Operation Bayonet (darknet)

Operation Bayonet was a multinational law enforcement operation culminating in 2017 targeting the AlphaBay and Hansa darknet markets. Many other darknet markets were also shut down.

Methodology
Investigators from several law enforcement agencies including the FBI, DEA, and Europol located Canadian Alexandre Cazes, the alleged founder of AlphaBay, due to a series of operational security errors:
 * About the time the service first began in December 2014, Cazes used his Hotmail address pimp_alex_91@hotmail.com as the 'From' address in system generated welcome and password reset emails, which he also used for his LinkedIn profile and his legitimate computer repair business in Canada.
 * Cazes used a pseudonym, Alpha02, to run the site which he had previously used (e.g., in carding and tech forums) since at least 2008, and variously advertised this identity as the "designer", "administrator" and "owner" of the site.
 * When Cazes was arrested, he was logged into his laptop performing an administrative reboot on an AlphaBay server in direct response to a law-enforcement-created artificial system failure; furthermore, encryption was wholly absent on that laptop.
 * Cazes' laptop reportedly contained an unencrypted personal net worth statement mapping all global assets across multiple jurisdictions, conveniently leading police to complete asset seizure.
 * The servers were hosted at a company in Canada directly linked to his person.
 * The servers contained multiple constantly open (unencrypted) hot cryptocurrency wallets.
 * Cazes' flashy use of proceeds to purchase property, passports and luxury cars and frequent online boasting about his financial successes, including posting videos of himself driving luxury cars acquired through illegal proceeds, not only revealed his geographical location, but also made denying connection to the service impossible.
 * Assets acquired through proceeds were held in a variety of accounts directly linked to Cazes, his wife and companies they owned in Thailand (the jurisdiction in which they lived), as well as directly held personal accounts in Liechtenstein, Cyprus, Switzerland and Antigua.
 * Cazes' statements about the goal of the site &mdash; "launched in September 2014 and its goal is to become the largest eBay-style underworld marketplace" &mdash; helped to legally establish intent.

AlphaBay target
Law enforcement took at least one month to obtain a US warrant, then over one month to obtain foreign warrants, prepare for and execute searches and seizures in Canada and Thailand:
 * Early May 2017: Law Enforcement verifiably active on the site since at least this period.
 * 1 June 2017: Warrant issued by United States District Court for the Eastern District of California for racketeering, narcotics trafficking, identity theft and access device fraud, transfer of false ID, trafficking in illegal device making equipment, and conspiracy to commit money laundering.
 * 30 June 2017: Warrant is issued for Cazes' arrest in Thailand at US request.
 * 5 July 2017:
 * Canadian police raid EBX Technologies in Montreal, Cazes' Canadian company and the reported location of the physical servers, as well as two residential properties in Trois-Rivières.
 * Cazes is arrested in Bangkok at his dwelling at Phutthamonthon Sai 3 Road in Thawi Watthana district which is searched by the Royal Thai Police, with the help of the FBI and DEA.
 * 12 July 2017: Cazes' suspected suicide by hanging while in custody at Thailand's Narcotics Suppression Bureau headquarters in Laksi district, Bangkok, was reportedly discovered at 7AM. He was due to face US extradition.
 * 16 July 2017: Cazes' wife was reported as having been charged with money laundering.
 * 20 July 2017; U.S. Attorney General Jeff Sessions announces shutdown of the site.
 * 23 July 2017: Narcotics Suppression Bureau chief is interviewed and suggests that more suspects will be arrested soon.

Hansa Investigation
Dutch police discovered the true location of the Hansa onion service after a 2016 tip from security researchers who had discovered a development version. The police quickly began monitoring all actions on the site, and discovered that the administrators had left behind old IRC chat logs including their full names and even a home address, and they began to monitor them. Although the administrators soon moved the site to another unknown host, they got another break in April 2017 by tracing bitcoin transactions, which allowed them to identify the new hosting company, in Lithuania.

Hansa Seizure
On June 20, 2017, German police arrested the administrators (two German men) and the Dutch police were able to take complete control of the Hansa site and to impersonate the administrators. Their plan, in coordination with the FBI, was to absorb users coming over from the upcoming AlphaBay website shutdown. The following changes were made to the Hansa website to learn about careless users:
 * All user passwords were recorded in plaintext (allowing police to log into other markets if users had re-used passwords).
 * Vendors and buyers would communicate via PGP-encrypted messages. However, the website provided a PGP encryption convenience feature which the police modified to record a plaintext copy.
 * The website's automatic photo metadata removal tool was modified to record metadata (such as geolocation) before being stripped off by the website.
 * Police wiped the photo database, which enticed vendors to re-upload photos (now capturing metadata).
 * Multisignature bitcoin transactions were sabotaged, which at shutdown would allow police to confiscate a larger amount of illicit funds.
 * Police enticed users to download a Microsoft Excel file (disguised as a text file) that, when opened, would attempt to ping back to a police webserver and unmask the user's IP address.

Service Shutdowns
Per the plan, AlphaBay was shut down on July 4, 2017, and as expected a flood of users substituted to the Hansa marketplace, until its subsequent shutdown on July 19/20 2017. During this time, law enforcement allowed the Hansa userbase (then growing rapidly from 1000 to 8000 vendors per day ) to make 27000 illegal transactions in order to collect evidence for future prosecution of users. Dutch local cybercrime prosecutor Martijn Egberts claimed to have obtained around 10,000 addresses of Hansa buyers outside of the Netherlands.

After the shut down of Hansa, the site displayed a seizure notice and directed users to the Operation's onion service to find more information about the operation.

Participating law enforcement agencies
Most of the involved countries are part of the Virtual Global Taskforce (VGT), however additional law enforcement agencies played a role.
 * The server where Alphabay was located was traced back to Lithuania, leading to the Lithuanian law enforcement's involvement in the operation.
 * The founder of the site, Alexandre Cazes, was arrested in Thailand, which resulted in the Thai police involvement.

List

 * Canada
 * Europol – European Cybercrime Centre (EC3)
 * Germany
 * Lithuania
 * Netherlands – Netherland's National Police – Politie
 * Thailand
 * United Kingdom – National Crime Agency (NCA)
 * United States
 * Homeland Security Investigations (HSI)
 * Federal Bureau of Investigation (FBI)
 * Drug Enforcement Administration (DEA)
 * U.S. Postal Inspection Service (USPIS)
 * IRS Criminal Investigation (IRS-CI)