Dutch Study: Half The Vendors Migrating To Dream Did Not Change PGP

A recent study by Dutch researchers shows that over half of the vendors who migrated to the Dream Market after Operation Bayonet, did not change their usernames and PGP setups.

The Dutch research institution TNO released a study, in which the researchers analyzed the dark web markets – with a special focus on the vendors – after law enforcement authorities took down AlphaBay and Hansa in a coordinated global action, Operation Bayonet.

On July 20, multiple law enforcement agencies, including the Europol and the U.S. Department of Justice, announced the takedown of Hansa and AlphaBay. At the time, when AlphaBay went down, the users of the marketplace suspected an exit scam, however, it was a globally coordinated law enforcement action. On July 12, Thai authorities arrested Alexandre Cazes, 26, one of the administrators of AlphaBay. The next day, a prison guard found the 26-year-old Canadian hanged in his cell.

News emerged about Cazes’ death and his AlphaBay “operation” but the public did not hear anything about Hansa. However, prior to Cazes’ arrest, German authorities arrested the operators of the Hansa marketplace. In addition, since the servers and the equipment were seized too, the Dutch police managed to control the website for a while, without user knowledge.

The study showed two main findings. Firstly, when law enforcement authorities closed down AlphaBay, the Dream Market experienced a high influx of vendors from the seized marketplace. On the other hand, when the same happened with Hansa, there was only a minimal migration to Dream. The possible reason for this could be that after AlphaBay was shut down, the sellers of the marketplace trusted Hansa as an alternative. However, after Hansa was seized too, they lost confidence in other darknet markets too and feared that they could be compromised by the authorities.

Furthermore, while law enforcement authorities did not infiltrate AlphaBay – only seized the servers and arrested one of the admins, the Dutch police controlled the Hansa website for about a month, where the investigators managed to identify at least 10,000 Hansa users.

The second finding of the research institute shows the negligence of the vendors. According to TNO, 54 percent of the migrated vendors (from AlphaBay, Hansa, or both to the Dream Market) did not change their usernames and PGP setups. 26 percent of the sellers switched their PGPs, 14 percent signed up to Dream with a new username, while only six percent of the vendors changed both their PGPs and usernames.

The researchers highlighted that both usernames and PGPs are “valuable assets” in the dark web community, and users only change these when they really have to. PGPs are especially valuable since users can only verify if the same vendor is selling, for example, on another marketplace if they verify their PGP. In the dark web Reddit community, there were several reported scams when the swindler posed as a popular vendor on a different marketplace.

According to Rolf van Wegberg, co-author of TNO’s study, the difference between the AlphaBay and Hansa migration was striking. Mr. Wegberg said that after Hansa was shut down, “the amount of blank-slate new vendors on the Dream Market shot up.” On the other hand, Mr. Wegberg said that TNO can’t prove that this statistic jumped because vendors are starting their business over – they could just be completely new sellers – however, the researchers strongly suspect that reason for this is the PGP or username change.

Since TNO is currently researching how effective was Operation Bayonet, the researchers will be monitoring the Dream Market – with a special focus on new vendors – to find out whether the law enforcement action holds out in the long run.

Mr. Wegberg told the news publication TNW that they will start a special investigation against the new vendors on Dream. According to the researcher, TNO will use text analysis and will try to match the new vendor accounts with their old ones, potentially linking the sellers to their compromised accounts. The researchers will only analyze the way the vendors are communicating with their customers, and, according to Mr. Wegberg, this will be enough to link the old and new vendor accounts.