One Simple Error Led to AlphaBay Admin's Downfall
Compartmentation Fail Analysis: Darknet Admin Reused Personal Hotmail Address
Hollywood loves to portray hackers as wunderkinds with such exceptional cybercrime mojo that they can hack or crack anything, even with their eyes closed.
But in reality, it seems like cops often find their suspects not because they've had to throw the cybersecurity equivalent of a Sherlock Holmes at a case, but because the crooks screwed up.
Just one error is all it takes. And Alexandre Cazes, 25, the accused administrator of the seized AlphaBay site - described by authorities as the world's largest online criminal marketplace - appears to have made more than one such error.
AlphaBay, launched in 2014, was a dark web - or darknet - site reachable by using the Tor anonymizing browser. Modeled on a legitimate e-commerce forum, the marketplace included such categories as fraud; drugs and chemicals; counterfeit items; weapons; software and malware; as well as sections for buying and selling stolen payment card data and personally identifiable information (see Darknet Marketplace AlphaBay Offline Following Raids).
On Thursday, the FBI, Europol and law enforcement partners announced the seizure of both the AlphaBay and Hansa darknet marketplaces (see Special Report: Impact of the AlphaBay Takedown).
Simple Mistake Outed Cazes
Law enforcement agencies identified AlphaBay's administrator, Cazes, thanks to a basic mistake: an email address he had previously used for personal matters ended up in official AlphaBay communications, according to the Justice Department's AlphaBay complaint.
"Once new users joined the forums and entered their private email accounts, they were greeted with an email directly from AlphaBay welcoming them to the forums. The email address of 'Pimp_Alex_91@hotmail.com' was included in the header information for the AlphaBay welcome email," according to the government's complaint against Cazes. It said the email address had been included on all such communications since December 2014.
In December 2016, according to the criminal complaint, law enforcement learned that the email address belonged to Cazes, who was a "self-described independent website designer affiliated with a company called EBX Technologies" and listed his skills as including programming, email hosting, web development, network and server administration, network security, database administration, graphic design and cryptography, among others.
In short, he would know everything that a darknet marketplace administrator might need to know.
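The complaint says only that the address appeared in the welcome email's "header information," not which field carried it. The following added example (it is not code from the complaint, the article, or AlphaBay) shows the audit an operator or an investigator would run over an outbound message: it parses a constructed sample welcome email, pulls every identity-bearing value out of the sender-side headers, the Message-ID and the Received hops, and flags any value whose domain the persona does not own. The sample message, its domains (market.example, recipient.example) and the placement of the Hotmail address in Reply-To and Return-Path are assumptions made for illustration.

```python
import re
from email.parser import Parser
from email.utils import getaddresses

# Headers that carry a sender-side address. Any of them can leak the
# operator's real mailbox if the mail stack is misconfigured.
ADDRESS_HEADERS = ("From", "Sender", "Reply-To", "Return-Path", "Errors-To")

# Constructed sample welcome email (assumption: the leaked address sits in
# Reply-To and Return-Path; the complaint does not name the field).
SAMPLE_WELCOME = """\
Received: from mail.market.example (mail.market.example [203.0.113.10])
\tby mx.recipient.example with ESMTP id abc123
From: AlphaBay <noreply@market.example>
Reply-To: Pimp_Alex_91@hotmail.com
Return-Path: <Pimp_Alex_91@hotmail.com>
Message-ID: <20141201.1234@market.example>
To: newuser@recipient.example
Subject: Welcome to the forums

Welcome to the forums.
"""


def extract_selectors(raw_message):
    """Return (header, value) pairs for every identity-bearing header value."""
    msg = Parser().parsestr(raw_message, headersonly=True)
    selectors = []
    for name in ADDRESS_HEADERS:
        for _, addr in getaddresses(msg.get_all(name, [])):
            if addr:
                selectors.append((name, addr))
    # The right-hand side of a Message-ID normally names the generating host.
    match = re.search(r"@([^>\s]+)", msg.get("Message-ID", ""))
    if match:
        selectors.append(("Message-ID", match.group(1)))
    # Each Received hop records the host that handed the message on.
    for hop in msg.get_all("Received", []):
        match = re.match(r"\s*from\s+(\S+)", hop)
        if match:
            selectors.append(("Received", match.group(1)))
    return selectors


def _owned(domain, allowed_domains):
    """True if domain is one of the persona's domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed_domains)


def audit_headers(raw_message, allowed_domains):
    """Flag every header value whose domain lies outside the persona's compartment."""
    findings = []
    for header, value in extract_selectors(raw_message):
        domain = value.rsplit("@", 1)[-1].lower()
        if not _owned(domain, allowed_domains):
            findings.append((header, value))
    return findings


if __name__ == "__main__":
    # Only market.example belongs to the persona; everything else is a leak.
    for header, value in audit_headers(SAMPLE_WELCOME, {"market.example"}):
        print(f"LEAK: {header}: {value}")
```

The allowlist is the compartment: every address, host name or Message-ID domain the persona does not control is a link from the marketplace to some other identity, and the check has to run on what actually leaves the mail server, not on the template the site renders.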
Email Account Connections
After that, law enforcement apparently had their man. For example, Cazes had registered a PayPal account - tied to Canadian bank accounts held in his name as well as the EBX Technologies business name - using the "Pimp_Alex_91@hotmail.com" email account.
Likewise, a 2008 post to a French-language online tech forum called "www.commentcamarche.com" by a user named "Alpha02" included the name "Alexandre Cazes" and the aforementioned Hotmail address.
The administrator of AlphaBay, notably, had used the username "Alpha02" before changing it to "Admin."
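The chain just described (welcome-email address, PayPal registration, 2008 forum post, username change) is a pivot across shared selectors. The added example below is not from the complaint or the article; it encodes the links the article describes as constructed records, builds a graph in which selectors that co-occur in one record are joined, and searches it for the shortest path from the marketplace persona to a real name. The record layout and the source labels are assumptions. A second record set, also constructed, shows what a properly compartmented persona looks like to the same search.

```python
from collections import deque
from itertools import combinations

# Constructed records modelled on the links the article describes; the source
# labels are illustrative and are not quotations from the complaint.
RECORDS = [
    {"source": "AlphaBay welcome-email header (Dec 2014)",
     "selectors": ["persona:AlphaBay Admin", "email:Pimp_Alex_91@hotmail.com"]},
    {"source": "AlphaBay forum username history",
     "selectors": ["persona:AlphaBay Admin", "username:Alpha02"]},
    {"source": "commentcamarche.com post (2008)",
     "selectors": ["username:Alpha02", "name:Alexandre Cazes",
                   "email:Pimp_Alex_91@hotmail.com"]},
    {"source": "PayPal account registration",
     "selectors": ["email:Pimp_Alex_91@hotmail.com", "name:Alexandre Cazes",
                   "business:EBX Technologies"]},
]

# Constructed counterexample: the persona only ever touches a dedicated address,
# so no record joins it to the personal identity.
COMPARTMENTED = [
    {"source": "AlphaBay welcome-email header",
     "selectors": ["persona:AlphaBay Admin", "email:admin@persona.example"]},
    {"source": "PayPal account registration",
     "selectors": ["email:Pimp_Alex_91@hotmail.com", "name:Alexandre Cazes"]},
]


def build_graph(records):
    """Join every pair of selectors that appear together in one record,
    labelling the edge with that record's source."""
    graph = {}
    for rec in records:
        for a, b in combinations(rec["selectors"], 2):
            graph.setdefault(a, []).append((b, rec["source"]))
            graph.setdefault(b, []).append((a, rec["source"]))
    return graph


def shortest_link(records, start, goal):
    """Breadth-first search from start to goal. Returns the path as a list of
    (selector, source_that_linked_it) pairs, or None if the two are disconnected."""
    graph = build_graph(records)
    parent = {start: (None, None)}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                prev, source = parent[node]
                path.append((node, source))
                node = prev
            return path[::-1]
        for nxt, source in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, source)
                queue.append(nxt)
    return None


if __name__ == "__main__":
    for label, records in (("reused address", RECORDS), ("compartmented", COMPARTMENTED)):
        path = shortest_link(records, "persona:AlphaBay Admin", "name:Alexandre Cazes")
        print(f"{label}: {path}")
```

The search needs no cleverness: with one shared selector the persona is two hops from a real name, and every further record that mentions the address (PayPal, a forum post, a breach dump) only adds parallel routes. Remove the shared selector and the same search returns nothing, which is the whole argument for a dedicated persona.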
Recovered: Open, Unencrypted Laptop
In a clever move, the FBI and Drug Enforcement Administration appear to have timed the AlphaBay takedown so that Thai police could catch Cazes in the act of trying to restore the site.
When Thai police, aided by the FBI and DEA, raided Cazes's home on July 5, they said he was using a laptop that was logged into AlphaBay as "Admin." According to the complaint, a digital forensic examination of the laptop, which was found open and unencrypted, showed that Cazes had been communicating with an AlphaBay data center and with AlphaBay users about an apparent law enforcement takedown of the site; day-to-day operations were managed by a team of 8 to 10 individuals. Investigators also recovered numerous passwords to AlphaBay servers and other infrastructure.
The irony is that Cazes was identified through the reuse of an email address he had obtained for free, when a fresh, dedicated address could have been obtained just as freely.
"A mistake made in December 2014 was reported to the police in December 2016," the operational security expert who calls himself the Grugq says in a blog post. "This single minor error was enough to bring him down. The internet is forever. Mistakes, once made, can resurface at any time. The real error was to not create a compartmented persona to handle all things AlphaBay."
Cazes apparently used that same Hotmail address on other sites too, as the security researcher who goes by @abdilo__ found.
Pimp_Alex_91@hotmail.com was found in myspace, linkedin, exploit.in and 000webhost breaches... good job alphabay admins @thegrugq
— abdilo (@abdilo__) July 20, 2017
Good OPSEC, including compartmentation - keeping personal and criminal identities strictly separated - is easy to describe and routine in crime thrillers, but in real life it appears to be hard to sustain.
"Failing to create a special persona with an email address, false name and identity, used only for managing the AlphaBay darknet market was the root cause problem," the Grugq says. "A compartmentation failure meant that any security mistakes, infosec errors, or other problems would immediately link the darknet market to a real identity. This real identity would then be liable for criminal activity."
LulzSec Takedown Redux
Mikko Hypponen, chief research officer at Finnish security firm F-Secure, calls this type of compartmentation failure "OOPSEC." And Cazes isn't the first to have so stumbled.
Another was Hector Xavier Monsegur, aka Sabu, the former leader of LulzSec, which breached and doxed numerous sites in 2011. FBI agents arrested Monsegur on June 7, 2011, after which he quietly turned informant, helping authorities to identify and arrest other individuals associated with LulzSec, as well as the Antisec and Anonymous groups.
How did the FBI track down Monsegur? They had multiple opportunities. For example, Monsegur reportedly failed to mask his IP address once or twice before logging into an internet relay chat room as "Sabu," meaning investigators could have used internet service provider records to identify the subscriber assigned that IP address. Researchers at security firm Backtrace Security also found clues in a LulzSec chat file that led them to a domain name, and from there to a subdomain, that mirrored a page where Monsegur had posted a picture of his beloved Toyota AE86.
But Monsegur has claimed that his identity had been compromised and shared with the Feds long before then, thanks to his having participated in a group that waged "war" against EFnet, which was once the largest IRC network.
I was part of a "war" on efnet back in mid-2000s where my dox were retrieved. That person simply forwarded to FBI
— Hector X. Monsegur (@hxmonsegur) August 2, 2016
Unfortunate Coda for Cazes
For assisting the FBI, Monsegur was sentenced to time served and spared further jail time. Since completing his supervised release, he has been allowed to use computers again and has stayed legit, working as a penetration tester.
The coda for Cazes, meanwhile, isn't so pretty.
Authorities say Cazes amassed about $23 million from AlphaBay, thanks to the site charging a commission of 2 percent to 4 percent on every transaction, and he spent the money freely. "Cazes and his wife amassed numerous high-value assets, including luxury vehicles, residences and a hotel in Thailand," as well as assets in other countries, including Liechtenstein, Antigua & Barbuda and Cyprus, where he was pursuing "economic citizenship by purchasing expensive real property in the country," according to the Department of Justice.
The FBI and DEA have seized cryptocurrency wallets tied to Cazes holding bitcoin, ether, monero and zcash collectively worth more than $6.5 million, while his financial statements said he had $770,000 in cash on hand.
But after being arrested two weeks ago at the request of the FBI, Cazes was found dead in his Thai jail cell, having apparently taken his own life.