Dutch Police Have Taken Over 12 Dream Accounts, Likely More

In June, law enforcement in Germany arrested three men. All three, according to the Bamberg General Prosecutor’s Office, operated LuL.to, an illegal (eBook) file-sharing website. Two of those men, according to Dutch police, managed or owned Hansa Market. Dutch police subtly took control of the market. Once they secretly owned Hansa—akin to the FBI running PlayPen—they had access to any and everything. And after the announcement on July 20, law enforcement warned they would use the same account logins and passwords to access accounts on other marketplaces. Later in July, authorities accomplished just that.

They took control of at least 12 Dream Market vendor accounts. Likely more than 12. One Reddit user counted 16. The method used to determine whether or not a vendor’s account is in the hands of law enforcement is incredibly easy. The PGP keys. Several vendors can confirm that someone locked them out of their accounts and changed their PGP key. The User-ID of the PGP key: “Dutch National Police.”

The next step requires the use of Grams. “Grams is the Google of the dark net, with cross-marketplace searches and search database for TOR sites,” the DeepDotWeb page for Grams explains. The search service allows for username searches and reverse searches using a PGP key in. Plug the Dutch National Police’s key into the search field and Grams returns a list of Dream Market vendors. (The key can be found at either of the Reddit links in this post) The Key-ID is 6682AB28 and the fingerprint is 25A7 8CC4 EA76 D2A4 D018 F3C0 E162 0751 6682 AB28.

As of July 25, /r/darknetmarkets moderator “wombat2combat” verified that the police grabbed the account of a vendor who preferred not to be named. Over on the /r/DNMUK subreddit, verified vendor “iCoke” confirmed that law enforcement had taken over his account as well.

iCoke wrote in one thread regarding the issue:

“[iCoke] here, i also cannot access my dream vendor account as 2fa has been disabled. anyone know someone in support or who has had this problem fixed… 2fa has always been setup for me. can’t log in with only password. profile says account last accessed on the 20th. Which wasnt me!! I want to be back on dream but things don’t look good.”

The subreddit moderators stickied a post that contains a list of compromised vendors. It varies slightly when compared to the original post on the topic, but the OP clarified that some of the keys had not changed when he looked. The vendors that currently have the Dutch National Police PGP key associated with their Dream profile: 00DRGREEN00; BoulderMedical; cannab1z; cocaMG; dutchcandyshop; DrPoseidon; GlazzyEyez; Gridlockdope; guessguess; ibulk; iCoke; MarcoPolo420; mushroomgod; wolfydutch. Two more, medicalzNL and rxchemist “turn up when searching for the DNP key on grams… However they have currently not listed the DNP key on their profile,” wombat2combat wrote. For some reason, law enforcement accessed those accounts, changed the PGP key to the DNP key and changed back after Grams crawled Dream Market.

What does this mean? Dutch law enforcement may be the only ones who know. If the operation to infiltrate Hansa Market was as calculated as they claimed, changing compromised a vendor’s PGP key to one labelled “Dutch National Police” would be seemingly counterproductive. But, like their failed attempt at signing a message on their “Hansa FAQ,” maybe this was an accident.

Wombat2combat closed the post with the following advice:

“No vendor would willingly list the DNP key. Either the vendors are compromised [more likely] or the Dream admins, or maybe both. Regardless, if you have ordered from one of the listed vendors, clean your house now (remove everything illegal and suspicious) and research a lawyer… I am not sure why law enforcement would do that, but the customers from these vendors should also proceed as explained above to be safe.”