Russian-language dark web marketplace Hydra has emerged as a hotspot for illicit activities, pulling in a whopping $1.37 billion worth of cryptocurrencies in 2020, up from $9.4 million in 2016. That amounts to a staggering 624% year-over-year jump over the three-year period from 2018 to 2020.
“Further buoying Hydra’s growth is its ability—or its good fortune—to remain running and unscathed against competitor attacks or law enforcement scrutiny; its only downtime of note occurred during a short time period at the beginning of the COVID-19 global pandemic in late March 2020,” threat intelligence firm Flashpoint said in a report jointly published with blockchain analysis firm Chainalysis.
Active since 2015, Hydra opened as a competitor to the now-defunct Russian Anonymous Marketplace (aka RAMP), primarily facilitating narcotics trade, before becoming a bazaar for all things criminal, including offering BTC cash-out services and peddling stolen credit cards, SIM cards, documents, IDs, and counterfeit money, with the operators profiting as the intermediary for every transaction conducted on the platform.
Hydra accounted for over 75% of darknet market revenue worldwide in 2020, positioning it as a major player in the crypto crime landscape in Eastern Europe, according to a report by Chainalysis published in February 2021. This skyrocketing cryptocurrency activity conducted through the marketplace can be partly attributed to the demise of RAMP in September 2017, which resulted in a mass migration of cybercrime gangs to Hydra.
A second contributing factor, according to the research, is the stringent requirements imposed on sellers. Effective July 2018, the guidelines mandate that outbound withdrawals of cryptocurrency proceeds from sellers’ wallets are routed through regionally-operated crypto exchanges and payment services in order to exchange the funds into Russian fiat currency.
Also in place are limitations that disable withdrawals until sellers either successfully complete more than 50 sales transactions or maintain an account balance of at least $10,000.
Flashpoint said the policy changes have likely benefited Hydra administrators and sanctioned sellers, entities, and service providers, who can still operate and fulfill transactions under these stricter e-wallet restrictions, consequently contributing to the “blistering growth” in annual transaction volumes.
“Upon completion of the buyer portion of the transaction, the money trail goes dark as more veiled, in-region financial operators and service providers manage the sellers’ finances and convert cryptocurrency withdrawals into difficult-to-trace Russian fiat currencies as the next step in the financial chain,” the researchers said.
These withdrawal restrictions have also made Hydra seller accounts a hot commodity on various underground forums, fostering a new offshoot market where cybercriminals purchase an established seller account to gain direct access to the marketplace and entirely sidestep Hydra policies and enforcement controls.
What’s more, Hydra’s cash-out services — which allow bitcoin to be converted into gift vouchers, prepaid debit cards, Russian rubles, or even physical cash that’s concealed at a discreet location (aka “hidden treasure”) — have made crypto laundering a lucrative way for criminals to exchange their bitcoin haul without being identified and reported.
DarkSide, the ransomware gang behind the Colonial Pipeline ransomware attack earlier this month, sent 4% of its ill-gotten gains totaling $17.5 million to Hydra’s operators to use the service.
Another element that appears to be working in Hydra’s favor is the fact that it’s remained unaffected by takedowns and “competitor chicanery” which have impacted other Russian-speaking cybercriminal communities such as Joker’s Stash, Verified, and Mazafaka, raising the possibility that the marketplace could be “more resilient to oscillating geopolitics and law enforcement efforts.”
“Hydra’s expansion to other illicit trades may endanger more industry sectors,” the researchers cautioned. “While Hydra currently supports the selling of many illicit goods and services, its strongest market, by far, remains narcotics sales. Should Hydra continue to grow, its support of other cybercriminal trades will likely expand along with it.”