How Hansa Market was closed

Lord777



How it all started
This was back in 2016, when Hansa Market was thriving across Europe and beyond. Dutch law enforcement agencies searched for Hansa's servers to stop its operation, but to no avail.
One cybersecurity researcher thought that he had discovered the main servers belonging to the "dark market".

He told Dutch law enforcement that he found servers in the Dutch data center of a web hosting firm. Upon further investigation, the Dutch Security Team, in collaboration with representatives from Germany, was able to determine that the servers were used to test new features before they were used in the Hansa market.

All these actions of the police went unnoticed by the site administrators. The same company was hosting the actual Hansa site, but in a different location and under Tor protection.
According to the officers, they ordered the firm to install network monitoring equipment, which helped them remotely monitor all traffic in the system.

Data collected by the hardware helped the Dutch team discover that the development server was connected to a secure Tor server that hosted the real Hansa. One of the investigators from the Netherlands National High-Tech Crime Team who worked on the case explained that they made a copy of all the servers they had access to. They contained data about transactions, as well as conversations between two site administrators.

During these actions, there were no arrests, as the suspects' accounts were located in encrypted Tor links, under their pseudonyms.
The police continued to analyze the content of the servers, in an attempt to get a clue that could lead them to the criminals. Fortunately, one of the servers in Germany contained almost all the chat logs of the two alleged administrators.

To their surprise, they were able to see the full name and home address of one of the administrators, which was a significant breakthrough in the case.
The police set out to detain the administrators without the site moderators knowing about it.

Hunting
Now, the officers in charge of this case had a clear idea of the location of the Hansa administrators. Surveillance and planning for the apprehension of suspects began.

One of the administrators lived in Siegen and the other in Cologne. Dutch police contacted their counterparts in Germany to arrest the two suspected administrators. To their surprise, both were already being monitored by the German police over the ownership and management of the site lul.to, which sold pirated e-books and audiobooks.

After the administrators were arrested, the site lul.to was closed by law enforcement agencies.
Unexpectedly, an event occurred that put the entire operation at risk – the Hansa servers stopped working, which led the police to decide that their activities had been discovered. Why this happened remains a mystery to this day. It is most likely that an error occurred while copying data from the servers, which alerted the administrators.

The Hansa marketplace was moved from its original servers to another, Tor-protected one, whose location was unknown to the agents. Dutch officers continued to analyze the collected source data in order to use it to find the new server location without arousing suspicion. This allowed the site to continue its business as usual, selling illegal goods and drugs.

In April 2017, there was a breakthrough in the hunt for two suspected Hansa administrators. The police determined that they made a Bitcoin payment using an address that was in the IRC chat logs originally extracted from the servers.
Knowing this data, the law enforcement team used blockchain analysis software, known as Chainalysis, to find the source of the transaction. The funds were sent to a Bitcoin payment provider in the Netherlands.

The police demanded more information from the firm about the deal. They found out that the transaction was carried out through a hosting provider in Lithuania, which was not previously mentioned in the investigation.
Now the police had a lead. Law enforcement agencies launched an investigation against the Lithuanian company.

An invasion
While Dutch investigators were trying to extract more data from Hansa's servers, the FBI contacted them. This was related to a case that the agency was investigating on another marketplace, AlphaBay, whose servers had recently been uncovered by the feds.

The bureau was preparing to close the market, which was supposed to lead to a sharp increase in visitors to other Darknet sites, including Hansa, which would allow more criminals to be detained if the latter was closed. The Dutch police waited until the end of the FBI operation to close AlphaBay, and then began an investigation in the Lithuanian data center.

Two months had passed since the German police decided to arrest the administrators of Hansa Market. A raid was planned to arrest the suspects with their computers and hard drives turned on and unencrypted, which would greatly help the Dutch in their investigation.
The Germans immediately signaled the Dutch law enforcement agencies to start moving the Hansa servers to take full control of them. The transition to other servers was supposed to be smooth, without market downtime.

After the arrest of the suspects, the German authorities conducted an intensive interrogation until they handed over their account details for Hansa. They also revealed details of the correspondence via Tox, which was used as a communication channel between the two administrators and the moderators of the site.
It took only three days to migrate the servers, without Hansa customers suspecting it.

The Death Trap
Police experts began rewriting the site's code to get information about users of the resource. They changed the function that encrypted messages with PGP keys so that messages were saved before they were encrypted.

This allowed them to track the communication between suppliers and their customers, as well as the delivery addresses that would be used for their subsequent discovery.
Since the website was designed not to receive or store image metadata, security personnel changed the code to receive the data. This metadata helped them get information about the time and place where each image was taken.

They removed images of drugs on the site, so sellers had to upload new photos. This was framed as a code error that deleted all photos in the suppliers' accounts, which did not arouse suspicion among vendors.
In another bold move, NHTCU forced Hansa Market users to download a file that gave investigators their real IP address. Initially, the file was presented by the administrators as a backup key that would help users get their Bitcoins back in case the site was shut down.

64 sellers were caught in the trap: they opened the file and ran it on their computers, after which their addresses became known. All this time, the "fake" Hansa administrators continued to communicate with the moderators, distracting their attention. A Dutch expert studied the conversations of the two suspects in order to change the operation of the market so that disputes were resolved without processing by moderators. Everything went according to plan.

After the closure of AlphaBay, as expected, a massive influx of users began. More than 5,000 accounts were registered per day, which is 5 times more than usual. The Dutch shared their data with Europol to facilitate the arrest of drug traffickers.
Many drugs and other illegal goods were sold at the market under police supervision; the only prohibited product was fentanyl.

After 27 days of intense surveillance, the Dutch decided to shut down the site, as they had got almost everything they wanted. They replaced the site with a notice that law enforcement agencies had taken over the market, as well as a message to Darknet users warning that the authorities were paying close attention to their activities.

The police even opened their website on Tor, with a warning, as well as a list of arrested and uncovered sellers. Here you can consult or "convey".

Success
After the market closed, the Dutch police were able to obtain data on more than 400,000 users, which led to the arrest of more than 10,000 suspects.

With the help of Europol and Dutch agents, they managed to arrest a large number of drug dealers. Dutch police were also able to seize more than 1,000 Bitcoins belonging to sellers and customers in the marketplace.
According to NHTCU employees, they have arrested a huge number of sellers, which will be a warning to others to stop the criminal business.

After the closure of Hansa Market, users became wary of registering on the markets, and of the Darknet sites themselves. Some of them prefer to contact customers via Jabber, Telegram and other means of anonymous communication, without using the services of onion resources.