Hydra Aftermath and the Future of Dark Web Marketplaces - SOCRadar® Cyber Intelligence Inc. (2024)

Jan 19, 2023


By SOCRadar Research

Russian-speaking Hydra Market was the biggest among darknet markets, with a $1B turnover in 2020. It was also the largest narcotic market among the countries of the former USSR.

With the operation started by German and US law enforcement in 2021, Hydra’s Germany-based servers were taken down in April 2022. In this operation, $25M worth of Bitcoin was also seized. More than a drug bust, this takedown dealt a massive blow to the malicious Russian-speaking dark web ecosystem.

  • Until its shutdown, Hydra hosted 80% of dark web activity.

After the Hydra servers were shut down, most Hydra users organized in the RuTor forum. But they soon suspected law enforcement might launch a hunt with Hydra clones. The initial fear of users came with the capture of Hydra’s co-founder, Dmitry Pavlov. They suspected that internal correspondence and transactions might also have leaked. Still, they thought western authorities would keep this information private from Russian officials due to the current Russia-Ukraine war.

  • Hydra market had 19,000 seller accounts and more than 17 million customers.

Again, although there may be developments on this subject in the coming days, no major event has emerged yet. What has been seen so far, however, is the rapid emergence of new Dark Web Markets and a new big 5 dividing the dark market.

Dark Web Marketplaces

Dark Web Markets (DWMs) are markets on the dark web that are used to access illegal products and services. Users can access illicit products, such as drugs, unregistered firearms, fake ID cards, credentials, and data sets in DWMs. These illegal shopping platforms gained popularity on the dark web in 2011 with Silkroad, which we call the first modern DWM, and have increased their activity ever since. After Silkroad was closed by an FBI operation in 2013, big names such as RAMP, one of the longest-lived dark web markets, and Hydra emerged and were later taken down. The closures that resulted from these operations dealt a significant blow to dark web activities, but they also led to the emergence of other underground markets.

Cyber Criminals on DWMs

Although the majority of the products in DWMs are drugs, cyber threat actors also operate in these markets, so data, tools, or services can appear in these black markets. Even Stealer as a Service (SaaS), one of the most recent cyber attack vectors, has taken its place in black markets. In terms of numbers, the most striking cybercrime offerings are DDoS-for-hire services, RDP accesses, and credentials. In terms of value, data such as VIP credentials and databases stand out.

Besides, DWMs may not only appear as drug markets but can also be interpreted as nesting spots for cyber threats.

As of the beginning of 2023, the main markets that pose a cyber threat are as follows:

  • Russian Market
  • Genesis Market
  • 2easy

Various credentials, stolen data, and credit cards are the main items in these markets.


Cryptocurrencies and Crypto Laundry

Another topic in modern DWMs is the transactions made with cryptocurrency and the concept of crypto laundry. DWMs, where most of these transactions are made with Bitcoin, are said to be one of the mechanisms that keep the crypto market alive, according to some researchers. Hydra Market alone reached a $5B trading volume from 2015 to 2022. Just in 2021, the total black market transactions added $2.1B to the crypto market volume.

Although blockchain provides anonymity for the wallet owner, the fact that crypto wallets are traceable assets can damage this anonymity. Many cryptocurrencies are built on blockchain technology, which provides decentralization. Therefore, cryptocurrencies are considered anonymous and untraceable. However, these transfers are recorded on distributed ledgers and are publicly available, which makes them traceable with tools such as Bitcoin explorer. For this reason, crypto money laundering is done with various methods. These methods are:

  • Nested services,
  • Gambling platforms,
  • Mixers,
  • Non-compliant exchanges,
  • Services headquartered in high-risk jurisdictions.
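The traceability point above, as an added example that is not part of the original article: because every transfer sits on a public ledger, an analyst can follow funds from a flagged marketplace wallet through intermediate addresses and measure how much of a destination's balance traces back to it. The ledger, the address names, and the simplified account-style model (rather than Bitcoin's UTXO model) are constructed assumptions; "haircut" propagation is one common heuristic, not the only one.

```python
from collections import defaultdict

# Constructed sample ledger (hypothetical address names, not real data):
# (sender, receiver, amount in BTC) in chronological order.
# "coinbase" stands for funds whose origin is outside the scope of the trace.
LEDGER = [
    ("coinbase", "market_wallet", 10.0),
    ("coinbase", "clean_user", 30.0),
    ("market_wallet", "hop_1", 10.0),
    ("clean_user", "hop_1", 30.0),
    ("hop_1", "exchange_deposit", 20.0),
    ("hop_1", "hop_2", 20.0),
    ("hop_2", "gambling_site", 5.0),
]


def trace_taint(ledger, flagged):
    """Haircut taint propagation over an ordered list of transfers.

    Each payment carries the sender's current tainted fraction, so taint is
    diluted when flagged funds are commingled with other funds but never
    disappears. Returns (balance, tainted) dicts keyed by address.
    """
    balance = defaultdict(float)
    tainted = defaultdict(float)
    for sender, receiver, amount in ledger:
        if amount <= 0:
            raise ValueError(f"non-positive transfer from {sender}")
        moved_taint = 0.0
        if sender != "coinbase":
            if amount > balance[sender] + 1e-9:
                raise ValueError(f"{sender} spends more than it holds")
            moved_taint = amount * tainted[sender] / balance[sender]
            balance[sender] -= amount
            tainted[sender] -= moved_taint
        balance[receiver] += amount
        # Anything received by a flagged address is treated as fully tainted.
        tainted[receiver] += amount if receiver in flagged else moved_taint
    return balance, tainted


def exposure(ledger, flagged, address):
    """Share (0..1) of the funds held at `address` that trace to flagged wallets."""
    balance, tainted = trace_taint(ledger, flagged)
    return tainted[address] / balance[address] if balance[address] else 0.0


if __name__ == "__main__":
    flagged = {"market_wallet"}
    for addr in ("exchange_deposit", "hop_2", "gambling_site"):
        print(f"{addr}: {exposure(LEDGER, flagged, addr):.0%} exposure")
```

A compliance team would run the same calculation against real ledger data and alert when a deposit address exceeds an exposure threshold.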

Vacuum Left by Hydra

It took almost no time for the void left by Hydra to be filled, and dozens of new illicit markets emerged. These DWMs, mostly Russian-speaking, have repopulated 80% of the entire illegal ecosystem. According to TRM Labs’ research, these markets reached 24% more volume than the previous year of Hydra within the first five months of Hydra’s shutdown.

Although more than 70 DWMs were observed at the end of last year, the four big Russian markets divide 80% of the total volume among them, while the western Bitcoin-based market ASAP comes in 5th place with 7%. All the remaining DWMs have only 13% of the total market volume.

Infinity: A Black Market under a Hacker Forum

In addition to dark web markets, hacker forums are one of the dark web platforms where sales are made. The recent Ukraine-Russia war was reflected in the cyber world, and nationalist Russian threat actors came together in some forums.

The Infinity Forum launched in January 2023 as a forum founded by Killmilk, the former leader of the KillNet threat group, and is made up of Russian hacktivists and threat actors. Infinity, which researchers traced back to November of the previous year, was a Telegram group. The forum brings together many Russian hacker groups and the cyber underground world. Although it has similarities with other Russian-speaking forums and markets, Infinity members discuss and make operational decisions in line with their political views.

The part that marks the Infinity forum as a dark web market and makes it a cyber threat is the Hack Shop section. In addition to the sharing and selling of many tools and exploits, DDoS, frequently used by Russian hacktivist groups, is among the products sold.

Infinity Forum will target NATO and Western countries with its ideological aims throughout the Russian-Ukrainian war. It may therefore remain one of the threats to watch out for throughout 2023: it is a gathering place for cybercriminals, and it sells services such as DDoS, which have a high damage capacity even in the hands of threat actors that are not yet well-seasoned.

At the end of February 2023, there was a change in the management of the Infinity Forum. KillMilk put the Infinity Forum up for sale for unknown reasons, which may be good news in that the forum may be disbanded, but KillNet has since relaunched its Telegram forum. KillNet’s Telegram forum takes a different form, created by managing multiple chat groups from the same hand; this forum also includes a market that offers the same services.

This outcome may be due to the threat actors being unable to profit from the Infinity Forum or achieve as much growth as they would like. At the same time, KillNet’s return to the Telegram forum system seems to support the new dark web system based on Telegram for Russian-speaking threat actors. As a result, the forum is still active, but its future may seem uncertain. These seasoned threat actors will continue their activities under a different name.

Top Dark Web Marketplaces

  • BlackSprut Market
  • Mega Darknet Market
  • OMG! OMG! Market
  • Solaris Market
  • ASAP Market

Other dark web marketplaces:

  • Tor2door Market
  • Nova Market
  • Abacus Market
  • Vice City Market
  • Archetyp Market
  • Bohemia Market
  • Incognito Market
  • Psycellium
  • Flugsvamp 4.0
  • Mega Darknet Market
  • Cypher Market
  • Revolution Market
  • WeTheNorth Market
  • Kerberos Market
  • Royal Market
  • Cocorico Market
  • MGM Grand
  • Nemesis Market
  • Cannabia
  • TorZon Market
  • Kingdom Market
  • Black Pyramid Market
  • Tor Market
  • Ares Market
  • Exolix Exchange
  • Majestic Bank
  • FixedFloat
  • Elude Exchange
  • Kraken Market
  • Russian Market

What The Future Holds

Researchers, meanwhile, are following one specific threat: we could see a new DWM called Kraken Market, which several DWMs will prepare as the real successor of Hydra in the next year.

WayAWay, an old dark web forum, has been re-observed on the dark web. While this is not remarkable on its own, WayAWay and LegalRC were the partners who founded Hydra in 2015.

With the shutdown of Hydra, cybercriminals gathered in the RuTor forum, but the presence of many competitors led RuTor to partner with the OMGOMG marketplace. However, this partnership faced opposition from WayAWay and led it to associate itself with Kraken. At the same time, researchers claim that the RuTor/OMGOMG and WayAWay/Kraken competition also mirrors the Russian-Ukrainian war. The researchers also said that RuTor’s pro-Ukraine and Kraken’s pro-Russia stances showed once again that geopolitical issues are also playing out in cyberspace.

Effect of the Russia-Ukraine War on the Dark Web

Since the war began, geopolitical dynamics have changed, and its reflection can be seen on the dark web. Especially the fact that Russian-speaking countries make up a massive part of the dark web population made this even more visible.

On the dark web, Russian-speaking criminals tended not to take actions that would harm or target former Soviet Union countries. However, this situation changed with the start of the war; Conti’s declaration of total loyalty to Russia, in particular, set an excellent example of this.

DWMs have also become one of the battlegrounds. Ukraine-born cyber intelligence expert Alex Holden claimed to have hacked the Solaris DWM, siphoned 1.6 Bitcoin, and donated it to a Kyiv charity.

Threats to Watch Out For

Considering the recent growth, Dark Web Markets will likely reach larger transaction volumes. In addition to illegal products such as drugs, these black markets also trade in data sets, data leaks, malware, and exploits, and so pose a significant danger to every institution.

Like hacker forums, critical data such as VIP credentials, employee data, and espionage information are sold in dark web markets as well.

Moreover, threat actors offer ransomware and stealers “as a service” in these markets.

With SOCRadar Extended Threat Intelligence, leaked or stolen data about your organization on the dark web and black markets can be detected automatically, so that you can take proactive measures.
