The Dutch Police is aggressively prosecuted in arrests as well as in new searches for Dark Web vendors using data gathered since the closure of the Hansa drug dealership.
Currently, several Hansa security researchers and former salesmen have identified two ways in which the Dutch authorities are proceeding against Hansa's former salesmen.
Police reportedly gain access to Dream Market accounts via reused passwords.
In the first case, the Dutch authorities managed to decipher the access codes for vendors who had the same names on the Hansa drug market and the Dream Market, the current Dark Web's top market after the closure of the Hansa and AlphaBay.
If vendors allegedly re-use passwords and did not activate 2FA in their Dream Market accounts. So authorities take control of their profiles, they change passwords by virtually throwing out the sellers.
Dream Market and the Dark Web community have identified 14 vendor accounts that changed their PGP keys: 00DRGREEN00, BoulderMedical, cannab1z, cocaMG, dutchcandyshop, DrPoseidon, GlazzyEyez, Gridlockdope, guessguess, ibulk, iCoke, MarcoPolo420, mushrooms, wolfydutch
One of the aforementioned sellers confirmed in Reddit that he lost access to his Dream Market account because he was using the same Hansa password.
The locktime file
The second method which uses the Dutch Police and discovered by the Dark Web community includes so-called "locktime" files that existed on the Hansa market, which was closed on July 20.
Under normal circumstances, a lock time file is a simple buyer purchase transaction log that contains details of Hansa's product sold, buyer, sale time, price, and signature. Records are used as vendor authentication to request the release of Bitcoin funds after a sale has ended or if the market was falling for technical reasons.
According to people familiar with Hansa's internal operations, Hansa's locktime files were usually just a text file.
So before they shut down the site, these lock files were replaced with Excel files containing a hidden image. When a vendor opens the file to view transaction details, the image is superimposed on the computer of the seller.
Once the image is loaded, Hansa's server records the user's IP address. If o user δεν χρησιμοποιούσε κάποιο VPN, proxy ή επισκεπτόταν τη σελίδα μόνο μέσω Tor, ο διακομιστής καταγράφει την real its IP address.
Even after Hansa's closure has dropped, some vendors may still have the files on their computers. After the Hansa closure, vendors may have opened the saved files looking for ways to recover their money that is locked in Hansa's accounts.
The Dutch police seized Hansa's servers at 20 in June and secretly collected data from sellers until July 20 officially announced the closure of the market.
When Europol announced the confiscation of the Hansa market servers, it provided the following audio message, which today seems to be more important than ever.
In recent weeks, the Dutch Police have collected valuable information relative to high value targets and delivery addresses for a large number of orders. Around 10.000 foreign addresses of Hansa market buyers were passed on to Europol.