Exclusive: Dutch Cops on AlphaBay ‘Refugees’

Following today’s breaking news about U.S. and international authorities taking down the competing Dark Web drug bazaars AlphaBay and Hansa Market, KrebsOnSecurity caught up with the Dutch investigators who took over Hansa on June 20, 2017. When U.S. authorities shuttered AlphaBay on July 5, police in The Netherlands saw a massive influx of AlphaBay refugees who were unwittingly fleeing directly into the arms of investigators. What follows are snippets from an exclusive interview with Petra Haandrikman, team leader of the Dutch police unit that infiltrated Hansa.

Vendors on both AlphaBay and Hansa sold a range of black market items — most especially controlled substances like heroin. According to the U.S. Justice Department, AlphaBay alone had some 40,000 vendors who marketed a quarter-million sales listings for illegal drugs to more than 200,000 customers. The DOJ said that as of earlier this year, AlphaBay had 238 vendors selling heroin. Another 122 vendors advertised Fentanyl, an extremely potent synthetic opioid that has been linked to countless overdoses and deaths.

In our interview, Haandrikman detailed the dual challenges of simultaneously dealing with the exodus of AlphaBay users to Hansa and keeping tabs on the giant increase in new illicit drug orders that were coming in daily as a result.

The profile and feedback of a top AlphaBay vendor. Image: ShadowDragon.io

KrebsOnSecurity (K): Talk a bit about how your team was able to seize control over Hansa.

Haandrikman (H): When we knew the FBI was working on AlphaBay, we thought ‘What’s better than if they come to us?’ The FBI wanted [the AlphaBay takedown] to look like an exit scam [where the proprietors of a dark web marketplace suddenly abscond with everyone’s money]. And we knew a lot of vendors on AlphaBay would probably come over to Hansa when AlphaBay was closed.

K: Where was Hansa physically based?

H: We knew the Hansa servers were in Lithuania, so we sent an MLAT (mutual legal assistance treaty) request to Lithuania and requested if we could proceed with our planned actions in their country. They were very willing to help us in our investigations.

K: So you made a copy of the Hansa servers?

H: We gained physical access to the machines in Lithuania, and were able to set up some clustering between the [Hansa] database servers in Lithuania and servers we were running in our country. With that, we were able to get a real time copy of the Hansa database, and then copy over the Web site code itself.

K: Did you have to take Hansa offline for a while during this process?

H: No, it didn’t really go offline. We were able to create our own copy of the site that was running on servers in the Netherlands. So there were two copies of the site running simultaneously.

The now-defunct Hansa Market.

K: At a press conference on this effort at the U.S. Justice Department in Washington, D.C. today, Rob Wainwright, director of the European law enforcement organization Europol, detailed how the closure of AlphaBay caused a virtual stampede of former AlphaBay buyers and sellers taking their business to Hansa Market. Tell us more about what that influx was like, and how you handled it.

H: Yes, we called them “AlphaBay refugees.” It wasn’t the technical challenge that caused problems. Because this was a police operation, we wanted to keep up with the orders to see if there were any large amounts [of drugs] being ordered to one place, [so that] we could share information with our law enforcement partners internationally.

K: How exactly did you deal with that? Were you able to somehow slow down the orders coming in?

H: We just closed registration on Hansa for new users for a few days. So there was a temporary restriction for being able to register on the site, which slowed down the orders each day to make sure that we could cope with the orders that were coming in.

K: Did anything unexpected happen as a result?

H: Some people started selling their Hansa accounts on Reddit. I read somewhere that one Hansa user sold his account for $40. The funny part about that was that sale happened about five minutes before we re-opened registration. There was a lot of frustration from ex-AlphaBay users that weren’t allowed to register on the site. But we also got defended by the Hansa community on social media, who said it was a great decision by us to educate certain AlphaBay users on Hansa etiquette, which doesn’t allow the sale of things permitted on AlphaBay and other dark markets, such as child pornography and firearms.

K: You mentioned earlier that the FBI wanted AlphaBay users to think that the reason for the closure of that marketplace was that its operators and administrators had conducted an ‘exit scam’ where they ran off with all of the Bitcoin and virtual currency that vendors and buyers had stored in their marketplace wallets temporarily. Why do you think they wanted this to look like an exit scam?

H: The idea was to hit the dark markets even harder when they think they’re just moving to another market and it turns out to be law enforcement. Breaking the trust, so that [users] would not feel safe on a dark market.

K: It has been reported that just a few days ago the Hansa market administrators decided to ban the sale of Fentanyl. Were Dutch police involved in that at all?

H: It was a combination of things. One of the site’s employees or moderators started a discussion about this drug. We obviously also had our own opinion about it. It was a pretty good dialogue between us and the Hansa moderators to ban this from the site, and [that decision received] a lot of support from the community. But we didn’t instigate that discussion.

K: Have the Dutch police arrested anyone in connection with this investigation so far?

H: Yes, we identified several people in the Netherlands using the site, and there have already been several arrests made [tied to] Fentanyl.

K: Can you talk about whether your control over Hansa helped you identify users?

H: We did use some technical tricks to find out who people are, but we can’t go into that a lot because the investigation is still going on. But we did try to change the behavior [of some Hansa users] by asking for things that helped us to identify a lot of people and money.

K: What is your overall strategy in all of this?

H: Our strategy is that we want people to know that the Dark Web is not an anonymous place for criminals. Don’t think you can just buy or sell your drugs there without eventually getting caught by law enforcement. We want people to know you’re not safe on the Dark Web. Sooner or later we will come to get you.

Posted in Security | Leave a comment

After AlphaBay’s Demise, Customers Flocked to Dark Market Run by Dutch Police

Earlier this month, news broke that authorities had seized the Dark Web marketplace AlphaBay, an online black market that peddled everything from heroin to stolen identity and credit card data. But it wasn’t until today, when the U.S. Justice Department held a press conference to detail the AlphaBay takedown, that the other shoe dropped: Police in The Netherlands for the past month have been operating Hansa Market, a competing Dark Web bazaar that enjoyed a massive influx of new customers immediately after the AlphaBay takedown.

The normal home page for the dark Web market Hansa has been replaced by this message from U.S. law enforcement authorities.

U.S. Attorney General Jeff Sessions called the AlphaBay closure “the largest takedown in world history,” targeting some 40,000 vendors who marketed a quarter-million listings for illegal drugs to more than 200,000 customers.

“By far, most of this activity was in illegal drugs, pouring fuel on the fire of a national drug epidemic,” Sessions said. “As of earlier this year, 122 vendors advertised Fentanyl. 238 advertised heroin. We know of several Americans who were killed by drugs on AlphaBay.”

Andrew McCabe, acting director of the FBI, said AlphaBay was roughly 10 times the size of the Silk Road, a similar dark market that was shuttered in a global law enforcement sting in October 2013.

As impressive as those stats may be, the real coup in this law enforcement operation became evident when Rob Wainwright, director of the European law enforcement organization Europol, detailed how the closure of AlphaBay caused a virtual stampede of former AlphaBay buyers and sellers taking their business to Hansa Market, which had been quietly and completely taken over by Dutch police one month earlier — on June 20.

“What this meant…was that we could identify and disrupt the regular criminal activity that was happening on Hansa Market but also sweep up all of those new users that were displaced from AlphaBay and looking for a new trading platform for their criminal activities,” Wainwright told the media at today’s press conference, which seemed more interested in asking Attorney General Sessions about a recent verbal thrashing from President Trump.

“In fact, they flocked to Hansa in droves,” Wainwright continued. “We recorded an eight times increase in the number of human users on Hansa immediately following the takedown of AlphaBay. Since the undercover operation to take over Hansa market by the Dutch Police, usernames and passwords of thousands of buyers and sellers of illicit commodities have been identified and are the subject of follow-up investigations by Europol and our partner agencies.”

On July 5, the same day that AlphaBay went offline, authorities in Thailand arrested Alexandre Cazes — a 25-year-old Canadian citizen living in Thailand — on suspicion of being the creator and administrator of AlphaBay. He was charged with racketeering, conspiracy to distribute narcotics, conspiracy to commit identity theft and money laundering, among other alleged crimes.

Alexandre Cazes, standing in front of one of four Lamborghini sports cars he owned. Image: Hanke.io.

Law enforcement authorities in the US and abroad also seized millions of dollars worth of Bitcoin and other assets allegedly belonging to Cazes, including four Lamborghini cars and three properties.

However, law enforcement officials never got a chance to extradite Cazes to the United States to face trial. Cazes, who allegedly went by the nicknames “Alpha02” and “Admin,” reportedly committed suicide while still in custody in Thailand.

Online discussions dedicated to the demise of AlphaBay, Hansa and other Dark Web markets — such as this megathread over at Reddit — observe that law enforcement officials may have won this battle with their clever moves, but that another drug bazaar will simply step in to fill the vacuum.

But Ronnie Tokazowski, a senior analyst at New York City-based threat intelligence firm Flashpoint, said the actions by the Dutch and American authorities could make it more difficult for established vendors from AlphaBay and Hansa to build a presence using the same identities at alternative Dark Web marketplaces.

Vendors on Dark Web markets tend to re-use the same nickname across multiple marketplaces, partly so that other cybercriminals won’t try to assume and abuse their good names on other forums, but also because a reputation for quality customer service means everything on these marketplaces and is worth a pretty penny.

But Tokazowski said even if top vendors from AlphaBay/Hansa already have a solid reputation among buyers on other marketplaces, some of those vendors may choose to walk away from their former identities and start anew.

“One of the things [the Dutch Police and FBI] mentioned was they were going after other markets using some of the several thousand password credentials they had from AlphaBay and Hansa, as a way to get access to vendor accounts,” on other marketplaces, he said. “These actions are really going to have a lot of people asking who they can trust.”

“There are dozens of these Dark Web markets, people will start to scatter to them, and it will be interesting to see who steps up to become the next AlphaBay,” Tokazowski continued. “But if people were re-using usernames and passwords across dark markets, it’s going to be a bad day for them. And from a vendor perspective, [the takedowns] make it harder for sellers to transfer reputation to another market.”

For more on how the Dutch Police’s National High Tech Crimes Unit (NHTCU) quietly assumed control over the Hansa Market, check out this story.

This story may be updated throughout the day (as per usual, any updates will be noted with a timestamp). In the meantime, the Justice Department has released a redacted copy of the indictment against Cazes (PDF), as well as a forfeiture complaint (PDF).

Update, 4:00 p.m. ET: Added perspectives from Flashpoint, and link to exclusive interview with the leader of the Dutch police unit that infiltrated Hansa.


June 28, 2017: Registered Nurse Pleads Guilty to Tampering with Fentanyl


July 19, 2017: Texas Man Sentenced to Prison for Conspiring to Import Prescription Drugs


Food and Drug Administration 
Office of Criminal Investigations

 

PITTSBURGH – A resident of Houston, Texas, has been sentenced in federal court to 15 months in prison, followed by two years of supervised release on his conviction of conspiracy to import prescription drugs, Acting United States Attorney Soo C. Song announced today. 

Senior United States District Judge Donetta W. Ambrose imposed the sentence on Manuel Martin Pena, 65, of Houston, Texas.

 

According to information presented to the court, in and around November 2013, to in and around January 2015, Pena conspired to misbrand, smuggle, and import drugs that were exported from India and received in the U.S. by Pena.

 

Assistant United States Attorney Shardul S. Desai prosecuted this case on behalf of the government.

 

Acting United States Attorney Song commended the Food and Drug Administration – Office of Criminal Investigations, Homeland Security Investigations, the U.S. Postal Inspection Service, the Pennsylvania State Police and the Internal Revenue Service – Criminal Investigation for the investigation leading to the successful prosecution of Pena.

 

Topic(s): Prescription Drugs

Component(s): USAO – Pennsylvania, Western


Investor Bulletin: Retirement Investing Through 403(b) and 457(b) Plans

The SEC’s Office of Investor Education and Advocacy is issuing this Investor Bulletin to provide investors with educational information about the basics of retirement investing through 403(b) and 457(b) plans.

403(b) and 457(b) Plans

403(b) and 457(b) plans are tax-deferred retirement savings programs provided by certain employers. Employers such as public educational institutions (public schools, colleges and universities), certain non-profits, and churches or church-related organizations may offer 403(b) plans.  Employers such as state and local government agencies and certain non-profit organizations may offer 457(b) plans.  Some employers may offer both 403(b) and 457(b) plans, and allow you to contribute to both plans.  Contact your employer to find out if both plans are available.

Similar to 401(k) plans, 403(b) and 457(b) plans allow you to contribute pre-tax money from your paycheck to your 403(b) or 457(b) plan to invest in certain investment products.   These pre-tax contributions and their investment earnings will not be taxed until you withdraw the money, typically after you retire.

IMPORTANT! The rules and tax consequences related to withdrawing money differ between 403(b) and 457(b) plans.  For additional information on these rules and tax consequences, please consult a tax professional.  You may also find general tax information about these plans on the Internal Revenue Service’s (“IRS”) website (IRS 403(b) webpage, IRS 457(b) webpage).

Contributions

The IRS determines the annual contribution limits for both 403(b) and 457(b) plans.  In 2017, the annual contribution limit for both 403(b) and 457(b) plans is $18,000.  In addition to that amount, both plans allow “catch-up contributions” of up to $6,000 for eligible participants (those age 50 or older or turning 50 that year).  Each plan has specific rules governing contribution limits and “catch-up contributions.”  You can review these rules on the IRS’s website (403(b) contributions, 457(b) contributions). 

IMPORTANT! Contribution limits for both 403(b) and 457(b) plans may change each year.  Please remember to confirm the current contribution limits for each plan on the IRS’s website (403(b) contributions, 457(b) contributions).

Things to consider when selecting a vendor

Your employer may allow you to choose your 403(b) or 457(b) plan provider from a group of pre-selected financial professionals or firms (“vendors”).  Do not assume that your employer has endorsed any vendor.  Determining which investment products best meet your financial objectives and identifying a vendor who sells those products is very important. Different vendors sell different types of products, and some vendors only offer a limited number of choices. Before selecting a vendor you should:

  • Read your employer’s 403(b) or 457(b) plan documents to learn the basic rules for how your plan operates.
  • Read each vendor’s 403(b) or 457(b) plan materials. A vendor’s plan materials generally may include:
    • A background description of the vendor
    • A description of the vendor’s investment products and services, including information related to product fees and past investment performance  
    • Information related to the vendor’s fees for administering and operating the 403(b) or 457(b) plan (“vendor fees”), including: brokerage fees, advisor fees, account transfer or closure fees, recordkeeping or custodial fees, and general administrative fees 
    • A discussion of the tax information related to investing in a 403(b) or 457(b) plan; and
    • Any additional information the vendor may need to provide as required by applicable federal or state laws.
  • Research each vendor’s background, credentials and experience.  Ask your employer to provide you with any background information it has on the vendors in your 403(b) or 457(b) plan.  Some states require vendors that provide these plans to register with one or more state regulators – in addition to any required registrations under federal laws. If your state requires these vendors to register, it may provide resources to assist you in researching vendors (e.g., California and Texas). Some vendors may be registered with the SEC or state securities regulators.  For tips on researching a vendor registered with the SEC or state securities regulators, please read our Investor Bulletin: Top Tips for Selecting a Financial Professional.  Vendors that are insurance companies generally register with your state’s insurance commission.  For information on how to research insurance companies in your state contact your state insurance commission.
  • Understand how much you’ll pay for the vendor’s investment products and services, including any fees or commissions. Ask each vendor if it provides this information in a simple form that you can easily compare to similar information from other vendors.

IMPORTANT! Your employer selects the vendors you may choose from for your 403(b) or 457(b) plans. Some employers only offer a single vendor.  Contact your employer to find out your vendor options for your specific 403(b) and 457(b) plans.

Investment options

As a participant in a 403(b) or 457(b) plan, you may need to choose among different types of investments.  Typically, 403(b) and 457(b) plans offer two types of investment products – annuities and mutual funds. 

An annuity is a contract between you and an insurance company that requires the insurer to make payment to you, either immediately or in the future.  There are three basic types of annuities:

  • Fixed annuity. The insurance company promises you a minimum rate of interest and a fixed amount of periodic payments. Fixed annuities are regulated by state insurance commissions. Please check with your state insurance commission about the risks and benefits of fixed annuities.
  • Variable annuity.  The insurance company allows you to direct your annuity payments to different investment options, usually mutual funds.  Your payout will vary depending on how much you put in, the rate of return on your investments, and expenses. The SEC regulates variable annuities. For more information about their benefits and risks, please read our Investor Bulletin: Variable Annuities – An Introduction.
  • Indexed annuity. This annuity combines features of securities and insurance products.  The insurance company credits you with a return that is based on a stock market index, such as the Standard & Poor’s 500 Index. Indexed annuities are regulated by state insurance commissions. Please check with your state insurance commission about the risks and benefits of indexed annuities.

A mutual fund is the common name for an open-end investment company. Like other types of investment companies, mutual funds pool money from investors and invest the money in stocks, bonds, short-term debt or money market instruments, or other securities. Mutual funds issue redeemable shares that investors buy directly from the fund or through a broker for the fund.

IMPORTANT! Vendors may use different names for these investment products. After reviewing the vendor’s plan materials, if you are uncertain about what type of investment product a vendor offers, contact the vendor and ask them to explain it to you.

For more information about annuities and mutual funds, please read our descriptions on Investor.gov (annuities, mutual funds).

Questions to ask when choosing investment products

It will be up to you to select investments that best meet your financial objectives.  Although you may be eligible to participate in a 403(b) or 457(b) plan, do not assume that your employer has endorsed any particular investment product offered through the plan. Before selecting an investment product for your 403(b) or 457(b) plan, ask the following three questions:

  1. What fees will I pay?
  2. Will I have to pay any penalties if I change my investment choices? If so, how much?
  3. Does the vendor make more money for selling me one product over another?

What fees will I pay?

Fees and expenses vary from investment product to investment product — and they can take a huge bite out of your returns. An investment product with high costs must perform better than a low-cost investment product to generate the same returns for you. Even small differences in fees can mean large differences in returns over time.  

If a vendor tells you an investment product has “no fees,” it may mean there are no upfront fees when buying the investment product. But most investment products in 403(b) and 457(b) plans have expenses related to their operation that come out of their investment returns on an ongoing basis (e.g., an expense ratio for mutual funds or administrative expenses for annuities).  These ongoing expenses can have a major impact on the investment product’s overall investment return. 

For mutual funds and variable annuities, you can find information on costs and fees in the prospectuses. For fixed annuities, check the sales literature or the contract.  If you need additional help understanding mutual fund related fees, please read our Investor Bulletin: Mutual Fund Fee Expenses. If you need additional help understanding variable annuity fees, please read our Investor Bulletin: Variable Annuities – An Introduction.

In addition to investment product fees, you should also carefully consider the impact of vendor fees. You can generally find these fees in the vendor’s plan materials.

For additional information on how fees can impact your investment returns, read our Investor Bulletin: How Fees and Expenses Affect Your Investment Portfolio.

Will I have to pay any penalties if I change my investment choices? If so, how much?

Make sure you know the answer to this question before you make your investment choices. For example, if you withdraw money from an annuity within the first few years, the insurance company may assess a “surrender” charge. A surrender charge compensates the vendor who sold the annuity to you.

Generally, the surrender charge is a percentage of the amount you sell or exchange, and declines gradually over a period of several years, known as the “surrender period.” Some annuity contracts will allow you to withdraw part of your account value each year — 10% or 15% of your account value, for example — without paying a surrender charge.

Some mutual funds have a back-end sales load known as a “contingent deferred sales load.” Like a surrender charge for an annuity, the amount of this type of load will depend on how long the shares are held, and it typically decreases to zero if the investor holds the shares long enough. The rate at which this fee will decline is disclosed in the fund’s prospectus.

A redemption fee is another type of fee that some mutual funds charge their shareholders when the shareholders redeem their shares. Unlike a sales load, a redemption fee is typically used to defray fund costs associated with a shareholder’s redemption and is paid directly to the fund, not to a vendor. The SEC generally limits redemption fees to 2%.  For additional information on mutual fund fee expenses, read our Investor Bulletin: Mutual Fund Fee Expenses.

The question of whether you must pay a penalty or other fee for switching among investment choices in your plan is different from whether you must pay a penalty for taking money out of your 403(b) or 457(b) plan. You usually have to pay a tax penalty for early (pre-retirement) withdrawals from tax-deferred retirement plans.  Consider consulting with a tax professional before you take money out of your 403(b) or 457(b) plan.

Does my vendor make more money for selling me one product over another?

Always ask how — and how much – the vendor receives as payment for selling a particular investment product. For example, you could ask:

  • Do you receive a commission for selling Product X to me? If so, how much?
  • Do you get any other type of compensation for selling Product X? If so, what? (This could include a bonus or points toward some other reward, such as a trip or a cruise.)
  • Are there any other products that can meet my financial objectives at a lower cost to me, even if you do not sell those products?

Additional Resources

The Financial Industry Regulatory Authority (FINRA) provides an online tool called the FINRA fund analyzer. This fund analyzer offers information and analysis on several mutual funds, exchange traded funds (ETFs) and exchange traded notes (ETNs). This tool estimates the value of the funds and impact of fees and expenses on your investment and also allows you the ability to look up applicable fees and available discounts for funds. Please visit the FINRA website to use the fund analyzer.

IRS 403(b) webpage

IRS 457(b) webpage

Some 403(b) plans must comply with the Employee Retirement Income Security Act (ERISA).  Please visit the U.S. Department of Labor’s 403(b) plan webpage to learn more about the ERISA requirements for these plans.

Select State Resources:

For a list of questions you should ask when considering an investment, see Ask Questions: Questions You Should Ask about Your Investments.  This publication is also available in Spanish.

For general information about saving and investing, see Saving and Investing: a Roadmap to Your Financial Security through Saving and Investing.  This publication is also available in Spanish.

For additional investor education information, see the SEC’s website for individual investors, Investor.gov.

The Office of Investor Education and Advocacy has provided this information as a service to investors. It is neither a legal interpretation nor a statement of SEC policy. If you have questions concerning the meaning or application of a particular law or rule, please consult with an attorney who specializes in securities law.
