520

In this article we chronicle the epic saga of AlphaBay – possibly the world’s most well-known darknet market – the rise of admin DeSnake, his resurrection of the market, its subsequent downfall, and discuss what may have caused it to happen.

Much of the information presented in this article is collected from various forum and social media posts. It is important to remember that, while some theories presented may be more plausible than others, there is no public knowledge of what actually happened with AlphaBay in its final days or DeSnake, its chief administrator. The circumstances of DeSnake’s disappearance, which led to the automated lockdown and then closure of AlphaBay, remain mysterious.

Instead of making assumptions for the reader, this article provides a wealth of sourced background information on AlphaBay (both old and new versions), its admin, and presents some of the major theories surrounding their disappearance, allowing them to come to their own conclusion on what really happened with the darknet’s most famous legacy.

AlphaBay & DeSnake Origin Stories

If the official record (government) is to be believed, the original AlphaBay darknet market was launched in the third quarter of 2014 by Alexandre Cazes, a Canadian citizen with a knack for programming and web development, who had moved to Thailand in 2013. Cazes opened the market under the online pseudonym alpha02, who already had a reputation as a carding expert, having written one of the most widely circulated guides to carding on the internet.

It was apparent that Cazes couldn’t do the job alone, however, and sought out assistance in the form of security administration from a well-established hacker, DeSnake, who is said to have sold cards to Cazes in the past, having sold card data on various forums and the former Evolution darknet market. In DeSnake’s own words, he began his career on the market as a vendor, selling tools and guides to carders. After doing some hobbyist pen testing on the AlphaBay site, however, he claims to have uncovered an exploit, choosing to inform Cazes about it rather than use it for his own purposes. It was at that point that Cazes offered him the job of security admin.

To this day, nobody knows the true identity of DeSnake — or at least nobody willing to come forward with proof of his identity. There have been a multitude of theories regarding who DeSnake is that have been presented over the years. Three of the most popular (though likely incorrect) theories are:

1. He and Alexandre Cazes (alpha02), chief architect and principal admin of the original AlphaBay, are one in the same. This theory gained traction when the market’s public relations spokesman, Trappy, suggested it to authorities after being arrested in Nov 2017. It was also reported that Cazes was known online as DeSnake in several news articles at the time of Cazes’ death. However, there are too many references of the two being distinct individuals with distinct skill sets for this to be the case. As was chronicled in various threads on Reddit and even in court documents, DeSnake was likely simply hired by Cazes to act as AlphaBay’s security administrator.
2. He is a German citizen who purchased the domain name “snake.de” and was the administrator of its website, although there is no proof of this association. Looking up public information for the domain, which is the two parts of “De Snake” written in reverse order, snake.de was founded by a German citizen. Interestingly, an archived version of the site from 2001 lists geographic coordinates of where the server is located, and viewing the coordinates on Google Street View yields a blurred-out building. However, there’s a good chance the occupants of the property just wanted privacy after having endured harassment by online detectives searching for DeSnake.
3. He is a Dutch citizen that was doxed in March 2017. It is known that AlphaBay did indeed pay at least two extortionists money to keep the identity of its admin a secret. Somewhat confusingly, however, this theory ties in elements from the first two theories, proposing that: 1) the original alpha02 retired after extortionists threatened to reveal his identity in 2015, selling his share in the market to DeSnake, and 2) DeSnake himself was doxed based on information tying him to his ownership of snake.de.

The first extortionist, known as kinger, said the following to DeSnake in a now-deleted 2016 Reddit post:

“PS: DeSnake, if you read this, we know who you are and where you reside. We know you’re a Dutch guy who acts like he’s Russian. Should you attempt to exit scam with AlphaBay, rest assured your dox will be posted.” – r/kinger

Reddit post, presumably written by AlphaBay staff member Trappy, responding to an extortion attempt in March 2017.

The latest in a series of extortion attempts turned out to be the least of AlphaBay’s problems, however, as it turned out the US feds had been building a case against Alexandre Cazes for months prior, culminating in the admin’s arrest and AlphaBay’s takedown in early July, 2017.

Whether Cazes was the original alpha02 – or simply someone who assumed the role later on – is not entirely certain, although evidence presented in court demonstrates that an email address known to belong to Cazes was found in the header of a 2014 “welcome” email sent to AlphaBay forum users. The email address, [email protected], was also found in forum password recovery emails, as well. This suggests that Cazes was indeed the market’s founder and thus theories about DeSnake being the chief administrator are unfounded.

Closure, Disappearance & Relaunch

At the time of its seizure, the original AlphaBay is thought to have processed around $1 billion in sales and had over 240,000 registered users in all, rendering it markedly bigger than any other darknet market that had come before. The market inspired several successors who lifted its user-friendly design, copying its template line-for-line in an attempt to draw in users who appreciated its familiarity. The most notable of these markets was Empire, which even paid homage to Cazes in its footer. Gone, however, was DeSnake, who would go silent for a little over four years — at least under that particular moniker.

On August 8, 2021, a surprising turn of events unfolded as a poster claiming to be DeSnake took to the Dread darknet forum to post a series of long-winded, PGP-signed messages explaining how AlphaBay had “returned” in a new-and-improved form. The return seemed to catch the entire darknet market community off-guard, who scrambled to verify claims made by the new poster. Many were highly skeptical of the claims, and the problem was not helped by the fact that the first version of the signed message would not verify with DeSnake’s known PGP key.

After another version of the message was posted that did verify, and with authorities such as Dread admin Paris and former AlphaBay staff disc0 vouching for DeSnake’s authenticity, the suspicion surrounding his comeback began to subside. It would take the “new and improved” AlphaBay several months before it began to attract well-established vendors and their customers. By April 2022, however, AlphaBay was once again on top as the world’s most popular darknet market, aided not only by DeSnake’s competent management but the downfall of other top markets at the time.

The Wired Interview

AlphaBay’s rise back to the top was also helped by a lengthy, somewhat unusual interview by Wired of DeSnake. In the interview, the admin states the reason for bringing back AlphaBay was to “make the AlphaBay name be remembered as more than the marketplace which got busted and the founder made out to have committed suicide.” He also chose to reveal some interesting information about himself that was previously unknown:

• He lived in a “non-extradition country” that was part of the former USSR, meaning that even if he was arrested by local authorities he could not be extradited to the US.
• He had done a lot of traveling in the four years of his absence and encountered “zero problems.”
• He was still in disbelief that Cazes had put his personal email address in the header of the AlphaBay forum welcome emails. “He was a good carder and he knew better opsec.”
• He was paranoid about his security to the point of overkill, claiming to shut down his computer every time he stepped away from it (including bathroom breaks).

In the interview, DeSnake also talked at length about his market’s “AlphaGuard” system, which was supposed to be a way of helping users recover escrowed funds in the case of an emergency. It involved the automatic renting of new servers in case it should detect old ones were being taken down, as well as the planting of data on other websites to allow the recovery of user funds. Even weeks after AlphaBay’s second closure, many users held out hope that AlphaGuard would soon “kick in,” but it did not.

“It is a system to ensure users can withdraw funds, settle disputes, and generally go without a cent lost if raids happen, even if it happens on all servers at the same time. It is unstoppable.” – DeSnake to Wired, on AlphaGuard

In Dec 2022, DeSnake once again appeared in Wired where he was listed as one of “the most dangerous people on the internet.” In the article, DeSnake is described as AlphaBay’s “cofounder and Cazes’ top lieutenant,” noting that he had set more rules than the original AlphaBay, which included banning the sales of ransomware tools and fentanyl (although the latter was largely unenforced), as well as only supporting Monero (XMR) as a deposit option.

Second Closure

While AlphaBay was never a perfect operation, it was considered relatively dependable and trustworthy as far as darknet markets go — at least for the first year of its operation. Within that time, they had managed to attract a huge number of users, survive DDOS attacks that had devastated other markets, and even roll out a first-of-its-kind “harm reduction” program which subsidized drug purchases for independent testers who would report back to AlphaBay with product test results. Things seemed to be on the up-and-up for the market, yet activity from DeSnake began to taper off, and he began to take unannounced leaves of absence from the market for weeks at a time.

In October 2022, one such leave of absence caused AlphaBay to go into a lockdown mode which was automatically triggered by a failure to update the market’s PGP-signed canary message. Upon expiry of the canary, users with 2-FA enabled found themselves no longer able to log in. While this type of lockdown had actually already occurred twice for the market, this time was particularly worrisome as DeSnake had not been heard from for over three weeks, which was uncharacteristic of him since his return.

The situation was resolved before the end of the month as DeSnake returned to sign a new canary, restoring everyone’s access to the market. The market continued to be bombarded by a flood of problems, however. These included complaints from vendors saying they had been unfairly banned, issues with XMR withdrawals (which was blamed on a problem with AlphaGuard), and worst of all: a ramped-up DDOS attack that had not only knocked most markets offline, but the Dread forum itself. As Dread was the primary center of communication for vital darknet market-related information, AlphaBay users became increasingly worried about the status of the market.

Dread did return on-and-off through the month of November, and AlphaBay users were asked to use the I2P network version of the site to continue business. “Funds stuck, Funds held, withdrawals missing, deposits missing,” wrote one concerned vendor in the AlphaBay subdread on November 24^th, 2022.

“When so many vendors have issues logging on, getting their money, something is up… It becomes the same old story, lure all the people, then screw them… And when dread was down, how hard would it be to post an update that there was an issue with funds? It happened to several thousand people.” u/PracticalMatters1 on Dread

Although DeSnake personally replied to the vendor, his words didn’t have much of an affect on the mounting concerns market users were having. On November 30^th Dread suffered its worst DDOS attack yet, taking it offline completely. It would not come back online until March of the next year. What transpired between then was the total disassembly of AlphaBay, which played out rather slowly and under a blanket of communication darkness.

The months of December – February 2023 saw most major darknet markets struggling to stay online in the face of an extremely persistent DDOS attack, including AlphaBay, which went offline several times during this time. The ability to visit the market via I2P was a saving grace for the market, although things were never again as smooth as they were before November of last year. In early February, the market’s auto-lockdown system once again kicked into effect, preventing users with 2-FA activated from logging in, and triggering a new wave of theories as to what was going on behind the scenes.

On February 14^th, 2023, the worst was finally confirmed on Reddit by one of AlphaBay’s top staff members and self-described admin, who went by the name TheCypriot. In a PGP-signed message, TheCypriot explained that the market was no longer reachable, and even if it was, it should no longer be used, as something with it had definitely run afoul.

“In my experience over the years this is not (law enforcement). Feel free to discuss, many of you will but the signs just are not there. If it is it would be the worst planned and executed LE action in the history of the markets. They didn’t even put up a fancy seizure screen… Doesn’t mean that it wasn’t.

In my experience this is not an exit (scam). I mean if it doesn’t come back it would be, but it would be the most poorly planned and executed exit in the history of the markets. Doesn’t mean that it wasn’t.” – TheCypriot on Reddit

With Dread still being down, complaints began to pour into the r/darknets subreddit, including horror stories of users who had lost upward of $10,000. Understandably, several vendors did not want to complain about their problems on the clearnet and waited for the resurrection of Dread, which happened in early March. Many vendors complained about how they had been unfairly banned, others complained about their XMR withdrawals never being processed. Most had already moved on to start careers at other markets.

Prevailing Theories

The months that followed the closure of AlphaBay saw the generation of a preponderance of theories about what happened to DeSnake. Some of the most widely-mentioned ones on Reddit, Dread and elsewhere include:

• he was killed in the February earthquake that devastated parts of Turkey and Syria,
• he was killed in the Russia-Ukraine conflict,
• he was arrested by feds who performed an unannounced seizure of the market,
• he was arrested on charges possibly not even related to AlphaBay,
• he simply walked away from the business due to the level of stress he endured because of it.

Most theories fall into one of three major categories:

1. Exit scam – the market’s closure had been planned all along, with or without the help of staff members like TheCypriot. Most of the adamant claims DeSnake had made about AlphaGuard, site upgrades, and wanting to build a decentralized marketplace were all for the sake of confidence-building and drops in the price of XMR from January through March 2023 were precipitated by a sell-off of customers’ funds.
2. Unplanned or accidental exit – for reasons not necessarily malicious or out of DeSnake’s control, the market was closed after it entered lockdown mode for the final time. This includes having critical hardware and backups seized, stolen, or destroyed, going on a vacation and being denied re-entry upon return, or even health reasons — including mental health reasons or even death.
3. Arrest – DeSnake was arrested by authorities and is currently in custody, perhaps even waiting to testify about other AlphaBay admins or operators of other markets. He may or may not be awaiting extradition to the United States where the FBI has been after him since 2017.

A fourth category of theory – however unlikely – was that the actual DeSnake had never been involved with the new-and-improved AlphaBay at all, and that his PGP key had been compromised by the feds who had set up a giant honeypot to catch unsuspecting users. This theory is unlikely for a number of reasons, mainly because of the user security features it employed (such as using Monero only and consistently reminding users to self-encrypt shipping information).

Most of the other theories have good rationale for why they may not be correct, so it is genuinely hard to make an assumption about what actually happened.

• To counter the exit scam theory, there is ample evidence that suggests DeSnake was busy working on upgrades to the AlphaBay up to the time of his disappearance, that he was already quite wealthy from his time working for Cazes on the original AlphaBay, and that he was simply trying to restore the market’s reputation.
• To counter the unplanned exit theory, DeSnake seemed highly meticulous regarding his own OpSec, and as he had already had over a decade of experience as a darknet criminal, it seems he would have already been adjusted to the lifestyle and not prone to mistakes involving access to crucial hardware or admin panel software.
• To counter the arrest theory, law enforcement (regardless of the country) would have announced they had made an arrest or seizure related to AlphaBay by now, following the precedent set by the takedown of every other darknet market that fell to the hands of the feds (including the original AlphaBay).

This means that as of now, for all intents and purposes, DeSnake has simply disappeared, vanished into the ether on both digital and physical planes. Whether this outcome was by design or accident remains completely unknown, and only time will tell if his fate will eventually be discovered.

Most AlphaBay users caught up in the downfall of the market’s last (and probably final) iteration seem to have accepted its fate, resigned to the fact that there’s nothing left to do but continue on business as usual. For those watching from the outside, the story will go down as lore in the annals of darknet history, a fable never to be forgotten.