The Dutch National Police’s infiltration and takedown of the Hansa marketplace may be linked to the recent shutdown of Leakbase, a shop that sold usernames and passwords from hundreds of data breaches. Leakebase, in early December, unexpectedly redirected visitors to haveibeenpwned.com.
Leakbase users reported connectivity issues several times this year. Hackers, at one point, even leaked the usernames and passwords of Leakbase members. However, according to Krebs, the site’s users reported that they had difficulties contacting the site’s support staff roughly two weeks ago. Given various issues in the past, this customer support issue may have been overlooked as another one of the site’s issues.
During the first weekend in December, anyone who attempted to access the site found themselves at Troy Hunt’s haveibeenpwned.com, a legitimate breach reporting service. (Nearly everyone in the infosec sector doubted the legitimacy of Leakbase as a resource for researchers. Although the service simply indexed and sold billions of passwords from databases already available for free, the site’s owners undoubtedly knew they had created a market designed for criminal activity.)
Only few people know why the site shut down. The Twitter account run by the owners of password marketplace wrote, in a recent Tweet, “this project has been discontinued, thank you for your support over the past year and a half.” Several reporters wrote stories covering the site’s mysterious shutdown, but only Krebs had insider information on what could have really happened.
According to the security researcher’s source who asked to remain anonymous, the site changed hands in April and the new owners not only sold access to accounts and passwords, but also dealt drugs on the former Hansa darknet marketplace. Dutch police shut Hansa down in July, but had controlled the site for roughly one month before replacing the market’s homepage with a seizure banner. They kept the site running to collect data on some of the site’s many users.
The anonymous source explained that the new Leakbase owners also happened to “dabbled” in narcotic distribution as a vendor on Hansa. And that the recent Leakbase takedown had ties to “Operation Bayonet,” the globally coordinated action taken against Hansa and Alphabay markets. This accusation led to a response from the Leakbase Twitter account admins who wrote that “…none of the LeakBase operators have any connections to Hansa.” The account owner added, “the fact that this can be portrayed as near fact is astonishing as it is only a claim.”
Site owners (or the Dutch National Police) also Tweeted:
We understand many of you may have lost some time, so in an effort to offer compensation please email, [email protected]
Send your LeakBase username and how much time you had left. We will have a high influx of emails so be patient, this could take a while.
Although the Hansa connection is only a claim from an anonymous source, Krebs is infrequently incorrect.