Operation Bayonet: This is how HTCU took Hansa Market offline

The Dutch High Tech Crime Unit expertly assumed control over the underground website, Hansa Market. Operation Bayonet, a multinational law enforcement operation, proved that Hansa Market undeservedly felt safe on the darknet.

The story behind pulling Hansa Market down started a couple months earlier along with another a critical marketplace on the darknet, Alphabay. The HTCU got signals that the FBI was involved with a key operation in regards to AlphaBay, and saw an opportunity to join the action with an investigation that was then being led against Hansa Market.

However, around that time, the police were at that point completing a lot of research into Hansa, with a server in the Netherlands which necessitated a jurisdiction to look at it. The research started in 2016 when the team received tips from the European Cybercrime Center of Europol and from security company Bitdefender that servers from Hansa were once hosted in the Netherlands. After the framework seemed to be migrated through Lithuania by means of an alleged ‘Mutual legal assistance treaty’ (MLAT), the police figured out to coordinate with the investigative services in Lithuania. This gave the police access to all data from Hansa Market right away.

THTC team leader, Petra Haandrikman in an interview with security analyst Brian Krebs said, “it would have been easy to pull down the website right then and there; yet when we heard that the FBI had its own research we concocted a much better idea”. As indicated by Haandrikman, the FBI needed AlphaBay going offline to resemble an ‘exit scheme’ for the users, where it would seem that the owners have suddenly gone away with all bitcoins. Haandrikman also said that “our idea was to carry things a step further and give the darknet markets an extra blow. Users at that point felt that they were basically heading to an alternate market, yet in actuality, they were running against the police.” This was trailed by an intriguing operation called ‘Bayonet’.

Haandrikman added; “we got physical access to the machines in Lithuania, and we figured out how to bunch those servers with our own servers in our own country. This enabled us to effectively duplicate the website without taking the websites offline, so no one could know it. Along these lines, we kept an ongoing duplicate of the database constantly while transferring the code from the website. Due to that, it came to a period while we were replicating them when the website was running on two servers.”

Since that time, the police had full access to all transactions through the site, all messages, IP addresses and even passwords of buyers and traders. Moreover, when the FBI pulled down AlphaBay, the anticipated mass migration, in fact, took after. Explicitly, “we called the new visitors ‘AlphaBay refugees’. We temporarily needed to stop the registration of new visitors because accompanied by the visitors were such a huge amount. This additionally prompted scenes where users offered their current Hansa Market accounts for sale on Reddit. However, the police figured a way to watch out for all users for over a month through the operation.

After thirty days the website was at last closed down and a major cautioning went to all visitors including a report with nicknames and residences that, the site had been taken over. People who missed the announcement were surprised with the way in which the THTC reported the operation and the media attention that the unpredictable approach globally produced. This made the main aim of ‘Operation Bayonet’ appear to be successful and revealed drug vendors as not completely anonymous on the darknet.

Also, a vital piece of the success of Operation Bayonet, unexpectedly, concerns the poor security efforts by the victims. The greater part of the sellers who migrated from AlphaBay or Hansa to Dream Market after the advancement held the same usernames, passwords, and PGP keys. In any case, this needed to do with the significance of reputations on such sites thus, after the advancement, sellers do not want to lose their users and begin again with building up a reputation.

In the interim, many studies are constantly being conducted on Dutch users of the site thus, both sellers and buyers themselves. Data was additionally transferred to foreign investigation services. Due to the present investigation, the police would not yet state how the real identities of users have come, THTC leader Haandrikman suggested. Nevertheless, the police have given up 1,158 seized bitcoins to the Public Prosecution Service.