Hydra Market Takedown Indicative of ‘More Intense’ Law Enforcement Efforts


German authorities’ recent takedown of Hydra Market, the largest Russian-speaking darknet marketplace, highlights how global law enforcement agencies have intensified their efforts and built up the resources needed to tackle these illicit platforms.

Germany’s Federal Criminal Police Office (BKA) announced Tuesday it had secured Hydra’s infrastructure and seized approximately $25 million worth of bitcoin attributed to the marketplace. Also on Tuesday, the U.S. Department of the Treasury’s Office of Foreign Assets Control announced sanctions against Hydra in what it called "a coordinated international effort to disrupt proliferation of malicious cybercrime services, dangerous drugs, and other illegal offerings available through the Russia-based site." Active since 2015, Hydra is primarily known for illicit narcotics sales, but has also facilitated the sale of stolen credit cards, SIM cards, counterfeit documents and IDs and more. Cybercriminals have also used the platform for money laundering and to obfuscate illegal digital transactions.

The operation is only the most recent in a string of darknet market takedowns, and follows the June 2021 announcement by the U.S. Department of Justice that the Slilpp marketplace, where over 80 million stolen credentials were offered, had been disrupted; as well as Europol’s January 2021 announcement of the takedown of DarkMarket, a marketplace with almost 500,000 users that was used to sell drugs, counterfeit money, stolen credit card details, SIM cards and malware.

“The transformation over the last decade [by authorities] has been significant in terms of international relations, increased efforts and more manpower,” said Jared Der-Yeghiayan, director of the Advanced Cybercrimes and Engagements team at Recorded Future. “Law enforcement has grown exponentially… the resources available 10 years ago is nothing compared to what they have now. The efforts, and capabilities, are also more intense.”

In a May 2021 joint report by Flashpoint and Chainalysis, Flashpoint analysts said that the market activity for Hydra “is on a blistering growth trajectory,” with its total transaction volumes exploding from $9.40 million in 2016 to more than $1.37 billion by the end of 2020. As of April, the darknet marketplace had around 17 million users. Part of this growth is due to Russian cybercrime users migrating to Hydra after dark web marketplace competitor RAMP was shut down in July 2017 by Russian law enforcement. Flashpoint analysts said that Hydra's takedown is part of a growing number of law enforcement activities overall in recent years, which has resulted from international cooperation.

This level of international coordination has taken time to organize and scale. Der-Yeghiayan, who previously worked on cybercrime cases as a special agent with the Department of Homeland Security, including acting as the lead case agent for the Silk Road darknet market takedown in 2013, said that initially, law enforcement agencies had very little manpower before Silk Road was shut down. In comparison, the shutdown of Silk Road 2 in 2014 showed how countries had started to bolster their efforts and international partnerships around tackling these marketplaces. That takedown was part of a joint operation known as Operation Onymous that stemmed from cooperation between the FBI, Europol, and several other agencies.

“For these agencies to shift and change, a lot of it comes with understanding and knowledge,” said Der-Yeghiayan. “We spent an exponential amount of time training with international partners for how to overcome challenges or creating policies to address cryptocurrency. These countries have now been able to apply this to their own processes and feel comfortable taking these actions, and we’re seeing the resources come to bear.”

The collaboration between different jurisdictions and governments, whether it’s disparate countries, or authorities working together via the Five Eyes intelligence alliance or the European Cybercrime Center (Europol), is particularly necessary because the breadth of infrastructure behind these darknet marketplaces is sprawling and exists across several different locations worldwide. Separate agencies might have vital information to share, like an IP address or a moniker, which can lead to the takedown of a marketplace.

Now, the majority of law enforcement operations have involved the help of investigators and prosecutors from several jurisdictions. The investigations into the Hydra marketplace, which have been conducted since August, for instance, included several U.S. authorities, including the U.S. Department of Justice, FBI, Drug Enforcement Administration, Internal Revenue Service Criminal Investigation and Homeland Security Investigations. These joint investigations, disruptions or arrests, in turn, may unearth valuable information related to other cybercriminal activity. As part of its sanctions announcement, the U.S. government said it has identified over 100 virtual currency addresses associated with Hydra's operations that have been used to conduct illicit transactions, for instance.

“In regards to the current takedown, it is likely that German and U.S. law enforcement will use the data obtained from Hydra servers to conduct further investigations into individuals of interest,” said Andras Toth-Czifra, senior analyst on Global Intelligence at Flashpoint. “Threat actors are aware and afraid of this, based on conversations that Flashpoint analysts have identified in our datasets.”

At the same time, darknet marketplaces have also taken steps to better shield themselves from law enforcement. Hydra is one example of this: The marketplace was unique in that, unlike other platforms that tried to encourage registered users to sell products or services wherever possible, it imposed strict controls on its sellers, including a rule that transactions had to be made in difficult-to-track Russian fiat currencies. Hydra also leveraged a service for obfuscating digital transactions that made tracing cryptocurrency transactions extremely difficult for law enforcement agencies, according to the BKA.

“We saw this shift where these darknet marketplaces were trying to compartmentalize themselves and shield themselves from Western enforcement,” said Der-Yeghiayan. “Valhalla was all Finnish-based speakers, for example, and we saw Hydra take a similar model and focusing mostly on Russian speakers and sales.”

When darknet marketplaces have been shut down, typically cybercriminals will shift to another marketplace platform. According to Flashpoint analysts, though Hydra’s administrators reportedly have not acknowledged the takedown, the news of the operation has already led to discussions around its future and its potential replacement. While it’s a bit of a “whack-a-mole game,” Der-Yeghiayan said based on his experience, these darknet marketplace takedown efforts send marketplace users and administrators into “pure panic mode,” leaving them confused and scared.

“It’s always shocking to me that cybercriminals continue to create these big marketplaces,” he said. “You would think over time they would understand they are painting giant targets on themselves. They’re a ticking time bomb, and it’s only a matter of time.”