> we wanted to keep up with the orders to see if there were any large amounts [of drugs] being ordered to one place...
Approximately what fraction of people on these sites communicate their addresses in the clear? I thought such sites provided end-to-end encrypted communication between sellers/buyers, and encouraged users to use it.
People always, always opt out, and once they can control the website, they can MITM any auto-PGP encryption. On some DNMs it's possible cleartext is the majority. And even when people are careful to keep their address/order info PGP encrypted, they can give away info in other PMs.
Can someone explain to me the technical details of how the mirroring of the website didn't raise any suspicion from the customer or buyer side?
Someone mentioned here that the sites are end-to-end encrypted, so how exactly did the Dutch police MITM such connections?
Why do the website admins have the capability to read transactions between buyer and seller? Is this how it generally works on these websites, in the sense that the buyer and seller use the website for talking to each other?
That seems kind of stupid given that such websites become a single point of failure outing both buyer and sellers.
Why can't they have an end-to-end system (with forward secrecy) where the website is just a medium for advertising your needs?
Even if you have the website code, access to the databases etc., you shouldn't be able to know what the sellers and buyers are talking about. Aren't the databases encrypted, with the keys for decryption only with the seller? Why does the website owner have access to the transcripts between everyone?
Please correct me if any of my assumptions are wrong.
EDIT: I went to the Hansa market site which has been taken down. The banner there mentions that the source code of the website was changed to allow such behaviour, which makes sense. However, this should only put the new buyers/sellers at risk and leave the old ones safe. What went wrong?
> Can someone explain to me the technical details of how the mirroring of the website didn't raise any suspicion from the customer or buyer side?
I don't know any of the specifics in this case, but generally speaking, that would not be a user-visible change. The police had access to the hidden service's private key and could simply announce the service from a new location, keeping the same URL. Tor hidden services hide the location where the service is hosted (at least from regular users, less so from more powerful adversaries).
> The banner there mentions that the source code of the website was changed to allow such behaviour which makes sense. However, this should only put the new buyers/sellers at risk and leave the old ones safe. What went wrong ?
I don't know if they've mentioned whether they have busted only users that have used the site after the takeover - they got a massive influx of new users after AlphaBay went down, so that could've been good enough for them. Based on past cases, I imagine there were plenty of OpSec mistakes that could've led to a bust either way.
(This is probably a good example for why browser crypto is currently a bad idea.)
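As an added illustration of the point above about the hidden service's private key (example code, not from any commenter): a Tor onion name is derived from the service's public key alone, so the name carries no information about where the service is hosted, and whoever holds the matching private key can publish the same name from any host with no user-visible change. This uses the current v3 address format (Hansa, in 2017, ran on the older v2 scheme) and constructed key bytes.

```python
import base64
import hashlib

# Version byte of the current (v3) onion address format, per rend-spec-v3.
ONION_V3_VERSION = b"\x03"


def onion_v3_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum binding the key and version byte into the name."""
    digest = hashlib.sha3_256(b".onion checksum" + pubkey + ONION_V3_VERSION).digest()
    return digest[:2]


def onion_v3_address(pubkey: bytes) -> str:
    """Derive the .onion name from a 32-byte ed25519 public key.

    Nothing about the hosting location enters the derivation: the name is
    fixed by the key, so the private key holder can serve it from anywhere.
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + ONION_V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_v3(address: str) -> bytes:
    """Validate a v3 name and return the public key it encodes, or raise."""
    name = address.lower()
    if name.endswith(".onion"):
        name = name[: -len(".onion")]
    if len(name) != 56:
        raise ValueError("a v3 onion name is 56 base32 characters")
    raw = base64.b32decode(name.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        raise ValueError("not a version 3 address")
    if checksum != onion_v3_checksum(pubkey):
        raise ValueError("checksum mismatch: name was mistyped or tampered with")
    return pubkey


def is_valid_onion_v3(address: str) -> bool:
    """Convenience wrapper: True only for a well-formed v3 name."""
    try:
        parse_onion_v3(address)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed key bytes for demonstration only, not a real service key.
    print(onion_v3_address(bytes(range(32))))
```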
> Can someone explain to me the technical details of how the mirroring of the website didn't raise any suspicion from the customer or buyer side?
By definition the point is the server location is hidden else the police would just bust it. So there's no way anyone can ever tell where it is by definition.
Although the question is, has someone found a way?
Technically it's as pfg mentions, they get the private key when they bust the real site, hence can locate it wherever they want.
If it's a virtual machine they'd just snapshot it and read it from memory.
Dedicated encrypted server, theoretically possible (Silly things like chilling the RAM). Practically? Pretend there's an outage and MITM the password when entered? I'd bet on they'd just cut their losses in this case. Buuut??
"We knew the Hansa servers were in Lithuania, so we sent an MLAT (mutual legal assistance treaty) request to Lithuania and requested if we could proceed with our planned actions in their country. They were very willing to help us in our investigations."
Okayy, this "very willing" part is going to deter me from hosting anything located in Lithuania any time soon
Every country has laws. If you want to evade investigations into drug trade and whatever else they were trading at AlphaBay and Hansa, you should go to a country where they're not illegal.
I am very interested in finding out how they were able to know with certainty that the server was located in Lithuania. I didn't find this mentioned in any reporting of the Hansa takedown and I see a handful of commenters on Krebs asking the same question.