AlphaBay

It was a series of monumental OpSec (operational security) mistakes that led to AlphaBay's demise, according to a series of documents released today by the US Department of Justice.

These documents were published today following coordinated press conferences by the DOJ in the US and Europol in the Netherlands, announcing the takedowns of the AlphaBay and Hansa Dark Web marketplaces.

While Dutch Police have worked with Lithuanian police to take down Hansa, the FBI was the driving force behind AlphaBay's fall.

AlphaBay admin accidentally leaked his personal email address

According to court documents, the investigation into AlphaBay started years back. In the beginning, investigators used classic techniques of buying goods using undercover identities and tracing back postal mail packages to AlphaBay vendors.

This got investigators nowhere, fast, as they were simply running around after small-time crooks. The real problem was AlphaBay — the platform. Luckily, the FBI caught a break when AlphaBay's operators decided to add a forum back in December 2014, three months after the marketplace launched.

Users who registered on AlphaBay's forum got a greeting message from the site's admin. Based on the evidence the FBI received in December 2016, investigators learned that for a short period in 2014, these greeting emails included the AlphaBay admin's personal email address in the message header. That email address was "pimp_alex_91@hotmail.com."

Canadian national confirmed as AlphaBay admin

Clever sleuthing on the FBI's part tracked down the email address to a man named Alexandre Cazes, a 25-year-old Canadian national living in Thailand with his wife.

On AlphaBay, Cazes was known under the username of Alpha02, which he later renamed to Admin in 2015.

With Alpha02's identity exposed, it didn't take long for the FBI to build a profile on Cazes. According to official documents, Cazes was an experienced web developer trained in various technologies and programming languages.

An older snapshot of Cazes' LinkedIn page listed skills such as concurrent programming, web development, network administration, server administration, network security, graphic design, custom software development, cryptography, database design, and database administration, among others. There was also a long list of programming languages that Cazes claimed to be able to write code in.

His LinkedIn page also listed him as the CEO and founder of EBX Technologies, a company that the FBI says he used as a front to hide the financial gains from running AlphaBay.

Snapshot of the EBX Technologies website

The FBI has also tracked down several PayPal accounts registered to Cazes using the pimp_alex_91@hotmail.com, contact@ebxtech.com, and admin@ebxtech.com email addresses.

Cazes's Hotmail email address was also linked to an account on commentcamarche.com where he used the username Alpha02, the same as his AlphaBay identity. On this site, Cazes posted technical tutorials on how to remove viruses from digital photos.

According to the FBI, Cazes appears to have started his cybercrime career working on and managing carding forums, before deciding to create AlphaBay on his own. The skills listed on his LinkedIn page and his experience with the carding underground proved useful when setting up AlphaBay.

Cazes was at the top of AlphaBay's internal hierarchy

This experience was put to good use. Between September 2014 and July 2017, AlphaBay grew from a small fledgling community to the biggest marketplace for selling and buying illegal goods.

Cazes and his Alpha02 persona firmly stood atop the AlphaBay hierarchy. The FBI says he was the one who chose new admins and moderators, decided their salaries, and managed disputes.

Besides Alpha02, AlphaBay was also run by a "Security Admin" known as DeSnake. DeSnake's whereabouts are currently unknown, but the FBI says he appears to have had the same amount of control over AlphaBay servers as Cazes.

Beneath the two was the moderating team, made up of users such as Raspi, Disc0, Russ0, Botah, BigMuscles, and MountainHigh9. These users could reset account PINs and refund disgruntled buyers, and they served as the forum's moderating crew.

One level down was a "Public Relations" manager known as Trappy, the face of the site on the forums and on clear web sites such as Reddit.

The last level of AlphaBay staff was the ScamWatch team composed of two members named Onionhood and Vaas, tasked with identifying fake AlphaBay portals, phishing sites, and marketplace scams.

Cazes was their boss in all matters, and the site thrived under his leadership.

AlphaBay portal before takedown

Cazes amassed an estimated fortune of $35.5 million

After US and Canadian police seized AlphaBay servers on July 4, Thai police arrested Cazes the next day. When they arrested Cazes, authorities all over the world seized houses, cars, and money.

According to a forfeiture complaint, Cazes had amassed over $23 million in Bitcoin, Monero, Ethereum, Zcash, and real money in bank accounts spread across countries such as Thailand, Liechtenstein, Switzerland, and Saint Vincent and the Grenadines.

Authorities also seized cars and real estate estimated at around $12.5 million. Cazes owned homes and real estate in Thailand, Cyprus, and Antigua and Barbuda. He also owned a Lamborghini Aventador, a Porsche Panamera, a Mini Cooper, and a BMW motorcycle. Cazes also bought a villa in Thailand for his in-laws.

Cazes caught red-handed by Thai police

The case against Cazes was solid and became more solid during his arrest. The FBI says that when Thai police raided Cazes' home on July 5, they found him using his laptop. The laptop was unlocked and unencrypted, and Cazes was logged in under the "Admin" account on AlphaBay and the admin account for AlphaBay's data center provider.

Furthermore, the laptop also included a document detailing all of Cazes' financial holdings, which included a list of physical assets, bank accounts, and cryptocurrency wallets. The document included private keys (passwords) for each cryptocurrency wallet.

Investigators tied assets from this document to a series of posts Cazes made on RooshV — a forum for pick-up artists — where he bragged about his financial status. Cazes' forum username was Alpha02, also registered using the same Hotmail email address.

Cazes found dead in his cell on July 12

All these mistakes helped the FBI build a strong case against Cazes. A day after Thai police arrested the Canadian national, US authorities requested his extradition.

Thai police found Cazes with a towel around his neck in his cell on July 12 [1, 2, 3], in what appears to be a suicide, although an investigation is underway to determine the precise cause of death.

In an interview with Canadian press, Cazes' father said his son never smoked a cigarette, never used drugs, and was a little genius after he jumped a year at school. Cazes had no judicial record prior to his arrest in Thailand.

The FBI said they also had other evidence on Cazes, and that they are now busy putting cases together on other members involved with AlphaBay in the US.

AlphaBay users who flocked to Hansa made a big mistake

After AlphaBay went down on July 5, many of AlphaBay's users flocked to Hansa Market, which by that time was infiltrated by Dutch Police.

Some AlphaBay vendors and users seeking a new refuge might have accidentally walked into an FBI honeypot. Some of them will surely need to look for legal representation.

US authorities said that "usernames and passwords of thousands of buyers and sellers of illicit commodities have been identified and are the subject of follow-up investigations by Europol and our partner agencies."

FBI Acting Director McCabe said AlphaBay was ten times larger than Silk Road at the time it was taken down. The site had over 350,000 listings, over 420,000 users, and over 40,000 vendors selling all sorts of illicit goods.