The Thai cops met the American agents, analysts, and prosecutors at the US attorney’s office, with more than two dozen people arrayed around the room. The two countries traded PowerPoint briefings. Ali and Erin, expert cryptocurrency-tracing FBI analysts from Washington, DC, walked the Thais through a “Bitcoin 101” presentation and detailed how they had tracked Cazes’ hidden cash flows. The Thais shared everything they’d learned from following Cazes’ physical movements for months. The police then explained the particulars of the Thai legal system—what US agents would and wouldn’t be allowed to do with Cazes after, if all went well, they laid hands on him. Between meetings, Sanchez took the Thai group on field trips: to a golfing range, to a shopping mall—where the officers descended ravenously on a Coach outlet—and on an outing to San Francisco in rented vans. The Thais, accustomed to the tropics, nearly froze on Fisherman’s Wharf; they were so jet-lagged and exhausted from their sightseeing frenzy that they slept through the drive over the Golden Gate Bridge in both directions. On another day, the FBI gave the Thais a tour of the explosives lab at the bureau’s Sacramento field office, showing off the agency’s bomb-defusing robots. Paul Hemesath, the prosecutor, later brought out his HTC Vive VR headset, and the two countries’ agents took turns walking a plank over a digital abyss and swinging virtual swords at zombies. When they weren’t busy with tourism and team-building exercises, the agents were grappling with the practical details of raiding a dark-web kingpin. At one point, the case’s lead FBI agent presented the looming problem of Cazes’ laptop encryption. Sanchez and the Thais explained that based on their surveillance, Cazes almost never opened his machine outside his own home. The agents agreed: They’d have to catch him in his house, logged in to AlphaBay and yet somehow off guard so that he wouldn’t shut the laptop before his arrest. Almost as important as the computer was Cazes’ iPhone. The FBI told the Thais they’d need to grab it unlocked, or it too would be irretrievably encrypted. That phone, after all, might hold keys to Cazes’ cryptocurrency wallets or other crucial data. The question of how to thread the needle of capturing these two devices and their information hung in the air, unanswered. Then Sanchez spoke: She asked the lead FBI agent if it would be helpful to know more about how Cazes spent his days, hour by hour. After all, she explained, he had laid it all out on Roosh V, the online forum for “alpha males” where Cazes practically liveblogged his daily life and sexual escapades under the handle Rawmeo. The FBI agent invited her to go ahead. So Sanchez walked the group through Cazes’ daily schedule as he had, himself, described it in exacting detail: Wake up at dawn and check his email and social media, including the Roosh V forum. Work out at home until the late morning. Have sex with his wife. Then go to his laptop and take care of business until the evening, with only a short break in the afternoon for a light lunch. At seven, he’d quit work for the day to go out for dinner and cruise for girls in his Lamborghini Aventador. Almost without fail he’d be back home and asleep by 11. just days later, on the morning of June 20, 2017, in the small central Netherlands city of Driebergen, half a dozen Dutch police officers were huddled around a conference room where they’d been anxiously waiting since early that day. Finally, one of the investigators’ phones rang with a call from the German Federal Police. The Germans had just arrested the two administrators of Hansa, the dark web’s second-biggest black market for drugs, in their homes. Both men were in custody. The first phase of Operation Bayonet’s one-two punch—an unprecedented attempt to take down one market while secretly taking over another—could now begin. For weeks, the Dutch National High-Tech Crime Unit had been preparing for this moment. They’d used the source code for Hansa that they’d pulled from the German servers to reconstruct their own, offline, practice version of the market, to familiarize themselves with how it was built and administered. They’d even gone so far as to create their own play-money version of Bitcoin, with its very own blockchain—what cryptocurrency developers call a testnet—to privately experiment with how the site handled its monetary transactions. Now, with the real admins arrested, they had to take over and run the actual, live version of Hansa, with millions of dollars moving between tens of thousands of users. And they had to do it seamlessly, without knocking the site offline or, worse, giving its users or staff any clue that the two administrators had been replaced by a team of undercover Dutch police. At the Germans’ signal, the Dutch team immediately called a pair of agents they’d sent to a data center in Lithuania, where the server actively running Hansa was hosted. Those agents physically pulled out a hard drive from the rack that held the machine so they could access a backup copy of its data. The teams in Driebergen and Lithuania then began feverishly duplicating every digital component of the market, piece by piece, on their own computers and then on a server in a Netherlands data center, reconstructing an exact copy of the site that was now under their control. For the next two days, the Dutch investigators sat at their keyboards from morning until well after midnight, fueled by pizza and Red Bull. At one point early on, someone spilled a soda onto the conference table, nearly soaking a laptop that stored the entire collection of the Hansa data; only a desperate lunge by one of the investigators managed to save it. At another point, a typo in a single command caused the site to go down for several panicky minutes before it could be restored. Get exclusive commentary and behind-the-scenes notes from writer Andy Greenberg. Sign up for The Rise and Fall of AlphaBay companion newsletter. Around 3 am on the third night after the arrests, a Dutch investigator, Marinus Boekelo, was troubleshooting another bug that was causing error messages to cascade across the screen whenever someone used the search bar at the top of the page. “Fuck, fuck, fuck!” Boekelo muttered, bent over his laptop, his hands on either side of his face as he attempted one fix after another. After nearly 72 hours, they had the reconstructed site running smoothly, fully under their command. The skeleton crew still working in the conference room exploded with jubilation. Aside from the one brief period of downtime, the migration of the site to a Dutch data center had been nearly invisible to its users. The most conspicuous sign of the takeover, the Dutch police worried, was that for almost three days there had been complete radio silence from the two Hansa administrators. The site’s staff of four moderators looked to the two admins for orders and to resolve any disputes between buyers and dealers that they couldn’t handle themselves. The police could see that the admins communicated with Hansa’s staff using an encrypted messaging system called Tox Chat—the server they’d seized contained some limited logs of their past communications—but they didn’t have the password to log in to their chat accounts. So they tried a simple solution: They asked the real admins for help. The two German men quickly agreed to cooperate in hopes of a lighter sentence. They handed over their Tox Chat passwords to the German police, who passed them on to the Dutch. The team in Driebergen then resumed day-to-day chatter between the bustling black market’s bosses and staff. With the cooperation of the real admins and their Tox Chat logs, they were able to pick up the business of the site without a hitch. Their only initial error was paying one moderator the incorrect amount for his Bitcoin salary, pegged to the wrong non-digital currency. The undercover police fixed their mistake, paid the staffer the difference, and all was forgiven. The Dutch team had come up with a cover story for the admins’ three days offline: They’d tell anyone who asked that they were heads-down, coding an upgrade to the market. But no one asked. The hierarchy of the marketplace’s org chart and the secrecy of dark-web operations, where no one on staff knew their coworkers beyond a username and a shared chat history, meant the cops in admin clothing were spared any curious questions about their absence. Nor, they were relieved to discover, did there seem to be any inside jokes or watercooler gossip to catch up on. “It actually turned out that they did not discuss anything personal with each other,” one investigator remembers. “It was pure business.” The cover story about an upgrade wasn’t exactly a lie. In reconstructing the site, the Dutch police had actually ironed out some of its bugs and rewritten parts of its code to be more efficient. And because they now had a team of half a dozen rotating agents acting as the administrators, instead of two overworked individuals, they found that the site’s customers considered the day-to-day operations of the market to be significantly improved. One of the younger Dutch agents had been an IT help-desk admin years earlier. He found his new job helping run Hansa to be remarkably similar. He got to work efficiently resolving disputes over the site’s drug deals, assisted by a collection of answers the administrators had helpfully prepared in an online control panel. The undercover agent even came to the rescue of one grateful, sight-impaired drug dealer, helping him figure out how to get his screen reader software properly integrated with his Tor browser. for their first day acting as Hansa’s bosses, the team had cautiously watched the site’s internal clockwork, barely believing that they’d gotten away with their takeover. But when it became clear they could control Hansa seemingly indefinitely, they settled in, working in shifts to run the site 24/7 from the small conference room in Driebergen. On one wall, they set up a 65-inch screen where someone started a stopwatch, measuring exactly how long they’d been in control of the market. Then slowly, silently, they began to spring the trap they’d assembled. Hansa, like any good dark-web market, had been designed to learn as little as possible about its users beyond what was necessary to facilitate reliable drug transactions. The passwords for users’ accounts were stored only as cryptographic “hashes,” indecipherable strings of characters that let the site avoid having to protect a collection of those sensitive login credentials. Hansa also offered to let users automatically encrypt all their messages using the privacy program PGP—including, most importantly, the mailing addresses buyers would share with sellers when they made an order. All of this meant that, in theory, the site itself would never have full access to its users’ accounts or know their most personal data, such as the location of their homes. Now the police began to invisibly sabotage those safeguards. They started recording all of Hansa’s usernames and passwords when buyers and sellers logged in. They also began secretly archiving the full text of every message that users sent on the site before the text was encrypted. Soon they were collecting hundreds, then thousands, of buyers’ addresses from orders, turning the business of the entire market into a glass aquarium under their real-time surveillance. According to Dutch law, the police had to record and attempt to intercept every drug order made on the market while they controlled it. So the half-dozen undercover agents in their small conference room were soon joined by dozens of others, working on the same floor, who were tasked with manually cataloging every single purchase. They forwarded the data from sales destined for the Netherlands to Dutch police, who could seize the packages of heroin, cocaine, and meth shipped through domestic mail. Non-Dutch orders would be sent to Europol, which was charged with distributing the ever-growing pile of drug-deal data to their respective nations’ law enforcement agencies. Already, the Dutch police had accomplished something law enforcement had never attempted before: hunting, capturing, and vivisecting a dark-web drug market in real time, unbeknownst to the site’s users. But Operation Bayonet was only getting started. The Dutch—and their collaborators from Sacramento to Bangkok—had other, bigger game in their crosshairs. on june 22, 2017, two days after the Hansa takeover and less than two weeks before the date of the planned AlphaBay takedown, Michael Gronager and Jonathan Levin, cofounders of the world’s leading cryptocurrency tracing firm, Chainalysis, happened to be in the Netherlands. So was an Internal Revenue Service Criminal Investigations agent named Tigran Gambaryan. They had all flown to The Hague, halfway across the small country from the Driebergen office where the Dutch were pulling Hansa’s puppet strings, for a Europol conference focused on virtual currency investigations. As contractors with no security clearance, Levin and Gronager were unaware of what Gambaryan knew: that by this time, all the interlocking pieces of Operation Bayonet were falling into place. The Dutch Hansa takeover was underway. A team of Americans targeting AlphaBay planned to set up surveillance of that market’s Dutch servers early on July 5, taking a snapshot of its contents while Cazes was logged in to it. They would pull it offline only after the Thais arrested Cazes in Bangkok; touching it any sooner might spook him and cause him to destroy evidence or flee. US prosecutors would then interrogate Cazes and swiftly extradite him. Even the Royal Canadian Mounted Police had been roped in to simultaneously search Cazes’ mother’s home in Quebec. Gambaryan worked as part of IRS Criminal Investigations’ cybercrime unit in DC, but he had learned about the AlphaBay case early on from a friendly IRS agent in Fresno, California, his hometown, where he often went to visit his parents. He’d followed the investigation’s progress, but he’d never been assigned to the case. Still, he couldn’t help but take an occasional, curious poke at the biggest dark-web market in history. For months, Gambaryan had followed AlphaBay’s tracks through the blockchain, obsessively pestering Chainalysis’ Jonathan Levin with new ideas about how to circumscribe the edges of the AlphaBay “cluster”—the millions of Bitcoin addresses the site and its users had generated—or trace its most incriminating money trails. He was, as Levin put it, “completely relentless.” That spring, Gambaryan and Levin had together come up with an idea—a new, experimental method to examine AlphaBay’s use of cryptocurrency. Prosecutors in the AlphaBay case have referred to it using only the hideously vague term “advanced analysis.” But Gambaryan and Levin hoped they could use it to unearth a major finding: the IP address of the server that hosted AlphaBay’s Bitcoin wallet. With that IP in hand, they should be able to pinpoint the server’s physical location and seize it, gaining key evidence in their case against Cazes and assuring that no one else on AlphaBay’s staff would be able to take control of the site after Cazes’ arrest. By all conventional wisdom, it shouldn’t have been possible to learn that IP address through blockchain surveillance. The blockchain, after all, is a ledger of transactions between Bitcoin addresses. It doesn’t record IP addresses, the strings of numbers that identify individual computers on the internet and can often help investigators locate them. But Levin and Gambaryan’s method could somehow obtain those identifiers. Neither has revealed a word of how this technique works. In fact, in our conversations, they never treated any piece of cryptocurrency-tracing tradecraft with more secrecy. Unbeknownst to Levin, by the spring of 2017 the Operation Bayonet team believed they already knew an AlphaBay IP address: the one in the Netherlands that had once been leaked in the welcome email for the site’s forums and then in November 2016 passed on by a tipster to Fresno DEA agent Robert Miller. But Gambaryan figured it couldn’t hurt to independently verify this critical piece of evidence. Levin had been doing his own hands-on research into AlphaBay for years, and he was eager to try out a new investigative technique that Chainalysis could potentially sell to other customers. Levin and Gronager were both up early, before the Europol conference began. So Levin used this spare moment to check the results of his and Gambaryan’s advanced analysis experiment. The answer appeared, without fanfare, on Levin’s screen: an AlphaBay IP address. Or rather, a handful of IP addresses that were likely to belong to the site’s wallet server. A quick search revealed that the likeliest of them wasn’t, in fact, in the Netherlands, but in a data center in Lithuania. Levin remembers his reaction in the moment as less of an epiphany than a brief flash of recognition. “Huh,” he thought to himself. He had no clue that the coordinated global raid of AlphaBay was planned for just over 10 days later and that, according to the digits he now saw on his screen, it was targeting a server in the wrong country. He made a mental note to tell Gambaryan about the Lithuanian IP the next time he saw him. The opportunity arrived that evening. After a day spent at the Europol conference, the two sat side by side at dinner with a dozen other agents, analysts, prosecutors, and contractors around a long table at Flavor’s, a ribs-and-steak restaurant a few blocks from Europol headquarters, its walls covered in paintings of a medieval feast. They had just ordered drinks when Levin thought to mention to Gambaryan that their experimental idea had apparently worked. He showed Gambaryan the three IP addresses on his phone, pointing out the Lithuanian one that seemed most likely. The IRS agent went silent. He pulled out his own phone and took a picture of Levin’s screen. Then he stood up, blank-faced, and quickly walked out of the restaurant without explanation. Levin watched him go, dumbfounded. Gambaryan hadn’t even paid for his beer. gambaryan ran the eight blocks through the streets of the residential neighborhood, past The Hague’s art museum, to the Marriott next to Europol headquarters, where he and most of the other international agents at the conference were staying. He went directly to the building’s top floor, overlooking the darkened forest of Park Sorghvliet, ringed by international government buildings. At a table in an empty conference room, he opened his laptop, confirmed that the IP address Levin had found was indeed in a Lithuanian data center, and then began calling Operation Bayonet’s prosecutors—Grant Rabenn and Paul Hemesath in California, as well as Alden Pelker, the DC-based cybercrime attorney on the case, and Erin, the FBI Bitcoin-tracing analyst who was in The Hague attending the Europol conference—to tell them that he and Chainalysis had found what appeared to be the true location of AlphaBay’s central server, and it wasn’t in the Netherlands but a thousand miles to the east. Ultimately, Gambaryan and Chainalysis’ advanced analysis trick spared Operation Bayonet, at nearly the last minute, from what could have been a major error. The investigators would later learn that the Netherlands IP address they’d been focused on for months pointed to a data center that held only an older server for the site, rather than the holy grail they were looking for. Just like Hansa, AlphaBay had apparently moved at some point from a Dutch hosting provider to the Baltics. Without the Lithuanian IP address, passed from Levin’s phone to Gambaryan’s in a steak restaurant, the investigators would have been raiding the equivalent of an abandoned hideout, leaving AlphaBay’s actual criminal headquarters untouched. None of the investigators in Operation Bayonet has ever explained the mechanics of that Hail Mary advanced-analysis technique publicly—nor would they explain it to me in the years that followed. That’s in part because the secrecy of the technique, agents and prosecutors suggested, had allowed it to be used again and again, identifying the IP addresses of dark-web services’ Bitcoin wallets in a series of major cases. Law enforcement agencies wanted to make sure the method wasn’t “burned”—exposed to dark-web administrators or Bitcoin developers who might be able to fix the vulnerabilities it exploited. For anyone who followed the early days of Chainalysis, though, it would be hard not to take one particular educated guess at how the company’s mysterious tool worked. In 2015, just months after its founding, the startup had caused a brief, very public blowup in the Bitcoin community with a technique capable of identifying Bitcoin users’ IP addresses. The company had set up its own secret collection of Bitcoin nodes, the computers that serve as the communications backbone of the Bitcoin network. Unlike typical Bitcoin nodes, Chainalysis’ nodes were designed to silently record the IP addresses Bitcoin users broadcast with every transaction. By quietly intercepting every IP that passed through the nodes, Chainalysis aimed to create a global map of Bitcoin users’ physical locations. The IP eavesdropping was meant as a demonstration of the young startup’s capabilities. When it was discovered, however, the result was a long, venom-filled thread on the cryptocurrency forum BitcoinTalk, where Chainalysis was excoriated as a purveyor of “mass surveillance” tools. Gronager, the company’s CEO, apologized and shut down the experiment. Yet, years later, could that technique somehow have been adapted to secretly target—and locate—the Bitcoin wallets of very specific users? Even when the transactions were sent from a computer running on the Tor anonymity network? in the last days of June, the Americans descended upon Bangkok like a tropical law enforcement convention. They included nearly 20 agents, analysts, computer forensic experts, and prosecutors from the FBI, DEA, IRS, Department of Justice, Department of Homeland Security, and Canada’s Royal Canadian Mounted Police. More than a dozen members of the group checked in at the Athenee, a five-star hotel a few blocks from the US embassy, which advertised that it was built on grounds once owned by a 19th-century Siamese princess and featured eight restaurants and a rooftop complete with a garden and swimming pool. It was, the prosecutor Grant Rabenn noted, certainly the nicest hotel he’d ever managed to book on the government’s per diem. With just days until their planned bust, Rabenn, Hemesath, and the DC prosecutor Louisa Marion remained swamped by the bureaucracy of coordinating law enforcement agencies in five countries—the United States, Thailand, Canada, the Netherlands, and now Lithuania, where they had a fresh plan to seize the central AlphaBay server. The team also met repeatedly with the Thais at the headquarters of their Narcotics Suppression Bureau (NSB) across town, gathering in a conference room on the building’s eighth floor to talk through the details of Cazes’ arrest. The central problem remained unsolved: how to distract Cazes and lure him out of his house with his phone unlocked and his laptop open and unencrypted. Set fire to a dumpster outside the house? Too dangerous, they decided. Have a female undercover agent begin screaming and crying outside his house? Cazes might simply ignore her, or else close the laptop before checking out the noise. Amid all this frantic eleventh-hour planning, a core group still managed to cap off each day at the Athenee’s lounge for its all-you-can-eat sushi happy hours. It was during one of those evening gatherings that something surprising appeared in the group chat the Thai police had set up on a messaging app called Line, popular in Thailand. The Thais used the group chat to post constant updates to one another and to the DEA on their physical surveillance of Cazes. That day, the Thai team assigned to Operation Bayonet had been following their target on an early evening outing, tracking him in his Porsche Panamera as he approached central Bangkok. Jen Sanchez, who lived near both the Athenee and her workplace at the US embassy building down the street, had just returned home when she saw a photo, taken by one of the Thai officers, pop up. It showed a white Porsche, parked at a swanky-looking hotel entrance. “What the fuck?” she thought, with a sudden rush of adrenaline. Wasn’t that the Athenee, where much of the US team was staying? At that moment, in the Athenee lounge, Rabenn recalls seeing the same Porsche out of the corner of his peripheral vision and instantly remembering that a white Panamera was in Cazes’ stable of pricey vehicles. He pointed it out to Hemesath, as well as the DEA’s Miller and an FBI agent, all of them sitting together at a table in the lobby. They half-jokingly suggested that the FBI agent go check it out. The agent gamely strolled across the lounge as a figure walked through the front door of the Athenee. A spasm of shock went through Rabenn’s mind. It was him. Alexandre Cazes. And he was walking directly toward Rabenn, Miller, and Hemesath’s table. Rabenn froze. “It was like seeing a ghost,” he remembers. He glanced over at Hemesath, who seemed equally paralyzed, in disbelief. The image of that first in-person encounter with Cazes, after nine months of obsessively tracking Alpha02, remains burned into Rabenn’s memory. Cazes was dressed, Rabenn remembers, in a slim, expensive-looking blue suit, his white shirt unbuttoned underneath in the style of someone too rich to wear a tie. Yet Rabenn also observed that Cazes moved with a certain nerdy awkwardness—that, under his costume, he looked “more like a pudgy programmer pretending to be a rock star than an actual rock star.” The FBI agent, thinking quickly, avoided eye contact with Cazes and walked directly past him to the door. In the seconds it took for Cazes to cross the room, seemingly in slow motion, thoughts raced through Rabenn’s mind: How did Cazes know who they were? Or that they were on his trail? Or which hotel they were staying at in Bangkok? Had there been a leak? Had they been meeting too conspicuously, blowing their opsec? Had this criminal mastermind outsmarted them? Rabenn realized he had no idea how he would respond. They could arrest Cazes on the spot, but they’d lose all hope of getting access to his laptop or any smoking-gun evidence of his control of AlphaBay. Just as they were on the cusp of victory, it seemed their plan had failed. “Oh, shit,” Rabenn silently concluded, in a state of blank panic. “This thing’s over.” Then, when Cazes was about 5 feet away from their table, he turned and sat down at the table next to them, across from a pair of Israeli businessmen wearing suits and yarmulkes. The Americans looked at each other in confusion. After a moment, the FBI agent returned and sat down casually. He and Miller began silently signaling to the rest of the table that everyone else should leave. Rabenn, recovering his composure, allowed the thought to cross his mind that perhaps all was not lost—that this was simply the most stunning coincidence of his life. Doing their best to act naturally, the prosecutors cleared out and walked up the curved staircase to the mezzanine floor of the hotel, while the FBI agent and Miller hung back to eavesdrop on Cazes’ conversation at the neighboring table. On the floor above, Rabenn and Hemesath shared a moment of wide-eyed relief. Text messages from the FBI and DEA agents still at the table began to roll in, reporting on Cazes’ meeting: He was talking with the Israelis about one of his real estate investment deals in the Caribbean. As their panic subsided, they now saw that a group of Thai undercover police—including the team leader, Colonel Pisal Erb-Arb, in plain clothes—had stationed themselves around another table across the hotel lounge from Cazes and were discreetly watching him, even stealthily taking photos of each other that captured Cazes in the background. The AlphaBay founder gave no sign of having spotted them. As Rabenn and Hemesath silently rejoiced, the FBI agent joined them on the mezzanine floor and pulled out his phone. He started Googling, trying to calculate the odds of what had just happened. How many hotels were there in Bangkok, anyway? He quickly showed them the answer: There were thousands. In a euphoric daze, the two prosecutors marveled at their bizarre near-collision—but not for long. In two days, they knew their team would be encountering Cazes face-to-face again, this time in the most elaborate arrest they had ever attempted. Continued next week: The day of the takedown arrives. Operation Bayonet reaches its kinetic climax. And then the case takes a tragic twist. This story is excerpted from the book Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency, available now from Doubleday. If you buy something using links in our stories, we may earn a commission. This helps support our journalism. Learn more. Chapter illustrations: Reymundo Perez III Photo source: Getty Images This article appears in the December 2022/January 2023 issue. Subscribe now. Let us know what you think about this article. Submit a letter to the editor at mail@wired.com.