At its peak in 2015, the anonymous online market AlphaBay had an estimated 200,000 users who used cryptocurrency to buy and sell drugs, weapons, and a myriad of illegal goods and services.
It all came crashing down in July of last year, when U.S. and international law enforcement agencies seized it and arrested Alexandre Cazes, a Canadian citizen who ran the site.
On Jan. 9, FBI Special Agent Nicholas G. Phirippidis told attendees at the ICCS 2018 how “Operation Bayonet,” as it was dubbed, came together.
The bureau’s first break in identifying Cazes came when an agent in Fresno made two arrests of vendors who’d been selling on AlphaBay. Those arrests prompted someone to leak to the agent an e-mail that Cazes had sent to an early user of AlphaBay, and that e-mail revealed both an ISP address and Cazes’ personal Hotmail account.
Phirippidis said that as they began to track down his digital footprint on social media sites around the internet, it appeared Cazes had cleaned up other parts of his name online.
“For the most part, he had a lot of success, but the internet archive and a few other sites that take snapshots through time allowed us to go back and see some of the early uses of the e-mail address affiliated with his name,” he said.
“Like many of these subjects on the dark web, they try to have a firm firewall [to protect their public persona], and every once in a while, they’ll make the smallest mistake. That’s usually how we can attribute a true name to a moniker on the dark web.”
Another feature of AlphaBay that the FBI explored was the site’s so-called “bitcoin mixer,” which was billed as a foolproof way to launder cryptocurrency but which FBI analysts could figure out. They were able to trace the exchangers who Cazes had been using to convert bitcoins into real-world currency.
A Bizarre Coincidence, a Staged Accident
Phirippidis said the bust, which took place from July 2 to 6 in five countries, was as dramatic as a Hollywood thriller. Coincidentally, three days before the scheduled arrest, he and his team were sitting at the bar in the lobby of their Bangkok hotel when a Porsche Panamera E-Hybrid pulled up in front.
“As a joke, one of the prosecutors said ‘Hey look at that car, that looks like one of Cazes’ cars. I’m sure there are more than one of them in Bangkok,’” he said.
“Then we passed Cazes, who was entering through the sliding door in the lobby. It was the most bizarre coincidence I’ve ever been a part of.”
On the day of the arrest three days later, they lured Cazes out of his apartment abruptly by purposely crashing a car into the gate outside his villa. As luck would have it, when they entered the apartment, they found his computer on and already logged onto AlphaBay through his e-mail account.
A week before the FBI took over AlphaBay, European authorities had quietly taken control of Hansa, a similar site to which those fleeing AlphaBay joined on to. They operated it for two weeks to collect information of thousands of users, and then made more arrests.
“The whole point was to throw a curve ball at the dark web community, so they never really know moving forward who they could trust,” Phirippidis said.
“Looking ahead, we want to make sure we can leverage any kind of tactic to hit this thing with a hammer.”