Darknet News

Questions About Legitimacy of the New AlphaBay Market Emerge

Sometime in July 2017, AlphaBay, the world’s biggest darknet marketplace, closed down abruptly under unclear circumstances. The buyers and vendors on the underground platform were not sure about whether that the site had been seized by law enforcement or pulled an exit scam on everyone.

Soon after, news about a global police operation targeting the most prolific dark web market of its time emerged. It turns out that a multi-stakeholder team of law enforcement agencies had infiltrated AlphaBay and harvested plenty of evidence against the site owners and users.

The investigations culminated in the arrest of AlphaBay founder Alexandre Cazes who was identified as the administrator of the marketplace. Recent memory serves that the admin died under disputed circumstances as the police claimed that he committed suicide – the larger dark web community, however, believe that this was a case of extrajudicial killing to date.

Now, barely five years since closure of the first AlphaBay market, the darknet platform is back in business but lots of questions remain about the legitimacy of the new version of the market – some dark web analysts and communities seem skeptical about the true intentions of its return.

Some Background Information

The now-deceased Cazes did not operate AlphaBay singlehandedly, but formed part of a team that included a “security administrator” going by the alias DeSnake. According to findings made by a host of darknet analysts, DeSnake may have had links to Russia although it appears that his true identity was not necessarily Russian.

Not too long ago, A California court sentenced Brian Herell, a Colorado man identified as one of AlphaBay’s moderators going by the moniker Botah to 11 years in prison. The charges included accusations of racketeering and helping to run an illicit marketplace on the dark web.

Even before running the highly successful AlphaBay market, Cazes was considered to be an experienced darknet operator with vast experience across underground communities. He was particularly prominent in the underground carding community where claims about him being a different person from alpha02 emerged.

Debate concerning the truth about DeSnake’s real identity is well reflected in a 2016 episode where a disgruntled AlphaBay user known as “Kinger” said that alpha02 had made his exit from the market in late 2015, sold his stake to DeSnake, and that DeSnake was serving as an admin for the remaining two years of its lifetime.

According to past media reports, the threats posed by “Kinger” were viewable on the now-defunct AlphaBay subreddit under the topic “the real reason why AlphaBay is down”. The user, who happened to be one of the vendors on the marketplace, claimed that he had revealed the real identity of DeSnake to the media.

He also asserted that he had doxed dark web community members in the past and signed the message with his digital signature. The message read something in the lines of “Hello guys, Kinger here. I would like to inform you AlphaBay has exit scammed because of me. DeSnake has been doxed by me because he made an OP-Sec error and after I contacted him about the error, I think he made the decision to burn everything.”

Further, Kinger added that DeSnake’s real identity was actually Dutch even though the AlphaBay admin masqueraded as a Russian national, and that he was fully aware of his location. The AlphaBay vendor threated to post DeSnake’s dox in case he tried exit scamming users.

Aside from DeSnake, AlphaBay had about half a dozen moderators whose roles included maintaining order as far as AlphaBay discussions and activities go. They played the important role as mediators in conflict situations that would arise between buyers and sellers on the market. In addition, AlphaBay moderators conducted promotions for the marketplace on other platforms such as Reddit before the darknet market subreddit was effectively banned.

There were also at least half a dozen moderators that helped administer the market and its discussion forum, moderated disputes between buyers and vendors, and promoted the market on Reddit (prior to the shutdown of the DNM subreddit). The indictment from 2017 listed them individually by their monikers and many have been arrested.

Further information concerning the other players that assisted Cazes to run the robust dark web empire emerged, including a public list made by U.S. authorities capturing other AlphaBay identitied – this included Trappy and Disc0.

Quite interestingly, the events following the arrest of some of the AlphaBay operators opened a can of worms into the highly sophisticated organizational structure that formed the AlphaBay underground empire. As such, after AlphaBay’s PR manager and the platform’s Reddit moderator Trappy was apprehended in a law enforcement operation, he claimed that the monikers alpha02 and DeSnake belonged to the same person.

The Stormy Return

In August 2021, DeSnake appeared on the Dread forum amid wild skepticism among dark web users. The platform’s staff backed his return in an effort to dissipate the doubt that had already been seen among users who were unsure that he was the real DeSnake from the past.

The challenge about proving his authenticity was quickly fixed by DeSnake signing all posts using the PGP key from the old AlphaBay market. Things took an interesting turn after the dark web market’s former moderator Disc0 joined the discussion, albeit using a lowercase “d” this time (See screenshot).

Figure 1: Disc0 joined a conversation by DeSnake on the Dread forum)

DeSnake went on to share information about the return of AlphaBay market after the four-year break and intimated that the platform would not be hosted on both Tor and I2P anonymity networks. This was also coupled with detailed information concerning their decision to invest special attention to I2P in circumstances that reflected the longstanding onion debate about the best anonymity tool for darknet browsing.

As noted by a host of dark web commentators and analysts, the new AlphaBay market started on a difficult footing as evidenced by instabilities on their Tor service – frequent errors, user registration challenges and login timeouts have become commonplace.

Figure 2: A 502 error message when trying to go past AlphaBay’s anti-DDoS firewall.

Other users have already complained that the I2P version of the market is has problems loading up. The two months that AlphaBay has been in operation since its return have not amounted to much – there’s not too many listings as would be expected from the once largest dark web platform on earth.

An interesting observation that can also be noted is the fact that AlphaBay’s Tor service appears to be hosted alongside Dread services – there’s a striking similarity between both the dread and AlphaBay waiting queue and the anti-DDoS firewall page that precedes the market’s landing page.

Other dark web experts have also noted another observations that may raise more questions than answers about the real circumstances surrounding AlphaBay’s return to the darknet marketplace scene.

For starters, Disc0 drummed support for DeSnake on Dread although they claim that they are not members of staff of the new AlphaBay or the forum alongside it – they said that they already retired from the work.

The new version of the dark web marketplace is seemingly being moderated by the users TheCypriot, tempest, and wxmaz. The AlphaBay moderators have all shown a consistent pattern in how they post their discussions.

The dark web intelligence firm DarkOwl noted that the moderators use very formal and polished English, and are quick to project their passionate “two cents” about why the dark web economy is desperate for a decentralized marketplace – the same users have not been shy to express their opinions about peer-to-peer networks and the need for markets to focus on nurturing darknet communities in lieu of profit-centered enterprises.

In particular, apart from signing off messages with a “thank you”, DeSnake’s Dread forum posts are noticeably packed with information when addressing other users on the popular discussion site – the screenshot below provides a clear example.

Figure 3: A lengthy response by DeSnake to a Dread user probing about the relevance of funding a decentralized marketplace project.

The same thing can be observed on AlphaBay’s “About and FAQ” section that gives significantly wordy answers to questions that users may have.

Aside from the technical issues that have plagued the smooth integration of the new AlphaBay market back into the underground economy, darknet researchers have reported noticing the rise in scammers that have jumped on the opportunity to scam users through various fraud campaigns.

One surface web domain is said to have been created by an unknown actor who succeeded to create an exact replica of the information that was being shared by DeSnake on the Dread forum. It turns out a Tor link that was provided by the domain was not verifiable via the mirrors.txt for onion sites.

It goes without saying that the surface web domain was specifically created by a cybercriminal with intentions to direct oblivious users to a phishing website where their sensitive credentials would be harvested without their knowledge.

Additionally, the links section on the said surface web AlphaBay domain is reported to be attempting to discredit DeSnake’s messages on dread by claiming that the user had been compromised by the admin and owner of the now-defunct White House Market.

Dark Web Users Are Doubtful

So far, there’s scanty information about how the dark web community beyond the Dread forum perceive the new version of AlphaBay market. Information searches have been difficult considering that the platform was quite a popular subject matter on the seemingly-offline Darknet Market Avengers.

Apart from that, users across both clearnet and dark web communities seem to have taken the AlphaBay news with a pinch of salt. Dread users were particularly combative whilst flagging some inconsistencies about DeSnake’s verification (See below).

Figure 4: A Dread user questions DeSnake’s legitimacy.

In addition, the Russian-language forum XSS thread titled “AlphaBay вернулся!” (Meaning: AlphaBay is back!) featured user sentiments that seemed critical of the darknet market’s return.

On the Reddit discussion forum, an announcement on the subreddit r/cybersecurity about AlhaBay’s return after a four-year shutdown was met with negative responses. One user said, “Hello FBI Honeypot” while another reacted that they would rather buy their drugs from facebook (See screenshot below).

Figure 5: A Reddit user reacting to news concerning AlphaBay’s return after a four-year shutdown.

As reported by a number of online news sites, DeSnake was quick to pull out a damage control strategy after users seemed highly sceptical about trusting that AlphaBay’s return was good news to the underground community.

As noted by DarkOwl, DeSnake joined the conversation after creating an account with his online moniker on September 12. This was seen as a response to the market’s negative reputational impact that would have kept potential buyers and sellers off the platform.

The dark web intelligence company noted that DeSnake’s attempts to save the site’s name fell on deaf ears as evidenced by how he struggled to contain the conversation on XSS, which was spiralling out of control.

DarkOwl went on to quote an XSS user’s reply to DeSnake that that read:

Your brand is irrelevant, long forgotten, your missing period as you should know is a lifetime in these circles, your name means nothing, you actually start with negative trust and momentum rather than popping up with a completely new name and brand not linked to the dumpster fire that went down before. So your either dAFeDz, or you have fallen victim to a serious and advanced case of autism after getting your covid vaccination. Either way none of your weird over explanation means anything because before we get to any of that we have to deal with the mental retardation and poor judgment that lead you to relaunch like this. But since youre not who youre trying to be we can skip it”.

AlphaBay’s Legitimacy – Additional Observations by DarkOwl’s Analysts

According to a DarkOwl analysis concerning the AlphaBay issue, a lot of inconsistencies can be picked from the recent return of AlphaBay and DeSnake. Although DeSnake may be an authentic identity after all, details concerning the 2017 shutdown of AlphaBay Market indicate that there’s more than meets the eye.

DarkOwl contends that AlphaBay’s return may be just another undercover law enforcement operation to gather evidence on users that will be quick to jump on to the ship. This premise is pegged on the understanding that AlphaBay’s shutdown featured the authorities confiscating the platform’s servers and Caze’s unencrypted laptop computer.

Against these backgrounds, DarkOwl compiled a set of observations that point to a potential deeper meaning about AlphaBay’s return to the darknet scene:

  • First, the registration process for the new AlphaBay is quite complicated. This problem presents itself in errors when a new users attempts to start their PIN code with “0”. It is also noteworthy that one is required to key their “real name” which, according to DarkOwl researchers, is irrelevant across the dark web spheres – it seems that the market admin is counting on the fact that some people may actually make the mistake of registering their accounts using their real names.
  • The DDoS protection and bot detection mechanisms in place are an overkill considering that the marketplace is still new, having been forced to begin recruiting users from scratch. DarkOwl analysts reported that they were forced to reset their Tor circuit and refresh their identity in order to conduct a simple action such as viewing the vendor listings.
  • The darknet marketplace has a massive number of stringent rules that are termed “global AlphaBay rules” in lieu of the standard rules that are normally prescribed to buyers and sellers. The list of banned items features weapons (which contrasts with the original platform that permitted the sale of such items), fentanyl and its derivatives. It’s also strange that the site has banned listings about COVID-19 cures, and ransomware that would otherwise be sold or advertised.
  • The “About-Us” and “FAQ” sections are a tough read owing to the lengthy texts that have been used to populate them. This is a new approach compared to sections of the original AlphaBay market that were simple to read and straight to the point.
  • Notably, the new AlphaBay has excluded activities from the Commonwealth of Independent States (CIS) that denote ex-Soviet countries. This is quite unexpected considering that DeSnake and alpha02 were ardent users of Russian carding platforms. In fact, the original AlphaBay market had Russian speakers that had been described before as “colleagues” by the former admin.
  • The fact that the new AlphaBay accepts only the Monero cryptocurrency raises eyebrows about how distant it stands from its historical reality. It has also openly supported I2P over the Tor network. This is well captured by DeSnake’s intiative to create a comprehensive guide on how users can install I2P.
  • The new market has also declined to take monetary donations from the larger dark web community, which is quite out-of-the-ordinary considering that most platforms will almost always let users send them donations. Discouraging user donations at this early stage does not make sense.
  • Further analysis by DarkOwl researchers point to questionable aspects of how language has been used on the platform. For instance, the FAQ and About-Us sections has several mentions of DeSnake’s OPSEC competence and law enforcement circumvention abilities, such as “dirty playing by LE with their parallel construction”. The analysts assert that the phrase “parallel construction” has been a common occurrence in post-AlphaBay discussions across English and Russian-language dark web forums.
  • It goes without saying that the recognizable patterns of communication that have been exhibited by DeSnake defeats their persona as an individual who is always watching over their back for undercover law enforcement agents.
  • Still on language analysis, DeSnake’s writings include several instances featuring British spellings of words such as “honoured” and “minimised” that can be noted in alpha02’s writings in an interview with Joshua G sometime in April 2015 on the now-defunct DeepDotWeb. DarkOwl investigators note that “decentralized” is still being spelled with the “z”. While there are very few English-speaking historical writing samples from DeSnake, as they were most active on Russian-speaking forums like TCF and Evolution, an analysis of historical AlphaBay market records never included any British-English spellings such as these.
  • Finally, dark web users are always looking to operate without the need raise unnecessary attention – they particularly avoid becoming famous. In contrast, DeSnake has gone against the grain by being enthusiastic about speaking to the media concerning the platform’s return to the darknet spaces.

Leave a Reply

Your email address will not be published.