On Tuesday, the German government took down the world’s largest dark web marketplace, Hydra, with U.S. law enforcement’s assistance. Additionally, the U.S. Department of Treasury placed sanctions on Hydra.
Hydra, which is Russian language-based, was founded in 2015. On Hydra, users could purchase all types of drugs, fake passports, IDs, cybercriminals’ services, fraudulent COVID-19 vaccination cards, weapons, SIM cards, etc. According to the U.S. Department of Treasury, Hydra did $1.3 billion in sales in 2020. Most transactions on Hydra were done using Bitcoin or Monero, both cryptocurrencies. Before authorities shut it down, Hydra had an estimated 17 million customers.
Using open-source intelligence (OSINT), analysts identified possible locations where Hydra sellers and buyers could end up next to continue their illicit activities.
A Brief Overview of the World’s Largest Dark Web Marketplace — Hydra
Our research shows that Hydra had over 19,000 vendors. While many dark web vendors mail their products through traditional channels, Hydra used a dead drop system. Customers purchasing “treasures” (What Hydra calls its products) would pick them up in obscure locations. Hydra provided its services in Russia, Belarus, Ukraine, Kazakhstan, Azerbaijan, Armenia, Kyrgyzstan, Uzbekistan, Tajikistan, and Moldova. Hydra imitated a legitimate business model, with round-the-clock support for its customers.
Leveraging Russian Dark Web Marketplace Forum Rutor to Connect the Dot
After Hydra shut down, we kept our eyes peeled for evidence of where its buyers and sellers would move.
On Rutor, analysts identified a thread titled: “Search for employees with the outage of Hydra.”
Our analysts identified posts on the thread where users attempt to reconnect with those they worked with at Hydra.
An April 4, 2022, post on the forum from user loki999 reads, Top Shop (Hydra Market) highest pay.
Rutor Deputy Administrator, WD, replies to loki999’s post, saying he has checked the shop, which indicates that loki999 is a verified vendor.
Analysts also located posts where users were considering working together to set up a new storefront.
In a post from April 4, 2022, user Artemja1337 writes, “Comrades, we need a partner on the site, help in creating a store.” SND_VOS replies, “Lets work together.”
Users also suggested that Hydra vendors and customers migrate to an already established dark web market.
Rutor member Supp.shkaf provided the darknet URL to Shkaf, writing that the market has been active since 2017 and has 30,000 users.
There is another dark web marketplace that Hydra users could decide to use is OMG! OMG!
On April 4, 2022, user OMG!OMG! said they run the most advanced dark web marketplace.
Possible Locations of a New Leading Dark Web Marketplace
As we continued our research, we identified two other Russian dark web marketplaces, Matanga and Blacksprut. Based on research conducted, OMG!OMG! currently appears to have the most support as a Hydra alternative from Rutor users.
There is also extensive discussion about Rutor that Hydra could return. However, any return of Hydra would likely be a rebranding with a new name, as German and U.S. law enforcement shut down its servers.
The disruption of Hydra also led to many people who relied on the marketplace losing their jobs. Vendors are offering jobs on Rutor to take advantage of this. In one example, on April 4, 2022, user Sports Service wrote on Rutor, “Guys, the hydra seems to be f***** up, this is of course bad news, but life goes on, if you need work, write to the PM, or by contacts, we will employ.”
Additional review of the comments from Sport Service shows that his post led to connecting with people needing “work” in Russian St. Petersburg, Belgorod, and Nizhny Novgorod.
Aside from encrypted communication apps like Telegram and Wicker, Rutor appears to be the main location for Hydra vendors and customers to rebuild their illicit business and infrastructure.
On April 5, 2022, user Drug Free, thanked Rutor for “getting everyone together,” and made suggestions on what vendors should do next.
User Drug Free wrote, “What should shops do? The first is obviously to try to get everyone together. Thank you Ruthor for this! Second. The most important thing is your customers. They will look for you the way ordinary people look for a circle embroidery site. In search engines and telegram.”
“Therefore, the second thing you have to do is create one-time stub sites in the usual clearnet, at least on garbage construction sites like wix and the like, in Yandex Zen, and so on. Create a telegram channel with the name of your shop.”
“Third. Set up an official branch of your shop here on the forum and redirect people from clearnet sites here or to telegrams. Also activate offline work on advertising.”
Other Rutor users discussed how the marketplace that vendors choose to go to should have improved security compared to Hydra.
OUR ASSESSMENT
We assess that Hydra users and customers will most likely migrate to an established dark web market like OMG!OMG!, Matanga, Blackspurt, or pool their resources, setting up infrastructure for a new version of Hydra. Hydra vendors will use channels like Telegram to solicit their goods and services, using the platform as a gateway for customers to go from the open web to dark web storefronts.
While there may be a noticeable disruption in criminal activity from Hydra users and customers, its duration will only last until vendors restore their storefronts and clients. Law enforcement authorities will likely target these vendors but could find their operations increasingly difficult if there are additional security measures on the market they investigate.
Overwatch note: We did not include any URLs to Rutor in this brief, as it is a dark web forum rife with criminal activity.