German federal police said Tuesday they had shut down the dark web Hydra market, which trafficked in illegal narcotics and helped launder money for criminals worldwide.
Authorities seized “server infrastructure” within Germany and 543 bitcoins worth more than $25 million total as of Tuesday morning’s exchange rate, according to a news release from the BKA agency.
U.S. authorities assisted in the case, which began in August 2021, BKA said. Later Tuesday the U.S. Treasury Department sanctioned Hydra as well as the Moscow-based cryptocurrency exchange Garantex. The Treasury Department said the FBI, Drug Enforcement Administration and Internal Revenue Service participated in the Hydra investigation.
Experts have said the Russian-language Hydra, launched in 2015, was the world’s largest dark web market, with sales of more than $1 billion in 2020 alone. German prosecutors said the site had about 17 million user accounts and more than 19,000 seller accounts, according to the Associated Press.
“Our actions send a message today to criminals that you cannot hide on the dark net or their forums, and you cannot hide in Russia or anywhere else in the world,” Treasury Secretary Janet Yellen said in a news release.
In handling large volumes of cryptocurrency, Hydra also ran a “mixer” service that assisted in money laundering and “made crypto investigations extremely difficult for law enforcement agencies,” the BKA said.
Researchers have said that among the mixer’s customers were people associated with the theft of $4.5 billion in cryptocurrency from the virtual exchange Bitfinex in 2016. Heather “Razzlekhan” Morgan and Ilya “Dutch” Lichtenstein were arrested in February and accused of conspiring to launder those digital coins. The DarkSide ransomware gang — known for the 2020 attack on Colonial Pipeline — also laundered some of its ill-gotten funds through Hydra, researchers have said.
The U.S. Treasury said the proceeds from the “Ryuk, Sodinokibi, and Conti ransomware variants” were among the funds handled by Hydra.
In addition to the narcotics trade, Hydra users also sold illegal goods like “forged documents” and “digital services,” the BKA said. The cybercrime unit of the Frankfurt prosecutor’s office also assisted in the case, police said.
The takedown has stirred up a lot of “heated discussions” among Russian-speaking cybercriminals, researchers at Flashpoint said Tuesday. “The administrators of Hydra reportedly claim that the market is undergoing ‘technical works’ and have not acknowledged the takedown,” the company said.
Russian-language cybercrime networks have been under continued pressure from law enforcement lately:
• In March, the FBI indicted a 23-year-old Russian for allegedly running Marketplace A, which specialized in stolen data.
• Before Russia invaded Ukraine, Russian law enforcement cracked down on Sky Fraud and other cybercrime marketplaces.
• The Ukraine invasion caused upheaval in Eastern Europe’s cybercrime underground, as hackers and crooks adjusted their priorities and allegiances, particularly after the leak of thousands of internal documents from the Conti group.
Treasury’s moves against the Garantex exchange stem directly from U.S. efforts to sanction the Russian financial system because of the Ukraine invasion. The cryptocurrency business was founded in Estonia in 2019 but lost its license to operate there and “continues to provide services to customers through unscrupulous means,” Treasury said.
Analysis of the transactions on the exchange shows more than $100 million associated with “illicit actors and darknet markets,” Treasury said, including Hydra and Conti.
“The majority of Garantex’s operations are carried out in Moscow, including at Federation Tower, and St. Petersburg, Russia, where other sanctioned virtual currency exchanges have also operated,” Treasury said.
Estonian authorities coordinated with U.S. agencies as part of the sanctions process, Treasury said.
Updated 4/5/22 to add information from the U.S. Treasury announcement.