
Dutch Cops on AlphaBay ‘Refugees’ - allworknoplay
https://krebsonsecurity.com/2017/07/exclusive-dutch-cops-on-alphabay-refugees/
======
AlexCoventry
> we wanted to keep up with the orders to see if there were any large amounts
> [of drugs] being ordered to one place...

Approximately what fraction of people on these sites communicate their
addresses in the clear? I thought such sites provided end-to-end encrypted
communication between sellers/buyers, and encouraged users to use it.

~~~
gwern
People always, always opt out, and once they can control the website, they can
MITM any auto-PGP encryption. On some DNMs it's possible cleartext is the
majority. And even when people are careful to keep their address/order info
PGP encrypted, they can give away info in other PMs.

~~~
AlexCoventry
That is some powerful wishful thinking/ignorance. Or maybe it's the drugs.

~~~
ryanlol
Most buyers have nothing to fear from the police.

------
whoami_nr
Can someone explain to me the technical details as to how the mirroring of the
website didn't raise any suspicion from the customer or buyer side?

Someone mentioned here that the sites are end-to-end encrypted, so how exactly
did the Dutch police MITM such connections?

Why do the website admins have the capability to read transactions between
buyer and seller? Is this how it generally works on these websites, in the
sense that the buyer and seller use the website for talking to each other?
That seems kind of stupid given that such websites become a single point of
failure outing both buyers and sellers. Why can't they have an end-to-end
system (with forward secrecy) where the website is just a medium for advertising
your needs?

Even if you have the website code, access to the databases etc., you shouldn't
be able to know what the sellers and buyers are talking about. Aren't the
databases encrypted with the keys for decryption only with the seller? Why does
the website owner have access to the transcripts between everyone?

Please correct me if any of my assumptions are wrong.

EDIT: I went to the Hansa market site, which has been taken down. The banner
there mentions that the source code of the website was changed to allow such
behaviour, which makes sense. However, this should only put the new
buyers/sellers at risk and leave the old ones safe. What went wrong?

~~~
pfg
> Can someone explain me the technical details as to how the mirroring of the
> website didn't raise any suspicion from the customer or buyer side ?

I don't know any of the specifics in this case, but generally speaking, that
would not be a user-visible change. The police had access to the hidden
service's private key and could simply announce the service from a new
location, keeping the same URL. Tor hidden services hide the location where
the service is hosted (at least from regular users, less so from more powerful
adversaries).

> The banner there mentions that the source code of the website was changed to
> allow such behaviour which makes sense. However, this should only put the
> new buyers/sellers at risk and leave the old ones safe. What went wrong ?

I don't know if they've mentioned whether they have busted only users that
have used the site after the takeover - they got a massive influx of new users
after AlphaBay went down, so that could've been good enough for them. Based on
past cases, I imagine there were plenty of OpSec mistakes that could've led
to a bust either way.

(This is probably a good example for why browser crypto is currently a bad
idea.)
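pfg's point that the police could "keep the same URL" follows from how .onion names are built: the name is a function of the service's key alone, so whoever holds the private key can publish the service from any machine and clients see nothing different. The Python below is an illustration added here, not code from the thread or from Tor. It derives a v2 name (the only format deployed in mid-2017: the first 80 bits of SHA-1 over the PKCS#1 DER encoding of the RSA public key, base32) and, for comparison, a v3 name (ed25519 public key plus a SHA3-256 checksum and version byte). The sample "keys" are constructed bytes, not real Tor keys, so the printed names are made-up examples.

```python
import base64
import hashlib

# Constructed sample keys (not real Tor keys): a 1024-bit odd number standing in
# for an RSA modulus, and 32 arbitrary bytes standing in for an ed25519 public key.
SAMPLE_N = int.from_bytes(hashlib.sha256(b"constructed modulus").digest() * 4, "big") | 1
SAMPLE_E = 65537
SAMPLE_ED25519_PUB = hashlib.sha256(b"constructed ed25519 public key").digest()


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER (tag 0x02); a leading 0x00 keeps a high-bit value from reading as negative."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def der_sequence(*items: bytes) -> bytes:
    """DER SEQUENCE (tag 0x30) wrapping already-encoded items."""
    body = b"".join(items)
    return b"\x30" + der_length(len(body)) + body


def v2_onion_address(n: int, e: int) -> str:
    """v2 .onion name: first 80 bits of SHA-1 over the PKCS#1 RSAPublicKey DER, base32."""
    pubkey_der = der_sequence(der_integer(n), der_integer(e))  # SEQUENCE { n, e }
    digest = hashlib.sha1(pubkey_der).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower()


def v3_onion_address(pubkey: bytes) -> str:
    """v3 .onion name: base32(pubkey || checksum || version) as in Tor's rend-spec-v3."""
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode("ascii").lower()


def v3_address_valid(address: str) -> bool:
    """True if a v3 name decodes to 35 bytes, carries version 3, and its checksum matches."""
    try:
        raw = base64.b32decode(address.upper())
    except ValueError:  # bad alphabet or padding (binascii.Error is a ValueError)
        return False
    if len(raw) != 35 or raw[34:35] != b"\x03":
        return False
    pubkey, checksum = raw[:32], raw[32:34]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + b"\x03").digest()[:2]
    return checksum == expected


if __name__ == "__main__":
    # Same key in, same name out, regardless of which host publishes the service.
    print("v2:", v2_onion_address(SAMPLE_N, SAMPLE_E) + ".onion")
    v3 = v3_onion_address(SAMPLE_ED25519_PUB)
    print("v3:", v3 + ".onion", "valid:", v3_address_valid(v3))
```

Nothing in either name encodes a hosting location; the descriptor that tells clients where to find the service is signed with the same key, so a service moved to new hardware with its key intact is indistinguishable to a visitor from the original. That is the property pfg is describing, and it is also why the takeover could not have been noticed from the browser side of the connection.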

------
jugbee
"We knew the Hansa servers were in Lithuania, so we sent an MLAT (mutual legal
assistance treaty) request to Lithuania and requested if we could proceed with
our planned actions in their country. They were very willing to help us in our
investigations."

Okayy, this "very willing" part is going to deter me from hosting anything
located in Lithuania any time soon

~~~
mcv
Every country has laws. If you want to evade investigations into drug trade
and whatever else they were trading at AlphaBay and Hansa, you should go to a
country where they're not illegal.

------
peternicky
I am very interested in finding out how they were able to know with certainty
that the server was located in Lithuania. I didn't find this mentioned in any
reporting of the Hansa takedown and I see a handful of commenters on Krebs
asking the same question.

