The Dutch Police is aggressively prosecuted in arrests as well as in new searches for Dark Web vendors using data gathered since the closure of the Hansa drug dealership.
Currently, various researchers security and former Hansa sellers have identified two ways in which the Dutch authorities proceed against former Hansa sellers.
Police are reportedly gaining access to Dream accounts Market through reused passwords.
In the first case, the Dutch authorities managed to decipher the access codes for vendors who had the same names on the Hansa drug market and the Dream Market, the current Dark Web's top market after the closure of the Hansa and AlphaBay.
If vendors allegedly re-use passwords and did not activate 2FA in their Dream Market accounts. So authorities take control of their profiles, they change passwords by virtually throwing out the sellers.
Dream Market and the Dark Web community have identified 14 vendor accounts that changed their PGP keys: 00DRGREEN00, BoulderMedical, cannab1z, cocaMG, dutchcandyshop, DrPoseidon, GlazzyEyez, Gridlockdope, guessguess, ibulk, iCoke, MarcoPolo420, mushrooms, wolfydutch
One of the aforementioned sellers confirmed in Reddit that he lost access to his Dream Market account because he was using the same Hansa password.
The locktime file
The second method used by the Dutch Police and found by the Dark Web community includes the so-called "locktime" files that were in the Hansa market, which closed on July 20.
Under normal circumstances, a lock time file is a simple buyer purchase transaction log that contains details of Hansa's product sold, buyer, sale time, price, and signature. Records are used as vendor authentication to request the release of Bitcoin funds after a sale has ended or if the market was falling for technical reasons.
According to people familiar with Hansa's internal operations, Hansa's locktime files were usually just a text file.
So before they shut down the site, these lock files were replaced with Excel files containing a hidden image. When a vendor opens the file to view transaction details, the image is uploaded to the vendor's computer.
Once the image is loaded, Hansa's server records the user's IP address. If o user δεν χρησιμοποιούσε κάποιο VPN, proxy ή επισκεπτόταν τη σελίδα μόνο μέσω Tor, ο διακομιστής καταγράφει την πραγματική διεύθυνση IP του.
Even after Hansa's closure has dropped, some vendors may still have the files on their computers. After the Hansa closure, vendors may have opened the saved files looking for ways to recover their money that is locked in Hansa's accounts.
The Dutch police seized Hansa's servers at 20 in June and secretly collected data from sellers until July 20 officially announced the closure of the market.
When Europol announced the confiscation of the Hansa market servers, it provided the following audio message, which today seems to be more important than ever.
In recent weeks, the Dutch Police have collected valuable information about high value targets and delivery addresses for a large number of orders. About 10.000 foreign buyer addresses on the Hansa market have been forwarded to Europol.