Why the New AlphaBay Matters
On July 5, 2017, the original AlphaBay was notoriously shut down along with Hansa. The cybercrime underworld reeled in the aftermath: law enforcement had planted an ominous seed of doubt in the administration of current and future illicit online marketplaces.
And yet, on August 6, 2021, AlphaBay bewilderingly relaunched. Thus far, this iteration of AlphaBay has been met with skepticism among the threat actor community.
In this article, we examine AlphaBay, then and now; detail its current iteration to date and its rules of engagement; and analyze what AlphaBay’s reemergence means for illicit marketplaces, the threat actors who operate within them, and the organizations, communities, and individuals they target.
No other illicit marketplace captured the collective interest of disparate cybercrime communities quite like the original AlphaBay. Its founder, “Alpha02,” was a regular on Tor Carding Forum (TCF) while its security administrator and self-proclaimed AlphaBay co-founder, “DeSnake,” frequented other illicit marketplaces like Evolution.
AlphaBay experienced an increase in active users following the shutdown of TCF in December 2014 and the exit of Evolution in March 2015. As a result, AlphaBay became one of the most popular, comprehensive, and largest cybercrime marketplaces in terms of active users, vendors, and listings. AlphaBay was a one-stop shop for cybercriminals and served as a jumping-off point for threat actors to propagate illicit activity like buying and selling drugs, general malware and hacking tools, and compromised or counterfeit information.
Now, several years later, threat actors still await a successor to AlphaBay that can reengineer its prior effectiveness. It remains to be seen whether or not AlphaBay can follow in its own footsteps.
Following AlphaBay’s takedown, several marketplaces also experienced a bump in active users. Dream Market, which slightly pre-dated AlphaBay, became the heir apparent, but it was shut down in 2019 by its own admins, supposedly over fears of suffering a fate similar to Hansa and AlphaBay. Dream Market, which was concentrated on the sale of drugs and stolen data, publicly attributed the shutdown to incessant DDoS attacks and an expensive ransom demand.
Other marketplaces, like Wall Street Market, launched in 2016 after a short period of cooldown. Wall Street Market was taken down in 2019 by a joint law enforcement effort between the United States and Germany.
Empire Market launched in the image of AlphaBay and even included an homage to its fallen administrator. Its administrators pulled off an “exit scam” in August 2020; as an escrow service, the market was well positioned to make off with users’ crypto.
The Current Landscape
Other marketplaces like White House Market, Dark0de Reborn, and World Market have all experienced a high level of success, as each has been able to amass tens of thousands of listings. At its takedown, the original AlphaBay boasted over 350,000 offerings.
New AlphaBay, New Rules, New Operations
The “new” AlphaBay announced its return on the centralized underground messaging platform Dread. “DeSnake”—whose identity has been confirmed to be the same threat actor behind the original AlphaBay—also shared new rules of engagement for administrators and vendors within the marketplace and forum.
Fentanyl, COVID Fraud Banned
Fentanyl and fentanyl-laced substances, COVID-19 vaccines, and activity related to Armenia, Belarus, Kazakhstan, Kyrgyzstan, and Russia are all verboten. (These rules are not uncommon as most marketplaces want to avoid attention from law enforcement and the Russian intelligence services.)
Cryptocurrency: Monero Only
AlphaBay requires its customers to use Monero to conduct transactions—the original marketplace implemented support for Monero in 2016—due to “higher security and anonymity” than Bitcoin. Notably, several other illicit marketplaces accept Monero and Bitcoin because the adoption of Monero exclusively could push users to conduct business elsewhere.
AlphaBay also warns against using swappers from Bitcoin to Monero as, according to “DeSnake,” they could expose parts of AlphaBay’s infrastructure and lead to law enforcement halting trade or freezing crypto account balances.
If AlphaBay takes off, it could foment a wider adoption of Monero as acceptable payment on other illicit marketplaces. In theory Monero makes it more difficult to attribute identifiers of the sender and receiver. “DeSnake” has also promoted a functionality called “AlphaGuard” in order to protect threat actor wallets in the event of a raid or seizure—the fate of the original AlphaBay.
At the time of this writing, White House Market is the only top darknet market to enforce a Monero-only payment policy, a possible factor inhibiting the marketplace from reaching original AlphaBay status.
The current iteration of AlphaBay appears to be solely designed to bootstrap a “Decentralized Market Network Project.”
When “DeSnake” initially appeared on AlphaBay, the threat actor stated a firm belief that “darknet marketplaces (including ones similar to OpenBazaar ideas) and forums are the future and the way to go.” OpenBazaar (OB), the prototypical decentralized marketplace, shuttered in January 2021 due to a lack of funding. Though OB had its roots in dark marketplaces, it aimed to create a legitimate e-commerce platform that was devoid of central authority.
“DeSnake” intends to morph AlphaBay into a “decentralized market” by 2022 or 2023. The ultimate goal would be to create a fully anonymous market and network that would be “near impossible” for law enforcement to take down. The aforementioned details are all key developments for law enforcement, researchers, and security teams to follow, as anonymity is major capital for threat actors.
“DeSnake” said AlphaGuard would be obsolete once the market is decentralized.
DeSnake’s disappearance since AlphaBay’s shutdown, as well as abrupt exits from Evolution and scuttled projects like Club 99, do not breed confidence in the prospects of a decentralized market. Failed ventures like OpenBazaar also cast doubt on the feasibility of a peer-to-peer exchange.
AlphaBay Hosting: A Push Towards I2P
Previously, AlphaBay was hosted exclusively on Tor. In DeSnake’s Dread announcement, they stated that this new iteration of AlphaBay would be hosted on I2P, with a mirror site on Tor. According to “DeSnake,” they will continue to operate a Tor mirror site until the “majority of users migrate” to I2P. As of this publishing, the Tor site is still live.
“DeSnake” has also commented on Dread that the administration has decided to host AlphaBay on I2P because of its advantages in defending against distributed denial-of-service (DDoS) attacks, which were a factor in driving Dream Market offline.
More Questions Than Answers
DeSnake’s operational security tactics for the new AlphaBay 2.0, like the sole use of Monero and I2P, have been implemented for their increased anonymity, but both are generally less popular and create a barrier to entry for existing darknet vendors.
According to our research, the volume of current marketplace offerings remains relatively low. As of this publishing, there are more than 500 total offerings. However, since the Tor and I2P sites went live, offerings have been steadily trickling in.
The general skepticism of DeSnake’s motives (some claim that “DeSnake” is acting on behalf of law enforcement or that the alias of “DeSnake” has been taken over by law enforcement) also deters current vendors from making the switch.
At this time, AlphaBay is a market like any other, although it’s evident that it dreams of growing into something more: a place where threat actors can conduct illicit business anonymously.