
Operation “Bayonet”: how Dutch operatives secretly took control of a darknet shop

The notice from the Dutch special services that appears when you try to open the Hansa darknet marketplace

Authorities in different countries have been fighting darknet marketplaces such as Silk Road, RAMP or Hydra for more than five years, but police tactics are often useless. They hunt down the creators and destroy the site's server, but the audience soon moves to another site. Only a few people end up in prison, and they are soon replaced by the authors of new services.

In the autumn of 2016, Dutch police received a tip about the drug marketplace Hansa and decided to act differently. Their goal was not to destroy the platform but to seize it secretly and deal a serious blow to the reputation of the whole darknet industry. The story of Operation “Bayonet” and its consequences was told by Wired magazine.

Hole in the system

In 2016, Hansa was considered one of the largest drug markets in Europe. At the peak of its popularity, about 3,600 dealers listed more than 24,000 types of goods there, including cocaine, acid, ecstasy and heroin. Such a scale could not fail to draw the attention of the authorities, but for a long time no one saw a way to take the store down.

In the autumn of the same year, everything changed: an unnamed cyber security organization discovered the Hansa server in the data center of a Dutch provider (its name was not disclosed). As the experts explained, they found a version of the site used to test new features. Unlike the main resource, it was visible on the network, and the researchers recorded its IP address.

Gert Ras (left) and Marinus Boekelo, who led the operation to penetrate and seize Hansa. Photo: Wired

Soon the Dutch police contacted the provider hosting the suspicious server and demanded access to the data center. The operatives connected a monitoring system to watch all of the device's traffic: they determined that the additional server was in the same place as the main one, and that several others were based in data centers in Germany. The police copied all available information from the resources, including transaction histories and every message that appeared on Hansa.

But even such seemingly valuable information could hardly help the operatives catch the authors of the platform. On darknet sites it is customary to register only under pseudonyms, and all users connect through Tor. The police had only one real clue: the server in Germany preserved old correspondence between the two administrators in which, oddly enough, their real names were given, and in one case even a home address.

Trap for dealers

Hansa's administrators were a 30-year-old man from Siegen and a 31-year-old from Cologne. The Dutch authorities asked their German counterparts to arrest and extradite the suspects, but learned that the local police were already following them. The two Germans were under investigation for creating a pirate site with electronic books. This gave the Dutch operatives an idea: if the German police arrested Hansa's administrators without publicity, their Dutch colleagues could take the place of the site's moderators.

But as soon as the police launched the operation, the traffic on the Hansa servers suddenly stopped. The operatives suspected that the administrators had noticed the copying of files from the servers and gone to ground. As it turned out later, they had moved the site to more secure servers in different parts of the world.

The Dutch police had two options: wait for their German counterparts to arrest the suspects and use the data from their computers to shut Hansa down, or simply wait. The operatives chose the second option and continued to gather information on the darknet store.

In April 2017, they got lucky: the suspected administrator made a bitcoin payment through an address that had once appeared in a chat on Hansa. With the help of blockchain analysts from Chainalysis, the police found that the cryptocurrency had passed through a company in the Netherlands and ended up in the account of another firm. This time, in Latvia.

Two at one stroke

The operatives had not yet had time to think through a further plan when FBI agents unexpectedly contacted them. They had found a data center in the Netherlands with a server belonging to AlphaBay, one of the most popular darknet stores in the world. The American intelligence agencies were preparing to disable the server to stop the site and were waiting for approval from the local police.

The Dutch operatives realized that if AlphaBay dropped out of the game, some of its customers could move to Hansa, which the police would have captured by that time. “Even switching to another store will not allow them to avoid surveillance of special services,” explains Gert Ras, the head of the Dutch cyber crime unit.

In the early summer of 2017, the Dutch police sent a couple of operatives to the Latvian data center, having reached an agreement with the local authorities. On June 20, everything was ready: German special forces arrested the two suspects in their apartments and gave the green light to their Dutch counterparts. At the same time, agents in Latvia began downloading all the data from the servers and transferring it to the Netherlands, under police control.

A few days later, the suspects gave the German police the data for their accounts. The next day, Hansa passed completely under the supervision of the operatives. Apparently, neither users nor administrators noticed any change.

Full control

For the next few months, the Dutch police secretly rewrote the site's code to monitor the actions of users. At login, the site no longer encrypted account passwords but recorded them in their original form in a special list. The same thing happened with all the messages in the chat rooms: the police read the logs freely and worked out the home addresses of buyers and dealers.

The experts turned off the automatic removal of metadata from photos of goods uploaded to the site. This made it possible to extract the geolocation data of many images and to work out where they were taken. According to the investigators, the method was so effective that they deliberately removed all the photos from the site and explained it as a malfunction. Sellers had to upload their images again, not suspecting that the police were meticulously collecting their metadata. In this way they managed to locate 50 people.

According to the experts, they offered the sellers on Hansa a file that would supposedly serve as a backup key: if the site stopped working, the record would restore the bitcoins sent to them over the past 90 days. When a seller opened the document, it secretly passed a unique address to the police servers, revealing the user's IP address. As Wired writes, 64 vendors fell for the deception.

In parallel, the agents resolved conflicts and disputes between dealers and buyers. To do this, the officers took turns, giving the role to those who were better versed in diplomacy. The operatives believe that they managed to solve problems even better than the original owners of the accounts.

Tightening the loop

As expected, after the fall of AlphaBay in July 2017, many buyers moved to Hansa. In total, up to five thousand people per day registered on the site. At some point, the influx of users became too large, and the investigators had to temporarily close registration. They had to report every transaction on the site to Europol, and when the number of transfers reached a thousand a day, the police simply did not have enough time for the paperwork.

During the entire time they ran the black market, the investigators banned the sale of only one type of drug: fentanyl, an extremely dangerous opioid many times stronger in its effect than heroin. Other types of prohibited substances were freely sold to customers. The operatives are untroubled by this: “They would have spread anyway, but in another store,” explained Gert Ras.

After 27 days and about 27 thousand transactions, the police decided to turn off the site. In its place appeared a notice that the site had been closed by the authorities, with a link to a government resource listing buyers and dealers. “We track people who are active in darknet and offer illegal goods or services. Are you one of them? Then we follow you,” the site said.


In its report on Operation “Bayonet”, the Netherlands Organization for Applied Scientific Research called the operatives' success the “first sign of change” in the fight against darknet markets selling prohibited goods. “When the shop is shut down, everyone simply moves to another,” says Dutch operative Marinus Boekelo. His team sought not only to catch the suspects but to deal a psychological blow to the industry. “We expected that we could really reduce the credibility of the whole system.”

The Dutch police claim that their takeover of Hansa is the most successful attack against darknet sites in history. They obtained information about 420 thousand users, including about 10 thousand home addresses, and transferred it to Europol for distribution to police departments across Europe and the world.

The police arrested about 10 of the darknet site's top members and seized 1,200 bitcoins, which, at the current exchange rate, equal 12 million dollars. The operatives also met with 50 buyers and threatened them with arrest if they were caught again. To make the warning credible, the police promised to monitor the actions of darknet customers.
