Russian-language dark web marketplace Hydra has emerged as a
hotspot for illicit activities, pulling in a whopping $1.37 billion
worth of cryptocurrencies in 2020, up from $9.4 million in
2016.
The “blistering growth” in annual transaction volumes marks a
staggering 624% year-over-year jump over a three-year period from
2018 to 2020.
“Further buoying Hydra’s growth is its ability—or its good
fortune—to remain running and unscathed against competitor attacks
or law enforcement scrutiny[1]; its only downtime of
note occurred during a short time period at the beginning of the
COVID-19 global pandemic in late March 2020,” threat intelligence
firm Flashpoint said[2]
in a report jointly published with blockchain analysis firm
Chainalysis.
Active since 2015, Hydra opened as a competitor to the
now-defunct Russian Anonymous Marketplace (aka RAMP), primarily
facilitating narcotics trade, before becoming a bazaar for all
things criminal, including offering BTC cash-out services and
peddling stolen credit cards, SIM cards, documents, IDs, and
counterfeit money, with the operators profiting as the intermediary
for every transaction conducted on the platform.
Hydra accounted for over 75% of darknet market revenue worldwide
in 2020, positioning it as a major player in the crypto crime
landscape in Eastern Europe, according to a report[3]
by Chainalysis published in February 2021. This skyrocketing
cryptocurrency activity conducted through the marketplace can be
partly attributed to the demise of
RAMP[4] in September 2017, which
resulted in a mass migration of cybercrime gangs to Hydra.
But effective July 2018, Hydra administrators have imposed
stringent requirements on sellers, mandating that outbound
withdrawals of cryptocurrency proceeds from their wallets are
routed through regionally-operated crypto exchanges and payment
services in order to exchange the funds into Russian fiat currency.
Also in place are limitations that disable seller withdrawals until
they either successfully complete more than 50 sales transactions
or maintain an account balance of at least $10,000.
“Upon completion of the buyer portion of the transaction, the
money trail goes dark as more veiled, in-region financial operators
and service providers manage the sellers’ finances and convert
cryptocurrency withdrawals into difficult-to-trace Russian fiat
currencies as the next step in the financial chain,” the
researchers said.
These withdrawal restrictions have also made Hydra seller
accounts a hot commodity on various underground forums, fostering a
new offshoot market where cybercriminals purchase an established
seller account to gain direct access to the marketplace and
entirely sidestep Hydra policies and enforcement controls.
What’s more, Hydra’s cash-out services[5]
— which allow bitcoin to be converted into gift vouchers, prepaid
debit cards, Russian rubles, or even physical cash hidden at a
discreet location (aka “hidden treasure”) — have made crypto
laundering a lucrative way for criminals to exchange their bitcoin
haul without being identified and reported. DarkSide[6], the ransomware gang
behind the Colonial Pipeline ransomware attack earlier this month,
sent 4% of its ill-gotten gains totaling $17.5 million to Hydra’s
operators to use the service.
Another factor that appears to be working in Hydra’s favor is
the fact that it’s remained unaffected by takedowns and “competitor
chicanery,” which have affected other Russian-speaking
cybercriminal communities such as Joker’s Stash[7], Verified, and Mazafaka[8], raising the possibility
that the marketplace could be “more resilient to oscillating
geopolitics and law enforcement efforts.”
“Hydra’s expansion to other illicit trades may endanger more
industry sectors,” the researchers cautioned. “While Hydra
currently supports the selling of many illicit goods and services,
its strongest market, by far, remains narcotics sales. Should Hydra
continue to grow, its support of other cybercriminal trades will
likely expand along with it.”
References
- [1] law enforcement scrutiny (thehackernews.com)
- [2] said (www.flashpoint-intel.com)
- [3] report (blog.chainalysis.com)
- [4] demise of RAMP (tass.ru)
- [5] cash-out services (www.elliptic.co)
- [6] DarkSide (thehackernews.com)
- [7] Joker’s Stash (thehackernews.com)
- [8] Verified, and Mazafaka (thehackernews.com)


