In the summer of 2017, an international operation, known as Operation Bayonet, led by the FBI and the Dutch National High Tech Crime Unit (NHTCU) targeted two popular darknet marketplaces. The FBI successfully took down Alphabay, and the NHTCU silently took over, administered, and shut down Hansa Market. By coordinating these international efforts, both agencies expected vendors active on Alphabay to shift to Hansa Market, which was then under complete control and fully operated by the NHTCU.
To assess the aftermath of Operation Bayonet, a recently published paper examined the user base of the current market leader, Dream Market, to identify how vendors migrated from Alphabay and Hansa Market. The authors analyzed the effects of the operation on all vendors who newly registered on Dream Market during and shortly after Operation Bayonet (around 220), examining their individual and historic features to identify migration patterns and changes in vendor behavior.
In contrast to the simple takedown of Alphabay, the effects of the Hansa Market shutdown on vendors seem entirely different. Vendors did not simply shift to Dream Market after Hansa Market was shut down. Few simply moved, some took precautions such as changing their alias and/or PGP-key, but many started over with a clean slate, losing their past reputation and buyer feedback completely. Let’s take a look at some of the results presented in this study.
Patterns of migration of vendors to the Dream Market:
After obtaining the usernames of all vendors (220) that registered on Dream Market between July 1st and September 1st 2017, the researchers used the Grams search engine to map the historic characteristics of these vendors, e.g. on which darknet markets they were previously active. Grams enabled the researchers to search for vendors using either their username or PGP-key. For each vendor, a Grams search was executed with their Dream Market username. The output of this search was always at least the ‘username-market’ combination of that user on Dream Market. Hence, it was possible to validate the initial assumption that all 220 newly registered vendors were indeed active on the market and were not merely active on the Dream Market forum.
Next, the output of the Grams searches revealed any other ‘username-market’ combinations that either used the same username or were connected through the same unique PGP-key. This determined where each vendor migrated from: Alphabay, Hansa Market, or both markets, if the vendor was active on both before migrating to Dream Market.
Figure (1): A pie chart of newly registered vendors on the Dream Market
Figure (1) shows the breakdown of newly registered vendors on the Dream Market. First, it is clear that many vendors migrating to Dream Market came from Alphabay (40%). Interestingly, the migration path from Hansa Market to Dream Market was almost entirely absent (2%). The latter is especially interesting given the big difference between the two market takedowns in Operation Bayonet: whereas Alphabay was a traditional takedown, the Hansa takedown was preceded by a month of complete control.
This breakdown proves that there is a major difference in vendor migration patterns directly after the takedowns. Unexpectedly, many of the newly registered vendors were completely ‘new’, without any previous feedback or track record. This can lead to one of two conclusions: either genuinely ‘new’ vendors chose this exact moment to start their online business and picked the Dream Market to do so, or vendors that were previously active on Alphabay, Hansa Market or other darknet marketplaces made the tougher decision to start over completely, abandoning months or even years’ worth of reputation and changing their identity by creating new usernames and PGP-keys.
To analyze the effects of Operation Bayonet further, the researchers closely examined the migrated vendors, that is, the 131 users that were active on Alphabay, Hansa Market or both. The question that arises is: did they take any evasive measures after both market takedowns?
Behavior of vendors migrating to the Dream Market:
To measure changes in the behavior of the vendors who migrated to the Dream Market (131), the search engine Grams was used again. With it, the researchers identified vendors that changed usernames but stuck to their PGP-key, and vendors that stuck to their username but changed PGP-keys. Because Grams uses both usernames and PGP-keys to connect vendors, its output showed whether the Dream Market username was the same as usernames used on other markets but linked to a different PGP-key, or whether the Dream Market username was different from usernames used earlier but all were linked to the same PGP-key.
Figure (2) Pie chart of different evasive strategies of vendors migrating to the Dream Market
Figure (2) shows that 66% of the users migrating to Dream Market did not take any noticeable evasive measures. However, 20% of users changed their PGP-keys, 8% changed their usernames, and 6% did both. A small number of newly registered vendors on Dream Market were found to have tried to start over completely by changing both their username and PGP-key, yet they failed in one way or another. For example, they used the same email address to register their new PGP-key as they had used to register their old ones. This enabled the researchers to conclude that these vendors at least tried to start over completely, and provided evidence that others might have successfully done so.
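The linkage logic described above, as an added example (not code from the paper or from Grams): it classifies each Dream Market account by the market it came from and by which identifier it changed. The records, the `Account` fields and the fingerprint strings are constructed for illustration, and matching on the key's e-mail address models the failed start-over case mentioned above.

```python
from collections import Counter, namedtuple

Account = namedtuple("Account", "market username fingerprint email")

# Constructed sample rows (not data from the paper): one row per vendor
# account, as a username/PGP-key index would expose it.
ACCOUNTS = [
    Account("Alphabay", "alice", "FP-A1", "a@example.org"),
    Account("Dream", "alice", "FP-A1", "a@example.org"),
    Account("Alphabay", "bob", "FP-B1", "b@example.org"),
    Account("Dream", "bob", "FP-B2", "b-new@example.org"),
    Account("Hansa", "carol", "FP-C1", "c@example.org"),
    Account("Dream", "c4r0l", "FP-C1", "c@example.org"),
    Account("Alphabay", "dave", "FP-D1", "d@example.org"),
    Account("Hansa", "dave", "FP-D1", "d@example.org"),
    Account("Dream", "dmart", "FP-D2", "d@example.org"),
    Account("Dream", "erin", "FP-E1", "e@example.org"),
]

def classify(accounts, target="Dream"):
    """Map each username on `target` to (origin, evasive measure)."""
    prior = [a for a in accounts if a.market != target]
    result = {}
    for d in (a for a in accounts if a.market == target):
        by_name = [p for p in prior if p.username.lower() == d.username.lower()]
        by_key = [p for p in prior if p.fingerprint == d.fingerprint]
        by_mail = [p for p in prior if p.email.lower() == d.email.lower()]
        if by_name and by_key:
            measure = "none"
        elif by_name:  # same alias, different key
            measure = "changed PGP-key"
        elif by_key:  # same key, different alias
            measure = "changed username"
        elif by_mail:  # new alias and key, but the key's e-mail was reused
            measure = "changed both, linked by key e-mail"
        else:
            measure = "new"
        markets = {p.market for p in by_name + by_key + by_mail}
        origin = "both" if len(markets) > 1 else next(iter(markets), "none")
        result[d.username] = (origin, measure)
    return result

def summarize(result):
    """Count vendors per evasive-measure category."""
    return Counter(measure for _origin, measure in result.values())

if __name__ == "__main__":
    for name, verdict in classify(ACCOUNTS).items():
        print(name, verdict)
```

A username-only match is weaker evidence than a shared key, since two unrelated vendors can pick the same alias.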
Both the number of evasive measures and the share of ‘new’ vendors are strong indicators that there is more to this intervention than the surface information suggests. Given that a username and PGP-key represent valuable assets in an anonymized setting like darknet marketplaces, users do not change PGP-keys or usernames unless they are forced to do so.
Looking beyond the herding of users to Dream Market, one could easily identify a scenario of ‘panicking’ community members, or at least a community where vendors feel forced to try to use entirely new identities, be it with a new username, a new PGP-key, or even both, starting over completely.