How Dutch Police Busted Hansa Dark Web Marketplace

Hansa was once the second largest dark web marketplace after AlphaBay selling everything from illegal drugs to stolen databases, credit card information and malicious software. But then Dutch Police came in, secretly took control of Hansa domain days before seizing its domain and arrested its administrators, buyers, and sellers.

The sudden bust shocked the customers as well as the IT security community keeping an eye on dark web marketplaces. However, now the Dutch police have revealed how they took over Hansa and shut down its large-scale drug-related operation.

Following are the details explaining how the police busted Hansa marketplace. This information was revealed by Gert Ras, head of The Dutch National High Tech Crime Unit (NHTCU) and investigator Marinus Boekelo at Kaspersky Security Analyst Summit (SAS2018 in Mexico.

Marinus Boekelo (left) and Gert Ras (right) – Image credit: @pwnallthethings/Twitter

Bitdefender tipping Dutch police

It all started in 2016 when Romanian anti-virus software and cybersecurity firm Bitdefender informed Dutch police that servers hosting Hansa marketplace’s domain were based in the Netherlands. This came as a big surprise for the authorities since tracking a dark web domain using Tor is if not impossible at least very difficult.

The same year Dutch police successfully created a duplicated copy of Hansa server and discovered its chat logs. That is when the authorities identified that Hansa was being run by two German citizens and upon contacting the German authorities it turned out that both were already under investigation by police for pirating an eBook server.

Dutch and German police worked together

This was like a jackpot for both authorities who decided to work together and arrest the suspects on piracy charges rather than for running an illegal marketplace. However, the administrators sensed something was wrong and moved their operating servers from the Netherlands to somewhere else. This was devastating for the authorities since they were keeping an eye and downloading data from the Netherlands servers and there was no other way to track Hansa’s activities and its new servers.

But in April 2017 administrators of Hansa made a payment from a Bitcoin address which the authorities had previously found in the chatlog files they downloaded from the site’s servers. Upon tracking the payment’s destination it turned out that the hosting servers for Hansa were moved to Lithuania.

FBI comes in and AlphaBay goes down

While the Dutch and German authorities were hunting for Hansa, the FBI was about to take down dark web’s largest marketplace AlphaBay. The FBI got in touch with the investigators and they came up with a plan that would not only take down administrators for Alphabay and Hansa but also its buyers and sellers.

The plan was to shut down AlphaBay and let its users move to Hansa since it was the most active marketplace after AlphaBay and it was evident that a massive influx of users would migrate. On June 20th, German authorities raided and arrested Hansa administrators and seized their devices including unencrypted hard drives and laptops.

During the investigation, administrators handed over login credentials of their accounts including logins for the chat system they and four other moderators used for correspondence. Now, Hansa was fully in control of the Dutch police.

On July 4th, the FBI arrested the owner of AlphaBay from Thailand and seized his laptop along with login credential for the site leading to the shut down of AlphaBay. One week laterit was reported that the owner Alexandre Cazes, a Canadian citizen had committed suicide in a Thai prison which created a lot of confusion among the users but as expected tons of users moved to Hansa while Dutch Police had complete access to their passwords, chats, IP address, and sales record.

The operation was so secretive and professional that 4 other moderators of Hansa were totally unaware of it. A couple of weeks later, Dutch police defaced Hansa with a message that said: “This hidden site has seized by the Dutch National Police.”

Thus, that was the end of AlphaBay and Hansa, two of the largest illegal marketplaces on the dark web. Before these two, Silk Road was the largest ever marketplace to deal in illegal content including banned drugs on the dark web however it was also shut down by the FBI while its owner Ross Ulbricht is serving life in prison.

The end game

According to officials, after shutting down Hansa, Dutch police extracted data on over 420,000 users and 10,000 home addresses leading to the arrests of a number of vendors while the search for more vendors is still on by Europol Moreover, they have also seized millions of dollars worth of Bitcoins. 

The Dutch police also shared a list of active, arrested and identified Hansa vendors and buyers.


The CEO of Kaspersky Labs Eugene Kaspersky will be uploading Gert Ras and Marinus Boekelo’s video presentation on Hansa bust in coming days. Therefore, this article will be updated accordingly.

Related Posts