What’s Old is New Again: AlphaBay Re-emerges
Flashpoint analysts are tracking the alleged re-emergence of AlphaBay, once the largest darknet marketplace and community in history. The market was active from 2014 to June 2017, when it was shut down following an international law enforcement operation and the arrest of one of its administrators, Alexandre Cazes, who operated under the alias “Alpha02/Admin.”
The new AlphaBay is claimed to be run by the other administrator, a threat actor operating under the alias DeSnake. On GhostBin, DeSnake claimed they are bringing back the forum because of the poor state of operating darknet marketplaces, and to honor the legacy of the previous moderator Alpha02 (Alexandre Cazes), who died by suicide in Thailand after his arrest following the seizure of the original forum. In order to prevent users from losing money to similar seizures, DeSnake said they have created a system called “AlphaGuard” which would allow threat actors operating on the forum to withdraw funds even if all servers are seized.
The rules of the marketplace have been slightly amended since the previous iteration of AlphaBay and now include rules against posts dealing with fentanyl, COVID-19 vaccines, ransomware, and any activity related to Russia, Belarus, Kazakhstan, Armenia, and Kyrgyzstan. Flashpoint analysts note that threat actors based in the countries of the former Soviet Union avoid targeting those countries, so as not to draw the attention of domestic law enforcement.
Additionally, DeSnake said the new marketplace will have an “Automatic Dispute Resolver” feature that would quickly handle disputes between buyers and sellers without the involvement of a third party or moderator. They also noted in their post that the forum will include a ranking system of “trust levels” to minimize scammer activities.
The homepage of the new AlphaBay is seen below:
In addition to the marketplace feature, DeSnake said AlphaBay will also have a forum section. The forum will include the return of a private malware sub-community, in which DeSnake claims they will post updated source code for a famous banking trojan to promote the re-launch.
Several other threat actors previously associated with AlphaBay have posted to confirm DeSnake’s identity as one of the original moderators of the first iteration of AlphaBay marketplace. Notably, a forum administrator operating under the alias “Paris” claimed that while they believed DeSnake was legitimate, they could not prove the threat actor wasn’t “compromised” by law enforcement. In addition to asking other threat actors to confirm their identity, DeSnake also included their PGP key as proof that they are legitimate.
UPDATE (8/11): AlphaBay’s re-emergence was initially reported by Tom Robinson at Elliptic, and the description above supplements their report with data from the Flashpoint platform and analyst team. Tom and the Elliptic team have provided strong reporting on these topics, and we apologize for omitting reference to the Elliptic post in our initial report.