Russian-speaking dark web bazaar Hydra has dominated the illicit marketplace since 2018, thanks in part to the demise of a rival business as well as its imposition of restrictive policies on sellers, according to research published Tuesday.
Hydra administrators have made transactions on the site harder to trace by forcing users to transact in difficult-to-track Russian currencies, routed through regional financial operators and service providers, according to the research. Dark web markets have typically relied on a variety of methods for withdrawing funds, from ATMs to escrow services.
It adds up to a headache for law enforcement, potential competitors and other entities with an interest in disrupting Hydra, concludes the joint report by dark web intelligence firm Flashpoint and cryptocurrency-watching software company Chainalysis. Hydra specializes in narcotics sales.
“Money laundering trails to Hydra are difficult, near impossible, to trace,” the companies said. “While the illicit trade of narcotics is problematic in and of itself, the lack of transparency in financial transactions and forced fiat conversions via regional and more veiled payment processors present further challenges for monitoring and combating cybercrime on Hydra.”
That might help explain why the DarkSide ransomware gang — infamous for its role in the recent attack on Colonial Pipeline — has turned to Hydra, sending 4% of its gains from a bitcoin wallet there for cash-out services, according to Elliptic, another cryptocurrency-tracking firm.
It’s been a meteoric rise for Hydra, especially over the last few years. The marketplace saw just $9.4 million in revenue in its first year in 2015, but in 2020, that figure leaped to nearly $1.4 billion. In just the last three years, transaction volume rose by 624%, the report observed. In 2020, Hydra revenue accounted for 75% of dark web marketplace activity, a prior report from Chainalysis determined.
As of 2019, a Russian investigative news site had tallied 2.5 million registered Hydra accounts.
That rise overlaps with a Russian law enforcement operation to take down competitor RAMP, which was notorious for using tactics like reporting rivals’ IP addresses to authorities. After RAMP went down in 2017, cybercriminals migrated to Hydra, according to Flashpoint and Chainalysis.
Russian officials have shown no real interest in taking down Hydra, as far as Flashpoint has observed, said Andras Toth-Czifra, senior analyst at the company. Hydra has ultimately proven resilient while other dark web forums, like Joker’s Stash, have taken hits following a law enforcement operation.
That relative good fortune could be a coincidence, or Hydra could have a knack for withstanding “oscillating geopolitics and law enforcement efforts,” the report theorized.
“The longer Hydra operates without major disruption, the more realistic the latter option becomes, with regional financially incentivized stakeholders the only plausible explanation,” the report states.
Some downtime that began in late March appeared to affect revenues for a couple of months, a blockchain analysis seemed to confirm, but Hydra was back on the rise by May.
Hydra’s restrictions on sellers include conditions on how they can withdraw earnings, the joint report notes. Before taking their money, sellers must record more than 50 transactions on Hydra, and retain digital wallet balances that are the equivalent of $10,000 in U.S. currency.
The precautions have had two effects: established sellers enjoy more power, and cybercriminals have an incentive to try to gain, and then sell, access to those influential seller accounts.
Hydra users also have had to navigate increased security and identification requirements by cryptocurrency exchanges. It’s led some of them to increasingly rely — literally — on buried treasure.
“This physical withdrawal technique calls upon customer buyers to hire designated couriers (‘kladmen’) to bury cash underground in vacuum-sealed bags within specific agreed-upon locations for the sellers to dig up later,” the report states. “Once the physical cash is secured in the physical hands of the seller, they then complete the narcotics sale, either burying the sold products or shipping them out as has been done historically.”
Hydra keeps feinting at plans to go global. As of today, no global expansion has materialized following a September announcement. But that doesn’t look to dim Hydra’s future, Toth-Czifra said. Flashpoint predicted that while Hydra is strongest in narcotics sales, it could expand in other directions to include more cybercriminal trades.