Markets: Hansa

From Darkipedia

Hansa Market was founded in August of 2015, was taken over by Dutch law enforcement shortly after the arrest of its administrators on June 20 of 2017, and was shut down during the following month on July 19/20. Hansa was a multi-signature marketplace that offered a Bitcoin payment system and many other features commonly available on dark-net markets, along with new and innovative features such as the automatic removal of meta-data from images uploaded by vendors, automatic PGP-encrypted messaging, and a feature that allowed vendors to recover their funds from the market for up to 90 days by downloading a text file containing the recovery information. Hansa was said to have been created in response to the many exit scams being carried out by markets. It aimed to make exit-scamming impossible by providing only multi-signature escrow and by not giving buyers any option to “finalize early”, which decreased the risk of buyers being scammed. It briefly became the second-largest dark-net market of its time, with approximately 3,600 active sellers and over 24,000 active drug listings, plus many more listings for fraud-related tools and counterfeit documents.

Dutch police received a tip from a security research team who identified the server that hosted the beta version of the site, which was used to test features for the market before they went public. Unlike the server hosting the live version of the market, the beta server was not protected by the Tor network. Police immediately contacted the data center hosting the server and demanded access to it. After gaining access, they discovered extensive IRC chat logs between the two administrators that revealed both of their real names and one of their home addresses. They found and obtained access to the server hosting the live version of the market at the same time. After Dutch police discovered that the two men were under investigation by German law enforcement for their creation of Lulz.io, a site that hosted illegal ebooks and copyrighted content, they came up with the idea of taking over the market in order to obtain information about buyers and sellers while the German investigation served as a cover. Not long afterwards, they were contacted by the American FBI, which informed them of the seizure of the AlphaBay market. This made their idea even more appealing: they expected a huge influx of new users to the market, which would be an opportunity to gain a great deal of information on the many buyers and vendors from AlphaBay and a wider insight into the dark-net economy. The two administrators were arrested by German police on June 20 after their homes were raided and their unencrypted laptops were seized.

During the takeover, police moved Hansa Market to their own servers and obtained the login credentials from the two arrested administrators, who were in German police custody at the time. The first thing they did as the new administrators was modify the site’s code in order to collect as much information about its users as possible. They changed the login functionality so that passwords, instead of being stored as encrypted hashes on the server, were logged in plain text. They disabled the automatic PGP messaging functionality so that information exchanged between buyers and sellers, including home addresses, was visible to law enforcement. They also disabled the site’s meta-data cleaning feature so that they could extract more meta-data from sellers. They even deleted all of the images for product listings on the site and blamed a glitch, so that all sellers would have to re-upload images for their product listings, maximizing the collection of meta-data. They also disabled the market’s multi-signature escrow, which allowed them to seize 12,000 Bitcoins from the market, valued at approximately 12 million dollars at the time.

The most effective method of identifying the market’s vendors was replacing the text file that users downloaded through the wallet recovery function with a malicious Excel file the police had created. When opened, the file would automatically open a browser and direct the user to a particular URL the police had set up in order to collect the user’s real IP address. They reportedly identified 64 vendors using this method, including 12 of the market’s top vendors.

They also had an entire force of police operating the accounts of the two administrators so that they could provide very fast support to users in comparison to other markets, in order to gain more trust and popularity. Dutch police were required by law to report all transactions on the site directly to Interpol, which became a hassle as the site reached up to approximately 1,000 transactions per day.

After 27 days of running the site, law enforcement finally decided to shut the market down and placed a seizure notice on the front page which included a link to a list of buyers and sellers they identified, and displayed a message stating “we trace people who are active at Dark Markets and offer illicit goods or services”, followed by “Are you one of them? Then you have our attention.”

According to Dutch law enforcement, they collected at least some information on roughly 420,000 users, and around 10,000 different home addresses for buyers located outside of the Netherlands, which were given to Europol to be distributed to law enforcement agencies all over the world. Furthermore, they said they did “50 knock-and-talks” with drug buyers within the Netherlands to let them know that they had been identified, though they said they arrested only one high-volume buyer.