DAILY BEAST
      Tech

      This Is How Cops Trick Dark-Web Criminals Into Unmasking Themselves

      TROJAN HORSE

      Dutch cops may have used a booby-trapped file to lure suspected criminals into exposing their IP addresses.

      Joseph Cox

      Updated Aug. 25, 2017 6:32AM ET / Published Aug. 25, 2017 12:00AM ET 

      Photo Illustration by Lyne Lucien/The Daily Beast

Last month the FBI took down AlphaBay, the largest dark-web marketplace in existence. As part of the same operation, European authorities announced they had infiltrated Hansa, another online market, and claimed they had obtained information that could help identify users who would normally be protected by layers of digital anonymity.

      Dutch police may have used a novel technique to unmask suspects—a booby-trapped file that drug dealers downloaded to their computers—including criminals likely in the U.S., according to digital evidence obtained by The Daily Beast. Although the tools cybercriminals use, such as the Tor network, are generally robust, law enforcement or hackers can still find workarounds.

“DON’T open the xlsx locktime file,” a post on Reddit from late July reads, referring to an Excel file hosted on Hansa. Drug dealers selling their wares on Hansa could download the file for a summary of their recent transactions. Previously the file had been a plain text document, but someone recently switched it to the Excel format, according to another Reddit post. It’s not clear exactly when the switch occurred, but Politie, the Dutch police, secretly took over Hansa on June 20, according to a previous Politie press release. On its own dark-web site, Politie wrote that it had changed Hansa’s code, allowing the agency to capture passwords, bitcoins, and other information.

Whoever switched the text file to an Excel document could have added more than a transaction summary. A plain text file does nothing when opened, but an Office document can carry content that makes the application silently reach out to a remote server on open, and other files may run programs that lock down a target computer.

The Daily Beast obtained a copy of the file hosted on Hansa and confirmed that, when opened with Microsoft Office on Windows, the file tries to connect to a remote server. Crucially, it does this outside of Tor, the anonymity network cybercriminals use to hide their tracks and protect dark-web drug markets, meaning the file exposes the user’s real IP address. Tor Browser only routes its own traffic; Office uses the operating system’s ordinary network connection, so unless the entire machine is forced through Tor the request leaves from the user’s real address. Armed with this IP address, cops can approach the relevant internet service provider and demand identifying details on who is behind it. The file The Daily Beast obtained appears to relate to a U.S.-based dealer on Hansa, judging by their online handle.

Buried within the Excel file is a set of instructions that tell Office which server to contact. The structure is similar to that of a so-called Canarytoken, a tracking token that defenders plant in their own files so they are alerted when an attacker opens a stolen or downloaded copy. Cybersecurity firm Thinkst maintains the Canarytoken software.
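As an added example (not code from the article, from the Dutch police, or from Thinkst’s Canarytokens project): an .xlsx file is a zip archive of XML parts, and each part’s outbound references live in a sibling .rels file. The Canarytoken-style way to make Office phone home is a relationship entry marked TargetMode="External" whose target is a URL; the article does not confirm that the Hansa file used exactly this structure, so treat it as the general pattern rather than a description of that file. The scanner below lists such targets from a workbook without opening it in Excel, and builds a constructed minimal workbook (the hostname beacon.example.invalid is hypothetical) to exercise itself.

```python
# Added example: scan an .xlsx for relationships that would make Office
# contact a remote host when the workbook is opened.  Not the article's or
# Thinkst's code; the sample workbook and beacon URL below are constructed.
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Targets that resolve to something off the local package: URLs and UNC paths.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "file://", "\\\\")


def find_external_targets(xlsx_bytes):
    """Return sorted (part, relationship kind, target) triples for every
    relationship in the package marked External whose target is remote."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                if target.lower().startswith(REMOTE_SCHEMES):
                    kind = rel.get("Type", "").replace(REL_TYPE_BASE, "")
                    hits.append((part, kind, target))
    return sorted(hits)


def auto_fetch_targets(xlsx_bytes):
    """Subset of external targets that are resolved on open rather than on a
    click: everything except ordinary cell hyperlinks."""
    return [h for h in find_external_targets(xlsx_bytes) if h[1] != "hyperlink"]


def build_sample_xlsx(beacon_url=None):
    """Construct a minimal workbook-shaped zip (enough structure for the
    scanner, not a complete Excel file).  It always carries one harmless
    clickable hyperlink; when beacon_url is given, sheet1 also gets an
    external image relationship pointing at it, the shape a tracking
    document uses."""
    sheet_rels = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Relationships xmlns="%s">' % REL_NS,
        '<Relationship Id="rId1" Type="%shyperlink" Target="https://example.com/" '
        'TargetMode="External"/>' % REL_TYPE_BASE,
    ]
    if beacon_url:
        sheet_rels.append(
            '<Relationship Id="rId2" Type="%simage" Target="%s" TargetMode="External"/>'
            % (REL_TYPE_BASE, beacon_url)
        )
    sheet_rels.append("</Relationships>")
    parts = {
        "[Content_Types].xml": '<?xml version="1.0"?><Types xmlns='
        '"http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "_rels/.rels": '<Relationships xmlns="%s"><Relationship Id="rId1" '
        'Type="%sofficeDocument" Target="xl/workbook.xml"/></Relationships>'
        % (REL_NS, REL_TYPE_BASE),
        "xl/workbook.xml": '<workbook xmlns='
        '"http://schemas.openxmlformats.org/spreadsheetml/2006/main"/>',
        "xl/worksheets/sheet1.xml": '<worksheet xmlns='
        '"http://schemas.openxmlformats.org/spreadsheetml/2006/main"/>',
        "xl/worksheets/_rels/sheet1.xml.rels": "\n".join(sheet_rels),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample_xlsx()
    tracked = build_sample_xlsx("http://beacon.example.invalid/t.png")  # hypothetical
    print("clean workbook, auto-fetched targets:", auto_fetch_targets(clean))
    print("tracked workbook, auto-fetched targets:", auto_fetch_targets(tracked))
```

Run it against a downloaded workbook with `find_external_targets(open(path, "rb").read())` on a machine that is not the one you care about, or at least before the file is ever opened in Office. The scanner only covers package relationships; external workbook links under xl/externalLinks, embedded OLE objects, DDE formulas and VBA macros are other ways a spreadsheet can reach out or run code, and each needs its own check.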

      Haroon Meer, founder of Thinkst, told The Daily Beast the Hansa file included elements that were similar in structure to a Canarytoken.

It’s not clear how many Hansa drug dealers downloaded the file. Although Politie’s FAQ on the Hansa takedown doesn’t mention this Excel file, it does say, “Information about individuals from other countries has been shared with the appropriate agencies through Europol. It’s up to these agencies what they will do with the information.”

Not much information is available about the server the Hansa file reaches out to. It is based in France and belongs to the popular web-hosting company OVH, according to online records. At the time of writing, connecting to the server returns only a generic error message. But according to one of the Reddit posts, in July the IP address served a page identical to Hansa.

      “That is further suggesting that it was part of a deanonymization scheme,” Nicholas Weaver, a senior researcher at the International Computer Science Institute at UC Berkeley, told The Daily Beast in an email.

      Comments from European officials also indicate this suspicious Excel file may be connected to a law-enforcement operation. In a previous interview with this reporter, Rob Wainwright, the head of Europol, implied that some sort of tool was used to identify Hansa users. And Petra Haandrikman, the leader of the Dutch unit that infiltrated Hansa, told security journalist Brian Krebs, “We did use some technical tricks to find out who people are.”

This resembles the way law-enforcement agencies have unmasked other Tor users. Australian cops sent child-pornography suspects a video that connected to a server the police controlled. And the FBI has repeatedly done something similar with poisoned files: earlier this month prosecutors announced charges against an alleged extortionist after the FBI added code to a video that surreptitiously phoned home to a government-run computer.

      A spokesperson for Europol told The Daily Beast in an email “we are not willing to comment on operational matters like this.” Politie, the Dutch police, did not respond to multiple requests for comment sent over the last week.

      © 2022 The Daily Beast Company LLC