SOCRadar® Cyber Intelligence Inc. | Hydra Aftermath and the Future of Dark Web Marketplaces
Home

Resources

Blog
Jan 19, 2023
11 Mins Read

Hydra Aftermath and the Future of Dark Web Marketplaces

By SOCRadar Research

Russian-speaking Hydra Market was the biggest among darknet markets, with a $1B turnover in 2020. It was also the largest narcotic market among the countries of the former USSR. 

With the operation started by German and US law enforcement in 2021, Hydra’s Germany-based servers were taken down in April 2022. In this operation, $25M worth of Bitcoin was also seized. More than a drug bust, this takedown dealt a massive blow to the malicious Russian-speaking dark web ecosystem.

Hydra Market before it's taken down.
Hydra Market before it’s taken down.
  • Until its shutdown, Hydra hosted 80% of dark web activity. 

After the Hydra servers were shut down, most Hydra users organized in the RuTor forum. But they soon suspected law enforcement might launch a hunt with Hydra clones. The initial fear of users came with the capture of Hydra’s co-founder, Dmitry Pavlov. They suspected that internal correspondence and transactions might also have leaked. Still, they thought western authorities would keep this information private from Russian officials due to the current Russia-Ukraine war

  • Hydra market had 19,000 seller accounts and more than 17 million customers. 

Again, although there may be developments on this subject in the coming days, no major event has yet to emerge. However, what has been seen so far is the rapid emergence of new Dark Web Markets and the new big 5 dividing the dark market.

Dark Web Marketplaces 

Dark Web Markets (DWMs) are the markets on the dark web that are used to access illegal products and services. Users can access illicit products, such as drugs, unregistered firearms, fake ID cards, credentials, and data sets in DWMs. These illegal shopping platforms, which gained popularity in the dark web in 2011 with Silkroad, which we call the first modern DWM, have increased their activity until today. After the Silkroad closed with the FBI operation in 2013, big names such as RAMP, one of the longest-lived dark web markets, and Hydra emerged and were later taken down. The closure of these illegal markets resulted from the operations carried out a significant blow to the dark web activities. Still, it caused the emergence of other underground markets as well. 

SOCRadar Extended Threat Intelligence platform automatically detects organization or employee data in black markets and alerts relevant users. Hydra Aftermath and the Future of Dark Web Marketplaces

SOCRadar Extended Threat Intelligence platform automatically detects organization or employee data in black markets and alerts relevant users.

Cyber Criminals on DWMs 

Although up to the majority of the products in DWMs are drugs. One should remember cyber threat actors also take place in these markets. So, data, a tool, or a service can occur in these black markets. Even Stealer as a service (SaaS), one of the most recent cyber attack vectors, has taken its place in black markets. However, the most striking ones regarding cybercrime in terms of numbers are DDoS for hire services, RDP accesses, and credentials. In terms of value, data such as VIP credentials and databases stand out. 

DRP Configuration, VIP Protection

DRP Configuration, VIP Protection

Besides, DWMs may not only appear as drug markets but can also be interpreted as nesting spots for cyber threats. 

As of the beginning of 2023, the main markets that pose a cyber threat are as follows: 

Various credentials, stolen data, and credit cards are the main items in these markets.

Russian market
Russian market

Cryptocurrencies and Crypto Laundry 

Another topic in modern DWMs is the transactions made with cryptocurrency and the concept of crypto laundry. DWMs, where most of these transactions are made with Bitcoin, are said to be one of the mechanisms that keep the crypto market alive, according to some researchers. Hydra Market alone reached a $5B trading volume from 2015 to 2022. Just in 2021, the total black market transactions added $2.1B to the crypto market volume.

Transferred amounts of crypto. Almost all transactions are made with Bitcoin. (Source: CrystalBlockChain)
Transferred amounts of crypto. Almost all transactions are made with Bitcoin. (Source: CrystalBlockChain)

Although blockchain provides anonymity for the wallet owner, the fact that crypto wallets are traceable assets can damage this anonymity. Many cryptocurrencies are built on blockchain technology, and this provides decentralization. Therefore, cryptocurrencies are considered anonymous and untraceable. However, these transfers are held by distributed ledgers and are publicly available. For this reason, it also makes it traceable with tools such as Bitcoin explorer. For this, crypto money laundry is done with various methods. These methods are: 

  • Nested services, 
  • Gambling platforms, 
  • Mixers, 
  • Non-compliant exchanges, 
  • Services headquartered in high-risk jurisdictions. 

Vacuum Left by Hydra

It took almost no time for the void left by Hydra to be filled, and dozens of new illicit markets emerged. These DWMs, mostly Russian-speaking, have repopulated 80% of the entire illegal ecosystem. According to TRM Labs’s research, these markets reached 24% more volume than the previous year of Hydra within the first five months of Hydra’s shutdown.

Top DWMs by Market Share. (Source: TRMLabs)

Although more than 70 DWMs were observed at the end of last year, the four big Russian markets divide 80% of the total volume among them, while the western bitcoin-based market ASAP comes in 5th place with 7%. All the remaining DWMs have only 13% of the total market volume. 

Infinity: A Black Market under a Hacker Forum

In addition to dark web markets, hacker forums are one of the dark web platforms where sales are made. The recent Ukraine-Russia war was reflected in the cyber world, and nationalist Russian threat actors came together in some forums.

The Infinity Forum launched in January 2023 as a forum founded by Killmilk, the former leader of the KillNet threat group, and comprised of members of Russian hacktivists and threat actors. Infinity, which researchers traced back to November of the previous year, was a Telegram group. The forum brings together many Russian hacker groups and the cyber underground world. Although it has similarities with other Russian-speaking forums and markets, Infinity members are discussing and making operational decisions in line with their political views.

Correlation between hacker groups and their members that came together under Infinity. (Source: Yarix)
Correlation between hacker groups and their members that came together under Infinity. (Source: Yarix)

The part that highlights the Infinity forum as a dark web market and creates a cyber threat is the Hack Shop section. In addition to sharing and selling many tools and exploits, it is among the products sold in DDoS, frequently used by Russian hacktivist groups.

Infinity Forum will target NATO and Western countries with its ideological aims throughout the Russian-Ukrainian war. So it may remain one of the threats to watch out for throughout 2023, especially with the sale of services such as DDoS, which is both a gathering place for cybercriminals and a high damage capacity even in the hands of threat actors that have not yet been well-seasoned.

KillNet and its aliases' target countries. (Source: SOCRadar)
KillNet and its aliases’ target countries. (Source: SOCRadar)

At the end of February 2023, there was a change in the management of the Infinity Forum. KillMilk put the Infinity Forum up for sale for unknown reasons, which may be good news that the forum may be disbanded, but KillNet has since relaunched its Telegram forum. KillNet’s Telegram forum is a different form created by managing multiple chat groups from the same hand; this forum also includes a market that offers the same services. 

This outcome may be due to the threat actors being unable to profit from the Infinity Forum or achieve as much growth as they would like. At the same time, KillNet’s return to the Telegram forum system seems to support the new dark web system based on Telegram for Russian-speaking threat actors. As a result, the forum is still active, but its future may seem uncertain. These seasoned threat actors will continue their activities under a different name.

Top Dark Web Marketplaces

  • BlackSprut Market
  • Mega Darknet Market
  • OMG! OMG! Market
  • Solaris Market
  • ASAP MarketOther dark web marketplaces:
Tor2door Market Nova Market Abacus Market Vice City Market Archetyp Market Bohemia Market
Incognito Market Psycellium Flugsvamp 4.0 Mega Darknet Market Cypher Market Revolution Market
WeTheNorth Market Kerberos Market Royal Market Cocorico Market MGM Grand Nemesis Market
Cannabia TorZon Market Kingdom Market Black Pyramid Market Tor Market Ares Market
Exolix Exchange Majestic Bank FixedFloat Elude Exchange Kraken Market Russian Market

What The Future Holds

Researchers, on the other hand, follow a specific threat. We could see a new DWM called Kraken Market, which several DWMs will prepare as the real successor of Hydra in the next year. 

WayAWay, an old dark web forum, has been re-observed on the dark web. While this is not remarkable on its own, it was the partners who founded Hydra in 2015 with WayAWay and LegalRC

With the shutdown of Hydra, cybercriminals gathered in the RuTor forum, but the presence of many competitors led RuTor to partner with the OMGOMG marketplace. However, this partnership faced opposition from WayAWay and led them to associate itself as Kraken. At the same time, researchers claim that the RuTor/OMGOMG and WayAWay/Kraken competitions also mirror the Russian-Ukrainian war. The researcher also said that RuTor’s pro-Ukraine and Kraken’s pro-Russia stance showed us once again that geopolitical issues are also taking place in cyberspace. 

Effect of the Russia-Ukraine War on the Dark Web 

Since the war began, geopolitical dynamics have changed, and its reflection can be seen on the dark web. Especially the fact that Russian-speaking countries make up a massive part of the dark web population made this even more visible. 

In the dark web, Russian-speaking criminals tended not to take actions that would harm or target former Soviet Union countries. However, this situation changed with the start of the war, especially Conti’s declaration of total loyalty to Russia set an excellent example for this situation. 

DWMs have also become one of the battlegrounds. Ukraine-born cyber intelligence expert Alex Holden claimed to have hacked the Solaris DWM and siphoned the 1.6 Bitcoin transaction, and donated it to a Kyiv Charity. 

Threats to Watch Out For 

Considering the recent growth, Dark Web Markets will likely reach larger transaction volumes. In addition to illegal products such as drugs, these black markets, which are marketed in data sets, data leaks, malware, and exploits, pose a significant danger to every institution. 

Under the SOCRadar Digital Risk Protection suite, your organization’s data automatically gets detected when leaked on the dark web.

Under the SOCRadar Digital Risk Protection suite, your organization’s data automatically gets detected when leaked on the dark web.

Like hacker forums, critical data such as VIP credentials, employee data, and espionage information are sold in dark web markets as well. 

Moreover, threat actors offer ransomware and stealers “as a service” in these markets.

Using SOCRadar Extended Threat Intelligence, when you have leaked or stolen data about your organization on the dark web and black markets, it can be detected automatically and take proactive measures.