Cybercrime , Fraud Management & Cybercrime , Fraud Risk Management

Back to the Future: Notorious AlphaBay Market Reboots

Darknet Market Only Accepts Monero, Promotes Malware and Botnets, Bans Ransomware
Back to the Future: Notorious AlphaBay Market Reboots
The new AlphaBay darknet market's homepage (Source: Elliptic)

The notorious AlphaBay darknet marketplace appears to be getting rebooted.

See Also: Live Webinar | A Buyers' Guide: What to Consider When Assessing a CASB

A new market site bearing that name is now accessible via the anonymizing Tor browser as well as via I2P - an anonymous, peer-to-peer distributed communication layer.

But if you build another darknet market, will buyers and sellers trust it enough to use it? That's just one of many questions accompanying the debut of the new AlphaBay.

AlphaBay's return announced in a post to Ghostbin

Many darknet markets portray themselves as havens for nearly any illegal goods or services one might want to buy or sell: guns, drugs, malware, fake passports and sometimes even contract killings.

Unsurprisingly, such markets remain top targets for takedowns by law enforcement officials. Many get infiltrated by police, so they can identify not just administrators and moderators, but also top buyers and sellers.

The first iteration of AlphaBay ended poorly for its founder, Canadian citizen Alexandre Cazes, who launched the site in December 2014 and ran it from Thailand. For a time, AlphaBay was the most popular darknet market in the world, and Cazes was rich. Authorities say he amassed about $23 million, thanks to his market charging a commission of 2% to 4% on every transaction.

But as part of "Operation Bayonet," spearheaded by the FBI and the EU's law enforcement agency, Europol, authorities in mid-2017 took down the site, Thai police arrested Cazes, who was later found dead in his jail cell.

The FBI says that when it seized and shut down the prior AlphaBay on July 4, 2017, the site featured about 369,000 listings, 350,000 active buyer accounts and more than 9,000 vendors.

Authorities said they'd identified Cazes, aka "Alpha02" and "admin" on AlphaBay, via a personal Hotmail address that he'd reused.

Others are also doing jail time over AlphaBay, including moderator Bryan Connor Herrell, a Colorado resident who last year pleaded guilty to a federal racketeering charge and received an 11-year prison sentence. Authorities said he'd moderated about 20,000 disputes on the site.

AlphaBay Returns

Now, someone has debuted a new AlphaBay, and they claim the impetus is not to cash in on the brand name but rather to carry forward Cazes' legacy by offering the next generation of darknet marketplaces.

As Tom Robinson, chief scientist of blockchain analysis firm Elliptic, first reported via a blog post on LinkedIn, someone with the handle "DeSnake" on Sunday posted to text-sharing site Ghostbin saying he was relaunching AlphaBay and had previously serving as its security administrator and a co-founder. The message was signed using a PGP key that DeSnake said he'd previously used to sign AlphaBay communications, and it provided links that individuals could use to verify that assertion.

"I welcome you to the re-opening of our professionally run, anonymous, secure marketplace AlphaBay to buy or sell products and services. If you are tired of marketplaces run by inexperienced amateurs and/or ones which only copy/paste without having any goals or vision for the future, then we are here to bring you a fresh breath of air," DeSnake says in his Ghostbin post. "I want to dedicate this to alpha02 first and foremost we promised each other to go to the bitter end, here I am keeping my end of the deal."

Some have confirmed that whoever posted that is using legitimate credentials, according to Robinson, who's posted extracts of these attestations. For example, responding to the launch announcement, also posted to a darknet forum, a user therein named "Paris" posted that DeSnake "did verify his identity and provide proof that he was the tech staff at the original AlphaBay," meaning his claim to be an AlphaBay alumnus is "legitimate."

Paris added: "I'm not saying he isn't compromised; but if what he offers is true, at least some people will want to know about it."

'Don't Be Stupid'

Reaction to AlphaBay's return, however, has been mixed. As one user of the Russian-language cybercrime forum Exploit with the handle "lordlucifer" posted to that forum: "This is the most stupid thing that people can trust. After Alpha died there was a new market called Empire with same look as Alpha and it just scammed people. Same as this new 'Alpha.' Don't be stupid and putting money on those sites. The gold times of the deepweb are gone and never will come back."

The Empire darknet market referenced by lordlucifer launched in 2017. In August 2020, it suffered an "exit scam," meaning one or more administrators closed up shop, leaving with all of the cryptocurrency being held in escrow by the site, making them at least several million dollars richer.

Before Empire, other markets that closed after their admins "exit scammed" have included BitBazaar, Apollon and Nightmare, while Icarus exit scammed shortly after Empire.

What's on Offer

DeSnake says AlphaBay will offer most of what darknet forums have historically offered. "For the majority our forum will be run as before - it will dual between a place for vendors to interact with customers by advertising, replying in topics, etc., and a place for having discussions related to hacking, fraud/carding, anonymity, malware/botnets, drugs safety, warez, making money online, etc." he says.

In addition, DeSnake claims AlphaBay has been rebuilt "from the ground up," runs on bulletproof servers and offers a highly automated dispute-resolution system. Like many other markets, the site also offers a highly automated escrow service designed to combat nonfulfillment, which offers protections for buyers and sellers.

One notable difference compared with the old AlphaBay, however, is that for cryptocurrency, the new market will only accept monero, aka XMR. Elliptic's Robinson said this shows the site "following in the footsteps of current market leader White House Market in shunning bitcoin" in favor of monero, which is more privacy-preserving and reputedly tougher for authorities to trace. DeSnake says AlphaBay also runs its own monero mixer - which mixes different streams of the cryptocurrency to make any given user more difficult to trace - "which guarantees that any of your monero coins will not be linked to you."

Many darknet markets offer escrow systems, holding buyers' and sellers' funds to prevent nonfulfillment. The new AlphaBay's version is a decentralized system, dubbed "AlphaGuard," which DeSnake claims will offer protection against both exit scams and takedowns.

"I know all of you lost millions to seizure from law enforcement; this time around I have created a very well-tested system called AlphaGuard, which ensures even if seizures happen on all servers, users will be able to withdraw their funds, settle disputes and leave without a cent lost," he claims.

Cyber-Focused Marketplace

Many darknet markets come and go relatively quickly. As noted, White House Market currently dominates, but other players include ToRReZ and Versus, as well as drug-focused markets, such as CannaHome and Cannazon.

Researchers at Israeli threat intelligence firm Kela have told Information Security Media Group that, in general, there are two types of darknet markets: drug marketplaces and cyber-focused marketplaces selling such things as malware, stolen databases and login credentials.

The new AlphaBay appears to fall more into the latter category, per its long list of rules about what is and isn't allowed. What's banned: advertising for a hit man as well as selling guns or COVID-19 vaccines or anything that targets Russians. Following in the footsteps of a number of other forums and marketplaces, AlphaBay supposedly also bans all ransomware activity, although, as other sites have demonstrated, how and when that gets enforced remains to be seen.

AlphaBay's rules (Source: Ghostbin post by DeSnake)

While ransomware may be officially banned, DeSnake has promised to restart an AlphaBay malware forum called VXcode. "To make the launch of VXcode even more interesting we will be dropping an updated source code of a famous banking Trojan for everyone to enjoy as well as the story of how the feds tried to pin the creation of that malware on me," he says.

Why Darknet Markets Persist

As the debut of the AlphaBay reboot demonstrates, new darknet markets continue to appear, despite the ever-present threats for users losing funds or even getting arrested.

Why do darknet markets persist? "There are two main reasons here: the lack of alternatives and the ease of use of marketplaces," researchers at the Photon Research Team at digital risk protection firm Digital Shadows have told ISMG (see: Why Darknet Markets Persist).

Whether vendors and sellers will buy into the new AlphaBay, and how long it might operate before suffering a potential exit scam or law enforcement takedown, only time will tell.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.asia, you agree to our use of cookies.