
This Is How Cops Trick Dark-Web Criminals Into Unmasking Themselves

S.J.B.
Joseph Cox
Daily Beast
August 25th, 2017

Last month the FBI took down AlphaBay, the largest dark-web marketplace in existence. As part of the same operation, European authorities announced they had infiltrated Hansa, another online market, and claimed they had somehow obtained information that could help identify users who would have usually been protected by veils of digital anonymity.

Dutch police may have used a novel technique to unmask suspects—a booby-trapped file that drug dealers downloaded to their computers—including criminals likely in the U.S., according to digital evidence obtained by The Daily Beast. Although the tools cybercriminals use, such as the Tor network, are generally robust, law enforcement or hackers can still find workarounds.

“DON’T open the xlsx locktime file,” a post on Reddit from late July reads, referring to an Excel file hosted on Hansa. Drug dealers selling their wares on Hansa could download the file for a summary of their recent transactions. Usually, the file was a plain old text document, but someone recently switched it to the Excel format, according to another Reddit post. It’s not clear when exactly the switch occurred, but Politie, the Dutch police, secretly took over Hansa on June 20, according to a previous Politie press release. On its own dark-web site, Politie wrote it had changed the code of Hansa, allowing the agency to capture passwords, bitcoins, and other information.

Whoever switched the text file to an Excel document could have added additional bits of code within the download. Some files can surreptitiously connect to the internet, while others may run programs that lock down a target computer.

The Daily Beast obtained a copy of the file hosted on Hansa, and confirmed that when opened with Microsoft Office on Windows the file tries to connect to a remote server. Crucially, it does this outside of Tor—the anonymity network cybercriminals use to hide their tracks and protect dark-web drug markets—meaning the file exposes the user’s real IP address. Armed with this IP address, cops can then approach the relevant internet service provider and demand identifying details on who is behind it. The file The Daily Beast obtained appears to relate to a U.S.-based dealer on Hansa, judging by their online handle.

Read the full story here.
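The article describes the mechanism only at a high level: a spreadsheet that, when opened in Microsoft Office on Windows, reaches out to a remote server directly rather than through Tor, so the request carries the user's real IP address. Office files in the .xlsx format are zip archives of XML parts, and any part that references something outside the package does so through a relationship entry marked `TargetMode="External"`. The following is an added example (not code from the article, from The Daily Beast, or from the Hansa file, whose exact contents the page does not show): it builds a constructed sample workbook that contains a few external relationships, then scans any .xlsx for external targets that would cause an outbound network or SMB request. The hostnames, the `tracker.example` image URL and the `203.0.113.5` UNC share are invented for the sample.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces used by Office Open XML relationship files (real, from the OOXML spec).
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE_PREFIX = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Schemes that make Office fetch something from the network when the reference is resolved.
REMOTE_SCHEMES = {"http", "https", "ftp", "file"}


def _rels(*rels):
    """Render a .rels part from (kind, target, is_external) tuples. Helper for the sample only."""
    body = "".join(
        f'<Relationship Id="rId{i}" Type="{REL_TYPE_PREFIX}{kind}" Target="{target}"'
        + (' TargetMode="External"' if external else "")
        + "/>"
        for i, (kind, target, external) in enumerate(rels, 1)
    )
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{RELS_NS}">{body}</Relationships>'
    )


def build_sample_xlsx():
    """Constructed sample workbook (assumption: not the real Hansa file).

    It contains one internal drawing, a remote linked image, an https hyperlink,
    a mailto hyperlink and an external workbook link on a UNC share.
    """
    parts = {
        "_rels/.rels": _rels(("officeDocument", "xl/workbook.xml", False)),
        "xl/workbook.xml": '<?xml version="1.0"?><workbook/>',
        "xl/_rels/workbook.xml.rels": _rels(
            ("worksheet", "worksheets/sheet1.xml", False),
            ("externalLink", "externalLinks/externalLink1.xml", False),
        ),
        "xl/worksheets/sheet1.xml": '<?xml version="1.0"?><worksheet/>',
        "xl/worksheets/_rels/sheet1.xml.rels": _rels(
            ("drawing", "../drawings/drawing1.xml", False),
            ("hyperlink", "https://example.com/orders", True),
            ("hyperlink", "mailto:vendor@example.com", True),
        ),
        "xl/drawings/drawing1.xml": '<?xml version="1.0"?><wsDr/>',
        # A linked (not embedded) picture: the image bytes live on the remote host.
        "xl/drawings/_rels/drawing1.xml.rels": _rels(
            ("image", "http://tracker.example/pixel.png", True),
        ),
        "xl/externalLinks/externalLink1.xml": '<?xml version="1.0"?><externalLink/>',
        # Windows resolves a UNC target over SMB, which also leaks the client's address.
        "xl/externalLinks/_rels/externalLink1.xml.rels": _rels(
            ("externalLinkPath", "\\\\203.0.113.5\\share\\book.xlsx", True),
        ),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()


def is_remote(target):
    """True if resolving this relationship target would leave the local machine."""
    if target.startswith(("\\\\", "//")):          # UNC path -> SMB connection
        return True
    return urlparse(target).scheme.lower() in REMOTE_SCHEMES


def find_external_targets(xlsx_bytes):
    """Return (rels_part, relationship_kind, target) for every external remote reference."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue                      # internal part, stays inside the zip
                target = rel.get("Target", "")
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                if is_remote(target):
                    findings.append((name, kind, target))
    return findings


if __name__ == "__main__":
    for part, kind, target in find_external_targets(build_sample_xlsx()):
        print(f"{part}: {kind} -> {target}")
```

A hyperlink is only followed when the user clicks it, while a linked image or an external workbook path is resolved when the document is rendered, so the relationship kind is printed alongside the target to let the analyst judge which references fire on open. The scanner is deliberately static: it never opens the file in Office, and it should be run on a machine with no network access if the sample is untrusted.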
 
There's always an abundance of loopholes as technology increases and ultimate security is lax. Another case of Hacker vs. Hackee > becomes Hacker > Original Hacker depending on Finance$$$ for covert.
Great piece of literature as always. Thanks for sharing.
 
True enough. No matter how "robust" the technology being used, there is always the fatal flaw called human. Good read, thanks!!
 