A Slow Burn: Exploring the Uncertain Fate of AlphaBay 2
Earlier this year, AlphaBay 2, a well-known dark net market and successor to the fabled AlphaBay, vanished. Its admin, DeSnake, remains unaccounted for. What happened?
This post is also published on the Tailored Access website.
In January 2023, the esteemed dark net market known as AlphaBay 2 suddenly went offline. It was first presumed that this was due to either a denial-of-service attack (a frequent occurrence on the dark net) or unannounced emergency maintenance work. The general expectation was that AlphaBay 2 would come back online shortly, just as it always had.
Dark net markets are encrypted, anonymous online platforms that facilitate the exchange of (mostly) illegal goods and services. Picture the internet you’re familiar with as a lively house party, with people hanging out, telling stories and otherwise openly broadcasting their presence. By contrast, the dark net is a highly-choreographed masked ball. Its participants know nothing about each other except that they are in the same room at the same time. Their interactions are regulated by protocols and decorum: use encryption, go by handles to preserve anonymity and strive to reveal as little identifying information as possible. The dark net is only accessible via the Tor Browser, which routes connections in such a way as to make users untraceable and unidentifiable.
As one week turned into two and then into three, rumors started to spread as to the true reasons behind the site’s prolonged downtime. AlphaBay 2’s owner and administrator, going by the handle DeSnake, was ominously silent about the outage. This naturally caused many to speculate that the site may have been taken down by law enforcement. Others weren’t convinced, citing the absence of the typical take-down notice which usually accompanies such operations. An exit scam was suggested as another likely scenario. Exit scams - when admins shut down a market without warning and disappear along with their users' funds - are another all-too-common occurrence on the dark net. However, there was no evidence speaking in favor of this particular explanation either.
A note on the OG AlphaBay
AlphaBay 2 is a direct descendant of the original AlphaBay - the most notorious market to emerge on the dark net since the untimely demise of the legendary Silk Road in 2014. The OG AlphaBay was run by Alpha02, an established carder (a hacker specializing in credit card fraud) who was no stranger to criminal enterprise on the dark net. When it first launched, AlphaBay was primarily dealing in the tools of the carding trade: stolen credit card details, account logins, skimmers and the like. Given its niche, the market got off to a slow start. It would take the arrival of narcotics vendors to finally boost the site’s mass market appeal, eventually transforming it into the fabled contraband emporium it’s now remembered as.
Alpha02 had an epic vision for AlphaBay from the beginning. His goal was to “become the largest eBay-style underworld marketplace”. With the takedown of the Silk Road still fresh in people’s minds, Alpha02 spoke publicly and often about his site’s vastly improved security: “..[we] have created a stable & fast marketplace web application which has been built with security in mind right from the start.”
By 2016, the OG AlphaBay was facilitating sales in excess of $2 million per day. It counted more than 400,000 users and 350,000 product listings. At around this time, just as AlphaBay was nearing its peak, Alpha02 started to gradually withdraw from the limelight. He stopped granting interviews, changed his handle to the more generic “admin” and only permitted direct contact from other AlphaBay staff. While retaining full control of the site, he delegated daily operations and communications tasks to his second-in-command: DeSnake.
Alpha02 would eventually be outed as Alexandre Cazes, a 26-year-old Québécois man living in Thailand. Police arrested Mr Cazes in his house on a quiet cul-de-sac of a gated suburb on the fringes of Bangkok. His wife and child were home at the time. After spending just a few days in custody at a Thai police station, he hanged himself in his cell with a bath towel.
The sting that brought down Mr Cazes was one element of a complex and coordinated multinational police effort called Operation Bayonet, which involved the parallel takedown of Hansa, another well-known dark net market. Dutch police surreptitiously took control of Hansa, running it as a honeypot for 28 days. They gathered personal information on hundreds of thousands of users and arrested dozens of vendors.
In addition to Alexandre Cazes, Operation Bayonet led to the capture and conviction of two other AlphaBay employees. In 2018, Ronald Wheeler III (aka ‘Trappy’) was sentenced to nearly 4 years in federal prison for his role as spokesperson and PR manager. A few years later, in 2020, Brian Connor Herrell (aka ‘Penissmith’ aka ‘Botah’) of Aurora, Colorado was sentenced to 11 years in prison for serving as an AlphaBay moderator and dispute mediator. Both were low-level staffers with little operational involvement in the market. Meanwhile, DeSnake, AlphaBay’s second-in-command and head of security, appeared to have successfully eluded the authorities.
The harsh sentences meted out to Trappy and Botah, the dark net equivalent of cash register clerks, speak to the pressure law enforcement must have been under for their operation to produce results. (The cost of Operation Bayonet remains classified.) With AlphaBay’s kingpin dead and his right-hand man unaccounted for, the remaining convictions simply had to count. It’s also well-documented that drug and computer crimes are amongst the most harshly-punished non-violent offenses in the US criminal justice system. This possibly explains why those implicated in dark net market operations, a domain of crime which is at the intersection of these two areas, routinely receive such stiff sentences.
The circumstances surrounding Mr Cazes' death remain disputed by those close to him. His attorney, Roger Bonakdar, was preparing to fly to Bangkok to meet with Mr Cazes when word of his death reached him. He was floored by the news of his client’s apparent suicide: “I know someone who’s on the edge when I speak to them, I just never got that sense from Cazes that he felt all was lost, that there was no recovering from this, that he was a dead man.” Mr Cazes' mother also refuses to accept the official version of events surrounding her son’s death: “Why did the FBI take no action to protect ‘their trophy’ while awaiting his extradition to the USA? Surely they wanted Alex not to speak, and his assassination was ordered.”
The Unlikely Return of DeSnake
In the years following the 2017 OG AlphaBay bust, numerous dark net markets popped up and disappeared again just as quickly. This is a period now termed “the Great Cyber Resignation” by cybersecurity threat analysts. Some markets were taken down by law enforcement. Others pulled exit scams, the admins vanishing overnight with millions worth of escrow funds and vendor bonds. A select few announced their intention to shut down weeks in advance, giving users time to finalize their orders and withdraw their money - an exit strategy known as ‘honorable retirement’ in the dark net community.
Then, in the midst of the turmoil, DeSnake suddenly re-appeared on the dark net scene. He hadn’t been heard from in the four years since the OG AlphaBay bust, but he was able to verify his identity with a PGP-signed message. In an interview given to WIRED Magazine on the occasion of his comeback, DeSnake explained the motivation behind his return:
The biggest reason I am returning is to make the AlphaBay name be remembered as more than the marketplace which got busted and the founder made out to have committed suicide.
DeSnake re-launched AlphaBay in 2021. He claimed to have re-coded the site from scratch, completely overhauling its security regimen in the process. AlphaBay 2 would only settle transactions in Monero, a privacy-focused cryptocurrency that has so far proven impervious to the kind of blockchain analysis that helped to bring down the Silk Road and the OG AlphaBay. He also implemented a new security protocol called AlphaGuard, designed to allow the market to continue operating in the event of a security breach.
Even with his identity apparently confirmed, there were still good reasons to question DeSnake’s legitimacy. Many in the dark net community believed that law enforcement had found and flipped him in the intervening years - or had otherwise gained control of his PGP key. For them, AlphaBay 2 was tainted by association from the start. The possibility of falling victim to another elaborate law enforcement honeypot such as Hansa Market loomed high in the minds of prospective customers.
Despite these reservations, users and vendors still flocked to the new market. By the summer of 2022, AlphaBay 2 had 30,000 listings and 1,300 active vendors. For a moment, it appeared that DeSnake had made good on his claims. AlphaBay 2 seemed well on its way to becoming the top dog among the dark net markets once again.
Exit scam, law enforcement sting or just plain old bad luck?
By February 2023, AlphaBay 2 had been down for months with no official word from the site’s staff. Customers were becoming desperate for an explanation.
One report indicated that users on Reddit claimed to have spotted a withdrawal of 1,479.03904709 Bitcoin (worth $41.4 million at the time of writing) from an address possibly associated with AlphaBay 2. If true, this would indicate an exit scam. However, the ownership of this address has never been verified. It’s also not immediately clear why so much Bitcoin would be held in reserve by a market that runs exclusively on Monero.
On February 14, a high-level AlphaBay 2 admin going by the handle ‘TheCypriot’ posted a PGP-signed message on Reddit with an update on the status of the market:
The market main link is down and has been up and down for probably 2 months due to DDOS. You will get this error: Onionsite Not Found
In my experience over the years this is not LE. Feel free to discuss, many of you will but the signs just are not there. If it is it would be the worst planned and executed LE action in the history of the markets. They didn’t even put up a fancy seizure screen. (Hat tip to the Dutch team for top notch graphics). Doesn’t mean that it wasn’t.
In my experience this is not an exit. I mean if it doesn’t come back it would be, but it would be the most poorly planned and executed exit in the history of the markets. Doesn’t mean that it wasn’t.
TheCypriot claimed that AlphaBay 2 had partially shut down because one of the two canaries used by the site had not been signed on time by DeSnake.
A ‘canary’ is a method of alerting users that a website may have been compromised. It requires admins to regularly sign a public message containing some independently verifiable information (e.g. news headlines or the hash of the latest bitcoin block) with their PGP key. If a site’s canary is not updated on time, users should assume the worst.
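The freshness check described above, sketched from the reader's side as an added example (not code from AlphaBay 2 or from the original post). It assumes the canary's PGP signature has already been verified separately; the field names, the 30-day window and the block data are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=30)   # assumed window; the market's lock reportedly tripped after a month
MAX_SKEW = timedelta(days=2)   # assumed tolerance between claimed date and anchor block

# Constructed sample: cleartext of a canary whose PGP signature is assumed
# to have been verified already (e.g. with `gpg --verify`).
SAMPLE_CANARY = """\
Canary-Date: 2023-01-02
Block-Height: 100
Block-Hash: constructed-hash-aaaa
Statement: I remain in sole control of this key.
"""

# Constructed stand-in for block data fetched independently of the site.
SAMPLE_CHAIN = {100: ("constructed-hash-aaaa",
                      datetime(2023, 1, 2, 9, 0, tzinfo=timezone.utc))}

REQUIRED = ("Canary-Date", "Block-Height", "Block-Hash")

def parse_canary(text):
    """Split 'Key: value' lines into a dict; reject canaries missing a field."""
    fields = dict(line.split(": ", 1) for line in text.splitlines() if ": " in line)
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"canary missing fields: {missing}")
    return fields

def check_canary(text, chain, now):
    """Return 'fresh', 'stale', 'bad-anchor' or 'inconsistent'."""
    f = parse_canary(text)
    record = chain.get(int(f["Block-Height"]))
    if record is None or record[0] != f["Block-Hash"]:
        return "bad-anchor"        # embedded hash does not match independent data
    block_time = record[1]
    claimed = datetime.strptime(f["Canary-Date"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
    if abs(claimed - block_time) > MAX_SKEW:
        return "inconsistent"      # date claims more than the anchor can prove
    # The block hash only proves the text was written after that block existed,
    # so age is measured from the block time, not the self-declared date.
    return "fresh" if now - block_time <= MAX_AGE else "stale"

if __name__ == "__main__":
    for day in (datetime(2023, 1, 20, tzinfo=timezone.utc),
                datetime(2023, 2, 14, tzinfo=timezone.utc)):
        print(day.date(), check_canary(SAMPLE_CANARY, SAMPLE_CHAIN, day))
```

The embedded block hash is what stops a canary from being signed in advance: a valid signature over a stale or mismatched anchor still counts as a failed canary.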
DeSnake went one step further and integrated canaries into AlphaBay 2’s security protocols, as TheCypriot further explained in his Reddit post:
Canary 2 is a lock on our PGP module which handles all signing and creation of PGP messages. This has a direct impact on any account with 2FA (Staff and vendors mandatory, customers encouraged). You will get an error message saying ERROR: Data signing failed. This means the market is locked because DeSnake has not signed with his PGP key for a month and the market locks down for safety.
It turns out that AlphaBay 2 had shut down by design. This was not an exit scam - at least not following TheCypriot’s take on the matter. However, this insight raises an obvious question: What prevented DeSnake from signing the canary on time?
Furthermore, this was not the first time that AlphaBay had shut down due to DeSnake going AFK (away from keyboard) for an extended period. In October 2022, AlphaBay 2 had automatically locked down due to DeSnake’s unexpected three-week absence. Similar incidents occurred in July and August.
If AlphaBay 2 didn’t fall prey to law enforcement and if DeSnake kept to the high road and didn’t exit scam, then what happened?
One theory that briefly gained traction on Reddit was that DeSnake may have been a victim of the Turkey-Syria earthquake, which struck the region earlier this year, just as AlphaBay 2 went dark. DeSnake claimed to live in a non-extradition country - this was an important part of his operational security regimen. There were also long-standing rumors of links between both AlphaBays and Russia. Most of Syria is currently under the control of the Russia-Iran backed Syrian Arab Republic regime. This includes areas close to the border with Turkey, which were among those hardest hit by the earthquake.
Could DeSnake have been living in Syria at the time of the earthquake? Is he one of the estimated 24,000 Syrian casualties? The theory appears to fit with what we know. But then again, we know so little that this isn’t a particularly high bar to meet.
It’s unlikely that we’ll ever be able to say for certain what really happened to DeSnake and AlphaBay 2. The sudden unexplained disappearance of this notorious dark net market has left behind a trail of unanswered questions and a lingering sense of unease.
Yet, in many ways, this enigmatic (non-)ending is a fitting testament to the obscure and elusive nature of dark net operators like DeSnake, who thrive in a world shrouded in secrecy. DeSnake may forever remain an unknown quantity - just the way he always intended.