German authorities announced today that they had taken down the Germany-based servers of Hydra Market—the largest Russian-speaking darknet market—and closed it. They also confiscated 23M Euros (about $25M) in Bitcoin. The steps follow an investigation with the participation of German and U.S. law enforcement, which started in August 2021. According to German authorities, the market had 17 million users as of April 2022.
News of Hydra’s takedown reached Russian-speaking illicit communities in the early hours of April 5 and prompted heated discussions about the actual state of the market, its future and its potential replacement, given that its size was unprecedented and an increasing number of threat actors have relied on criminal services offered on Hydra. The administrators of Hydra reportedly claim that the market is undergoing “technical works” and have not acknowledged the takedown.
Hydra was primarily known to facilitate the illicit sales of narcotics, but also cryptocurrency laundering, fake documents, and other illicit digital goods. Active since 2015, Hydra opened as a less-antagonistic option to its now-defunct competitor, Russian Anonymous Marketplace (aka “RAMP”), which was notorious for eliminating its competition via DDoS attacks and operator doxing. Following the takedown of RAMP, Hydra built networks across Russia’s regions and helped to vertically integrate some aspects of drug production and trade Hydra’s annual transaction volumes swelled from $9.4M in 2016 to $1.37 billion in 2020.
Last year, Flashpoint and Chainalysis published a whitepaper on Hydra’s role in the global cryptocurrency laundering system, which you can view here. The paper analyzed the growing amount of illicit funds passing through Hydra-associated wallets and how the market adapted to increasingly strict KYC and AML roles on cryptocurrency exchanges by sellers offering various cashout services ranging from transfers using compromised P2P exchange accounts, to “hidden treasure” cashout, where cash is hidden at a specific location, often underground.
Analysts observed cryptocurrency cashout offers on Hydra as late as at the end of March, even as Western sanctions have greatly limited conventional financial flows to accounts in Russia.
Threat actors react to Hydra’s closure
Reacting to the news, users of several Russian-speaking illicit communities were trying to guess what the future held. As of April 5, most threat actors in Flashpoint datasets who voiced an opinion seemed to believe that Hydra was over and done with, even as the administrators pledged to make the market operational within days. A minority adopted a wait-and-see approach, pointing out that whether Hydra administrators had also lost access to server backups was unknown, but most threat actors expressed the view that a large number of smaller shops will replace the large marketplace. Some also pointed that a pervasive fear that authorities or malicious actors may use the takedown to set up fake versions of Hydra in order to track down former users and sellers, may dent interest in the market, even if it is set up again.
Recommended: The Great Cyber Exit: Why the Number of Illicit Marketplaces Is Dwindling
The future of Hydra
Pointing in this direction is the fact that analysts have observed shops previously active on Hydra relocating their activities exclusively to Telegram. Decentralized, Telegram-based marketplaces uniting several sellers are another possibility. Televend, a recently closed service, did exactly this. However, due to the existence of the aforementioned networks that helped Hydra grow into the largest dark web market, this disintegration is certainly not a done deal.
Detect, prioritize, and mitigate cyber risks with Flashpoint
Never miss a development across illicit communities and protect your assets, stakeholders, and infrastructure by identifying emerging vulnerabilities, security incidents, and ransomware attacks. Sign up for a demo or free trial and see Flashpoint’s extensive collections platform, deep web chatter, and dark web monitoring tools in action.