A major underground platform that caters primarily to Russian criminals is offline after a German police raid. The Hydra darknet market was taken down by the Central Office for Combating Cybercrime (ZIT) and the German Federal Criminal Police Office (BKA); the agencies estimate it had an annual turnover of $1.35 billion, which would have made it the largest darknet market in the world prior to the raid.
Hydra darknet market out of business after “lengthy investigation”
The Hydra darknet market was a central forum for criminals to sell illicit drugs and offer money laundering services, with the majority of these services operating out of Russia. It had about 17 million users and 19,000 registered seller accounts prior to the bust. The investigators believe the Hydra darknet market has cleared over $5 billion in cryptocurrency since it was founded in 2015.
While more conventional crime was the focus of the forum, the Hydra darknet market also trafficked in cyber crime to some degree: the site had sections for the sale of stolen files, as well as hosting the advertisements of hackers and forgers seeking work. Transactions on the site were obfuscated by a bitcoin bank mixing service, presumably also seized by authorities.
German police were able to seize 543 bitcoins from the Hydra darknet market’s accumulated profits, an amount that equates to about $25 million. Those who attempt to visit the site are now met with a BKA page indicating that the site’s infrastructure has been seized. Though the site appears to have been fully taken over by authorities, there has been no word yet from the investigating agencies about the identities of its operators. It appears that one has been charged by the US Department of Justice (DOJ) with conspiracy to distribute narcotics and engage in money laundering.
The agencies declined to say how long the investigation that led to the takedown of Hydra darknet market was, but did indicate that it was “lengthy.” They also indicated that it remained ongoing, most likely as the seized hardware and accounts are scoured for further leads.
Potentially devastating blow to organized crime in Eastern Europe
Drug trafficking in Russia and bordering Eastern European countries relied quite a bit on the Hydra darknet market, with criminal cartels arranging pickups at geotagged locations via the site. Those operations have suffered significant disruption at this point, not to mention whatever clues the authorities might pick up from the seized Hydra infrastructure that could lead to individual players.
The operation has also likely disrupted the preferred money laundering operations of many cyber criminals in the region. The Hydra darknet market services generally either exchanged cryptocurrency for rubles, or arranged geotagged dropoffs of various forms of cash similar to the way that drug sales worked.
The US Department of the Treasury’s Office of Foreign Assets Control announced that it has put sanctions on Russian cryptocurrency exchange Garantex, which has ties to the Hydra darknet market. It reports that it is investigating over 100 Garantex accounts thought to have done business through Hydra related to facilitating ransomware payments. Garantex was founded in Estonia in 2019 but primarily operates out of offices in Moscow’s Federation Tower, a location that has become notorious for headquartering various cyber crime operations. The company had its license to deal in virtual currencies taken away by Estonia in February of this year after an investigation by the country’s Financial Intelligence Unit determined that wallets it hosted were engaging in criminal activity.
The Hydra bust follows a 2021 Europol operation that shut down the DarkMarket site and led to the arrest of some 150 associates, some of whom were operating through a web hosting service called Cyberbunker that was located in Germany. Like the Hydra darknet market, DarkMarket primarily dealt in facilitating the sale of illegal drugs but operated throughout western countries. This included a major US operation headquartered in Houston. That site was a considerably smaller bust by comparison, however, with only about half a million users and 2,400 vendors working through it.
The raid puts an end to what was essentially the Amazon of underground markets, but history has shown that another will rise to meet the demand for these various illicit services. This dates back to Silk Road and Agora in the mid-2010s, which were followed by AlphaBay and Hansa just prior to Hydra taking the crown. As a new central market builds up, history also shows that there will be a lot of exit scams pulled on the hapless criminals that use them. In some cases these markets lasted as little as a few weeks before pulling the rug out from under users.
Chris Olson, CEO of The Media Trust, gives some perspective on the size of this market and the inevitability of the creation of a site that rivals Hydra in size (possibly involving some of its former operators that manage to evade arrest): “The shutdown of Hydra is a small win for cybersecurity, but a win nonetheless. Attackers who target consumers for credit card details and other personally identifiable information (PII) can’t use it directly without risking discovery and arrest; therefore, they sell this information on darknet markets instead. Without them, the incidence of cybercrime would undoubtedly decrease. Unfortunately, Hydra represents a minuscule drop in the bucket of global cybercrime, which will cost organizations (and therefore consumers) about $10.5 trillion per year by 2025. Cyber actors have perfected the pipeline from Web and mobile-based phishing attacks to darknet markets which we will not name, and new ones are opening all the time. In truth – if past precedent is anything to go by – Hydra operators will likely take their digital assets and resurface in the near future under new identities and domains.”