by overconfident darknet admins (just like in the Silk Road case).

Alphabay

The indictment against the now deceased Alphabay admin Alexandre Cazes reveals that police uncovered his real identity at the very beginning of the Alphabay market in 2014, due to an almost unbelievably stupid mistake. In the header of the welcome email users received upon registration, the admin left the email address "Pimp_Alex_91@hotmail.com". Yes, his name was Alexander and he was born in 1991, but even that is not all: he reused on Alphabay the same name (alpha02) that he used on another forum, where the same email address appeared. The connection was easy to make, and from there the police were able to trace him and discover that he was not just sloppy with site administration but also unbelievably careless with money, buying millions of dollars worth of property and expensive vehicles (he owned six Lamborghinis). So the real question is not how they found him, but why it took them three years to take down Alphabay. And the answer is, of course, the psychological mindfuck game they were preparing.

Hansa

The fall of Hansa is not the result of a simple OPSEC mistake, but neither is it the result of deanonymizing the network. The chain of events can be reconstructed from the Dutch police interviews. After a massive investigation of Internet traffic, possibly using the well-described route of a traffic correlation attack, or, as this interview (English translation on Reddit) suggests, by an actual tip, the police were able to physically locate the servers in the Netherlands and Lithuania. The Netherlands server had already been deserted by the time they reached it, but a Europol action was able to seize the active one in Lithuania. Since they had the information that Alphabay was about to go down, the Dutch police did the unprecedented thing and actually ran the market for around 27 days, in order to get access not only to Hansa users but also to "refugees" from Alphabay. Among the interesting details is the fact that Hansa users were warned on Reddit some two weeks ago by Reddit user /u/luckydukyquack. Of course, once the massive migration was over and the time was right, the police terminated the market.

Dream

The same user that warned about the Hansa seizure warned some twelve days ago, and then again recently, that the third largest market, Dream, was also compromised. However, it has been known for some time that the Dream team (I had to :) left a massive security hole by leaving an IP address in their code. That is something that does not pass unnoticed by law enforcement. So, regardless of the market still being operational, it should be considered infiltrated and is most likely being run by the police.

Should We be Rejoicing the Markets are Down?

By no means. Even if you consider drug prohibition necessary, unlike the regular drug trade the Internet markets are not connected to high levels of armed violence. Selling drugs over the Internet makes the streets much safer, and it makes your kids much safer if they choose to use drugs. The US attorney general Jeff Sessions cited two fentanyl deaths from drugs obtained over the Internet when he announced the demise of the two biggest darknet markets. But in reality there is hardly a stronger case for the Internet drug trade than the fentanyl epidemic. If you use opioids like heroin nowadays, it is very likely you will eventually run across some synthetic ones from the deadly fentanyl family of chemicals, often masked as heroin. People are dying in serious numbers from it. But unlike on the street, on the darknet users had the support of a review system and forums, with many dedicated individuals testing the products and publishing the results. Now users can only rely on the honesty of street dealers and armed gangsters. Draw your own conclusion about which is safer.

Are Markets Down for Good?

No, they will come back stronger than ever, but they will have to reorganize technically, maybe in the direction of P2P networking, which would make traffic-based attacks less likely. Also, they would have to be run by much smarter people.

Links in the text:
https://www.justice.gov/opa/press-release/file/982821/download
https://www.reddit.com/r/DarkNetMarkets/comments/6ogs83/how_alphabay_was_taken_down_due_to_a_simple_opsec/
https://krebsonsecurity.com/2017/07/exclusive-dutch-cops-on-alphabay-refugees/
https://security.stackexchange.com/questions/147402/how-do-traffic-correlation-attacks-against-tor-users-work
https://www.bnr.nl/cookiewall?target=%2Fplayer%2Faudio%2F10064595%2F10326740
https://www.reddit.com/r/AlphaBayMarket/comments/6m8wl6/hansa_is_compromised_as_well/
http://thehackernews.com/2017/07/dream-market-darkweb.html