
How Dutch Police Took Over Hansa, a Top Dark Web Market - Cwwm
https://www.wired.com/story/hansa-dutch-police-sting-operation/?retry
======
vilhelm_s
> They rewrote the site's code, they say, to log every user's password, rather
> than store them as encrypted hashes. They tweaked a feature designed to
> automatically encrypt messages with users' PGP keys, so that it secretly
> logged each message's full text before encrypting it, which in many cases
> allowed them to capture buyers' home addresses as they sent the information
> to sellers. The site had been set up to automatically remove metadata from
> photos of products uploaded to the site; they altered that function so that
> it first recorded a copy of the image with metadata intact.

Yeah, you probably should not do your PGP-encryption server-side...
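
The same lesson applies to the metadata stripping described in that quote: a server you don't control can be changed to keep whatever you send it, so stripping has to happen on the client before upload. This is an added example, not code from the thread or the article; it walks the JPEG marker segments and drops any APP1 segment carrying an EXIF header, using a constructed minimal JPEG as input.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"


def strip_exif(jpeg: bytes) -> bytes:
    """Return a copy of `jpeg` with every EXIF (APP1) segment removed.

    Walks the marker segments that precede Start-Of-Scan (SOS) and drops
    APP1 segments whose payload begins with the EXIF header. Everything
    from SOS onward (entropy-coded image data) is copied verbatim.
    """
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out = bytearray(b"\xff\xd8")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == 0xD9:  # EOI before any scan data: nothing more to do
            out += jpeg[pos:pos + 2]
            return bytes(out)
        if marker == 0xDA:  # SOS: copy the scan and everything after it
            out += jpeg[pos:]
            return bytes(out)
        # Segment length field counts itself (2 bytes) plus the payload.
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        segment = jpeg[pos:pos + 2 + length]
        payload = segment[4:]
        if not (marker == 0xE1 and payload.startswith(EXIF_HEADER)):
            out += segment  # keep JFIF, quantisation tables, etc.
        pos += 2 + length
    raise ValueError("truncated JPEG: no SOS/EOI marker found")


def _seg(marker: int, payload: bytes) -> bytes:
    """Build one marker segment (helper for the constructed sample below)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: SOI, JFIF APP0, an EXIF APP1 (stand-in for GPS/camera
# data), a placeholder quantisation table, a tiny SOS + scan, then EOI.
SAMPLE_EXIF = EXIF_HEADER + b"MM\x00\x2a\x00\x00\x00\x08" + b"location-ish bytes"
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xE1, SAMPLE_EXIF)
    + _seg(0xDB, bytes(65))
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34" + b"\xff\xd9"
)
```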

~~~
wlesieutre
You shouldn't do it in a web browser at all, client or server side. They can
start off doing it client side and then silently switch to doing it server
side. I've admittedly never used PGP, but I would think if a website at any
point has access to your private key and could transmit it back to their
server, you're doing it wrong.

I suppose it's a question of your threat model. Do you trust the website to
not do that? Given that FBI is willing to take over and continue operating
websites that distribute child porn, the default answer to that question ought
to be no. You have no way of knowing if someone else has taken a server over.

Maybe a browser extension would be a good way to do PGP encryption for
websites, keeping the key out of their reach but allowing a one-click
encryption right in the browser.

~~~
vilhelm_s
Indeed, it's common advice that users of Darknet markets should not have
JavaScript turned on at all, since it increases their attack surface. (e.g.
[https://darknetmarkets.org/agora-comments-on-recent-bitcoin-...](https://darknetmarkets.org/agora-comments-on-recent-bitcoin-stealing-private-message-javascript-attack/))

~~~
stingraycharles
Isn't that the default of the Tor browser as well?

~~~
4ad
No, it isn't, which is insane.

~~~
dmix
Yes it is. It wasn't for the first couple years but they turned it on a few
yrs back. Last time I used Tor browser JS was disabled by default... I'd be
surprised if that wasn't the case.

~~~
4ad
No, it isn't. I just downloaded the latest version of the Tor Browser, 7.5,
and while it comes with NoScript installed, it's turned off by default:
[https://i.imgur.com/7pb7nvI.png](https://i.imgur.com/7pb7nvI.png)

~~~
mirimir
That's been a contentious point for years. The dominant faction of Tor devs
fears that Javascript blocking will confuse and frustrate too many users. In
the kindest interpretation, that's to protect the most users, notwithstanding
that it will get some users pwned.

Less kindly, one could argue that Tor devs want to increase the anonymity set,
in order to better hide US government users. That was, after all, one reason
why Tor's initial Navy funders agreed with open release of the software.

There are similar issues around other Tor vulnerabilities. Such as how easy it
is for apps to bypass Tor. Which has allowed the FBI's phone-home malware to
pwn users.

~~~
crtasm
Are you claiming that running an app in an environment where it can access the
internet directly counts as a vulnerability in Tor?

~~~
mirimir
Yes, of course it is. Whether it's the Tor Project's fault or the user's fault
is a contentious issue.

~~~
crtasm
I disagree, Tor isn't a sandbox or firewall for your apps. If they make
undesired network traffic then the vulnerability is in the app (and arguably,
the environment it's running in).

------
philfrasty
If you don't mind German (or subtitles) there is a hilarious documentary on
YouTube about one of the biggest drug sellers on SilkRoad named „Pfandleiher“
from Bavaria:
[https://www.youtube.com/watch?v=frdpQF4bVJ4](https://www.youtube.com/watch?v=frdpQF4bVJ4)

He talks about his „setup“ (old car repair shop), routine to drive to
different mailboxes, etc. Got busted when meeting with people offline from
Austria to sell larger volume. German police got curious when they read in
Mexican internet forums that the most advanced drug seller is located in
Germany with 3 day shipping to Mexico.

~~~
Buge
Unfortunately there don't appear to be subtitles.

------
superflyguy
... Taking a whole server offline, and forcing thousands of drug users to go
"uh... Guess I have to use a different server now".

From what I've heard, people are just selling over Facebook and WhatsApp, and
the police just can't be bothered with it because what are they going to do?
Arrest people for buying small amounts for what is obviously personal use? Or
try and track down and pin a case on someone for posting stuff. I can't see
them taking Facebook down.

~~~
xkcd-sucks
> 'During their time as black market administrators, the Dutch police only
> banned one product on Hansa: the highly dangerous opioid Fentanyl. All other
> drugs on the site continued to flow freely, a circumstance over which Ras
> and Boekelo seem surprisingly unconflicted. "They would have taken place
> anyway," says Ras without hesitation, "but on a different market."'

So, the goal is probably aligned more with career progression than stopping
the drug trade as such.

~~~
idiot900
Fentanyl is extremely potent - its clinically relevant doses are measured in
micrograms. Appears they were concerned with reducing mortality first.

~~~
HarryHirsch
I'm asking half-seriously here: assuming the fentanyl pill guy could
demonstrate Good Manufacturing Practice, i.e. dose constant and as advertised
and equally distributed throughout the pill, would he be sentenced more
leniently?

~~~
anarazel
I think it's commonly used to cut other drugs (coke), so I don't think that
argument would go far.

~~~
stordoff
I'd be very surprised if the fentanyl (or its analogues) in cocaine is
deliberate (unless the goal is to harm users, which seems unlikely) - they are
very different drugs. It's used more to be passed off as other opiates,
because it's much cheaper and its potency makes it much easier to smuggle
(carfentanyl being approximately 5000 times more potent than heroin). I'd
suspect that the fentanyl in cocaine is coming from cross-contamination -
lethal doses of carfentanyl are measured in micrograms, so anything less than
perfect cleaning of equipment used to process both drugs could result in a
fatality.

~~~
grzm
Mixing cocaine and heroin is not all that uncommon. Sounds like a variant of a
speedball:

[https://en.wikipedia.org/wiki/Speedball_(drug)](https://en.wikipedia.org/wiki/Speedball_\(drug\))

~~~
stordoff
Sure, there are certainly users who will mix the drugs, but mixing the two and
then selling it as just cocaine seems strange. Supplying strong opiates to the
(potentially) opiate-naive without their knowledge seems to be an unnecessary
risk, and it is probably bad for business as you aren't supplying the
experience that a cocaine user may be looking for.

------
megous
Looks like they just searched up parts of the website (in google?) until they
found a testing server running the market. Another lesson for the operators
there. Protect your testing deployments the same way you do the production
web.

BTW, are there search engines that allow you to search the HTML code of web
pages?

~~~
Buge
If it's IPv4 you can also just scan the whole address space yourself.

Shodan is a search engine for finding things connected to the internet that
probably don't want to be found.

~~~
ShorsHammer
> IPv4

Don't rely on IPv6 for protection from scanning.

[https://www.internetsociety.org/blog/2015/02/ipv6-security-m...](https://www.internetsociety.org/blog/2015/02/ipv6-security-myth-4-ipv6-networks-are-too-big-to-scan/)

------
ttul
How close are we to pure-crypto distributed markets? It strikes me as odd that
dark markets are still centralized, albeit behind Tor. Surely someone is
working on something entirely distributed.

~~~
wmf
There's OpenBazaar.

------
crb002
Dark Web 101. Encrypt client side. Use a trusted browser extension not their
arbitrary website.

Law enforcement 101. Don't blow your cover. Ignore 95% of the transactions and
focus on the few major racketeering cases that matter. Let the IRS go after
them for tax evasion instead so your cover remains as long as possible.

------
Para2016
Waste of time and money if the goal was to stop drug trade. If on the other
hand the goal was to see what law enforcement can do/utilize new tools for
cybercrime, that's just dandy, I guess.

I would like to see their productive interventions on child porn and sex
trafficking. Instead we get this tedious and unhelpful war on drugs that
ultimately is futile.

~~~
joering2
A few months ago there was an article on HN about how the FBI took over a child
porn web ring and allowed it to run "normally" for about three months before
all major players were "locked on" and simultaneous raids took place. Can
anyone find that article?

~~~
kristofferR
Were you thinking about this?

[https://www.vg.no/spesial/2017/undercover-darkweb/?lang=en](https://www.vg.no/spesial/2017/undercover-darkweb/?lang=en)

------
trsse
Right off the bat, mistakes. Silk Road was very much a secret takeover sting
as well. The Dutch police were following that playbook, it sounds like.

------
woodandsteel
> the German police raided the two men's homes, arrested them, and seized their
> computers with their hard drives unencrypted.

Wow, that's some bad opsec.

~~~
mkl
If the computers were actively being used, then the hard drives' contents were
at least partly accessible, encrypted or not. Copy everything off before
shutting them down.

~~~
mirimir
Prudent folk have a UPS kill switch within easy reach.

~~~
woodandsteel
And someone running a darkweb drug site should have really strong home
security, like outside video cameras, motion sensors, and alarms on the
windows and doors.

~~~
mirimir
For sure.

------
codedokode
> They then made a copy of each server's entire drive, including ... every
> conversation that took place through its anonymized messaging system.

That's why you should not keep history. All messengers like WhatsApp that save
history on the server have zero respect for privacy. A decent messenger should
not save anything unless allowed by the user.

~~~
6ak74rfy
I don't think WhatsApp stores messages on their servers. They do only until
they are delivered to all parties and delete them after that. What would they
even do with the messages if they stored them - they would be end-to-end
encrypted and WhatsApp won't have the decryption keys.

~~~
codedokode
Well, WhatsApp might not be doing this, but other messengers save history on
the server. And by the way, how do you know what WhatsApp really does if it
has closed source code?

------
kristofferR
Let me take a guess - Fentanyl is being sold on the new markets the Dutch
police handed over their market share to.

~~~
plussed_reader
From TFA:

> During their time as black market administrators, the Dutch police only
> banned one product on Hansa: the highly dangerous opioid Fentanyl. All other
> drugs on the site continued to flow freely, a circumstance over which Ras and
> Boekelo seem surprisingly unconflicted. "They would have taken place anyway,"
> says Ras without hesitation, "but on a different market."

~~~
kristofferR
Exactly - the Dutch police let Fentanyl be sold freely by shutting down Hansa,
where it wasn't allowed.

~~~
r1pped
What? They stopped the selling of Fentanyl when they had access to the site.
Hansa allowed Fentanyl to be sold before they got into the servers.

~~~
akvadrako
If they had continued to run the site they would have reduced the number of
users of other marketplaces, where Fentanyl is sold.

Basically, if the government ran a legitimate darknet marketplace, they could
reduce the sales of the worst substances.

------
eddyg
archive.is link in case full article doesn't display:
[http://archive.is/HelDj](http://archive.is/HelDj)

------
oliv__
_> They [the police] then made a copy of each server's entire drive, including
records of every transaction performed in Hansa's history, and every
conversation that took place through its anonymized messaging system._

Why can't all transactions be removed after say a day after completion? I just
don't see the point in keeping all of that data there, sounds like a big
liability for everyone involved.

------
gcb0
How does the Dutch taxpayer like that they paid those folks' salaries for some
3 years while all they did was play global recreational drug police?

