Hello everyone, and welcome to the final installment of this six-part AlphaBay newsletter.
Disrupting the dark web economy through a vast, clandestine takedown-takeover sting can be an ethically fraught business, as evidenced in this final part of our series on the global law enforcement investigation known as Operation Bayonet. Sometimes, it turns out, so is the process of reporting on it.
In the fourth part of the series (and of this newsletter), I wrote about how the location of AlphaBay’s central server was discovered through a secret technique, one developed by IRS Criminal Investigations and the cryptocurrency tracing firm Chainalysis. In fact, I heard about this secret tool, which the case’s prosecutors described to me only with the incredibly anodyne term “advanced analysis,” from multiple sources in late 2020, early on in the process of writing the book from which this series is excerpted, Tracers in the Dark.
Somehow, it seemed, Chainalysis had developed a method capable of finding the IP address of a dark-web site’s Bitcoin wallet, despite the fact that the blockchain, the distributed ledger of all Bitcoin transactions on which Chainalysis focused its analysis, contains no IP addresses. How this worked was a mystery, and one that my sources refused to explain. In fact, they actively discouraged me from trying to figure it out.
That secrecy was necessary because, as several of the participants in Operation Bayonet told me, this technique had been used repeatedly to take down other dark-web marketplaces after AlphaBay—and would no doubt be used again. As Tigran Gambaryan, the IRS criminal investigator who became the central protagonist of my book, put it, “We’re using this to go after the real bad guys out there, and it’s something I wouldn’t want to burn.” If I discovered and revealed any details of the method, in other words, it would be “burnt”—exposed so that dark-web administrators or Bitcoin developers could fix whatever vulnerability it exploited, and the technique would become useless.
Despite that warning, I couldn’t help but call up a particularly clever cryptocurrency-focused security researcher not long after learning about the technique. We had an off-the-record conversation in which the researcher immediately told me with 99% certainty how he believed the technique must work: Chainalysis, he said, must run its own Bitcoin nodes—the computers that relay transaction messages across the Bitcoin network—to intercept users’ IP addresses when they broadcast their transactions. Soon after, I learned of an incident early in Chainalysis’ history when Bitcoin users discovered in 2015 that it was doing exactly this, much to the dismay of those privacy-sensitive cryptocurrency users.
This left me with a dilemma: Should I lay out what I knew—or at least guessed—about how this “advanced analysis” really operated? Or leave it a mystery? Reveal it, and I was potentially disrupting law enforcement’s use of a tool capable of taking down truly abhorrent dark-web sites—including child exploitation networks, another layer of the dark web I’d already begun reporting on for the book. But hold back what I knew, and I felt I’d be betraying my duty as a journalist to tell readers the truth whenever possible—and essentially siding with law enforcement over privacy advocates.
I wrestled with this for nearly a year. More than once, I woke up at 3 am and lay awake, thinking about the pitfalls of either decision.
Finally, in the fall of 2021, I was spared from the responsibility of making that decision: A leaked presentation from Chainalysis appeared on the dark web that—lo and behold—included a description of a secret technique for obtaining the IP addresses of dark-web markets’ Bitcoin wallets. This leak was shared with me by none other than a dark-web market administrator, exactly the sort of person in a position to patch the vulnerabilities the Chainalysis technique exploited.
To my relief, I could now publish what I knew: The decision to “burn” the tool had been taken out of my hands.
Just to avoid spoilers, I won’t say exactly which market’s administrator shared the leaked material. But suffice it to say that he runs what is now the biggest drug market on the dark web, just as Alpha02 did in 2017. As I wrung my hands for a year over exposing Chainalysis’ secret weapon, I should have known, perhaps, that the cat-and-mouse game of the dark web would outpace my reporting—that, as I ultimately wrote in the piece, secret weapons don’t tend to stay secret forever.
This is by no means the end of that cat-and-mouse game, but it’s the end of one story from it—and this newsletter. Thanks for going on this journey into the heart of the dark web with me. I’ll leave you with this last image, the red button prop that the Dutch police used at a press conference to announce the AlphaBay and Hansa bust, pressing the button dramatically on stage as if this were what finally pulled their targets offline.
The truth, as usual, was much more complicated.
A photo I took of the Hansa-killing red button inside the Dutch police headquarters in the Netherlands city of Driebergen.
Read the sixth and final part of our series on AlphaBay at the link below, and check out my book Tracers in the Dark, of which it’s a part, here.