This is a list of all major DNMs which have been compromised by LE, a short summary of each, and how they were caught. This does not cover DNMs which have been hacked.
This is a long post; I’ve tried to make it as detailed as possible for those who want to know the details of market takedowns. I try to provide more details on the less well known markets. This is also not meant to hate on or support any specific markets. Just laying out the facts so people can see what went wrong and the mistakes they can avoid.
List of markets covered here
Farmer’s Market
Silk Road
Silk Road 2.0, Cloud 9, and Hydra (Operation Onymous)
AlphaBay 1
Hansa Market
Farmer’s Market (AKA Adamflowers) (2006-2010 clearnet, 2010-2012 onion site)– In 2006 a drug market by the name of Adamflowers appeared on the clearweb. This website would run as a small drug market (selling “LSD, ecstasy, fentanyl, mescaline, ketamine, DMT, and high-end marijuana” and more), flying under the LE radar, until 2010. In 2010 Adamflowers changed its name to Farmer’s Market and switched over to the Dark Web, using TOR. This was a new idea for online drug markets and caused Farmer’s Market to rapidly grow in popularity. As is usually the case, with this newfound popularity, LE began to take a stronger notice of it. Thus in 2010 an investigation (aptly named “Operation Adam Bomb”) began, led by the US Drug Enforcement Agency (DEA). While this takedown did take nearly two years, part of the reason was a lack of urgency. Farmer’s Market wasn’t nearly as big as future DNMs, and thus LE had less incentive to hurry with their takedown. What eventually led to Farmer’s Market’s takedown, though, was the lack of OpSec technology/innovation at the time. Farmer’s Market came before the creation of Bitcoin, so instead customers could buy using PayPal, WU, I-Golder, or cash by mail. This created an easy way to track market users and admins, compared to future DNMs which used cryptocurrencies. The other thing that led to the takedown of Farmer’s Market was their use of Hushmail for communicating, an “encrypted and safe method of communication [which] would not produce e-mails to law enforcement officers.” Despite this claim, it is largely believed that Hushmail gave LE their unencrypted e-mails. (*cough*, don’t just trust VPNs that say no-log without checking court cases or audits) Information on Farmer’s Market’s takedown is a bit hard to find, but a major source of information comes from the 66 page indictment. This court indictment lists the charges for the market admins, as well as 284 bits of “evidence” on these charges.
Most of this evidence comes from e-mail logs, hence the assumption that Hushmail handed over the e-mails. LE was also able to track where certain PayPal, cash, etc. payments were going to and coming from, and use that information to arrest several users. Eight admins were arrested as well as at least seven users. All eight admins were charged with at least one crime. Of the eight, one passed away before trial; the other seven pled guilty and got ten years or less. By the time of the LE takedown, Farmer’s Market had had thousands of users and approximately $2.5M worth of sales.
Silk Road (2011-2013)– I won’t spend too much time on this market since it already has so much coverage. If you want detailed info, I highly suggest the book “American Kingpin” by Nick Bilton. Basically, Ross Ulbricht made a mistake in his website’s code which leaked his Icelandic server’s IP address. This, along with the fact that he discussed Silk Road on a clearnet forum, linked back to him. There’s tons more to this story (like the 320 page book above lol), but also short articles that can explain the story a lot better and more entertainingly than I can.
Silk Road 2.0, Cloud 9, and Hydra (Operation Onymous 2014)– Operation Onymous was a six-month-long international operation with LE from the US and Europe to take down several illegal sites, including several DNMs. This operation reached the beginning of the end on November 5-6 2014, when a number of dark web websites were shut down. What the government initially claimed was 410 sites soon shrank to 267 sites. This operation also led to 17 arrests and (only) $1M worth of Bitcoin seized. How Operation Onymous was carried out, and how LE was able to take down so many sites at once, remains unclear. However, there are a lot of interesting facts and pieces of information to look at, which help give some ideas. It is believed that Operation Onymous was a wide-scale “sweep” of illegal sites, and that no particular websites were targeted. Instead it is believed that popular dark web servers were targeted. Part of this thought comes from the fact that many illegal sites remained unaffected by Operation Onymous, including other major DNMs such as Agora (already bigger than Silk Road 1.0 at this point), Evolution (which allowed the sale of weapons) and Andromeda. The TOR developers still do not know how LE was able to compromise so many sites. There are four main possibilities:
1) Poor OpSec on the sites’ part (I personally don’t think this one is the case. You would have to assume that LE exploited the poor OpSec of 267 sites within a 6 month period, yet they executed those flaws all in a single day. Also many of those 267 sites were mirrors for sites that didn’t get taken down. If a site’s mirrors have bad OpSec, then I assume their main site would too.)
2) SQL injections
3) Bitcoin deanonymisation
and the most interesting,
4) attacks on the TOR network by DDoSing nearly all relay nodes, so as to force all traffic through LE-owned attacking nodes. With this they could perform traffic confirmation attacks aided by a Sybil attack.
The admins of Cloud 9 market took to Reddit saying that they could no longer access their site, but they still had access to all their Bitcoin. 17 arrests were made, although it is unclear how many of these 17 arrests were of website admins versus users. With what info we do have (as previously stated) it is assumed that this operation targeted hosting companies rather than individual sites, based on the randomness of the sites taken down. More detailed/further info can be found here.
AlphaBay 1– Launched September 2014, officially so on December 22, 2014. As with Silk Road, I won’t spend much time on this popular market. When the creator of the market (Alpha02) first released the market, he sent welcome messages from his clearnet email, [email protected]. This was quickly fixed and went unnoticed for several years. He used the same username that he had used since at least 2008. When LE caught Alpha02 (Alexandre Cazes) they found his laptop completely unencrypted, performing an administrative reboot on the site. His servers were linked to his real name, and he had multiple open, unencrypted hot wallets which he put his funds in. He bragged about all his illegally obtained money by showing off expensive things he’d bought. Overall, a massive number of OpSec failures. It was by pure luck that the site remained up as long as it did (until July 2017).
Hansa Market– Hansa Market opened its doors in August of 2015. Very quickly it rose to become one of the top markets on the Dark Web. Within a year it had become one of the biggest DNMs and caught the attention of the Dutch police. The Dutch police began an investigation into the market; however, they organized this investigation quite differently from previous DNM investigations and takedowns. This time they planned a takeover. This way they could control the DNM and gather more evidence against its vendors and buyers. Thus began a 10-month investigation, from October 2016 to July 2017.
What began the investigation was a tip from an anonymous source. A security and research foundation had found a Hansa development server: a server where the Hansa admins could test out new features and ideas before implementing them on the main market. Due to some (unknown) OpSec failure on the part of the Hansa admins, this development server exposed its real IP. Dutch LE went to that server and installed network-monitoring equipment. Using this they were able to find what servers this development server was communicating with, and copy all the data from all the servers. While this normally wouldn’t help (as all market users are protected by TOR and fake usernames), the Dutch LE found something very surprising. A massive OpSec failure by the Hansa admins left unencrypted IRC chat logs on the servers. In these chat logs LE found tons of information, including the admins’ real names and even addresses. Everything was going to plan for LE, and just as they were about to take over the servers and arrest the admins, a setback came. The admins moved the website to a different, now unknown server. At this point the Dutch LE could have just accepted their loss, arrested the admins, and then searched for the servers, or let the website crash and burn without any admins. Instead, determined to complete a takeover instead of a takedown, they started searching for the new servers. After several months (in April 2017), they got their next lead. A BTC address that was mentioned in those unencrypted IRC chat logs became active. Using chain analysis, LE was able to see where that BTC had gone: a Bitcoin payment provider in the Netherlands. LE contacted this payment firm and gave them a legal order to hand over information on where that BTC had come from… a hosting company in Lithuania. Again, just as Dutch LE was about to arrest the admins and try to implement a takeover, the FBI contacted them, saying they were just about to take down AlphaBay.
So Dutch LE again waited a bit, until after AlphaBay had been shut down. They did this so all the AlphaBay users and vendors would transition to Hansa right before the takeover. And finally, the Dutch LE was ready to put everything into action. Similar to the Silk Road 1 takedown, they had to catch the admins with their laptops open and unencrypted. So they waited until the admins were home and logged onto the market. At that time, on June 20th 2017, German police (in coordination with Dutch LE) raided the admins’ homes, arrested them, and seized their unencrypted laptops. At this point Dutch LE began transitioning the servers to LE-owned servers. The admins gave LE all their login information (to help reduce their sentencing), and Dutch LE officially owned Hansa. Over the next month they rewrote parts of Hansa’s code and gathered info on its users. These changes included storing all users’ passwords, recording plaintext messages before the site encrypted them (Hansa had a feature that automatically encrypted messages. This is why you always encrypt your own messages, don’t trust markets to do it for you), and no longer removing metadata from photos (Hansa also had a feature that automatically removed pictures’ metadata. With this change LE was able to find the location of many vendors.) The biggest move they made though was sharing a file with all users, supposedly a backup key for the users’ BTC if the website ever went offline. Instead this was an Excel file that, when opened, would record and share the user’s real IP if they weren’t using Tails/Whonix/Qubes. This one move led to the arrest of 64 sellers. After 27 days, the Dutch LE had gathered all the info they wanted and took down the site. They wrapped a few things up, which I’m not going to talk about because this is already super long, and that was the end. Main source and further reading.