Hydra Market research
Hydra Market was the single largest darknet market as well as the largest marketplace for narcotics in countries of the former Soviet Union. Unrivaled in its size, reach and vertically-integrated network, its turnover was more than $1B in 2020.
Of course, that’s no longer the case.
The takedown of Hydra Market in April by joint German and US law enforcement was more than just a major drug bust. It removed a key piece of the Russian-language illicit online ecosystem. Along with its drugs trade, Hydra also increasingly hosted sellers of cybercrime tools and services, such as cryptocurrency laundering, as Flashpoint and Chainalysis detailed in an immensely popular 2021 white paper.
On June 8 at RSA, we will talk about the rise and fall of Hydra and its role in the global cryptocurrency laundering system. Our panel will present findings combining threat intelligence and blockchain investigations to show how sellers and, increasingly, cybercriminals used the market to launder their ill-gotten gains, plus what lies ahead now that Hydra is gone. This article serves as a preview of these findings.
Down goes Hydra
Following the takedown of the market, former Hydra users and sellers started organizing on the forum RuTor, with a significant number of users in the thread awaiting the resurrection of Hydra. While users initially hoped the market would be reopened from a backup, they quickly became suspicious of fake sites run by law enforcement.
Users’ initial reactions also focused on the potential consequences of the seizing of the servers and the arrest of Dmitry Pavlov, Hydra’s cofounder, in Moscow. Law enforcement agencies – both in Russia and in Germany – were thought to have obtained significant data on internal communications and transactions related to the market, which could lead to further investigations.
One member tried to reassure other users that due to the war in Ukraine there was little chance that Western law enforcement agencies would share this data with their Russian counterparts. In the weeks that followed, this view became more widely accepted among former users, especially as evidence emerged of an actual breakdown in communication between Western and Russian authorities on cybercrime.
On RuTor, forum users set up threads to connect sellers and buyers active in various Russian regions. However, these threads were unable to replicate Hydra’s automated and efficient user interface or Telegram bots, so the conversation quickly turned toward what alternative marketplaces the now-unavailable shops would reappear on.
Users on RuTor have mentioned various Hydra alternatives – apart from RuTor itself, which has also been rumored to be favored by some former Hydra administrators as the new platform. However, several former Hydra users have expressed frustration over the fact that the alternative markets have been unable to handle the influx, plus other issues which we detail below.
New and existing markets
As of early June, six weeks after the takedown of Hydra, Flashpoint analysts have not seen a single dominant marketplace emerge. Instead, sellers and buyers seem to have departed to Telegram and several pre-existing markets, which have seen a relatively large influx of products, services, and money.
It is possible that users prefer existing markets because they fear that new sites popping up could be run by law enforcement. However, Solaris, a new market that appears to be run by former top sellers on Hydra, seems to buck this trend. The market experienced a rapid growth of interest in May.
However, RuTor users have raised several problems with these markets, suggesting that none of them has so far built the necessary infrastructure to replace Hydra. Users seem to mainly value high reliability and easy money transfers, and as of early June 2022, none of the sites has been able to provide this.
As of early June, OMG, which conducted an aggressive ad campaign following Hydra’s takedown, still had an edge over the others, but no clearly dominant position. According to a mid-May survey of narcotics buyers on the “DrugStat” Telegram channel, 28 percent of respondents who buy narcotics from online platforms used OMG; 22 percent used Telegram; 18 percent used Mega, and 10 percent used Solaris.
Flashpoint analysts also observed threat actors on Telegram advertising phished accounts of both users and vendors from other shops. Previously, a similar market of phished Hydra accounts existed. The advertisements—which arose with remarkable speed as threat actors adapted to the new situation—support anecdotal evidence of scammers on the new marketplaces.
Hydra’s takedown—and the sanctioning of the cryptocurrency exchanges Chatex and Garantex—has also had repercussions on the market for cryptocurrency cash-out services, as, prior to the takedown, Hydra had been emerging as a major hub of illegal cash-out services.
As long as the alternative markets continue to face problems with their infrastructure, it is unlikely that any of them will take over Hydra’s position in this market. However, Flashpoint analysts have seen a growing number of cash-out offers on OMG.
Similarly, analysts have observed a significant increase in posts by Russian-speaking threat actors looking for cryptocurrency mixers, another key service previously offered by Hydra.
Almost immediately following the takedown, many shops that were previously active on Hydra relocated their activities exclusively to Telegram. The rise of Telegram shops is notable (though not entirely new), given that these stores are often rudimentary and do not provide vital features such as a review system or an escrow, which can strengthen trust between vendors and buyers.
However, Telegram shops are less vulnerable to takedowns and cyber attacks, they do not require users to download Tor—risking repressive actions from the Russian authorities—and they typically offer a quicker and smoother user experience than many of the markets—even non-tech-savvy users can purchase narcotics using Telegram on their phones. It remains to be seen if this ecosystem becomes a rival to darknet markets. Telegram shops do not provide a review system, but a Telegram channel briefly existed that listed actual and scam vendors from Hydra.
The fight between various marketplaces for their place under the sun demonstrates the significance of Hydra in the Russian-language segment of the Dark Web. And while narcotics sales can go local or go offline, offerings such as cybercriminal tools and cryptocurrency laundering cannot. The ability to safely cash out illicit funds was a major pull for a number of big players in the cybercrime space: major ransomware collectives, as well as marketplace and card shop operatives.
Circumstances have not changed. The disruption of global financial flows between the West and Russia, and the continuing tightening of cryptocurrency regulations mean that threat actors will continue to demand reliable cash-out services that also protect their anonymity. It remains to be seen how many heads this new Hydra will grow. Flashpoint will continue to observe and analyze the birth of these new beasts.