Hacker News new | comments | show | ask | jobs | submit login
How Dutch Police Took Over Hansa, a Top Dark Web Market (wired.com)
246 points by Cwwm 41 days ago | hide | past | web | favorite | 138 comments

> They rewrote the site's code, they say, to log every user's password, rather than store them as encrypted hashes. They tweaked a feature designed to automatically encrypt messages with users' PGP keys, so that it secretly logged each message's full text before encrypting it, which in many cases allowed them to capture buyers' home addresses as they sent the information to sellers. The site had been set up to automatically removed metadata from photos of products uploaded to the site; they altered that function so that it first recorded a copy of the image with metadata intact.

Yeah, you probably should not do your PGP-encryption server-side...

You shouldn't do it in a web browser at all, client or server side. They can start off doing it client side and then silently switch to doing it server side. I've admittedly never used PGP, but I would think if a website at any point has access to your private key and could transmit it back to their server, you're doing it wrong.

I suppose it's a question of your threat model. Do you trust the website to not do that? Given that FBI is willing to take over and continue operating websites that distribute child porn, the default answer to that question ought to be no. You have no way of knowing if someone else has taken a server over.

Maybe a browser extension would be a good way to do PGP encryption for websites, keeping the key out of their reach but allowing a one-click encryption right in the browser.

Indeed, it's common advice that users of Darknet markets should not have Javascript turned on at all, since it increases their attack surface. (e.g. https://darknetmarkets.org/agora-comments-on-recent-bitcoin-...)

I like how that's a .org. They really do just want to get the information out there.

Isnt that the default of the Tor browser as well ?

No, it isn't, which is insane.

Yes it is. It wasn't for the first couple years but they turned it on a few yrs back. Last time I used Tor browser JS was disabled by default... I'd be surprised if that wasn't the case.

No, it isn't. I just downloaded the latest version of the Tor Browser, 7.5, and while it comes with NoScript installed, it's turned off by default: https://i.imgur.com/7pb7nvI.png

That's been a contentious point for years. The dominant faction of Tor devs fears that Javascript blocking will confuse and frustrate too many users. In the kindest interpretation, that's to protect the most users, notwithstanding that it will get some users pwned.

Less kindly, one could argue that Tor devs want to increase the anonymity set, in order to better hide US government users. That was, after all, one reason why Tor's initial Navy funders agreed with open release of the software.

There are similar issues around other Tor vulnerabilities. Such as how easy it is for apps to bypass Tor. Which has allowed the FBI's phone-home malware to pwn users.

Are you claiming that running an app in an environment where it can access the internet directly counts as a vulnerability in Tor?

Yes, of course it is. Whether it's the Tor Project's fault or the user's fault is a contentious issue.

I disagree, Tor isn't a sandbox or firewall for your apps. If they make undesired network traffic then the vulnerability is in the app (and arguably, the environment it's running in).

Could you please tell me more about the other Tor vulnerabilities?

I'm not aware of known vulnerabilities in Tor itself that devs haven't mitigated, out of usability concerns or whatever. Generally, I consider the focus on Windows users, and the reliance on tweaking Firefox for security, to be vulnerabilities. Also the refusal to compartmentalize the Tor process from userland, either in VMs or in separate hardware. I mean, Whonix has been around for years, and it's not featured (or even mentioned, unless you dig into the wiki) on the Tor Project website. And what about Qubes? Or Tor routers? I mean, they go after people for calling them that, citing their copyright.




But I fully agree the main site should make the risks of TBB clearer and promote Whonix/similar.

I think it imports any JS blocker you might be using on Firefox. For instance, in my case, I installed Tor and when I started it the first time, I saw the 'NoScript' tab enabled.

> I've admittedly never used PGP, but I would think if a website at any point has access to your private key and could transmit it back to their server, you're doing it wrong.

Encrypting a confidential message for another party is a public key operation. It’s the fact that the plaintext was sent to a remote server that’s problematic.

Oh right, good catch. So the problem is that encrypted messaging on a webpage just can't be convenient like messaging on facebook if you want to keep the server from having your messages. Other people send you messages, and you'll need to decrypt them yourself outside of the browser if you want to keep the browser from having your private key.

Extensions get exploited from inside the browser too. If you're going to be buying contraband online, one would hope that you have at least enough commitment to move your mouse over to another window on your desktop and do the cryptography there.

Client-side encryption (on the web) isn't any more secure; as they could just modify the JS code to log the plaintext.

> isn't any more secure

It's definitely more secure. But depending on your level of paranoia, yeah, it's often not enough.

Doing things in the browser shows customers that it's done properly and verifiably. It also makes attack way more public than being able to do it quietly server-side. I wish people applied security client-side more often.

I mean, if the server is compromised, you're fucked, regardless of whether you applied your crypto in js or on the server. But if it is done client-side, at least there's a chance that you notice you're fucked.

>Doing things in the browser shows customers that it's done properly and verifiably.

So customers are skilled enough to check the (webpacked together with other stuff and minified) JS code running in their browser before they run it? Even if this was actually feasible, it would be still orders of magnitude easier to just do GPG in a terminal.

And don't forget that, according to the article, we're talking about a crowd where even a lot of the long-standing big sellers are not smart enough to remove GPS meta-data from their product pictures.

>It also makes attack way more public.

You can still serve different (malicious) JS to a select bunch of your users who are least likely to notice and kinda spearfish with that. E.g. it's entirely feasible to just bug new first customers you fingerprinted as using default Tor Browser installs (most likelihood they are tech newbies too).

Even if users make sure the code they run is verified, how do users make sure the public key they are encrypting with is the public key of the party they intent and not a key the (rogue/police) operators of the website put there themselves, doing a good old active MITM key switcheroo? It's not like there is an independent web of trust in the realm of a tor drug market that you can check for that information. Even if the public keys of the big players (most of which would be sellers) are widely known, the key of Joe Newcustomer is not, so you can at least eavesdrop on communication directed to him by replacing his key with your own, look what the seller is writing and also at all those "Joe Newcustomer wrote: >" lines too, and nobody will ever notice until the police knocks on their doors.

> So customers are skilled enough to check the (webpacked together with other stuff and minified) JS code running in their browser before they run it?

Rather than posing the obvious as a question, yes, I am aware that the overwhelming majority of users will not be able to inspect it themselves. But there are also loads of people who are, and we also roam the internet.

And it's not about inspecting before it runs, it's about noticing weird changes before you typed your credentials. Currently it's a strange idea to open an element inspector before regular actions such as logging in, and indeed, it'd be quite the hassle. But if this were commonplace I imagine tools would jump up to aid in this for both experts and laymen. It isn't terribly hard to trace which pieces of code do something with the password field (such as reading out its value, and trace where the variable is used and copied to) and alert on changes to those. Upon such an alert, customers of a bank might wait a few days to see if there was a breach, and security experts of said bank might like to see the diff that the browser detected. Just a thought of what could be if security was applied client-side more often.

> So customers are skilled enough to check the (webpacked together with other stuff and minified) JS code running in their browser before they run it?

Checking code before it runs is possible. What is much easier is watching the network traffic on the web browser and examining it for sensitive material. It's an order of magnitude better to know that a security breach has _just_ happened than to find out much later, possibly when that information is being leveraged against you.

> spearfish

Almost all significant criminal activity leaves some trace. The buyer, by nature, has more trust in the seller because the buyer must pick up a package a specific location in a date range. The seller would be the most significant market players (spearfish targets), but give up less information in each transaction. The best way to attack would be watching for user mistakes (gps meta-data), social engineering, and zero days.

Having JavaScript enabled when buying drugs over the internet isn't exactly the smartest idea anyway.

>you probably should not do your PGP-encryption server-side

PGP-encryption server-side is meaningless, even if it was done client side, there's a MITM. Eve can replace public keys (though at the risk of exposing her MITM if people are double checking their own public keys listed on the site against their client side public keys)

>They tweaked a feature designed to automatically encrypt messages with users' PGP keys, so that it secretly logged each message's full text before encrypting it

Unless this is Wired's way of saying a MITM as described above.

>PGP-encryption server-side is meaningless

It's not meaningless, it prevents past messages from being compromised by a future breach. Future messages are still compromised, but past messages are secure.

By your logic you could say that forward secrecy is meaningless. But yet security professionals recommend that you use a TLS key exchange with forward secrecy.

I said: If there’s a MITM, server side PGP is meaningless. I didn’t say that server-side PGP has no security value in all domains.

If users still went to the webpage, and used whatever that webpage offered them, what could help them? Client or server side, they were pwned.

unless they knew beforehand to not enter plain text messages there. ever.

That quote doesn't say there is any server-side PGP. It could have been happening in javascript in the browser.

If you don't mind German (or subtitles) there is a hilarious documentary on YouTube about one of the biggest drug sellers on SilkRoad named „Pfandleiher“ from Bavaria: https://www.youtube.com/watch?v=frdpQF4bVJ4

He talks about his „setup“ (old car repair shop), routine to drive to different mailboxes, etc. Got busted when meeting with people offline from Austria to sell larger volume. German police got curious when they read in Mexican internet forums that the most advanced drug seller is located in Germany with 3 day shipping to Mexico.

Unfortunately there don't appear to be subtitles.

... Taking a whole server offline, and forcing thousands of drug users to go "uh... Guess I have to use a different server now".

From what I've heard, people are just selling over Facebook and WhatsApp, and the police just can't be bothered with it because what are they going to do? Arrest people for buying small amounts for what is obviously personal use? Or try and track down and pin a case on someone for posting stuff. I can't see them taking Facebook down.

> 'During their time as black market administrators, the Dutch police only banned one product on Hansa: the highly dangerous opioid Fentanyl. All other drugs on the site continued to flow freely, a circumstance over which Ras and Boekelo seem surprisingly unconflicted. "They would have taken place anyway," says Ras without hesitation, "but on a different market."'

So, the goal is probably aligned more with career progression than stopping drug trade as such

Or you are looking at this from an american perspective? Just guessing here. Everybody else on the planet figured out that prohibition doesn't work

That's wrong, Asia (and large parts of Africa and Latin-America) are treating drugs more harshly than the US nowadays.

Yea the poster was being hyperbolic, but the Netherlands is pretty fine with drugs for personal use. Their problems seems to be the tools the site is selling for committing other crimes (forgeries) and the larger sellers (who often have ties to other more heinous crimes).

Yet, people are still using them. Otherwise we wouldn't still hear stories about people being executed for smoking pot.

They've a lot of catching up to do, per web-search [asia opium export]

I'd be very careful reading about how laws in asian countries work in theory (on paper) without experience of what real life enforcement looks like.

Yeah right.

"Chinese Drug Dealers Are Being Sentenced to Death in Sports Stadiums and Public Squares"


[2015] "On Wednesday, China’s Supreme People’s Court argued that serious drug crimes merit the death penalty. Serious cases involving “drug lords, professional drug dealers or re-offenders” as well as “drug smuggling, organized transnational drug crime and armed or violent drug crime” should all receive capital sentences, according to a circular released by the SPC."


The reality of the situation is if you are connected, privileged, and drop some gifts or hush money, you won’t face a thing.

Fentanyl is extremely potent - its clinically relevant doses are measured in micrograms. Appears they were concerned with reducing mortality first.

What? Public health-oriented drug enforcement? Who would do such a thing? \s

Surprisingly common in the Netherlands.

I'm asking half-seriously here: assuming the fentanyl pill guy could demonstrate Good Manufacturing Practice, i.e. dose constant and as advertised and equally distributed throughout the pill, would he be sentenced more leniently?

At least in the US, it's almost certainly not written into the law or sentencing guidelines, so any leniency based on improved safety would have to be at the sole discretion of the judge.

I think it's commonly used to cut other drugs (coke), so I don't think that argument would go far.

I'd be very surprised if the fentanyl (or its analogues) in cocaine is deliberate (unless the goal is to harm users, which seems unlikely) - they are very different drugs. It's used more to be passed off as other opiates, because it's much cheaper and its potency makes it much easier to smuggle (carfentanyl being approximate 5000 times more potent than heroin). I'd suspect that the fentanyl in cocaine is coming from cross-contamination - lethal doses of carfentanyl are measured in micrograms, so anything less than perfect cleaning of equipment used to process both drugs could result in a fatality.

There's press reports about the DEA warning about it. E.g.: http://www.sun-sentinel.com/news/florida/fl-reg-cocaine-cut-...

That's what I remembered.

I'm sure it has happened at least once, but I suspect that the DEA gives it press coverage way out of proportion to its incidence.

As an adolescent of 12 or so, I remember watching a D.A.R.E. video in school where the fictional character tried marijuana for the first time, but it was secretly laced with cocaine and the fictional character had some kind of unspecified heart condition and hyper-sensitivity to cocaine that caused his first puff of pot to kill him. Remember kids, your first puff of pot can kill you!

They also told us that sometimes PCP is laced with rat poison.

Even as a 12 year-old, the implied frequency of such craziness beggared belief. It would have been more believable if they would have warned us that we shouldn't try hard liquor because it might be tainted with methanol. That at least happens with some frequency back in the Old Country, according to a Bulgarian friend.

Mixing cocaine and heroin is not all that uncommon. Sounds like a variant of a speedball:


Sure, there are certainly users who will mix the drugs, but mixing the two and then selling it as just cocaine seems strange. Supplying strong opiates to the (potentially) opiate-naive without their knowledge seems to be an unnecessary risk, and it is probably bad for business as you aren't supplying the experience that a cocaine user may be looking for.

It is very uncommon.

But surely the market for Fentanyl "[took] place anyway but on a different market"? It's such a short sighted move in an otherwise well played plan.

Maybe not. No one wants fentanyl: they want diacetylmorphine, and will take fentanyl if they can't find morphine. Opiates are all the same.

Did you meant _aren't _ all the same? They're certainly similar, and fentanyl will satisfy the cravings of those addicted to other opiates, but compared to heroin/diacetylmorphine has a shorter duration of action and reportedly less euphoric/more sedative effects.

The goal is likely aligned more with a different approach to management of drug use. Jumping to stopping drug trade as an immediate goal hits a lot of assumptions on what an effective policy can be.

It's also a lot easier to track down the whole network, and importantly, the bigger players, if you're tracking them.

Shut down the site, people move to another one, and you've got to start all over again.

Shutting it down is aligned with career progression (gets the big news). Leaving it running gives you some chance of affecting the actual drug trade

Or they have a similar problem that CT is facing and were focused on the human cost:


Non-broken URL (thanks, AMP): https://ctmirror.org/files/2018/03/Overdose-chart-lead.jpg

I agree with you that this sounds like a sensible strategy, and I don't understand the complaint above about career progression - to the extent that their careers were benefited by focusing on the most serious problems instead of a performative war on drugs, props to the system for enabling them to do this. People always make decisions based on career progressions, the best thing to do is set up incentives so those decisions are also good for society.

Jesus! What a bizarre statement. Didn't he just say that regardless of what the police do, drug transactions will continue? Why they hell do you both going after them then?

>So, the goal is probably aligned more with career progression than stopping drug trade as such

No, you should read the article rather than automatically assuming bad faith.

"Since the takedown, Ras says, they've arrested a dozen of Hansa's top vendors, with more arrests planned for coming weeks"

"While most drug vendors who fled AlphaBay showed up soon after on other dark web drug sites, those who fled Hansa didn't—or if they did, they recreated their online identities thoroughly enough to escape recognition"

Not all of the sales that take place on darknet markets are for personal use; some are bulk orders that will be split up for local resale. Investigating those buyers is well worth the investigative resources.

why is personal use OK but selling for personal use bad?

Personal use is still 'bad', but it's more efficient for police to go after resellers on the streets than all 50 individuals who bought from those resellers.

Why is personal use 'bad' then?

It's irrelevant if it's "bad". It's illegal, which means that at least in theory, law enforcement is supposed to pursue and prosecute it, since their mandate is to enforce the laws as passed by the legislative body, etc.


> Unless you're in California, in which case you pick and choose what laws you pursue and prosecute even though as a state body you fall under federal laws.

“State bodies” are not required to pursue and assist with enforcing federal laws, and are generally prohibited from prosecuting under then except when states have been granted special power to do so in federal law. These are fundamental features of the “dual sovereignty” federal system in the US (and the freedom of states to decline to enforce federal law was noted as far back as in cases related to the Fugitive Slave Act prior to the Civil War.)

If the federal government wants to make laws, then it is also responsible for figuring out how to enforce them. Within certain bounds, it can bribe states to do it, but it can't command them to.

writ of mandamus?

A bare noun phrase is kind of vague as a question, but.

> writ of mandamus?

Yes, it exists.

No, it doesn't obligate state bodies to “pursue” or “prosecute” violations of federal law.

Heroin is basically legal in San Francisco. Public injection is 100% tolerated by police (not by most citizens though). Police won't arrest you for buying heroin. DA certainly won't prosecute even if you are arrested.

Hell, you can buy heroin directly in front of the Tenderloin police station. Not across the street, directly in front.

de facto, I'd say heroin is basically legal in San Francisco.

Because the law says it's "bad" and that's why everyone used quotes around "bad".

Because heroin addicts cause vast destruction to their communities and families.

Don't forget about reddit which has also become a popular destination for drug trade. It's actually pretty surprising when you realize the same site everyone uses for funny memes and arguing about politics is also a go-to for illegal drug trade.

There are certainly subreddits to talk about various drugs, and subreddits that the darknet markets and how to use them, but as far as I know, there aren't subreddits for people to directly buy/sell/trade in drugs. Can you cite a subreddit where is a popular destination for drug trade?

Ditto, no drug related subreddit I know of doesn't explicitly ban dealing.

I won't out any, but while the rules are there, many deals take place using very thinly veiled codewords. Craigslist, mocospace, facebook, letgo, etc all have pretty blatant drug selling in the open as well.

Oh definitely: A friend showed me people openly selling weed on Instagram - no PGP or anything like that.

More likely they are trying to go after the distributors rather than the users

Looks like they just searched up parts of the website (in google?) until they found a testing server running the market. Another lesson for the operators there. Protect your testing deployments the same way you do the production web.

BTW, are there search engines that allow to search for HTML code of the web pages?

If it's IPv4 you can also just scan the whole address space yourself.

Shodan is a search engine for finding things connected to the internet probably don't want to be found.

> IPv4

Don't rely on IPv6 for protection from scanning.



Censys indexes a lot of these things so you can for example search for the title here. This works very well for sites that try to hide behind Cloudflare but don’t block access to other IPs.

I was thinking of something like searching by an element class name or other unique looking attribute values to find deployments of a given web app on the internet.

How close are we to pure-crypto distributed markets? It strikes me as odd that dark markets are still centralized, albeit behind Tor. Surely someone is working on something entirely distributed.

There's OpenBazaar.

Dark Web 101. Encrypt client side. Use a trusted browser extension not their arbitrary website.

Law enforcement 101. Don't blow your cover. Ignore 95% of the transactions and focus on the few major racketeering cases that matter. Let the IRS go after them for tax evasion instead so your cover remains as long as possible.

Waste of time and money if the goal was to stop drug trade. If on the other hand the goal was to see what law enforcement can do/utilize new tools for cybercrime, that's just dandy, I guess.

I would like to see their productive interventions on child porn and sex trafficking. Instead we get this tedious and unhelpful war on drugs that ultimately is futile.

American authorities have primarily focused on the exploitation/trafficking side of the dark web. In some cases, I would expect that mention of pursuing "darknet markets" is a more media-friendly euphemism for real operations that are focused on the trafficking of guns and/or people.

Hundreds were arrested in the FBI's Operation Pacifier [0], and their cases are still actively working through the courts. We don't hear much about Operation Pacifier, and I assume that's by design.

For security-aware technologists, however, there is an important detail: the feds have some heretofore-undisclosed exploit that is used to de-anonymize Tor users, which gets referred to as "the malware".

They're so interested in keeping the details of this secret that they dropped all charges on one of Operation Pacifier's biggest offenders, because he had a skilled lawyer who convinced the judge that the government would have to disclose more details about how it unmasked him to ensure that his constitutional rights had not been violated.

It's interesting that the tool used gets referred to as "the malware". Is this a real-world use of the Intel ME or just your run-of-the-mill trojan? Is there a backdoor in the Tor Browser Bundle, and that's why the government still allows such easy access to it? Is the claim of "malware" just a diversion to prevent people from learning that they have a crack for the Tor network itself? Dunno. Would be interesting to find out though.

[0] https://en.wikipedia.org/wiki/Operation_Pacifier

It could be some some super secret technique. I suspect it probably relies on Javascript though, or they'd probably hoard it for military ("cyber") use.

Tor is reasonably secure but if you run JS or download and execute files from Tor you will probably reveal your IP to a determined attacker.

While true, you'd think they wouldn't throw out the case if all they have to say is "We tricked him into running some weird JavaScript". There may be some deterrence benefit in making people think the government has an uber-secret exploit, but I don't know if they'd throw out all the charges on a high-level suspect just to create that sentiment (since there will surely be other times to posture about that kind of thing).

There's an app people can use to take photographs of hotel rooms. You take one photo from the doorway, and one of the bed.

This gets uploaded to a database for law enforcement to use to find locations when they get images of child sexual abuse that happens in hotels.


And there's also this article about one such takeover of a site that distributed images of child sexual abuse: https://news.ycombinator.com/item?id=12084471

Few months ago there was an article on HN how FBI took over child porn web ring and allowed it to run "normally" for about three months before all major players were "locked on" and simultenious raids took place. Can anyone find that article?

Police can legally commit crimes while investigating crimes.

EU police have led several large-scale onionland raids focusing on child trafficking in the last few years, and more recently have been making simultaneous international arrests of producers and distributors. The problem is the same with the drug war unfortunately, these sites are basically a hydra.

I have heard that child porn is actually more difficult to take down than drugs because the crime network topology is much more decentralized, with lots of the abusers acting as both producers and consumers. Drug trafficking on the other hand is much more asymmetrical and hierarchical so taking out an important drug dealer has a much more disruptive effect on the network (at least on the short term).

There's also the case that many drug buyers live in jurisdictions where the consequences to them of being found to buy recreational drugs are minimal (Even in this case, the consequences for buyers were some police pointing out "hey, we know"), so they aren't particularly incentivized to cover their tracks or use more secure measures than they would for e.g. facebook, as opposed to child porn which is taken seriously in every jurisdiction. I imagine this leaves the police with fewer entry points.

That would be cool to read a take down story about that instead of drugs.

That makes me curious though, it sounds like in the drug takedown the users are largely spared but the dealers are targeted. Is it the same for child porn/trafficking? I would prefer they go after everyone in those rings..

From what I've read (including one of your sibling comments), when it comes to CP there is much less of a seller and user dichotomy. Many times people are both consumers and producers. Some sites/networks will even require someone to submit new content before they can join to see other content (although I don't have a source for this and don't particularly care to dig one up).

I think a lot of more progressive(?) places let drug users off because it's more or less a victimless crime (no one has to be harmed in making and distributing drugs, though some producers certainly do that, but so does any capitalistic system; the cartels aren't significantly worse than buying from Apple) and they really just need help.

Child pornography is never a victimless crime.

" the cartels aren't significantly worse than buying from Apple"



Foxconn has 14 year old workers. Foxconn workers commit suicide over working conditions. Foxconn has violent drunken fights between workers that injure dozens of people (including those 14 year old workers by the by).

It isn't significantly different.

Yes, it really, really, really is. People all over the world commit suicide over working conditions. Foxconn did not have a significantly higher rate of suicide than the general population. People all over the world lie about their age (Foxconn is not recruiting 14 year olds to work for them) in order to work. And lots of places have drunken fights.

Not a single one of those, or even all of them put together, is anywhere near the video posted.

Nothing is significantly different if you go up enough layers of abstraction. I think it's pretty obvious there's a difference between collateral damage caused by a drunken riot, and the sober specific targeting of an economic rival by torturing a child, you know, to an empathetic human.

I certainly think the cartels are worse. But both torture children soberly for economic gain. I have empathy for both situations. But just because Foxconn is legal, doesn't really make it better.

Also in case anyone missed it today, corporations have increased the violence they use against their critics (rivals?) [0]. Certainly the cartels are worse with their brutality, but they are no different than any other modern international capitalistic enterprise.

[0] https://www.theguardian.com/global-development/2018/mar/09/h...

Poverty / living standards * Harshness of law & enforcement = level of misery.

"But both torture children soberly for economic gain. "

No, they do not. You have absolutely no evidence to back this statement up.

Foxconn workers suicide rate has never been demonstrated to be extraordinary.

Foxconn's working conditions are bad, but have been highly overstated. They employ 1.3 million people. The suicide rate among their workers is actually lower than the average. It's also not surprising that among 1.3 million people, some workers may get into fights.

Of course, that doesn't justify child labor.

Here you go: http://www.facing-finance.org/en/database/cases/working-cond...

Do you think the global drug trade 'provides work' for more than 500,000?

I don't think narcotics should be illegal, but law enforcement definitely does go after child exploitation and sex trafficking on the darknet as well. The FBI (very justifiably) burned at least two different NSA-developed exploits to identify people on child sex abuse websites.

I guess they focus on drugs because there is big money and real goods involved, both of which make it much easier to track down identities.

Right off the bat, mistakes. Silk Road was very much a secret take over sting as well. The dutch Police were following that playbook it sounds like.

>the German police raided the two men's homes, arrested them, and seized their computers with their hard drives unencrypted.

Wow, that's some bad opsec.

If the computers were actively being used, then the hard drives' contents were at least partly accessible, encrypted or not. Copy everything off before shutting them down.

Prudent folk have a UPS kill switch within easy reach.

And someone running a darkweb drug site should have really strong home security, like outside video cameras, motion sensors, and alarms on the windows and doors.

For sure.

Ok, but the article makes it sound like the whole drive was unencrypted. But maybe that was just inexact reporting.

> They then made a copy of each server's entire drive, including ... every conversation that took place through its anonymized messaging system.

That's why you should not keep history. All messengers like WhatsApp that save history on the server have zero respect for privacy. A decent messenger should not save anything unless allowed by the user.

I don't think Whatsapp stores messages on their servers. They do only until they are delivered to all parties and delete after that. What will they even do with the messages if they stored them- they would be end to end encrypted and Whatsapp won't have the decryption keys.

Well, WhatsApp might be not doing this, but other messengers save history on the server. And by the way , how do you know what WhatsApp really does if it has closed source code?

> What will they even do with the messages if they stored them

You can still do metadata analysis on communication patterns between people, without knowing the content of the messages.

That's...that's not how Whatsapp operates

Let me take a guess - Fentanyl is being sold on the new markets the Dutch police handed over their market share to.

AKA "any market that sells fentanyls probably isn't being running by dutch police"

From TFA:

"During their time as black market administrators, the Dutch police only banned one product on Hansa: the highly dangerous opioid Fentanyl. All other drugs on the site continued to flow freely, a circumstance over which Ras and Boekelo seem surprisingly unconflicted. "They would have taken place anyway," says Ras without hesitation, "but on a different market." "

Exactly - the Dutch police let Fentanyl be sold freely by shutting down Hansa, where it wasn't allowed.

What? They stopped the selling of Fentanyl when they had access to the site. Hansa allowed Fentanyl to be sold before they got into the servers.

If they had continued to run the site they would reduce the amount of users of other marketplaces, where Fentanyl is sold.

Basically, if the government ran a legitimate darknet marketplace, they could reduce the sales of the worst substances.

archive.is link in case full article doesn't display: http://archive.is/HelDj

> They [the police] then made a copy of each server's entire drive, including records of every transaction performed in Hansa's history, and every conversation that took place through its anonymized messaging system.

Why can't all transactions be removed after say a day after completion? I just don't see the point in keeping all of that data there, sounds like a big liability for everyone involved.

how does the dutch tax payer like that they paid those folks salaries for some 3 years while all they did was play global recreation drug police?

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact