Markets: AlphaBay (v1)

From Darkipedia

According to some sources, the AlphaBay marketplace was first launched in a beta state in July 2014 and was opened as a fully operational, publicly available market later that year, on December 22. Within the first three months of becoming fully operational, it gained approximately 14,000 global users. It then saw a massive influx of new users in the months after the Evolution marketplace shut down in an exit scam in mid-March 2015, bringing the total user count to over 200,000 by October. At the time, this made it the fastest-growing and largest dark-net market in history, though its popularity and size were briefly surpassed by the Hydra marketplace after its seizure.

The market’s founder and head administrator, “alpha02”, was later identified as Alexandre Cazes during the site’s seizure by law enforcement in July 2017. According to DeSnake, alpha02 instated a refugee vendor from Evolution going by the moniker “DeSnake” as his administrator and security lead after DeSnake hacked the marketplace and helped alpha02 patch the security flaws instead of exploiting them.

AlphaBay started out as a rather ordinary marketplace with common features such as a standard Bitcoin payment system, integrated escrow, and availability only on the Tor network. It was, however, more liberal than most other markets in what it allowed to be sold: weapons, including firearms, were not prohibited and were frequently sold by vendors on the marketplace. Later on, the administrators added new and unique features that made it the most innovative marketplace of its time. These included an “auto-shop”, which significantly simplified the process of credit card-related fraud, and a Monero payment system, implemented at the end of August 2016, which did not replace the existing Bitcoin payment system but was available for use alongside it.

The feature that could easily be argued to be the most notable was the smart contract platform implemented in May 2015. For a $5 fee per initiated contract, two parties could make any sort of deal they desired, whether it related to a service such as hacking, a specific order for drugs or weapons that came with additional terms and conditions, or, for the most part, anything else. The smart contract platform had an escrow system and allowed a dispute to be raised if one party was not satisfied with the product or service that the other party had agreed to deliver. The dispute system was similar to PayPal’s, and the outcome of a dispute would be decided by an AlphaBay moderator. If one party was found not to have delivered their part of the agreement, it would negatively impact their reputation, whereas users who successfully completed contracts would have their “completed contract” count increased. alpha02 warned that users who had too many failed contracts could be banned.

AlphaBay first gained widespread media attention on March 28, 2015, when Vice reported that what appeared to be legitimate Uber accounts were being sold by a vendor on the market for as little as $1 each. This caused great concern among Uber users, as the company denied that there had been any kind of data breach. The market once again received significant media attention in October of the same year, after the U.K.-based telecommunications company TalkTalk was compromised. Customer information, including personal information and banking details, was being sold on the market shortly after the company refused to pay the ransom demanded by a group claiming to be responsible for the attack.

Although a plethora of hacked data was available for sale on the AlphaBay marketplace, and despite the implementation of many security features, such as requiring all vendors to set up two-factor authentication, the site itself suffered several security breaches. The most notable incident took place in April 2016, when an API was implemented to allow users to retrieve certain information from their accounts without logging onto the site. A bug in the API sent users private messages from any account on the marketplace instead of their own account information. Some people claimed to have been able to see messages sent by market staff members, login details for hacked Netflix accounts, download links for digital products, and even unencrypted shipping information belonging to buyers who did not use PGP.

In January of the following year, a somewhat similar incident took place when a hacker claimed to have used “two high-risk bugs” in the market’s internal messaging system, which allowed them to hijack over 200,000 private messages sent by its users within the thirty days before the attack. The hacker, using the moniker “Cipher0007”, made their announcement on Reddit, detailing what they were able to do with the exploit. They alleged that they had been ignored by market staff and had decided to go to the market’s subreddit in order to raise attention about the issue. They also sent the subreddit’s moderators screenshots of some of the private messages, which included compromising information such as names, addresses, and tracking numbers. The market staff paid the hacker and claimed to have closed the loophole within four hours of the announcement being made on Reddit.

After having been operational to some extent for approximately three years, AlphaBay was seized on July 5 and shut down by law enforcement on July 17, 2017, as part of their “Operation Bayonet”. The seizure of AlphaBay was the result of a series of operational security (OPSEC) mistakes made by its owner, Alexandre Cazes, who was arrested on July 5 and later found dead in his jail cell seven days afterwards, in what police claimed was a suicide. Arguably his largest mistake was using his personal email address, [email protected], as the “From” address for account password resets on his market; the address also appeared in the “Welcome” email header sent to marketplace users in 2014. The email address was linked to his LinkedIn profile, where he would frequently boast about his financial success, and to his legitimate computer repair business, EBX Technologies, which, according to American prosecutors, he used as a cover business to “justify his banking activity and substantial cryptocurrency holdings”.

The discovery of his personal email address by law enforcement made it incredibly easy to find out who was running AlphaBay, and it wasn’t long until they discovered the servers hosting the market, which were located in Canada and directly linked to his identity. On the day of his arrest, the DEA and Thai police worked together to stage a car accident in his neighborhood to distract him while causing an artificial crash on the market’s servers. As a result, they successfully obtained his unencrypted laptop, on which he was logged into both the AlphaBay market and forum. Police found an unencrypted personal net-worth statement on the laptop that mapped all of his global assets across many different jurisdictions, which greatly simplified the process of total asset seizure.