Dutch Police are aggressively making arrests and new investigations into Dark Web sellers using the data which he collected from the closing of the Hansa drug market.
Currently, several Hansa security researchers and former salesmen have identified two ways in which the Dutch authorities are proceeding against Hansa's former salesmen.
Police reportedly gain access to Dream Market accounts via reused passwords.
In the first case, the Dutch authorities managed to decipher the access codes for vendors who had the same names on the Hansa drug market and the Dream Market, the current Dark Web's top market after the closure of the Hansa and AlphaBay.
If vendors allegedly re-use passwords and did not activate 2FA in their Dream Market accounts. So authorities take control of their profiles, they change passwords by virtually throwing out the sellers.
Dream Market and the Dark Web community have identified 14 vendor accounts that changed their PGP keys: 00DRGREEN00, BoulderMedical, cannab1z, cocaMG, dutchcandyshop, DrPoseidon, GlazzyEyez, Gridlockdope, guessguess, ibulk, iCoke, MarcoPolo420, mushrooms, wolfydutch
One of the aforementioned sellers confirmed in Reddit that he lost access to his Dream Market account because he was using the same Hansa password.
The locktime file
The second method used by the Dutch Police and found by the Dark Web community includes the so-called "locktime" files that were in the Hansa market, which closed on July 20.
Under normal circumstances, a lock time record is a simple seller's purchase transaction log, containing details of the product sold, the buyer, the time of sale, the price and Hansa's signature. The records are used as authentication by sellers to request the release of Bitcoin funds after a sale is completed or if the market were to go down for technical reasons.
According to people familiar with Hansa's internal operations, Hansa's locktime files were usually just a text file.
So before they shut down the site, these lock files were replaced with Excel files containing a hidden image. When a vendor opens the file to view transaction details, the image is uploaded to the vendor's computer.
Once the image is uploaded, the Hansa server records the user's IP address. If the user did not use a VPN, proxy, or visited the page only through Tor, the server records its actual IP address.
Even after Hansa's closure has dropped, some vendors may still have the files on their computers. After the Hansa closure, vendors may have opened the saved files looking for ways to recover their money that is locked in Hansa's accounts.
The Dutch police seized Hansa's servers at 20 in June and secretly collected data from sellers until July 20 officially announced the closure of the market.
When the Europol announced the foreclosure of the Hansa market servers, provided the following audio message, which today seems to be more important than ever.
In recent weeks, the Dutch Police have collected valuable information about high value targets and delivery addresses for a large number of orders. About 10.000 foreign buyer addresses on the Hansa market have been forwarded to Europol.
