In the days after the AlphaBay takedown but before Alexandre Cazes’ death, Paul Hemesath spent a few enjoyable hours by the rooftop pool of the Athenee, scrolling on his iPad through the responses to the sudden, unexplained disappearance of the world’s largest-ever dark-web market. Rumors had begun to swirl instantly that the site’s administrators had pulled off an exit scam, taking with them millions of dollars’ worth of the market’s cryptocurrency. But others argued that the site might just be down for technical reasons or to carry out routine maintenance. Few suspected the truth. “People have always screamed exit scam in the past, and they’ve always been wrong,” wrote one user on Reddit. “I really hope this turns out the same.” Another added, “Until we know otherwise, keep the faith.” Almost immediately, faithful or not, AlphaBay’s vendors and buyers went looking for a new market where they could continue business as usual. The natural choice was AlphaBay’s biggest rival, Hansa, which was well run and already growing fast. “wow alphabay exit scam. crazyness!” one user wrote on Twitter. “moving to hansa.” Back in the Netherlands, the Dutch police were waiting for them. For two weeks, they had been overseeing Hansa’s vast marketplace, surveilling its users and collecting their messages, delivery addresses, and passwords. Their Driebergen conference room, where the small team of undercover investigators had continued to work in shifts around the clock, had taken on the atmosphere of a college dorm. Chips, cookies, chocolates, and energy drinks covered the table, a warm, stale funk pervading the air. At one point the head of investigations for the Dutch National Police paid them a visit to see their landmark operation in action. He was visibly offended by the smell and left after 10 minutes. Someone brought in an air freshener. (“It didn’t really work,” a team member says.) Hansa’s marketplace, meanwhile, was thriving. In the days before the AlphaBay takedown, it was adding nearly a thousand new registered users a day, all falling into the trap the Dutch had patiently set. When AlphaBay went offline, that number spiked to more than 4,000 a day. Then more than 5,000 the next day. Then, two days after that, 6,000. Then, in the middle of that week, on July 13, one prong of Operation Bayonet suddenly slipped into the light. The Wall Street Journal broke the news that AlphaBay had been taken down by a joint law enforcement operation involving the US, Thai, and Canadian governments and that the site’s administrator, Alexandre Cazes, had been found dead in a Thai jail cell. There was no mention in the article of Hansa or the Dutch police. And when the Dutch reached out to the FBI, they were surprised and relieved to find that the Americans were willing to keep mum—to follow the Dutch team’s lead and delay any announcement of the entirety of Operation Bayonet. The still-operational, undercover half of their one-two punch would remain hidden for as long as the Dutch chose to pursue it. So a week after pausing new registrations on Hansa, the Driebergen team turned them on again. New user sign-ups soon spiked to more than 7,000 a day. The dutch knew that their operation couldn’t go on indefinitely. They could see the moment approaching when they would have to take off their masks, reveal their surveillance coup, and tear down the market they’d so carefully rebuilt and maintained. They were, after all, facilitating drug sales, not all of which were being intercepted in the mail. The closer they got to the end of the sting, meanwhile, the less they had to lose if they were discovered—and the more risks they were willing to take. Throughout the operation, the Dutch team would hold what they called “evil plan” meetings, brainstorming ever more devious schemes to track and identify the unwitting users of the market they controlled. They created a list of those tactics, ordering the menu of surveillance actions from least to most likely to blow their cover. As they reached their endgame, they began to put their most brazen ideas into practice. Hansa had long ago implemented a standard feature for dark-web markets, designed to protect their vendors: When sellers uploaded images for their product listings, the site automatically stripped those images of their metadata—information nested within the file, such as what sort of camera had taken the photo and the GPS location of where the image was created. The Dutch had silently sabotaged that feature early on, recording images’ metadata before it was stripped, so as to catalog uploaders’ locations. But they had managed to pinpoint only a few vendors that way; they found that most rarely updated their listings or posted new photos. So, a few weeks into their takeover, the police wiped every image from the site. They claimed that a server had failed due to a technical glitch, and they announced that vendors would have to re-upload all the images for their listings. Those fresh uploads allowed the Dutch cops to scrape the metadata from a vast new batch of images. They quickly obtained the locations of 50 more of the site’s dealers. All the while, of course, the files the team was pushing on vendors were functioning as secret digital beacons. The top left of the Excel spreadsheet displayed an image of the Hansa logo, a stylized Viking ship. The police had designed the Excel file to fetch that image from their own server when the spreadsheet was opened. As a result, they could see the IP address of every computer requesting it. Sixty-four sellers on the market took the bait. In the most involved scheme of all, the Dutch team turned their sights to the staff of the marketplace itself, the moderators who were directly working for them. They’d found that one moderator in particular was extremely dedicated—very “emotionally involved” in the site, as the team lead, Petra Haandrikman, put it. The Dutch team felt a collective sense of admiration and affection for this hard worker—while simultaneously hatching a scheme to try to arrest him. They offered him a promotion. Hansa’s two bosses would give him a raise, but only if he agreed to become a third admin of the site. The moderator was overjoyed, immediately accepting. Then they explained that for him to become an admin, they’d have to either arrange a meeting in person or get his mailing address so that they could send him a two-factor authentication token—a physical USB stick plugged into a PC to prove his identity and keep his account secure. In his next message, the moderator’s tone suddenly changed. He explained that he had made a promise to himself that if his bosses at Hansa ever asked for his identifying information or tried to meet him in person, he would immediately quit and wipe all of the devices he had used in his moderator job. Now he planned to abide by that promise. He said goodbye. That moderator’s sudden decision—a very wise one, likely saving him from a prison sentence—meant that the admins now had an opening to fill. So they began advertising that they were taking applications for a new moderator. At the end of a series of questions about qualifications and experience, they would ask “successful” applicants for their address so that they could mail them a two-factor authentication token. Some, eager for the job, handed over the locations of their homes. “Please don’t send the cops to this address hahahahahaha just kidding,” one would-be moderator wrote, as he, in fact, sent his address to the cops. “I trust you guys because Hansa support was always good and helpful.” To circumvent that safeguard, the Dutch police went one step further: For moderator applicants who provided a drop address, they shipped them the two-factor token hidden inside the packaging of a teddy bear, a cute stuffed panda with a soft pink nose. They intended the panda to appear as an innocuous disguise to hide the authentication token, a sign of their new employers’ attention to opsec—and, perhaps, their sense of humor. The Dutch cops hoped their targets would take the stuffed pandas home as a kind of gift or souvenir. Unbeknownst to the recipients, each one also contained, hidden deep in its stuffing, a small GPS tracker. On July 20, after running Hansa for 27 days, the Dutch prosecutors decided it was finally time to give up their game—over the objections of several members of the Driebergen team controlling the site, who had more ideas for surveillance tricks still up their sleeves. In a press conference at the Dutch police’s national headquarters in The Hague, the head of the agency dramatically pressed a large red plastic button to shut down the site. (In fact, the button was just a prop; an agent sitting nearby with a laptop sent the simultaneous command to the server that finally pulled Hansa offline.) Simultaneously, the US Justice Department announced the news in a DC press conference in which Attorney General Jeff Sessions spoke about the coordinated action against both AlphaBay and Hansa. Sessions used the opportunity to issue a warning to the dark web’s users. “You are not safe. You cannot hide,” he told them, from a packed room of reporters and cameras. “We will find you, dismantle your organization and network. And we will prosecute you.” The Dutch, meanwhile, put up a slightly different message on Hansa: “THIS HIDDEN SITE HAS BEEN SEIZED and controlled since June 20.” The Dutch seizure notice linked to another dark-web site that the police had created themselves, which listed dark-web vendors by pseudonym under three categories: those under investigation, those who had been identified, and those who had been arrested—a list that they suggested was about to grow significantly. “We trace people who are active at Dark Markets and offer illicit goods or services,” the site read. “Are you one of them? Then you have our attention.” The Dutch team in Driebergen, even after exposing their operation, still had one last card to play: They decided to try the usernames and passwords they had already collected from Hansa on the largest surviving dark-web drug bazaar, known as Dream Market. They found that at least 12 of that site’s dealers had reused their Hansa credentials there. They were able to immediately take over those accounts and lock out the vendors—who promptly posted panicked messages to public forums suggesting that Dream had been compromised as well. All of that carefully coordinated agitprop and disruption was expressly designed to sow fear and uncertainty across the dark-web community—to “damage the trust in this whole system,” as the Dutch police’s Marinus Boekelo said. It had its immediate intended effect. “Looks like I’ll be sober for a while. Not trusting any markets,” wrote one user on Reddit. “DO NOT MAKE NEW ORDERS ON ANY DNM ANY MORE!” wrote another, using the common abbreviation for “dark net market.” “So it’s a wrap for the darknet?” one user asked. “To everyone who thinks they’re screwed and wants to flee the country,” another advised, “do so ASAP.” That all-pervading paranoia was, for many of the dark web’s users, warranted. In their nearly four weeks of running Hansa, the Dutch had surveilled 27,000 transactions. After shutting down the site, they seized 1,200 bitcoins from Hansa, worth tens of millions of dollars as of this writing, thanks in part to silently sabotaging the site’s implementation of a Bitcoin feature called multi-signature transactions, designed to make that sort of simple confiscation impossible. They had collected at least some amount of data on a staggering total of 420,000 users, including more than 10,000 home addresses. In the months following the takeover, Gert Ras, the head of the unit that oversaw the operation, said Dutch police carried out around 50 “knock and talks” in the Netherlands, visiting known buyers to warn them they had been identified and should stop purchasing narcotics online, though he said they arrested only one high-volume customer. The site’s sellers weren’t so lucky: Within a year, more than a dozen of Hansa’s top dealers had been arrested. Finally, the Dutch police fed the massive corpus of dark-web data they’d collected into a database controlled by Europol, which in turn shared it with law enforcement agencies around the world. A series of massive, high-profile dark-web busts would follow. These operations were all carried out by a new group known as JCODE, or Joint Criminal Opioid and Darknet Enforcement, pulling together agents from the FBI, DEA, Department of Homeland Security, US Postal Inspection Service, and half a dozen other federal agencies: in 2018, Operation Disarray; in 2019, Operation SaboTor; in 2020, Operation DisrupTor. In total, according to the FBI, those enforcement campaigns would eventually result in more than 240 arrests, 160 “knock and talks,” and the seizure of more than 1,700 pounds of drugs, along with $13.5 million in cash and cryptocurrency. But the Hansa side of the operation was not without costs. Aside from the vast manpower and resources Operation Bayonet had required, it had demanded that a group of Dutch police become dark-web kingpins. For nearly a month, they had facilitated the sale of untold quantities of deadly narcotics to unknown buyers across the world. Even as they compromised Hansa, Hansa had compromised them too. Did the Dutch police feel that sense of taint—taint that perhaps comes with any undercover work? Some, at least, describe feeling surprisingly unconflicted about their role. “To be honest, it was exciting, mostly,” said the team lead, Petra Haandrikman. Dutch prosecutors had, after all, already reviewed the case, weighed its ethics, and given them the green light. After that, the police involved felt they could push the operation as far as possible with a clean conscience. The Dutch police pointed out that they did ban the especially deadly opiate fentanyl from Hansa while it was under their control, in an effort to minimize the harm they might be responsible for—a move Hansa’s users actually applauded. In truth, however, that ban had come just a few days before the end of their undercover operation. Until then, for more than three weeks, that highly dangerous opioid had continued to be offered on the site, with no guarantee that all of its orders would be intercepted. And how did the police feel about the decision to oversee those narcotics sales rather than shut Hansa down and prevent the transactions altogether? “They would have taken place anyway,” Gert Ras said without hesitation, “but on a different market.” In the years since, the dark web’s observers have tried to determine to what extent Operation Bayonet actually disrupted that endless interchangeability of markets, the constant cycle of raid, rebuild, and repeat. Could the highly coordinated global takedown of AlphaBay—or anything else—end or even slow the eternal shell game law enforcement agencies had by then been playing for years, with a new market constantly ready to absorb the users of the last? One study, at least, suggested that the AlphaBay and Hansa busts had more lasting effects than previous dark-web takedowns. The Netherlands Organisation for Applied Scientific Research, which goes by the acronym TNO, found that when other markets had been seized, like the Silk Road or Silk Road 2, most of their drug vendors soon showed up on other dark-web drug sites. But the vendors who fled Hansa after Bayonet’s one-two punch didn’t reappear, or if they did, they had been forced to scrub their identities and reputations, re-creating themselves from scratch. “Compared to both the Silk Road takedowns, or even the AlphaBay takedown, the Hansa Market shutdown stands out in a positive way,” the TNO report read. “We see the first signs of game-changing police intervention.” Chainalysis’ blockchain-based measurements, by contrast, found that AlphaBay was generating as much as $2 million a day in average sales just before its shutdown—revenue that no other dark-web market of its kind has ever rivaled. (The Russian-language dark-web site Hydra, which was pulled offline by German law enforcement in April 2022, did top those numbers, taking in more than $1.7 billion in bitcoin in 2021, according to Chainalysis. But because its black-market contraband sales were difficult to distinguish from its money-laundering services, its inflows of cryptocurrency aren’t directly comparable to AlphaBay’s.) The FBI has estimated that Cazes’ site, with more than 369,000 product listings and 400,000 users at its peak, was 10 times the size of Silk Road when it was pulled offline. Regardless of who holds the title for the largest dark-web market of all time, Christin predicts that this anonymous contraband economy cycle will continue long after the dark web’s memory of Operation Bayonet has faded, as long as there are buyers for illegal, lucrative, and often highly addictive products. “History has taught us that this ecosystem is very, very resilient,” he says. “What happened in 2017 was very unique, that one-two punch. But that doesn’t seem to have dented the ecosystem in a major way.” Even on the day that the Hansa takedown was announced and Operation Bayonet was finally revealed, some users seemed ready to return to the dark web as soon as the chaos subsided, and their insatiable need for another fix began to make itself felt. The very same Reddit user who had posted to the site’s dark-net market forum that they would be “sober for a while” ended their message with a note of stubborn persistence. “Things will stabilize, they always do,” that anonymous user wrote. “The Great Game of whack-a-mole never ends.” In early August 2021, just as I was reporting out the final details of AlphaBay’s downfall, something unexpected happened: It rose from the dead. “AlphaBay is back,” read a message posted to Ghostbin, a site for publishing anonymous text-based messages. “You read that right, AlphaBay is back.” “I welcome you to the re-opening of our professionally-run, anonymous, secure marketplace AlphaBay to buy or sell products and services,” DeSnake’s message began. The staff of this new AlphaBay, he wrote, had “20 years of experience in computer security alone, underground businesses, darknet market management, customer support and most importantly evading Law Enforcement.” Sure enough, when I entered the site’s address into a Tor browser, a reincarnated AlphaBay appeared—albeit a newly launched one. It was the same market as the one last seen in 2017, but restarted from scratch, with none of AlphaBay’s many thousands of vendors. And there was another major difference: Now that he had taken over from Alpha02, DeSnake allowed transactions only in the privacy-focused cryptocurrency Monero, not Bitcoin, to prevent the blockchain analysis that had played such a central role in AlphaBay’s takedown. I reached out to DeSnake for an interview, writing to his account on the Tor-protected web forum Dread. Within 24 hours, I found myself exchanging encrypted instant messages with the newly resurfaced, would-be kingpin of the dark web. DeSnake quickly explained why he had reappeared only now—fully four years after the original AlphaBay had been torn offline, after Cazes had died in jail and the rest of AlphaBay’s staff had scattered. He had intended, he wrote, to retire after AlphaBay was seized, but his plans changed after he saw the news that an FBI agent involved in the AlphaBay takedown had shown a video of Cazes’ arrest at the 2018 Fordham International Conference on Cyber Security and had spoken about Cazes in a way that DeSnake deemed disrespectful. “The biggest reason I am returning is to make the AlphaBay name be remembered as more than the marketplace which got busted and the founder made out to have committed suicide,” DeSnake wrote, in his slightly foreign-inflected English. “AlphaBay name was put in bad light after the raids. I am here to make amends to that.” DeSnake repeated the claim I’d heard before: that Cazes was murdered in jail. He offered no real evidence but said that he and Alpha02 had developed a contingency plan in case of his arrest—a kind of automated mechanism that would reveal Alpha02’s identity to DeSnake if he disappeared for a certain amount of time, so that AlphaBay’s number two could help him in jail. (Whether that help would have come in the form of a legal defense fund or the “helicopter gunship” Cazes had mentioned to Jen Sanchez, DeSnake refused to say.) DeSnake described countermeasures he’d since developed for practically every tactic that had been used to capture Cazes and take down the original AlphaBay. DeSnake never stepped away from his computer when it was unlocked, he wrote, not even to use the bathroom. He claimed to use an “amnesiac” operating system to avoid storing incriminating data, as well as “kill switches” to destroy any remaining information that law enforcement might find on his machines, should they leave his control. He even wrote that he’d designed a system called AlphaGuard that will automatically set up new servers if it detects that the ones that run the site are being seized. But the biggest factor protecting DeSnake was almost certainly geographic: He wrote that he’s based in a former USSR country, beyond Western governments’ reach. While he acknowledged that Cazes had used fake clues to suggest a Russian nationality to throw off investigators, he claimed that AlphaBay’s ban on victimizing people from that part of the world was genuine and designed to protect him and other actual post-Soviet citizen AlphaBay staffers from local law enforcement. “We did that for security of other staff members,” DeSnake wrote. Cazes then “decided to embrace it as a way to secure himself.” Even so, DeSnake claimed that he had traveled multiple times through countries with US extradition treaties and had never been caught. He credited that track record in part to his careful money laundering, though aside from his preference for Monero, he declined to detail his methods. “Anyone who believed any currency method or cryptocurrency is safe is a fool or at the very least very ignorant. Everything is tracked,” he wrote. “You have to go through certain methods to be able to enjoy the fruits of your work … it costs to do what you do. If you are a legit business you pay taxes. If you are doing this you pay taxes in forms of obfuscating your money.” DeSnake said he was shocked when he learned of Alpha02’s early slipup that first revealed his email address to the DEA. “I am still in disbelief to this day that he had put his personal email on there,” DeSnake wrote. “He was a good carder and he knew better opsec.” But he added that Cazes’ failure to hide his money trails to the degree DeSnake recommended was a more willful mistake. DeSnake had warned the previous AlphaBay boss about the need to take more measures against financial surveillance, he said. Alpha02 hadn’t listened. “Some advice he took, other he disgarded as ‘overkill,’” DeSnake wrote. “In this game there is no overkill.” One afternoon, at the end of several weeks of on-and-off chats with DeSnake about how he planned to win this next round of the dark web’s cat-and-mouse game, he shared some news: The mice had scored another small victory. Within the DarkLeaks collection, one slide deck immediately caught my eye. It was a presentation from Chainalysis. It described, in Italian, a remarkable set of surveillance tricks that Chainalysis offered law enforcement but that had never before been publicly revealed, including the ability to trace Monero in a majority of cases. The slides even seemed to reveal that Chainalysis had turned a free blockchain analysis tool it had acquired, WalletExplorer, into a honeypot: The company had turned over identifying information to law enforcement about people who used the tool to check the traceability of their coins. But amid these revelations, there was another slide that finally offered the most elusive answer I’d been looking for: a possible solution to the mystery of the “advanced analysis” trick Chainalysis had used to locate the AlphaBay server in Lithuania. The Italian presentation confirmed that Chainalysis can, in fact, identify the IP addresses of some wallets on the blockchain. It did so by running its own Bitcoin nodes, which quietly monitored transaction messages. This appeared to be the very practice that had led to a scandal in the company’s earliest days, when it was revealed that Chainalysis was running its own Bitcoin nodes to collect the IP addresses of cryptocurrency users—an experiment it had promised was shut down after an outcry about it spread across the Bitcoin community. One slide in particular described a tool called Rumker, explaining that Chainalysis could use its surreptitious Bitcoin nodes to identify the IP addresses of anonymous services, including dark-web markets. “Although many illegal services run on the Tor network, suspects are often negligent and run their bitcoin node on clearnet,” the slide read, using a term for the traditional internet not protected by Tor. Had AlphaBay made this mistake? Rumker sounded very much like the secret weapon that had pinpointed that dark-web giant’s IP address, and likely those of many other targets too. (When I wrote to Chainalysis’ Michael Gronager to ask about the slides and specifically about Rumker, he didn’t deny the presentation’s legitimacy. Instead, he sent me a statement that read like a kind of summation of his stance on Bitcoin’s privacy, which he argues is virtually nonexistent: “Open protocols are openly monitored—to keep the space safe—and to enable a permission-less value transfer network to flourish.”) Rumker, if it was in fact the tool that located AlphaBay, had likely just been “burned.” Whoever leaked it had, in doing so, exposed the vulnerabilities of the Bitcoin protocol it exploits. Dark-web administrators like DeSnake will no doubt take more care in the future to prevent their cryptocurrency wallets from revealing their IP addresses to snooping Bitcoin nodes. But there will be other vulnerabilities, and other secret weapons to exploit them. The cat-and-mouse game continues. And for every Alpha that’s taken down, another will be waiting in the dark web’s manifold shadows, ready to rise into their place. This story is excerpted from Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency, available now from Doubleday.  If you buy something using links in our stories, we may earn a commission. This helps support our journalism. Learn more. Chapter Illustrations: Reymundo Perez III Photo source: Getty Images This article appears in the December 2022/January 2023 issue. Subscribe now. Let us know what you think about this article. Submit a letter to the editor at mail@wired.com.

The Hunt for the Kingpin Behind AlphaBay  Part 6  Endgame - 36The Hunt for the Kingpin Behind AlphaBay  Part 6  Endgame - 32The Hunt for the Kingpin Behind AlphaBay  Part 6  Endgame - 29The Hunt for the Kingpin Behind AlphaBay  Part 6  Endgame - 62The Hunt for the Kingpin Behind AlphaBay  Part 6  Endgame - 86