You could buy pretty much any contraband you desired on DarkMarket, an online marketplace that was shuttered last week: illegal drugs, counterfeit passports, malware. The site, a kind of eBay for the dark Web, ran on Tor, the software that encrypts and relays traffic so that users can communicate with one another without betraying their real-life identities or I.P. addresses. Europol, which helped to coördinate an international investigation of the site, recently described DarkMarket as the largest illicit marketplace in the world—an unverifiable claim, since a handful of similarly vibrant bazaars are currently operating on the dark Web. DarkMarket was, without doubt, highly lucrative. Since May, 2019, when the site was constructed, its users have exchanged about a hundred and forty million euros’ worth of cryptocurrency. The owners of such Web sites typically take a commission of two to three per cent on each sale.
DarkMarket had a few interesting quirks. Unlike other successful dark-Web markets, it prohibited the sale of some items—including weapons, fentanyl, and images of child abuse. This tactic was seemingly designed to deter action against the site by police. (In the U.S., in particular, the sale of fentanyl on the dark Web puts a target on your back; a body called the Joint Criminal Opioid and Darknet Enforcement monitors the issue.)
DarkMarket also advertised itself as being the only such site administered exclusively by women. This was an intriguing boast—a prosecutor told me it was made to gain users’ trust—but it was untrue. DarkMarket’s thirty-four-year-old founder and administrator was apparently an Australian man, who was arrested last weekend near the German-Danish border. The police referred to him only as Julian K. Shortly after Julian K.’s arrest, DarkMarket was shuttered by the German police. On the site, a graphic appeared, showing an insect with a female face—a logo for DarkMarket—underneath a flyswatter.
The investigation of DarkMarket was spurred by another, much larger German police investigation into an organization called CyberBunker, which I wrote about in the magazine last year. In 2013, a polyglot group of programmers and hackers, under the leadership of an eccentric fifty-three-year-old Dutchman named Xennt, moved into a Cold War-era bunker near the picturesque town of Traben-Trarbach, in the Mosel Valley. The bunker had previously belonged to the German military, and it was designed to withstand a nuclear attack. Xennt, who had a lifelong fascination with underground fortresses, lived in the bunker. The rest of his crew lived aboveground, in austere barracks. Inside the bunker, Xennt’s team installed servers that hosted dark-Web sites trading illicit products and images, including terrorist material and images of child abuse.
Shortly after Xennt arrived in the Mosel Valley, his activities attracted the interest of a prosecutor named Jörg Angerer, who worked in the nearby city of Koblenz. Angerer, a genial and unassuming man who specializes in prosecuting cybercrime, encouraged a police investigation into CyberBunker. Under German law, the hosting of illicit material is a gray area. It is legal to host sites containing illegal activity, so long as the host is unaware of the content and does not actively assist the site’s owner in illegal behavior. The threshold of proof needed to prosecute such cases is high. A German police unit in Mainz spent about five years spying on Xennt, using digital and phone taps as well as undercover officers—including a man employed as a gardener at the bunker complex. In September, 2019, Xennt and most of his lieutenants were arrested in a nearby restaurant, as German police made a spectacular raid on the bunker. About six hundred and fifty officers were involved in the action. Shortly afterward, eight people were charged with facilitating two hundred and forty-nine thousand criminal transactions.
Xennt and his colleagues are currently being tried in the city of Trier. The trial may not finish this year, and the result is by no means certain. No one has ever been convicted in Germany for hosting sites containing illicit material. Xennt’s position has always been that he has never known or cared to know what was hosted on his servers—a claim that German prosecutors believe is provably false, and which they are currently attempting to unravel. Prosecutors say that they have evidence showing that Xennt and his team actively facilitated illegal behavior by showing clients how to obscure their real-life identities. According to Der Spiegel, Xennt also confessed, shortly after his arrest, to being troubled by the illegal activities of his client base. If he and his colleagues are found guilty, a powerful precedent will have been created. Even respectable Web hosts, such as Amazon, unknowingly facilitate some criminal behavior. The CyberBunker trial may determine what a state deems to be an unacceptable threshold of criminality for such a service.
Whatever the outcome of the CyberBunker trial, the operation against Xennt has provided police with an Aladdin’s cave of information on other criminal activity. In its raid on the bunker, German police seized four hundred and twelve hard drives, four hundred and three servers, sixty-five USB sticks, sixty-one computers, fifty-seven phones, reams of paper documents, and about a hundred thousand euros in cash. The servers alone contained some two thousand terabytes of data. One of the German officers charged with analyzing the contents of the CyberBunker servers told me that the volume of data was unwieldy, but its content fascinating. “I do not recall any case where this huge amount of criminal-infrastructure data was gathered,” he said.
One of the clues unearthed by the trawl of CyberBunker’s servers was related to the ownership of DarkMarket. In May, 2020, an online-crime unit in the northern German city of Oldenburg was asked to investigate. An I.T. specialist in the Oldenburg unit, Frederik Berg, told me last week that he could not describe exactly how his team had used the CyberBunker data to follow the trail to DarkMarket’s administrators, because it would betray police methods, but that their approach had been to “follow the money.” Everyone who used the site went by a pseudonym, including its owner, but cryptocurrency payments and other data allowed the Oldenburg police to start the process of de-anonymizing Julian K.—and, Berg suggested, other managers of the site who might soon be arrested. British, American, and Australian forces then helped to follow the clues to verify real-world information about them.
Rolf van Wegberg, who studies dark-Web markets at Delft University of Technology, in the Netherlands, explained that, without access to servers, police officers are forced to feed off crumbs. They might get lucky by posing as buyers and hoping that a vender would leave a trace of his real identity during the shipping procedure. But, if police could inspect the servers on which the site was hosted, the odds turned in their favor. “You have the complete administration of the market, you have the communication between the buyer and the vender—and often communication that has been encrypted can be decrypted,” van Wegberg said. “You have the mafia’s blue book: everything from orders to payments to addresses.”
Even before the German police shut down CyberBunker, they had glimpsed inside its blue book. On May 3, 2019, at almost the same time that DarkMarket began using CyberBunker’s services, another massive dark-Web marketplace hosted by CyberBunker was shuttered, after a years-long investigation led by German police, with heavy involvement by the F.B.I. When the site, called Wall Street Market, was taken down, several German federal officers visited CyberBunker to seize the servers on which the site had been hosted. Xennt did not come to the door, but one of his managers spoke to the officers and showed them to the server bank. The police seized the Wall Street Market servers.
Last September, another international police sting, Operation DisrupTor, announced the results of a push to catch drug dealers and other criminals who had used Wall Street Market. A hundred and seventy-nine people were arrested in seven countries, a hundred and twenty-one of them in the U.S. In Ohio, officers arrested several members of a group called Pill Cosby, who had allegedly mailed more than a million pills laced with fentanyl. The Department of Justice noted that DisrupTor was initiated after “U.S. and international law enforcement agencies obtained intelligence to identify Darknet drug traffickers.” I wondered whether “intelligence” referred to information gained from servers seized from CyberBunker after the closure of Wall Street Market, in May, 2019. Claire Georges, a spokeswoman for Europol, confirmed to me recently that DisrupTor was “entirely designed around” that first cache of information from CyberBunker’s servers.
What other bounty might be found in the CyberBunker data, now that investigators have its entirety? Georges could be no more specific than to say, “It’s going to be a very bad year for dark-Web markets.”
Last week, I spoke to Angerer, the prosecutor from Koblenz whose persistence led to the closure of CyberBunker and DarkMarket—significant prizes for a regional German prosecutor. He remained characteristically measured and self-effacing. “I don’t think it’s done anything for my reputation,” he said. “Perhaps I’ve gained a certain expertise.”
Angerer understood that every time you took down a criminal marketplace, another would spring up in its place. DarkMarket had flourished in large part because Wall Street Market had been crushed. A site called White House Market was currently thriving. I was reminded that, last year, a member of the team that had led the German investigation into Wall Street Market had told me that the war on dark-Web marketplaces was unwinnable. People would continue to have illicit desires; the Internet would find a way to satisfy them.
I wondered if Angerer ever got discouraged. He laughed and said, “It’s prosecution: the nature of the work is that the work is endless.”