Crypto, Cash-outs, and Closures: Surveying the Darknet Ecosystem in the Wake of Hydra Market

On the one-year anniversary of Hydra’s seizure, Flashpoint explores how threat actors have adapted to fill the market’s void and fuel their illicit aims—from narcotics transactions to money laundering.

April 5, 2023

Down goes Hydra

Today, exactly one year since German authorities seized Hydra Market, leading to its closure, we’re publishing key findings of our investigation of the aftermath—namely how threat actors have adapted, struggled, and innovated in order to fill Hydra’s void and fuel their illicit aims. 

At its peak, Hydra Market was the single largest darknet market as well as the largest marketplace for online narcotics in countries of the former Soviet Union. Its unrivaled size, reach, and complexity, its vertically integrated network, and its status as a crucial hub for illegal cryptocurrency cash-out services made it a significant player among darknet marketplaces. In 2020, its turnover was more than $1B. Its closure on April 5, 2022 created a seismic shift in the Russian-language darknet marketplace landscape.

Overview

Written by Flashpoint’s Intelligence Team, this report is also supported by research from blockchain intelligence firm TRM Labs. As we detail below, Flashpoint observed a considerable decrease in the volume of money being handled by crypto wallets linked to dark web markets. And, as we’ve previously reported, new markets have aggressively vied to take Hydra’s place, but U.S. government sanctions have so far prevented any from reaching its level in terms of breadth, reputation, and trust. As a result, threat actors have migrated elsewhere, including to forums like “RuTor” and decentralized Telegram-based shops, and have even switched to offline transactions for physical commodities like narcotics.

Almost a year after Hydra’s takedown, five markets—Mega, Blacksprut, Solaris, Kraken and OMG!OMG! Market—have emerged as the biggest players based on the volume of offers and the number of sellers. 

However, these developments do not mean a complete departure from darknet markets, or DNMs. As long as these actors avoid arrest, the general darknet market landscape appears capable of healing itself.

Now, let’s dig in.

Mixers, exchanges, and new markets

The takedown of Hydra Market undoubtedly caused a major rupture in the Russian darknet market ecosystem. In its wake, the US has also sanctioned several mixers and risky exchanges that handled stolen funds and had exposure to Hydra wallets.

Among them are Bitzlato, Garantex, Chatex, and Blender. Of these, Bitzlato had the highest exposure to Hydra. According to TRM Labs, the exchange sent $125 million to Hydra and received over $170 million from Hydra between 2015 and 2022. 

Nonetheless, threat actors adapted, with many choosing to move to the “RuTor” forum for communications and to decentralized platforms such as Telegram-based shops for drug advertisements, as well as offline sales. Russian-speaking DNM customers were historically frequent users of RuTor, where they would exchange information. In fact, much of the Russian-language DNM ecosystem emerged from such forums. However, in the wake of Hydra’s takedown many Russian vendors set up independent vendor shops and automated Telegram shops employing Telegram shop bots, although this did not imply a wholesale move away from DNMs. 

Mega, Blacksprut, Solaris, Kraken and OMG!OMG!

Almost a year after Hydra’s takedown, five markets—Mega, Blacksprut, Solaris, Kraken and OMG!OMG! Market—have emerged as the biggest players based on the volume of offers and the number of sellers. 

According to TRM, OMG!OMG! had already amassed $12.15 million in sales by the end of its first month in operation (April 2022). As of this publishing, Mega appears to be the biggest of the five Russian-language DNMs. Mega received nearly $40 million in March 2023, followed by Blacksprut with around $20 million. In that same period, Kraken took in $10 million.

In the same period, Flashpoint observed 5,755 listings on OMG!OMG!; 5,030 on Mega; 4,849 on Solaris; 4,313 on Blacksprut; and 2,095 on Kraken, which was a late addition to the competition. This data suggests that while vendors spread offers more evenly across the markets, buyers showed a clear preference for Mega.

Cyber warfare among darknet markets

Since the summer of 2022, the aforementioned markets have waged war against each other, involving the spreading of rumors, the doxing of administrators and staff members, distributed denial of service attacks and breaches. 

In the most recent chapter of this conflict, the allied DDoS-for-hire groups Killnet and Deanon Club targeted several of the major DNMs, most prominently Blacksprut, in November 2022, and Mega, in March 2023. The two groups seem to have allied themselves with Solaris, a marketplace that Killnet and its founder Killmilk have even advertised. This caused consternation among the group’s followers, who pointed out contradictions between the group’s earlier criticism of narcotics marketplaces and its apparent embrace of one of these markets.

In October 2022, a cryptocurrency address associated with Solaris Market was found to have directly sent approximately $50,000 to Killnet as payment for a DDoS attack that Solaris Market had instructed Killnet to conduct against RuTor, a forum that provides support to Solaris’ competitor OMG!OMG! Market.

Cryptocurrency cash-out services on the new markets

Cryptocurrency cash-out services nested on Hydra could, by definition, not move offline, unlike narcotics sellers. For these services, the cost incurred after the Hydra takedown has been associated with reestablishing themselves on new platforms, often under new names. These sellers offer virtually the same kind of services as their predecessors on Hydra:

  • Payments to Russian payment systems, such as QIWI, Tinkoff or Alfa Bank, are almost always supported; often, so are prepaid bank cards. Many services now offer conversion not only to fiat money or Monero (a privacy-focused cryptocurrency used by cybercriminals), but also to USDT, perhaps reflecting concerns about Bitcoin’s exchange rate volatility. 
  • Unlike English-language DNMs that tend to deliver through the mail, Russian-speaking DNMs distribute their wares as “klad” or buried treasure, where couriers hide drugs at pre-agreed locations for buyers to collect. Some sellers also apply this klad model to cash-out services.
  • Commissions can move in a wide range, up to 15 percent, based on the “cleanness” of the cryptocurrency or fiat money that comes out of the operation (measured as the percentage of money of suspect origin, which may trigger a review by Russia’s financial monitoring agency). Additional surcharges depend on how the buyer wants to receive the money. 
  • Txids, a mixer that has been around since 2017, guarantees a cleanness of 0-35%, with a sliding scale of commission.
  • Dark Swap, the partner of the hacktivist group Killnet on the now quasi-defunct Infinity forum, takes an 11 percent commission for crypto mixing and 8 percent for cleaning cryptocurrency—enough to bypass AML checks. 
  • Some services can exchange money automatically, using an API, up to a certain sum (typically around 20,000 rubles – $260), while other services require an interaction between buyers and sellers. 
  • Several services highlight that they maintain physical offices in Russian cities. Many have opened offices in cities in Turkey, the United Arab Emirates or even Western Europe, which is notable, considering the exodus of Russian citizens fleeing the draft and the consequences of Russia’s war against Ukraine in 2022. For instance, an exchange service advertised on the WWH-Club forum claims to have offices in Antalya, Istanbul, Barcelona, and Dubai. 

Volume of cash-out services on other markets

Figure: Market listings containing language suggesting cryptocurrency cash-out and mixer services, April 6, 2021 – April 5, 2022. (Flashpoint)

Figure: Market listings containing language suggesting cryptocurrency cash-out and mixer services, April 6, 2022 – April 4, 2023. (Flashpoint)

However, the lower volume is likely not due to these services disappearing altogether. Cryptocurrency cash-out services are not, and have never been, advertised only on dark web markets. The takedown of Hydra coincided with a large increase in posts discussing cryptocurrency cash-out and mixers on forums in Flashpoint collections. The number has remained high since, suggesting that the conversation (and offers) merely shifted from one type of platform to another. The advertising and discussion of cryptocurrency cash-out services and mixers also increased significantly on Telegram, especially in late summer 2022 when the “war of marketplaces” seemed to peak.

The shadow of Hydra

Hydra, which had a long-standing review system and significant entry barriers for potential sellers, provided a useful platform for vendors, including crypto launderers, to prove that they were trustworthy. The trust Hydra commanded among users is obvious from how Kraken Market, which claims to be a project of former Hydra administrators, even designed its logo to make it similar to Hydra’s. In fact, there’s no evidence that Hydra and Kraken were developed by the same team. 

Due to the concerted law enforcement action (and successive sanctions) against Hydra, cryptocurrency cash-out services are often wary of running under the same name as they did on the now-defunct market. However, they are still interested in regaining their former clientele. Thus Flashpoint analysts have observed several cash-out services and their users stating that the service in question had been present on Hydra, typically in a positive context.

The volume of offers containing cryptocurrency cash-out services in darknet markets has still not reached the number of such services advertised on Hydra before its takedown. In the eleven months before the takedown of Hydra, Flashpoint observed 431 listings using language associated with cryptocurrency cash-out services on Hydra alone. In the eleven months since, the five main successor markets accumulated only 280 listings (see graphs below).

Given that these stores often operate under new names, it is difficult to assess with absolute certainty whether they were present on Hydra or just planting the reviews for publicity. However, Flashpoint’s cryptocurrency analysis performed in September 2022 found that some of the exchanges that received funds from Hydra (e.g. Bitzlato, MINE exchange, Bitpapa) were also receiving funds from OMG!OMG!, Mega, and Blacksprut (data for other markets was, at that point, not available). TRM Labs adds that eight of the top 10 mainstream exchanges that received funds from Hydra before its shutdown also received funds from its successor entities over the subsequent year.

This suggests some continuity in the financial infrastructure of funds leaving darknet vendors following the takedown. However, 334 cash-out service entities (mainstream exchanges, high-risk exchanges and mixers) that received funds from both Hydra and its top five successors (Mega, Blacksprut, OMG!OMG!, Kraken and Solaris) showed an overlap of just under 50 percent.

The sanctions effect

Sanctioning the various actors in the global cryptocurrency laundering and cashout ecosystem has caused disruptions for these services. At the same time, the takedown of Hydra Market pushed cryptocurrency cash-out providers onto other platforms. However, as long as these actors are not apprehended, the market seems to be able to heal itself and adapt. Apart from mixers and cashout services that assume new identities, new mixing services, such as “Sinbad”, used by North Korea’s Lazarus Group, also appear.

The growing symbiosis taking place within the Russian-language DNM ecosystem between hacktivist groups, on the one hand, and Dark Web markets and cryptocurrency exchange services on the other hand, is a novel development and represents a further challenge for investigators tracking the movement of illicit funds.
