The Darknet after AlphaBay and Hansa

AlphaBay and Hansa were considered two of the largest Darknet marketplaces before being taken down by law enforcement agencies in July 2017. The removal of these two sites has left underground marketplaces in a state of widespread uncertainty, but will it last?

Dutch police covertly infiltrated and took control of Hansa on 20.06.2017, but kept the site running for a full month before shutting it down. During this time Dutch police forces were able to trace the real-life identities of many vendors making illegal transactions on the marketplace, as well as a number who had migrated from AlphaBay after it was shut down on 05.07.2017. The covert operation caught vendors out and has spread the seed of doubt as to whether other markets may also have been infiltrated by law enforcement agencies:
(Figure 1. TradeRoute Forum)

Of the remaining Darknet marketplaces and forums, there is at present no clear leader stepping up to fill the void left by AlphaBay and Hansa, but instead there is a wider spread as displaced vendors migrate to different sites. Tochka and DreamMarket are currently amongst the most popular, with TradeRoute and Valhalla also seeing considerably more traffic than before.

The forum areas of these marketplaces are where activity has really increased. Many vendors are offering their products in forum discussion threads rather than creating listings, since this is what users are viewing most. This allows buyers to easily view any feedback left by customers and assess whether products are genuine or not. Given the turmoil of recent weeks on these marketplaces, buyers and vendors alike are wasting no time in sounding the alarm on any compromised accounts:
(Fig.2 – DreamMarket Forum)

(Fig.3 – DreamMarket Forum)

(Fig.4 – Tochka forum)

To make matters worse, there has been a large increase in phishing campaigns against Darknet users:
(Fig.5 – DreamMarket Forum)

In the above example from DreamMarket, a scammer named @rohff24 gives a tailored response that is disguised as a genuine reply to other messages in the thread concerning "afghan pure". @rohff24 tries to disguise his phishing link as another relevant product listing on the site. The link is swiftly branded as a phishing URL, but it is inevitable that many users will be tricked by the deceptive campaigns that are specific to each thread.

However, such are the levels of mistrust, that many vendors are simply shunning marketplaces altogether and setting up their own dedicated sites, and thus avoiding the risks of exit scams or law enforcement infiltration:
(Fig.6 – Connect Mega Labs)

The above screenshot is from a site named Connect Mega Labs which sells pharmaceutical and research chemicals, now on their own site.

The downside to having one’s own dedicated site however is that the vendors are largely reliant on their current customer base. The shops become much harder to find, and are exposed to far fewer potential buyers, lowering their sales. As more buyers return to Darknet marketplaces, so too will vendors.

Marketplaces are still reeling from the closures of AlphaBay and Hansa, and the uncertainty is being perpetuated by hackers who are breaching vendor accounts, most often through phishing, and stealing funds. The threat of another law enforcement takedown also means many vendors are lying low. They may continue to do so for some time, but displaced vendors will eventually return, as will their customers, and sales will likely increase again – as will the popularity of a select few marketplaces.

Scroll to Top