The Dutch Police is aggressively prosecuted in arrests as well as in new searches for Dark Web vendors using data gathered since the closure of the Hansa drug dealership.
Currently, several Hansa security researchers and former salesmen have identified two ways in which the Dutch authorities are proceeding against Hansa's former salesmen.
Police reportedly gain access to Dream Market accounts via reused passwords.
In the first case, the Dutch authorities managed to decipher the access codes for vendors who had the same names on the Hansa drug market and the Dream Market, the current Dark Web's top market after the closure of the Hansa and AlphaBay.
If vendors allegedly re-use passwords and did not activate 2FA in their Dream Market accounts. So authorities take control of their profiles, they change passwords by virtually throwing out the sellers.
Dream Market and the Dark Web Community have identified 14 vendor accounts that had their PGPs changed wrenches: 00DRGREEN00, BoulderMedical, cannab1z, cocaMG, dutchcandyshop, DrPoseidon, GlazzyEyez, Gridlockdope, guessguess, ibulk, iCoke, MarcoPolo420, mushrooms, wolfydutch
One of the aforementioned sellers confirmed in Reddit that he lost access to his Dream Market account because he was using the same Hansa password.
The locktime file
The second method used by the Dutch Police and found by the Dark Web community includes the so-called "locktime" files that were in the Hansa market, which closed on July 20.
Under normal circumstances, a lock time record is a simple purchase transaction log of a seller, containing details of the item sold, the buyer, the time of sale, the price and Hansa's signature. The files are used as control identity by sellers to request the release of Bitcoin funds after a sale was completed or if the market was down for technical reasons.
According to people familiar with Hansa's internal operations, Hansa's locktime files were usually just a text file.
So before closing the site, these lock files were replaced with Excel files containing a hidden image. When a vendor opens the file to see the transaction details, the image is placed on the vendor's computer.
Once the image is uploaded, the Hansa server records the user's IP address. If the user did not use a VPN, proxy, or visited the page only through Tor, the server records its actual IP address.
Even after Hansa's closure has dropped, some vendors may still have the files on their computers. After the Hansa closure, vendors may have opened the saved files looking for ways to recover their money that is locked in Hansa's accounts.
The Dutch police seized Hansa's servers at 20 in June and secretly collected data from sellers until July 20 officially announced the closure of the market.
When Europol announced the confiscation of the Hansa market servers, it provided the following audio message, which today seems to be more important than ever.
In recent weeks, the Dutch Police have gathered valuable information about high-value targets and addresses delivery for a large number of orders. Around 10.000 foreign addresses of Hansa market buyers were passed on to Europol.
