
Alphabay shutdown: Bad boys, bad boys, what you gonna do? Not use your Hotmail...

...or the Feds will get you ♪

By Kieren McCarthy, 20 Jul 2017

Analysis The alleged owner of dark-web marketplace AlphaBay was tracked down by the FBI because he was stupid enough to include his real Hotmail address in the content management system used to run the site.

That is one of the eye-opening details in the case of Alexandre Cazes, the 25-year-old arrested earlier this month in Thailand suspected of being the administrator of an illegal marketplace trafficking in drugs, guns, counterfeit goods and hacking tools, among other items.

Cazes must have known that investigators would be all over him: AlphaBay had grown into the internet's biggest black market, with over 200,000 users and 40,000 sellers. It had more than 250,000 listings – making it nearly 20 times larger than Silk Road, which was shut down in 2013 after a massive investigation by the FBI.

Which makes it all the more bizarre that, according to American prosecutors, he used his real email address, albeit a Hotmail address – Pimp_Alex_91@hotmail.com – as the administrator contact for the marketplace software. As a result, every new user received a welcome email from that address when they signed up to the site, and everyone using its password recovery tool also received an email from that address.

However, rather than carefully set up and then abandon that email address, it turns out that Alexandre Cazes – Pimp Alex – had been using that address for years.

US Dept of Justice lawyers, in their case against Cazes, said "law enforcement subsequently learned the 'Pimp_Alex_91@hotmail.com' email address belonged to a Canadian man named Alexandre Cazes with a birthdate of October 19, 1991, matching the numeric identifier in his Hotmail email address."

Not only that, but Cazes had also used the exact same alias as the admin username for the AlphaBay marketplace – Alpha02 – and associated it with the Pimp Alex Hotmail address for many years, leaving a long digital trail that investigators easily followed.

Not smart

And if there was any doubt, Cazes repeatedly added his full name to blog posts using that alias, and that email address on online forums.

It was of course still possible that the real mastermind behind the marketplace had elaborately set up Cazes as a fall guy, creating a digital trail to point them to the wrong guy. That would have been smart.

Except when the investigators stormed Cazes' house in Bangkok, Thailand, they found him still logged into the AlphaBay website as the admin and actively communicating about problems with one of its data centers.

On top of doing a terrible, terrible job of protecting himself and his illegal activities, Cazes also did not encrypt his personal laptop – so when law enforcement searched it, they found "passwords to AlphaBay's servers and other infrastructure."

And just in case you had any doubt that this was not a criminal mastermind at work, Cazes had also used his Pimp Alex Hotmail address as well as an email address from his own business – EBX Technologies – to set up online bank accounts and crypto-currency accounts. How did law enforcement know that Cazes was behind EBX Technologies? It was on his LinkedIn profile.

All of this enabled the authorities to do a huge sweep of his assets and turn up $5m in Bitcoin, $2m in Ethereum, $770,000 in Zcash and $474,000 in Monero – all now shifted to government accounts.

That was just the cryptocash. Cazes' miserable operations security also led investigators to accounts in his and his wife's (Sunisa Thapsuwan) names at Bangkok Bank, Bank of Ayudhya, Kasikorn Bank, Siam Commercial Bank and several others.

Even more amazingly, the cops didn't even have to ask the banks for accounts under those names: Cazes had listed all of his accounts, his houses and his luxury cars in a spreadsheet on his unlocked, unencrypted laptop.

Here you go

"The document was modeled after a personal financial statement – listing 'TOTAL NET WORTH' in bold at the top of the document," reveals the filing. "Below the net worth heading, Cazes broke down his 'holdings' into various subcategories such as 'Asset holdings' and 'Cash holdings,' as well as by each distinct cryptocurrency ... and method of storage. According to his financial statement, Cazes had a net worth of $23,033,975."

Even though his website routinely sold fake identities, neither Cazes nor his wife – who, a simple social media search reveals, works at Mahidol University in Bangkok – thought to use them to hide their illegal profits.

Their real names were also used to buy property in Bangkok – two houses, side-by-side and just seven minutes' drive away from Mahidol University. Other houses were found in Phuket, Cyprus, Antigua and Barbuda and added to the asset seizure.

And then there were the cars: a Lamborghini Aventador, a Porsche Panamera S, and a Mini Cooper – all registered to the same address in Bangkok.

Luxury cars go bye-bye

In short, it is safe to assume that Cazes spent significantly less time thinking about how to disguise his identity and ill-gotten gains than he did making sure his website was patched and up and running. Not so much a career criminal as a nerd with a popular website.

Why did he use his actual email address and actual alias to set up a dark-web marketplace? We can only assume that he set it up on the spur of the moment and didn't expect AlphaBay to become as huge a marketplace as it did.

Why didn't he revisit the setup? Or shut the site down and start it up again in a more secure manner? Why didn't he use some of the millions of dollars he made from the site to create solid fake identities that he could then use to secure his money and assets? Did he imagine that the US authorities wouldn't be able to get to him in Thailand?

Bolt hole

There is some evidence that Cazes suspected that the net was closing in on him: investigators found a trail of documents in which he sent money outside the country.

He sought – and achieved – citizenship of Antigua and Barbuda by buying a $400,000 property there. The police found their passports in the house. And he was in the process of getting citizenship of Cyprus by investing more than €2m in real estate there. He even sent money from Thailand through Liechtenstein to Cyprus in an effort to hide his tracks.

But it was far too little, too late. His identity was already out there thanks to his Hotmail address. He was living in a house that he owned under his own name. And his unlocked laptop exposed all of his assets and his planned bolt-holes.

How close did he come to escaping before the cops arrived? Sadly, we'll never know. Just a week after Cazes was arrested and dumped in a Thai jail, he was found dead in his cell. The authorities say it was suicide. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing