00DRGREEN00, BoulderMedical, cannab1z, cocaMG, dutchcandyshop, DrPoseidon, GlazzyEyez, Gridlockdope, guessguess, ibulk, iCoke, MarcoPolo420, mushroomgod, wolfydutch
One of the above listed vendors confirmed on Reddit that he lost access to his Dream Market account because he reused passwords on Hansa and Dream.
Another crook’s name also appears on a list of vendors Dutch authorities have been keeping an eye since last year, according to a Dark Web portal managed by Dutch Police.
Police spreading Excel files laced with phone-home beacons
The second method of operation spotted by the Dark Web community involves so-called “locktime” files that were downloaded from the Hansa Market before Dutch authorities shut it down on July 20.
Under normal circumstances a locktime file is a simple log of a vendor’s market transaction, containing details about the sold product, the buyer, the time of the sale, the price, and Hansa’s signature. The files are used as authentication by vendors to request the release of Bitcoin funds after a sale’s conclusion, or if the market was down due to technical reasons.
According to people familiar with Hansa’s inner workings who shared their knowledge with Bleeping Computer, Hansa locktime files were usually just a simple text file.
Before the market went down, these locktime files were replaced with Excel files that contained a hidden image. When the vendor opened the file to view transaction details, the image would load on the vendor’s computer.
This image was hosted on the Hansa Market, and once loaded, the server would log the user’s IP address. If the user didn’t use a VPN, proxy, or funneled all OS-level traffic through Tor, the Hansa server would log his real IP address.
Even if the Hansa Market went down, some vendors might still have the files laying around their computers. After Hansa went down, vendors most certainly opened the files looking into ways to retrieve any funds still locked in Hansa’s accounts.
It was all part of the plan
Dutch Police has seized the Hansa Market servers on June 20, and have secretly collecting data from vendors up until July 20, when they officially announced their operation, shutting down the market for good.
When Europol announced the seizure of Hansa Market servers, an Europol provided the following soundbite, which now makes more sense than ever.
In the past few weeks, the Dutch Police collected valuable information on high value targets and delivery addresses for a large number of orders. Some 10 000 foreign addresses of Hansa market buyers were passed on to Europol.