1) They were investigating AlphaBay for nearly 3 years
2) They came upon somehow control of an email address which contained 3 year old mail that contained the password reset email
3) They are capturing and storing large amounts of tor traffic much like the NSA does on clearnet see: xkeyscore
Apparently, he leaked the email address in an early email sent to site users. It contained his real first name and birth year, and he used the address on several other sites.
When he was busted he was logged in to the site, and had several passwords/keys stored in plaintext on his machine.
They could have gained knowledge of the email address through classified means, and made up the email header story to hide their method of initially obtaining it.
Honestly it doesn't seem that interesting - browsing /r/DarkNetMarkets, dnstats and just signing up yourself is enough. I've signed up for a few for shits and giggles but never bought anything, browsing is pretty interesting. You just need to find one person like me who'd be willing to give them the email... not exactly hard.
Perhaps it's from someone they were investigating for other crimes. I mean, it doesn't seem beyond the realm of possibility that law enforcement were going after say, a drug dealer who was using the site to sell goods, and found the welcome email from the platform he or she was using in their inbox.
Isn't it likely that a number of recipients did not delete that particular message? Also that a number of them sold drugs by mail order, not uncommonly a short lived profession?
1) They were investigating AlphaBay for nearly 3 years 2) They came upon somehow control of an email address which contained 3 year old mail that contained the password reset email 3) They are capturing and storing large amounts of tor traffic much like the NSA does on clearnet see: xkeyscore
This isn't really explained in the indictment