
Threat Actor Characterization

AlphaBay Market

ID: 209787c7bfde790cd32e6c615d66533500388
Darkweb Market/Service MaaS (Malware-as-a-Service) Marketplace
Threat types: Fake IDs, Passports, KYC Bypass, Malware
Unknown
Updated: 2026-03-02
Created: 2025-10-24
Progress: 72% Completeness: 73% Freshness: 70%
Operation zone:
Aliases: AlphaBay
MITRE ATT&CK®

AlphaBay was a large darknet marketplace that enabled cybercrime and fraud ecosystems by facilitating illicit trade in malware, stolen identities, and other contraband. It is best modeled as criminal service infrastructure rather than a single intrusion actor.


Technique | Technique name | Tactics | Evidence
T1583.001 | Domains | TA0042
  • 2017-07-20 — Marketplace operations relied on maintained infrastructure and domain presence; LE reporting describes coordinated seizure of AlphaBay infrastructure (platform-level).
T1583.003 | Virtual Private Server | TA0042
  • 2017-07-19 — INFERENCE (confidence: medium): Operating a high-traffic marketplace implies use of leased virtual infrastructure to host web services and backend components; legal filings and reporting describe seized servers and hosted services consistent with VPS/server acquisition.
T1583.004 | Server | TA0042
  • 2017-07-20 — LE and partner-agency reporting describes seizure of marketplace servers/infrastructure as part of Operation Bayonet, consistent with acquiring and operating server infrastructure for sustained operations.
T1583.006 | Web Services | TA0042
  • 2021-10-04 — INFERENCE (confidence: low): Public reporting on relaunch claims references additional service hardening and operational features that plausibly rely on third-party web services and distributed hosting components.
T1585.002 | Email Accounts | TA0042
  • 2017-07-19 — Public case materials and reporting reference operational email accounts linked to administration workflows (identity linkage/OPSEC failure narrative).

Strategic Intelligence
Last updated: 2026-02-18T17:16:52+00:00

AlphaBay — Darknet marketplace (criminal service infrastructure)

Classification: TLP: WHITE - Open Source Intelligence (OSINT)

Category: Cybercrime / Darknet marketplace - Origin: Mixed/Unknown (operators linked to Canada/Thailand via public cases)

Author: iQBlack CTI Team



Executive Summary

AlphaBay was a high‑volume darknet marketplace that facilitated illicit trade in narcotics, stolen and fraudulent identity documents, malware and “hacking tools,” and other contraband. Public reporting indicates it operated primarily as a Tor hidden service (and, in later iterations, with additional anonymity-layer options), using cryptocurrency payments and escrow to enable buyer/seller transactions at scale.

In July 2017, a globally coordinated law enforcement operation (“Operation Bayonet”) seized AlphaBay infrastructure and simultaneously leveraged the takedown to drive users toward another market (Hansa) that authorities had covertly controlled, enabling additional identification and arrests. Public cases identify Alexandre Cazes (Canada) as the alleged founder/administrator, arrested in Thailand on 2017‑07‑05 and later found dead in custody on 2017‑07‑12.

From a defensive-intelligence standpoint, AlphaBay should be treated less as a single “intrusion actor” and more as an enabling platform within the cybercrime supply chain: it lowered transaction costs for threat actors and supported “capability acquisition” (malware, access devices, stolen credentials, document fraud) and laundering/cash‑out ecosystems. The market’s lifecycle illustrates repeatable OPSEC failure modes (identity linkage, weak endpoint encryption discipline, operational routine) and also the persistent re-emergence of brands through re-launch claims.

Executive Analyst Brief for CISO

Executive Analyst Brief for CISO — AlphaBay

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Hunting Playbook

Hunting Playbook — AlphaBay


IOC Appendix
Last updated: 2026-02-18T17:22:12+00:00

IOC Appendix — AlphaBay

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

OSINT Library
Last saved: 2026-02-18T17:22:26+00:00

OSINT Library — AlphaBay


2017-07-20 — FBI — “AlphaBay Takedown”

Social Media & Communication
SOCMINT integrated: 0/1

Address Verification SOCMINT
clcua5cwkutouq2mgpf4dgejgx6reugt7pma5h5sueyogfl57xfsd5ad.onion Restricted Not integrated