Has there ever been a darknet vendor busted by LE, then had their account used as a honeypot? : OpSec | Torhoo darknet markets
Has there ever been a darknet vendor who was busted by law enforcement, law enforcement got their PGP key pair & login, & used the account as a honeypot? What were the signs of this having happened?
It happens more often than you think. Some examples (but at a larger scale):
Hansa Market (2017)
Dutch police secretly took over the market for about a month before shutting it down after arresting the admins. They gained access to the server infrastructure and admin accounts.
While undercover, they collected messages and transactions, logged users' PGP messages and decryption attempts, and modified marketplace code to deanonymize vendors and buyers.
Signs of takeover: changes in site behavior (for example, auto-decryption of messages that previously required manual PGP usage); subtle UI/UX changes and performance differences; increased arrests shortly after migration from AlphaBay (which was seized simultaneously).
Silk Road 2.0 / Alphabay
After takedowns, LE reportedly used seized messages and credentials to pursue further arrests. No known cases of long-term impersonation of specific vendors; however, data from seized servers was heavily utilized.
Signs a vendor account may be a honeypot
- Strange PGP behavior (Previously required PGP is now optional or auto-decrypted)
- Too-good-to-be-true listings (unrealistically low prices, perfect stock, or fast shipping promises)
- No longer negotiating or haggling like they did before
- Change in communication style (Grammar, tone, or vocabulary differs from earlier messages; replies become unusually formal or delayed)
- Sudden reappearance after a long absence or bust (Vendor disappeared for weeks/months, now back with identical profile and old reviews; despite rumors of arrest or doxxing, the vendor claims "all is fine".)
- Overly eager to transact (Pushing for rapid orders; unusual willingness to bypass escrow or accept odd terms.)
- Law enforcement language clues (Formal signatures, disclaimers, or odd timestamps.)