Threat intelligence firm Flashpoint and blockchain forensics firm Chainalysis reported that the Russian dark web marketplace Hydra grew by 624% between 2018 and 2020. This record growth led to the illegal darknet market processing about $1.37 billion worth of cryptocurrencies in 2020.
The high annual transaction volumes, up from $9.4 million in 2016, made the marketplace a key player in 2020. Consequently, Hydra accounts for more than three-quarters of darknet market revenues globally.
As a result, Hydra has emerged as a hotspot for illegal crypto transactions in Eastern Europe, where cryptocurrency adoption is high.
The marketplace has attracted high-profile cybercriminals, including the DarkSide gang responsible for the Colonial Pipeline ransomware attack. The threat actors sent $17.5 million, or 4% of their earnings, to Hydra for cashout, according to The Hacker News.
Hydra darknet market thrives despite the pandemic
Although the number of darknet purchases fell during the pandemic, total revenues rose by 23% to $1.75 billion in 2020. Hydra made a $1.37 billion profit during the pandemic in 2020, up from $9.4 million in 2016.
Hydra attributes its growth to resilience against competitors’ attacks, law enforcement crackdowns, and abuse by traders. Flashpoint and Chainalysis noted that the darknet market only went offline temporarily during the COVID-19 onset in late March.
Uniquely sophisticated operations give Hydra a competitive advantage
Developed as a narcotic trading platform in 2015, the darknet marketplace diversified its products to include all criminal activities.
Operated by an 11-member gang, the site acts as an intermediary, providing Bitcoin cash-out services for stolen credit cards, fake currency, stolen identities, and SIM cards, among others.
Hydra also provides a physical cash withdrawal method known as “Hidden Treasure” that gives criminals readily accessible hard currency in hidden public locations.
“This physical withdrawal technique calls upon customer buyers to hire designated couriers (‘kladmen’) to bury cash underground in vacuum-sealed bags within specific agreed-upon locations for the sellers to dig up later,” the report explained.
Once the cash is secured, the sellers could bury the drugs in the same location or ship them using other means. These “Uber-like” Hydra operations reduce the risks associated with drug shipments and payments, making the platform the preferred exit point for laundered drug money.
The growth of the Hydra darknet market was also the result of the demise of the Russian Anonymous Marketplace (RAMP). Hydra started as a less-antagonistic competitor for RAMP in 2015. Most RAMP members migrated to the Hydra darknet marketplace after the former shut down.
Draconian regulations prevent seller-abuse and crackdown by authorities
Hydra also thrives because of the draconian regulations that the darknet marketplace operators imposed on sellers.
Since July 2018, the site has required that outbound cryptocurrency withdrawals from sellers’ wallets occur through selected regional crypto exchanges in “Russian-friendly Eastern European countries,” before conversion into Russian fiat currency. This strategy makes tracing by law enforcement authorities difficult.
“Upon completion of the buyer portion of the transaction, the money trail goes dark as more veiled, in-region financial operators and service providers manage the sellers’ finances and convert cryptocurrency withdrawals into difficult-to-trace Russian fiat currencies as the next step in the financial chain,” the researchers noted.
Similarly, sellers can only withdraw their loot upon completing 50 transactions and maintaining a minimum account balance of about $10,000. These rules guarantee that only vetted and reliable sellers trade on the forum. The operators justify these restrictions by claiming that they protect users from account takeover attacks.
However, these regulations also led to the sale of Hydra’s seller accounts in other darknet market forums, allowing new traders to circumvent regulations.
Hydra darknet market possibly colludes with Russian authorities
The researchers suggested that possible collusion with Russian authorities was another reason for the success of the Hydra darknet market.
“When it comes to the question about Hydra’s connection to the Russian government, we can only speculate,” Flashpoint team lead Vlad Cuiujuclu said. “However, the fact that Hydra has been untouched by Russian law enforcement for the past six years likely suggests that Russian politicians or law enforcement operatives benefit from Hydra’s operations in one form or another.”
Ilia Kolochenko, Founder, CEO, and Chief Architect of ImmuniWeb, says that cybercriminals became more prudent after authorities shut down several darknet marketplaces. He added that the publicly accessible darknet marketplaces were just the tip of the iceberg.
“Professional cyber mercenaries do not advertise their services, silently selling stolen data to trusted customers from organized crime or governments,” Kolochenko said. “They lawfully rent AWS or similar infrastructure to host their communication centers, fully encrypted and protected, and totally inconspicuous from the outside.”
He noted that their activities are usually “untraceable and uninvestigable” and highly accessible platforms were made for novices. “The mercenaries have access to banking institutions, lawyers, and offshore companies to silently cash out their loot in any currency and in any form, including gold and real estate. While public forums in Russian, that offer conversion of payments into gift cards or cash in rubles, are mainly oriented for beginners.”