Hydra Shutdown: Where will Cybercriminals Flock to Next?
Germany's federal police, the BKA, announced in early April that they had seized Hydra’s Germany-based servers in a joint operation with the FBI, DEA, IRS Criminal Investigations, and U.S. Homeland Security Investigations. In the operation, they shut down the site and seized cryptocurrency assets amounting to $25.3 million in bitcoin.
The latest closure came after several dark web marketplaces for drugs were taken down over the past few months, including Cannazon, White House Market, and Torrez. But the shutdown of Hydra, the largest Russian-language dark web market for narcotics, may cause ripple effects that go far beyond the closing of a single site. Because the site was widely used for money-laundering and cash-out services, its closure may affect the ability of cybercriminals to launder money and defraud victims across the globe. So far, however, we see many examples of these activities continuing to run smoothly on other platforms across the deep and dark web.
Hydra was a Russian dark web marketplace which was founded in 2015. It is considered to be one of the longest-running and most active marketplaces in the history of the dark web, with 19,000 seller accounts and more than 17 million customer accounts registered before it was seized.
The marketplace was known primarily for drug sales, although listings on the site also included forged documents, stolen PII and leaked data such as credit card information, and some illegal digital services. Products on the marketplace were offered for sale in a number of countries, including Russia, Ukraine, Belarus and Kazakhstan.
Let’s take a look beyond the drug trading activities Hydra offered.
Hydra’s crypto mixing services
Hydra offered several money-laundering services, including the sale of stolen credit cards, the sale of prepaid cards, and various exchange services that enabled cybercriminals to exchange their money for a lower currency than the one offered on the market. According to blockchain analysis firm Elliptic, Hydra’s crypto conversion service has facilitated over $5 billion in illicit cryptocurrency transactions since it launched in 2015.
The use of Hydra for untraceable money laundering
The recently closed dark web marketplace offered exchange services that allowed cybercriminals to trade crypto proceeds from a variety of crimes for Russian rubles, as well as “mixing” services that launder crypto and make it harder to trace. In some cases, it has been reported that customers even exchanged cryptocurrency for cash bundles which were buried in the ground for later retrieval.
What is crypto mixing?
A cryptocurrency tumbler, or mixing service, offers to mix potentially identifiable or dirty cryptocurrency funds with other crypto coins in order to mask the source of the funds. It enables users to pool bitcoins together and redistribute them, making it harder for anyone to follow the money trail. For example, if 100 users each put one bitcoin into such a service and the coins are blended together, it becomes very hard to trace each transaction separately.
Below you can find a post in which a cybercriminal advertises a new bitcoin mixing service and asks users to test, score and give their feedback.
It is important to note that although Hydra is down, money laundering is still widespread on the dark web. It can be found on marketplaces, hacking forums, paste sites and other places.
Here are a few examples of posts related to money laundering services on the dark web.
In the next image, the link (marked with an arrow) leads to another page (seen in the image under it) which offers a crypto mixer for several cryptocurrencies such as Bitcoin, Ethereum and Litecoin. On this page, the user can enter the account or address to which the money should be transferred and set the interval between transfers, with a minimum gap of 30 minutes.
Exchange services – laundering crypto
The paste site V3 Paste (seen below) has been offering exchange services along with loaning and mixing services since 2014.
In the next images you can find a post from hacking forum cracked.io, where a dark web cybercriminal offers his services to a user who was looking for crypto exchange services.
Where will Hydra users go?
While more and more dark web marketplaces are seized and shut down, other dark web platforms and marketplaces quickly fill in the gaps left behind by providing cybercriminals with a platform for trading illegal goods, drugs, and leaked data.
Below you can find a few examples of these types of popular dark web marketplaces: Alphabay, Royal Market and Nemesis Market.
Alphabay was originally established in 2014; it was later closed and then re-opened in 2022. The popular marketplace specializes in the sale of drugs and fraud methods.
Royal Market is a known and stable dark web marketplace that offers drugs and prepaid cards for sale, as well as mixing and exchange services.
Nemesis is a marketplace that trades in illegal drugs and hosts discussions on hacking and fraud methods.
These are only three examples of dark web marketplaces to which former Hydra users may choose to flock in order to continue trading in drugs and cryptocurrencies.
Dark web marketplaces are the most common place for the trade of illegal products and data on the web. Monitoring these spaces is key to tracing the trade of stolen data, illegal hacking and financial services, and other illicit products.