Hansa Market |
Type of site | Darknet market |
---|
Available in | English |
---|
URL | hansamkt2rr6nfg3.onion (defunct)[1] |
---|
Commercial | Yes |
---|
Registration | Required |
---|
Current status | Offline |
---|
Hansa was an online darknet market which operated on a hidden service of the Tor network.
On July 20, 2017, it was revealed that it had been compromised by law enforcement for several weeks before closing shortly following AlphaBay as a culmination of multinational law enforcement cooperation in Operation Bayonet.[2][3]
Compromise and Seizure
Dutch police discovered the true location in 2016.[4] Law enforcement quickly began monitoring all actions on the site. Administrators soon moved the site to another unknown host, but law enforcement got another break in April 2017, which allowed them to identify the new hosting company, in Lithuania.
On June 20, 2017, German police arrested the administrators (two German men) and the Dutch police were able to take complete control of the site and to impersonate the administrators. The following changes were made to the Hansa website to learn about careless users:
- All user passwords were recorded in plaintext (allowing police to log into other markets if users had re-used passwords).[4]
- Vendors and buyers would communicate via PGP-encrypted messages. However, the website provided a PGP encryption convenience feature which the police modified to record a plaintext copy.[4]
- The website's automatic photo metadata removal tool was modified to record metadata (such as geolocation) before being stripped off by the website.[4]
- Police wiped the photo database, which enticed vendors to re-upload photos (now capturing metadata).[4]
- Multisignature bitcoin transactions were sabotaged, which at shutdown would allow police to confiscate a larger amount of illicit funds.[4]
- Police enticed users to download a Microsoft Excel file (disguised as a text file) that, when opened, would attempt to ping back to a police webserver and unmask the user's IP address.[4][5][6]
Shutdown
When AlphaBay was shut down on July 4, the expected flood of users came to Hansa, until Hansa's shutdown on July 19/20. During this time, the Hansa userbase (grew from 1,000 to 8,000 vendors per day[3]). Law enforcement allowed the userbase to grow during the seizure resulting in 27,000 illegal transactions occurring which served as evidence for future prosecution of the users.[4][7] Local cybercrime prosecutor Martijn Egberts claimed to have obtained around 10,000 addresses of Hansa buyers outside of the Netherlands.[8]
After shut down, the site displayed a seizure notice and directed users to their hidden service[9] to find more information about the operation.
References