Speaker A

What helped me a lot in directing my focus to the right things in life was the Silk Road Forum. It was somehow magical. Sure, there were some idiots, but for the most part I remember the forum being characterized by respect and tolerance. That's where I first encountered philosophy and ethics, and the time I spent there was very formative. I want to contribute to building a healthy and vibrant drug scene in Europe where values are more important than profit maximization. Archetyp is meant to be the archetype of a marketplace. I'm not afraid of a bust at all. I have great respect for law enforcement agencies and don't underestimate them. I'm clear about what my security is based on and that I absolutely need to maintain it. In five years, Archetyp will be the dominant European marketplace for drugs. In 10 years, I'll proudly read in the scene's forums how users mention Agora, Dream and Archetyp in the same breath. Like every former market admin, I'll probably be living in Belize.

Speaker B

Welcome to Deep Dive from the Global Initiative Against Transnational Organized Crime. And this is Dethroning BigBoss: the Fall of Archetyp.

Speaker B

So when Bitcoin first emerged back in 2009 following the famous white paper written by the mysterious Satoshi Nakamoto the previous year, many people didn't understand what this thing was. In fact, some media headlines proclaimed Bitcoin as global, private and untraceable. Why this was said is unknown, probably a lack of understanding or clickbait articles, because almost as soon as Bitcoin emerged, others were highlighting that it was traceable simply due to the way it worked: blockchain technology, the public ledger which records every transaction. But the myth persisted and so for a long time, websites that sold illegal content or illicit goods and services continued to use it. On Silk Road, the first darknet drug marketplace on the dark web, payments were made using Bitcoin, and ultimately the data stored on the blockchain contributed to law enforcement getting their man, and then subsequently two corrupt law enforcement agents who attempted to steal Bitcoin from the site. AlphaBay, one of Silk Road's successors, albeit without the libertarian ideals of its ancestor, also used Bitcoin, and analysis of the Bitcoin flows helped US, Dutch and other law enforcement track down the wallets used by the admin, a man called Alexandre Cazes, who amassed a fortune of tens of millions of dollars. Eventually, Cazes was arrested in Bangkok and later found dead in his cell shortly after his arrest. Another case was the child sexual abuse website Welcome to Video, a case which is discussed at great length in Andy Greenberg's book 'Tracers in the Dark', which led to the arrest of the admin for the site, a Korean man called Son Jong Woo, and the arrests of 337 paedophiles from around the world. And officers were able to rescue a number of victims.
The point is that the myth around the anonymous nature of Bitcoin endured for some time, when in fact it's what's called pseudonymous, which means on each transaction your name is not revealed, but plenty of other information is, and providing an exchange is using Know Your Customer (KYC) verification, discovering a name is not that challenging these days unless a person is more skilled at laundering their crypto. But a lot has changed since those early days of Bitcoin. According to some estimates, there are now over 10,000 different cryptocurrencies in circulation with a total market cap of around $4 trillion. Now, at the start of this episode, you heard the words of a guy known as the Yoshi. It was from an interview with a German independent technology blog, Tarnkappe, back in 2021. Yoshi is the creator and admin of Archetyp, an online illicit drugs market that lives on Tor, which most people know as the Dark Web.

Speaker C

Archetyp was an online marketplace on the Dark Web where people could buy and sell illicit drugs using cryptocurrency. Archetyp focused only on drugs, so on there you would find almost every substance you can think of. It had more common ones like heroin, cocaine, methamphetamine.

Speaker B

This is Sarah Fares, an analyst at the Global Initiative Against Transnational Organized Crime and author of the recent article An Archetypal Drug Market.

Speaker C

But we've also come across substances that are either very niche, like precursors only drug producers would ever need, or substances that are outright banned by other platforms because they're that dangerous. Some synthetic opioids like fentanyl, for example, are banned by many other platforms, but Archetyp did allow it. Essentially, whether you were a first time buyer of a bit of cannabis or a reseller of very large quantities of benzodiazepines, for example, Archetyp had over time become the go to place on the Dark Web for that.

Speaker B

The makeup of Archetyp was nothing unusual. It sold illicit drugs. But Yoshi, alongside his interest in the ethos of Silk Road, was big on operational security (opsec) and seemed to have a comprehensive understanding of the topic. One of the security issues he noticed was the use of Bitcoin, and so his market used another cryptocurrency called Monero, the privacy coin. Indeed, it was the only cryptocurrency that could be used on the site. A switch to Monero was a natural evolution to increase protection for the site, admin, vendors and users alike. And it wasn't just Archetyp who realized this. According to blockchain intelligence company TRM Labs, although there are fewer darknet markets being launched, nearly half of those emerging are Monero-only services. So what is Monero, how does it work, and why has it become increasingly popular on darknet markets like Archetyp? There are essentially three components to every transaction: ring signatures, which hide who is spending the coins; stealth addresses, which are one-time addresses that hide who receives them; and then finally something called ring confidential transactions (RingCT), which hide how much is being transferred. So let's break this down into a simple analogy, the first of many in this episode. Let's say you have a $1 bill. First you mix that bill with a load of other random bills. No one knows which is your bill. Then you put the money in a sealed envelope that can only be opened by the person who gave you the secret key. Then finally you put the envelope in a special post box which hides the sender's address and the recipient's. This means that anyone tracking this envelope can see that some post went out, but they don't know who sent it, where it's going to, or how much money was inside. At the moment, Monero appears to be almost the perfect privacy method. It's quite an amazing bit of technology.
I've spoken to a number of blockchain intelligence companies over the years and they have all remained tight-lipped over how effective their tools are in tracing Monero transactions, although it's been claimed that CipherTrace and Chainalysis have developed tools in an attempt to do so. And to be fair to Yoshi, he was under no illusions about the security of even Monero in the long run.

Speaker A

What many people forget is that just because Monero is currently considered untraceable, it doesn't mean it will remain anonymous and private in the future. You should always keep in mind that there are companies actively researching ways to trace Monero payments. So if I send a payment today that I consider secure, anonymous and private, it might be traceable in five years. Nothing is secure forever and I plan every step to ensure my anonymity holds. Not just today, but also in 10 years.

Speaker B

But at the time, Yoshi saw it as the best option. So Monero was a prerequisite for Archetyp, and his personal security-conscious attitude translated to his website. The site employed an anti-phishing jail, essentially a sandbox that serves as a containment layer. It isolates suspicious login attempts, analyzes them for malicious behavior, and blocks them before any credentials can be stolen or the market compromised. It also employed PGP (Pretty Good Privacy) protocols, which allow you to encrypt, sign and verify data, keeping personal data safe from snoopers. But of course, not everyone who uses Tor is necessarily technically aware. And so the site provided an entire section to help new users, the archiwiki, which included a helpful section on what PGP is, how it works and how to use it correctly. And finally, again, for those who are less conscious of their personal operational security, Archetyp had a feature that automatically encrypted shipping details. But it was widely encouraged not to rely on this. Why? Because when Dutch law enforcement took over Hansa market in 2022 and actually ran it for a couple of weeks, they rewrote the code so that all messages that were previously automatically encrypted using PGP would first capture the content of the messages and even addresses in plain text prior to encryption. They even removed the auto removal of metadata for uploaded images, allowing them to get not only the image, but potentially the geolocation data contained within that metadata. Here's Sarah.

Speaker C

We know that being the main man behind Archetyp, Yoshi was someone who stirred quite a tight ship, so to say. For example, he was very serious about implementing security measures to not get caught. Many of the design features, for example, by Archetyp came directly from his ideas, like encouraging Monero payments instead of Bitcoin, enforcing encrypted communications, and also doing strong background checks before accepting any vendors. None of these measures were unique at the time, but Yoshi did bring operational security to the next level, not just with Archetyp, but also to the extent that other markets have since then followed that security approach.

Speaker B

Indeed, in the design of Archetyp, Yoshi talked about the concept of security by obscurity, which means keeping the operation, code, architecture and so on secret in order to protect it against attacks. But there are downsides to this form of security. If someone does discover details of the operation, it's harder to deal with the fallout.

Speaker D

Obviously the Archetyp admin was very technically proficient. He was smart.

Speaker B

This is Louise Ferret, the lead threat intelligence analyst at Searchlight Cyber.

Speaker D

But a lot of people do fall victim to kind of seeing Tor as a fail-safe. As long as it's all put behind Tor, you're basically unreachable. You can't be de-anonymized. Which, as we see time and again, is not true.

Speaker B

In that interview with Tarnkappe back in 2021, Yoshi revealed how much he thought about his operational security.

Speaker A

Archetyp has no paper trails. The entire infrastructure is funded with money that cannot be linked to me. I've never cashed out a cryptocurrency and that will remain my shield for a long time.

Speaker B

And for a long time, Yoshi's security held its own. And Archetyp grew to be a leading market after it launched in 2020. By mid-2025, the site had over 600,000 users worldwide, over 3,000 vendors with over 17,000 listings, making it one of the largest and most long-running darknet markets in the world. Over the span of its lifetime, the total volume of transactions was at least 250 million euros. Indeed, if we broaden that out, despite a lot of disruptions to the market, according to TRM Labs in its Crypto Crime Report 2025, the sale of illicit drugs online grew by 19% between 2023 and 2024, reaching nearly $2.4 billion. Here's Louise.

Speaker D

Archetyp may have become sort of the most popular is it was very focused. So a lot of dark web markets, they won't just sell drugs, they'll also sell things like malware, credit card details, stolen accounts. And this can really clog up the kind of interface. It's sort of like any online shopping experience and you want to be able to find the things that you're looking for pretty easily. And Archetyp had a pretty clean and slick interface. It was easy to navigate and that kind of focus of what it was selling could have drawn a lot of people to it. It was the last man standing really. So a lot of markets which also became really popular came and went during its tenure: there was ASAP when it first started, Incognito, Bohemia, the second iteration of AlphaBay. And these were all arguably more popular than Archetyp at their sort of peak. Archetyp was just able to outlive them, so to speak. And once a market has been around for a couple years, that's a long time on the dark web. And it does build up a certain level of trust that users are far more likely to follow rather than using a new, less tested site.

Speaker B

One thing you repeatedly see in the comments about the site is praise for the user interface and carefully designed look of the market. Indeed, in that interview with Tarnkappe, you can clearly detect from Yoshi's response how much he cared for it.

Speaker A

Archetyp has, in my opinion, the most beautiful front end, a very clean user interface with well thought out features that offer an unprecedented user experience. Archetyp has by far the best search function, allowing 100% accurate search queries.

Speaker B

He goes on to talk about the usability for customers. Of course it has the usual things like ratings and so on, but also features that help customers search listings for their specific drug of choice, the cheapest price, quantity, and useful filtering that allows you to choose the source countries and delivery destination. A deep dive into the market's functions by the darknet market expert Sam Bent revealed that the site's forum had a multilingual section and even some basic games where you could place bets on world events or games of chance. It also had features that helped improve performance, which for any site on Tor is a bonus. Of all the markets I've seen, this was the most meticulously planned and visually attractive. And this is a really important point in this story. As you will see later, Yoshi appeared to care deeply about his creation, how it worked, the security protections he'd put in place and the look of the site. And he communicated directly with people on Dread, a forum on Tor. So much so that he'd become almost part of the furniture. Here's Sarah.

Speaker C

What makes Yoshi quite different as a leader of Archetyp compared to the administrators of other platforms is that he sort of over time has built quite a persona for himself on the dark web community. Other admins generally like to keep a low profile, but Yoshi was very, very present on Dread, for example, which we can think of as a Reddit-style dark web forum. He was very active under the handle BigBossChef, where he directly stepped in when vendors and buyers had a dispute. He posted updates when the website was down, and his clear communication with everyone even led to some long-standing inside jokes, like him cooking the market or stirring the pot. Which I think goes to show how much of his persona was a part of the Archetyp brand.

Speaker B

Indeed, his occasional arguments and goading of other Dread users could have something to do with what happened, although it's hard to know definitively, but we'll come back to that shortly. On 13 April this year, buyers and vendors tried to log in to Archetyp, but the site wouldn't load, consistently timing out. Not for the first time, the site was suffering from a significant distributed denial of service, or DDoS, attack. Now this is nothing unusual. It happens. Indeed, it happened a few months earlier in the previous November. There was a peculiar moment when most of the top darknet markets were suffering from DDoS attacks simultaneously. Anyway, Yoshi, who on the Dread forum goes by the username Big Boss Chef of Archetyp, ever the dutiful communicator, informed his customers that

Speaker A

We are again under DDoS, which causes troubles when accessing the market. It's mitigated for now, but I will have to change the captcha to make it last longer, so expect a change to our captcha within the next 24 hours. We are Archetyp.

Speaker B

For those who don't know what a captcha is, it's one of those annoying things when you log into a website: it might ask you to copy an almost indecipherable code, or perhaps ask you again and again and again to click on the boxes that contain pictures of bicycles before eventually letting you through. Regardless of their annoyance, they have an important use. They're there to determine whether the request is being made by a person or a bot, the idea being to prevent the bot from entering the site. So given that DDoS attacks are predominantly conducted using botnets, those large networked zombie devices directed towards the target to flood a website server or network with traffic, rendering it unusable, you can see why they are important for the functionality of a website. This DDoS attack on Archetyp in April this year focused on attacking the primary .onion address. So this is your main URL. Because that was inaccessible, Yoshi had public mirrors of the marketplace. These are essentially copies of the main website using an alternative onion URL. These exist to reduce load on the main address or provide an alternative route if the main address doesn't work. And traffic can be managed in a couple of different ways. For example, Yoshi employed rotating mirrors. Now this means that these multiple copies of the main website can serve traffic simultaneously, sometimes periodically, other times dynamically, spreading traffic around and increasing resilience. The other option to mitigate a DDoS attack is through a load balancer, or on Tor through a tool called Onionbalance. This means that if one mirror is being overloaded, the load balancer would detect this and switch the traffic to an alternative mirror, so a different copy of the website. And Yoshi also urged the use of private mirrors, but these were likely only available to just the most important admin staff, vendors and high-level buyers. Here's Louise.

Speaker D

I'm not sure if this was introduced in the wake of the DDoS attacks or if this had already been a feature, because it is quite common on certain markets, but that's basically giving every user account, or sometimes it's just vendor accounts, a private onion address that is unique to their account that will allow them to access the market even in the event of a DDoS attack.

Speaker B

And finally, the Clearnet web hosting mirror. So this was an available site that you could access through a normal browser like Google Chrome. You can grab one of the dot onion mirror addresses from this clearnet site, then boot up Tor and you're good to go. But one guy on the Dread forum noticed something strange about the clearnet site.

Speaker D

That was at one point protected by Cloudflare, which is obviously a very well known DDoS protection and general safety utility. The alleged attackers who were carrying out the DDoS attack found out about this and made an abuse report to Cloudflare, or likely multiple abuse reports, and actually got their access to that revoked. So Archetyp weren't able to use that anymore. I think a lot of Dark Web users would probably be a bit concerned about using such a high-profile entity for your illicit activities.

Speaker B

The clearnet site was taken offline. Yoshi attempted to allay any fears about the safety of Archetyp. Meanwhile, the DDoS attacks continued.

Speaker D

I think they ended up switching to another sort of anti-DDoS utility, probably DDoS-Guard. But other than that there's not really that many more measures you can take in that targeted of a kind of campaign other than just trying to wait it out basically and hope that all of your users will still stick around.

Speaker B

Now Sam Bent, who is a former darknet market vendor and admin turned YouTuber and darknet expert, among other things, spoke to a person known as Hugbunter who runs the Dread forum on Tor. In the interview he revealed that the DDoS attack was much more significant than people realized. As a result, Hugbunter suggested that Yoshi migrate Archetyp servers as soon as possible because the marketplace's guard relay was likely identified or compromised. Now to understand what this means, you have to understand a little bit about how the onion router, Tor, works, which involves three-hop circuits, Tor relays, rendezvous points, layered encryption and so on. So rather than that, let me try and give you an analogy. On the regular Internet, sending a request is like putting a letter in a single sealed envelope, handing it to the postal service and letting it travel straight to the destination post office. Every carrier along the way, your Internet service provider, backbone providers, the hosting company, can see both your return address and the destination address. But Tor works differently. You have the guard relay, middle relay and exit relay, in that order. But for this, we'll call them couriers. Imagine you're sending a parcel. To get to that final destination, that parcel has to be handed over to three separate couriers. Before you send it, the parcel is placed in a locked box. The box is placed in another locked box, which is then placed in another locked box. Each box has a label for one of the courier stops. You lock the outer box with a key, but only the first courier has the correct key to unlock. The first courier unlocks the outer box, learns who sent the parcel, and then passes the locked box on to another courier. The middle courier unlocks the next box and passes the last locked box to the third and final courier. That courier then opens the final box containing the parcel and reads the destination address and delivers it.
Because each courier only sees the box addressed to it, no single courier knows both who sent it and where it's going. This is why it's called the onion router. You peel back the layers of encryption as the data moves inward and outward. Now, I hope that makes sense, because just to add a layer of complexity, darknet markets are what's called hidden services, which unlike the clearnet, means that the traffic never actually leaves the Tor network via one of these exit nodes. But let's stick with the analogy of the parcel in the lockboxes. So imagine you want to send a parcel to a secret shop that never shows its address. That shop buys a few post offices, let's say three, where it will accept incoming parcels. It then writes a small advertisement revealing its three post offices and adds a secret signature so you know that it's really them. Meanwhile, you send a parcel locked in three boxes to a different post office, a neutral one. From there, you send a sealed knock to the shop to give the location of your neutral post office and give a one-time secret. The secret shop receives the knock. It checks the secret to make sure it's correct and places a parcel in three lockboxes and heads for the neutral post office. Once there, the neutral post office places the boxes together. Neither box is ever opened, but they can talk to each other. Okay, the analogy is going a little wayward here, but the point is that those two parcels are now connected, two encrypted circuits, and you never have to leave Tor. No exit node is used. Even the meeting place can't read the conversation, preserving privacy for both parties. Now, if we go back to Archetyp, if the guard relay, the first courier used by the market, was identified, law enforcement could obtain the guard's IP address and any logs the operator kept. Depending on the jurisdiction and the guard operator's logging policy,
a guard may keep basic timestamps and bandwidth statistics, and in some cases it also records the client's IP address. That IP can be rich pickings for investigations, and we'll come back to that later. Now Hugbunter pointed out that Tor's public metrics showed a fourfold spike in traffic across the entire network, which is exactly the kind of surge you'd expect from a massive DDoS attack on a darknet market. Who was behind the attack is unclear, although some speculation saw people point the finger to pro-Russian hacktivist group Killnet, who re-emerged earlier this year. Although TRM Labs told The Record that this new version seemed more cybercrime for hire rather than ideological, Hugbunter suggested that given the firepower that was aimed at Archetyp, it was most likely a ransomware gang who were possibly paid to do so by a competitor. He further suggested that it was possibly the same group that was responsible for a previous attack in February on Archetyp and Dread, and maybe those attacks were them actually advertising their services. And just to throw this in there, there was one ill-conceived message from Yoshi on Dread that's worth mentioning where he goaded specific users who threatened a DDoS attack.

Speaker A

Monday is officially over. Where is the DDoS?

Speaker B

One user replied.

Speaker A

At your service.

Speaker B

The comments below revealed that the service was down, but given the size of this DDoS attack, some users on Dread had another theory: law enforcement.

Speaker D

Some other users on Dread were hypothesizing that it could have been a law enforcement spearheaded project to try and deanonymize some of Archetyp's infrastructure or in forcing the admin to take contingency measures, but mostly setting up new mirrors for legitimate users to access the site, hoping that in the sort of chaos of doing that he'd slip up and reveal some more information about himself, like IP addresses for instance.

Speaker B

It's quite an interesting theory, and I must say it crossed my mind as well, because that spike, four times higher across the Tor network as a result of a DDoS, and the relays that are suddenly overloaded can be mapped to a few real-world data centers, and depending on the jurisdiction of where it's located, it could be subpoenaed with all the logs that are stored, and also it can be shut down. But this is nothing but speculation.

Speaker D

No one's been able to bring forward any kind of evidence that this was a law enforcement directed operation. The theories online are either it was directly from them, or they sort of outsourced another team to do it. But people on the dark web are very quick to point to any malicious activity going on being the result of law enforcement operation. And yeah, I'd be skeptical of that claim. I mean, this isn't the first time that we've seen a targeted DDoS campaign against a popular market. There was sort of a spate of them happening maybe like 2023, I think there was a huge spate of DDoS attacks, even against dread, against all the major markets. And that was allegedly just one disgruntled actor that was sort of trying to extort all of these Onion sites with a ransom in order to let them function again. So it could be the case that it's just criminal on criminal. There's no easy way to tell, unfortunately.

Speaker B

So what kind of damage did this DDoS do? Well, that's hard to quantify.

Speaker D

I remember during this time Archetyp would still be accessible and you know, if you were able to find the right circuit and get online, there was sort of no change really. Everything looked the same obviously when it comes to trying to carry out transactions and maybe your vendor can't get online to complete the order, or your buyer can't get online to send the cash, that obviously it makes the flow of the market a lot more difficult. So I can imagine that the cash flow, the transaction volume going through the market at that time probably dropped quite significantly along with people sort of getting worried and scared and pulling their money out of the market.

Speaker B

Eventually the attack appeared to stop and Archetyp limped on. Now, during all this DDoS chaos and uncertainty, in May, the site actually celebrated an anniversary, its five-year anniversary. And as Yoshi predicted, the site had grown to a significant size with over 600,000 users. And he marked the occasion with a Dread post.

Speaker A

I'm getting goosebumps when I look back to where we once started and where we are now. I plan to write a bit about our history and the last years, but I can't find the right words.

Speaker B

But not long after, the maintenance screen started popping up. Here's Sarah.

Speaker C

Archetyp kept having technical issues, essentially going in and out of maintenance mode all the time. Now, technical issues in itself on the dark web, especially on the dark web, is not that uncommon. But what was really, really unusual and what set people on edge basically was the silence around it. There was no information, no assurance from the administrator saying things like, we're aware of the technical issue, we're fixing it, hang tight. Instead of that, just silence. And as many pointed out, that was quite odd, especially because Yoshi and his team were quite communicative. So initially that is what started to fuel the panic.

Speaker B

At least weeks before that, Yoshi had gone dark. Now, Archetyp had several different payment methods. For example, the most trusted sellers could get payments directly from the buyer before they had received their order, a reward for the most reliable vendors. You could also send money directly to the vendor, limiting exposure to the site's own security. But most darknet markets use an escrow system between the vendors and buyers. The markets are the trusted third party in the transaction. In the case of Archetyp, a buyer deposits some Monero into their market account after the purchase is submitted. The money stays with the website until delivery is confirmed by the buyer. The market then releases those funds to the vendor's wallet on the market, which then needs to be withdrawn to their private wallet. Although this does appear to solve potential trust issues between the buyer and the vendor, that trust is transferred to the market. And this is where the problem comes in. Because one thing that is feared by buyers and vendors alike is an exit scam. The maintenance screen was a red flag to some. Now, an exit scam is when an admin of a site basically pulls the plug and disappears with all the money that's been deposited on the site by the vendors and users, usually allowing the escrow system to keep operating for a bit of time without allowing any withdrawals to maximize the theft. And this is a relatively common occurrence. Empire Market exit scammed in 2020, Bohemia in 2023. Tor2Door was also suspected of doing so that same year, and then famously Incognito in 2024. Now, Incognito is an interesting one because users began to report issues in the fund withdrawal process. The admin known as Pharoah claimed that this was due to an upgrade to the system. But eventually the penny dropped and it was revealed to be an exit scam. But this one was different, because after the exit scam, Pharoah returned, taking a leaf out of the ransomware playbook.
He tried to extort vendors, promising to release data on over half a million orders and nearly a million cryptocurrency transaction IDs. Extortion payments depended on the level of the vendor. Level one, it was $100, but if you were a level five, it was $20,000. Just a few months later, Pharoah, real name Rui Xiang Lin, a Taiwanese national, was arrested when arriving in the US in October, eventually pleading guilty to charges of narcotics conspiracy, money laundering and conspiracy to sell adulterated and misbranded medication. And just a side note, after Incognito exit scammed, Lin remodelled himself as a crypto crime expert and even trained law enforcement. Now with Archetyp, the Dread community didn't think it was an exit scam. Certainly given the statements Yoshi had written before, people couldn't believe that that's what was happening. Indeed, earlier we talked about the game section of the website. Well, on that video by Sam Bent, he showed a game called Deadpool where a user could actually place bets on how long competitor darknet markets would last. One comment on Dread said, "I don't think Archetyp will exit, I swear," before adding, "not trying to make a FUD, but this is my personal opinion." Ah yes, you might be wondering what a FUD is. Here's Louise.

Speaker D

It stands for 'fear, uncertainty and doubt'. But that is a pretty big term in Darknet circles. There's rules against spreading FUD, so it's a pretty pervasive problem of anytime there's sort of a problem on a market, users will start sort of sky is falling paranoia and writing lots of posts on forums. Yeah, saying how it's been infiltrated by law enforcement or an exit scam is imminent. It's discouraged on the forums, but it's always going to happen. I don't think that's really avoidable in this kind of space because no one really knows anything for sure. They don't know each other's identities. They can't really verify that someone is who they say they are, even if they've got the PGP signature at the bottom of all their posts.

Speaker B

But suspicions remained, and partly due to a security feature built into the site, auto withdrawal. The idea behind this was that even if the site went down, the auto withdrawal feature would kick in and automatically send your funds to you. The concept being that it prevents a possible exit scam. But almost universally across Dread, vendors were reporting that it hadn't happened and that they had no access to their funds. And because Yoshi was silent, people feared the worst. But the other theory was a law enforcement operation. Here's Sarah.

Speaker C

One was that law enforcement had quietly taken control of the website and was running it themselves. Which may sound outrageous, but this is exactly what had happened before with the Hansa market. Years before, when the Dutch police did not just take down the page, they first secretly ran it by themselves for a few weeks, gathering as much data on all the people involved as they could. So with Archetyp, when the page started to have technical issues, people were understandably anxious that the same thing might have happened again, and that they were all at risk of being exposed.

Speaker B

I mentioned an interview with Hugbunter, the owner of the Darknet forum Dread, on 12 June. He wrote a thread where he outlined all of the data he'd managed to gather on what the situation was as he saw it. Hugbunter talked about the DDoS attack, possibly exposing Archetyp, and how he urged Yoshi to complete a server migration, but then went on to point out some other disconcerting things for users. First, that there'd been no communication for almost 24 hours. This was unusual. As we've seen, Yoshi, under the username BigBoss, regularly gave updates and interacted with Dread users. But things were worse than that. Yoshi hadn't logged into Dread for four days. And then he pointed out something else. That maintenance screen. He said that it looked off, something unusual for a marketplace that took such care over aesthetics. For example, if the site was in legitimate maintenance, it would have used a pixel perfect layout matching the usual design of the site and use a specific styling and font. Hugbunter revealed that both of these aspects were wrong. He also highlighted that it was a static page with no backend connection, meaning load balancing using tools like Onion Balance wasn't functional and raised concerns about potential server misconfiguration, signalling either a rushed response or a deeper issue with the site's infrastructure. And finally, the clearnet site was down again. If you're migrating servers, this shouldn't be the case as they operate on different infrastructure. What was going on?

Speaker E

I have always been susceptible, especially when it comes to pleasure.

Speaker B

On 16 June, the news landed with a video.

Speaker E

Then I met this one guy. Better to be someone for a day than no one for a lifetime, I thought. He was right. So I started my own biz. You only need a logo, a catchy name, a website, and most importantly, products everyone wants.

Speaker B

Way back in September 2023, after a rival darknet market retired, ASAP, Yoshi published an open letter on Dread to governments and law enforcement and said, ominously...

Speaker A

I think this market will be in the focus of the government and consequentially law enforcement with an immense and disproportional amount of resources.

Speaker B

And he was right. The operation was called Operation Deep Sentinel, involving law enforcement from six countries alongside Europol and Eurojust. The logo for Operation Deep Sentinel was the blue Archetyp logo, rotated 180 degrees and turned blood red. Between the 11th and 13th of June, coordinated raids took place across European countries: Germany, the Netherlands, Romania, Spain and Sweden. Around 300 officers took part in the action. They were after moderators, vendors, the technical infrastructure and the admin Yoshi.

Speaker C

Germany in this case took the lead, which is not a surprise given that Yoshi was a German national. And to answer your question right away, yes, they did get him that day. That was the headline arrest that got everyone talking. He was eventually arrested in Spain, so Spanish authorities were also part of that operation, of course. Then there is the Netherlands. Dutch police were the ones who actually took the market offline. They seized the server infrastructure which was hosted there. Sweden was also involved along with Germany. They arrested a couple of high level sellers and some moderators as well. In total they had seized around 7.8 million euros worth in cryptocurrencies and other assets like phones, hard drives, luxury cars, of course drugs. So the usual in those types of operations, they seized.

Speaker B

The moment that caught the eye of everyone was when a video was released by the BKA, the German Federal Criminal Police, which showed a man in a white shirt with a black pattern on it being led away by three police officers in Spain. He had dark hair and appears to be wearing glasses with black frames. Obviously it's hard to tell, but the likeness was not too dissimilar to the central character in the graphic novel video released by Europol. This is believed to be Yoshi, according to a report out of the Spanish media who named an individual but are the only news service so far to do so. They reported that the man arrested was a programmer and musician and was living at the penthouse apartment in Diagonal Mar in Barcelona. In the Netherlands, Dutch police, so often playing a prominent role in cyber operations in Europe, had identified the market's infrastructure. It was in their country. I won't pretend that I know why Yoshi had the market infrastructure based in the Netherlands because certainly from the outside, for someone who was so knowledgeable and conscious of operational security, it seems odd to have chosen a location where law enforcement are so proactive against darknet markets. Here's Louise.

Speaker D

It is interesting because like you said, the Netherlands do have a very advanced, very active cybercrime task force within their law enforcement. I also agree that it could have been just due to convenience that there's more reliable infrastructure there than in a sort of non Five Eyes or 14 Eyes aligned country. I did see some interesting theories about how potentially the Archetyp Admin could have fallen victim to a fake bulletproof hosting provider. Now this is all speculation, but essentially bulletproof hosting is hosting providers that assure you that your site won't get taken down and they won't hand any of your details over to law enforcement if asked. So it makes it a really good utility for people wanting to host cybercrime sites. I'm not sure if you might have already come across this post on Dread, but there was someone theorizing about how if a bulletproof hosting provider was able to spoof their location and claim to be from a non extradition country or something like that, but actually have their servers hosted in the Netherlands, this could be a potential reason of why Archetyp decided to do this unknowingly. They also brought up the example of Hydra. Again, a lot of their servers were in Germany, which you might remember. And again, that is a place with undoubtedly good, fast and cheap infrastructure, but also a very active cybercrime element of its law enforcement and sort of very matured.

Speaker B

And this is the thing. The Dutch high tech crime unit have been involved in loads of different cases. The Hansa Market takedown, the EncroChat hack, Bohemia and Cannabia Market, the encrypted Sky ECC hack, and now Archetyp. Here's Sarah.

Speaker C

Beyond the Archetyp case, the Netherlands does indeed often take a lead in those cyber operations. One reason that they're involved so often is simply because of the high capacity of their Tech Crime Unit. If we compare their capacity to other European countries, it's quite clear that over the years they've built up a deep expertise in areas like the Tor network, crypto tracing, server forensics and the like. Then apart from capacity, just as important is the legal flexibility that they have in the Netherlands. Dutch prosecutors tend to be a bit more willing to authorize these types of operations, like digital undercover work, or in another example, running a dark web market for weeks where people buy and sell illicit drugs. That's not something that wouldn't as easily be allowed in many other European jurisdictions. Then combine that with the expertise that they have built over the years. They have now become a leader in this field.

Speaker B

On the day the news broke, a message from the BigBoss username appeared on Dread, clearly written by law enforcement. Starting with...

Speaker A

Hey, I am sorry to say, but I was arrested on the 11 of June.

Speaker B

Before going on to say that...

Speaker A

Law enforcement seized my devices and now analyze the heart of the market, the Archetyp database with all of your data from the last five years.

Speaker B

Before signing off with...

Speaker A

We are not Archetyp anymore.

Speaker B

The news unsurprisingly caused panic on the forums.

Speaker C

It only took a few hours, I think, before the Dread forum was filled with posts and messages about people in panic over their own risk. You'd see posts like did I screw up if I did this? Or can law enforcement trace my order? It's partially paranoia, partially actual damage control. And in that chaos, a kind of informal security lesson system emerged. More experienced users began posting operational security primers, do's and don'ts, even step by step guides on how to wipe your device. One of the more popular posts was it said something like, read this post if you only have five minutes to burn it all, meaning to clean all your traces. So for quite a long while, these forums shifted into pure crisis management zone.

Speaker B

Others, resigned to yet another market takedown, began searching for alternatives.

Speaker C

Messages on Dread were flooded with communication and information from those vendors with things like find me here on this page or contact me there or don't worry, you'll still get your order. We determined that the first place that many of those vendors went to was Abacus, followed by TorZon, MGM Grand, also DrugHub. These platforms are okay, they do the job, but none of them still they do not come closer to the skill of reputation that Archetyp had.

Speaker B

It's interesting to consider where Archetyp sits in the pantheon of Darknet markets. Yoshi was inspired by the ethos of Silk Road, but hoped to be seen alongside the likes of Dream and Agora.

Speaker C

I think it's safe to say that Archetyp was one of the most successful drug markets on the Dark web to date. I think that in the future it will be talked about in the same breath as, let's say, Silk Road or AlphaBay.

Speaker B

And this is a sentiment already shared by some users themselves. There was one post I came across that kind of summed up the mood. It was titled 'I miss you Archetyp', which read like an obituary for a person rather than for an online illicit drug market. But still.

Speaker F

It's been a few days since we found out this place was seized and nothing feels the same. I miss how easy it was to communicate with my vendors about orders. I miss the beautiful user interface and design of this website the most. I have to use Abacus, where I've had plenty of issues beforehand. I'm missing a few vendors and it's an eyesore to use.

Speaker B

We'll come back to Abacus in a second.

Speaker F

I really hope these websites start to fill the hole in my heart Archetyp left when it was taken from us. I will never forget you, Archetyp. I miss you. Please come back one day.

Speaker B

Here's Louise.

Speaker D

Yeah. When a market has been around this long, it does kind of get a lot of cheerleaders. There's obviously it's very difficult verifying information on the Darknet for the sake of anonymity, so people can get quite, quite emotionally involved in the sites that they use.

Speaker B

If I'm honest, I do kind of feel sorry for the author of 'I miss you Archetyp' because, well, Abacus...

Speaker D

Abacus, you might know, has already disappeared from the scene. I think a few weeks maybe, or maybe a month after the Archetyp bust, the site became inaccessible. People can withdraw their cryptocurrency and the alarm bells start ringing. No official statement was ever made, unlike the Archetyp admin that was keeping users updated every few days up until their arrest on the status of the market. This was more of a classic assumed exit scam, where everything just goes dark and there's no communication. It could be possible that they were struggling to deal with the level of new membership, so people joining up and putting a strain on the site due to all that extra traffic. They may have seen the amount they've already made and decide to just cut their losses. Or they may have feared becoming the new number one market because that does put a target on your back.

Speaker B

Oh dear. Abacus exit scammed. The admin claimed it was shut due to a DDoS attack and the weight of new users following the Archetyp takedown. Either way, Abacus is also now gone. And this is actually really interesting. Remember what Yoshi said in the wake of ASAP market going down? He said that Archetyp would now be a major target for law enforcement. And he was right. The Abacus admins may well have come to the same conclusion after the takedown of Archetyp. Seeing the target shifting in their direction, they decided to shut up shop and disappear, taking their users' money with them. Some users were obviously really angry about this, and understandably so, but others provided a gentle reminder about the reality of these markets.

Speaker E

It's all in the game. We aren't ordering off Amazon here. It's an illegal online drug market. Use at your own risk, don't keep funds on the market and don't get complacent.

Speaker B

Wise words indeed. And there were a number of people who were, granted, incredibly irritated by the situation, but begrudgingly acknowledged the risks admins take running an online illicit drug market and can understand why they exit scammed.

Speaker D

Yeah, I guess they will sort of understand that logic and wanting to get out while you can. Some people do still have a very kind of like honorable position on it and will get really annoyed that a market doesn't like they don't even say goodbye. They don't even tell you, oh quick, take all your money off the market. We're shutting down in the next two weeks, which some markets they will do. But I can kind of see the logic of like, you're already doing something illegal, the people using the site are doing something illegal, so why not just take all their money?

Speaker B

At the start of this episode, we heard some words from Yoshi. That interview was in the early days of Archetyp, and there was a striking moment where the interviewer asks, what will you be doing in five or ten years? Yoshi responds with...

Speaker A

In five years, Archetyp will be the dominant European marketplace for drugs, and I'll continue diligently working on new features to offer users the best experience. We'll keep running the market until we've dethroned Dream in terms of market run time. After that, we can follow in the footsteps of Agora and Dream, slowly retire and make way for the next marketplace.

Speaker B

Unfortunately for Yoshi, Archetyp didn't quite beat Dream Market for longevity, but it was close. Dream Market opened in the wake of the closure of Silk Road and lasted until 2019, when consistent DDoS attacks and a suspected ransom demand from an unknown hacker forced him to close. And just a side note, a senior vendor and admin for the site, known as OxyMonster, real name Gal Valerius, was arrested in the US in 2017 after arriving to attend the World Beard and Mustache Championship. Agora Market, which also emerged in the post-Silk Road world in 2013, closed just two years later citing security concerns. The main admins of Agora and Dream Market have never been arrested, so you can see why Yoshi used these successful examples as blueprints.

Speaker A

In 10 years, I'll proudly read in the Scene's forums how users mention Agora, Dream and Archetyp in the same breath. Like every former market admin, I'll probably be living in Belize.

Speaker B

Unfortunately, his dreams of slowly bowing out to a quiet life in Belize were just that, a dream. And so the question inevitably is, what comes next? As we've heard, Archetyp was just another darknet market taken down by law enforcement, much like Hansa, AlphaBay, Silk Road and the like. But the community that surround these markets are resilient and have been through these types of events time and time again. Indeed, one person on Dread said that Archetyp had an incredible run and set a high standard for markets to live up to in the future. A testament to Yoshi's hard work, but also illustrative that these markets are not going anywhere and the users expect things to carry on. And of course, there is a lot of money on the table for those willing to use their skills and knowledge and also take the risk to build new markets to serve these customers. But law enforcement will be combing through the gathered intelligence looking for more potential convictions. Here's Louise.

Speaker D

The total assets seized from the Archetyp operation was somewhere in the realm of 7 million euros, which is quite massive. But we can say that law enforcement are definitely, they're improving with sort of each time, they're definitely more active in taking down or surveilling and monitoring these sites. And with each successful bust, you could sort of expect them to keep improving as the wealth of intelligence that they get from these busts, databases that the market admins have kept, cryptocurrency addresses, things like that, that's only going to enable them to make more connections between more actors and then probably more arrests.

Speaker B

So perhaps there will be a change in strategic thinking for law enforcement. Indeed, according to TRM Labs, some law enforcement agencies are focusing their energies more on vendors rather than darknet market admins, apparently for greater disruptive impact. And we can see examples of that from May this year, when the U.S. Department of Justice and Attorney General Pam Bondi revealed the result of Operation Raptor, an international law enforcement collaboration that took down 270 vendors, buyers and administrators from across the world. $200 million worth of fiat and cryptocurrency was seized. Two metric tons of drugs, including fentanyl, and over 180 firearms. That being said, likewise, the takedown of Archetyp Market was a success. It's yet another in a long line of darknet markets that have suffered this fate, only for new ones to appear pretty quickly. Here's Sarah.

Speaker C

Law enforcement can absolutely take down markets, yes. And with Archetyp, they did it quite cleanly. Administrator gone, server seized, infrastructure also gone. But what the operation didn't do and what other takedowns cannot do is take down the broader ecosystem. So when a market goes offline, users and vendors are left in the dark for a while, there's some chaos, but then eventually they do regroup in one way or another. And by now they've been through enough market takedowns that the process of picking up the pieces again has become a bit of a routine. They know what to do and how to do that quickly. Archetyp itself arose out of that same cycle when other markets before it were taken down. So after Silk Road, then AlphaBay and now Archetyp, I would say it is only a matter of time before the next big market shows up.

Speaker B

And so to conclude that open letter to governments and law enforcement that I mentioned earlier, it was published by Yoshi on Dread in September 2023. He wrote it because just weeks earlier in July 2023, one of the top darknet markets at the time called ASAP Market, had decided to close with the admins planning a retirement, giving users and vendors a month to complete all orders and withdraw their funds from the site. It closed at the end of the month. The open letter is quite long and it's a little wild, such as comparing ibuprofen to illicit drugs sold on the website, which is a little bit of a stretch considering the site allowed the sale of things like fentanyl. He talks about society and corporations, some of which is fairly legitimate. He even says he's sorry for every.

Speaker A

Negative impact this site also has, but I am also confident that we saved more of them with this platform.

Speaker B

And this is because users avoid having to be involved with street dealers or violent gangs. Anyway, it's an interesting read and I think it shows he understood the game he was involved in because towards the end of the letter he said this.

Speaker A

You may arrest me tomorrow, you may arrest me in a week. I'm not hiding in paranoia and I'm not running after this letter. You might rub your hands when you get me for having the audacity to address the real issue you should work on. I will be replaced overnight. Even the entire market will be replaced with the next head of the hydra in no time. This is bigger than you and me. Please start working on the root cause. We are a symptom. We are Archetyp.

Speaker B

That's it for this episode of Deep Dive. A special thank you to Sarah and Louise for speaking to the podcast. Sarah's article An Archetypal Drug Market is available in the show notes along with a long list of links related to this topic. Check out the GI's research into organized crime around the world by visiting our website globalinitiative.net and this has been Deep Dive from the Global Initiative Against Transnational Organized Crime. Thanks for listening.