On April 5, German authorities announced the takedown of the Hydra marketplace, the world’s largest darknet market trading in illicit drugs, cyberattack tools, forged documents and stolen data. The criminal operation, with about 17 million customer accounts, raked in billions in bitcoin before getting shut down.

On its website, the Federal Criminal Police Office (BKA) stated it had secured and closed Hydra’s server infrastructure. Bitcoin worth about $25 million, attributed to the Hydra marketplace, was seized.

At the same time, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Hydra. This was a coordinated effort involving multiple U.S. federal authorities and the German Federal Criminal Police.

What is Hydra?

According to the U.S. Department of the Treasury, Hydra was launched in 2015. It was the most prominent Russian darknet market and the largest darknet market in the world. Hydra traded in Ransomware-as-a-Service, breach services and software, stolen personal information, counterfeit currency, stolen virtual currency and illicit drugs. Following a sale, Hydra’s vendors anonymously delivered illicit goods to physical drop locations. Once Hydra received payment, typically in cryptocurrency, buyers were given the location coordinates.

The Treasury press release states, “According to blockchain researchers, approximately 86% of the illicit bitcoin received directly by Russian virtual currency exchanges in 2019 came from Hydra. Before today’s action, Hydra’s revenue had risen dramatically from under $10 million in 2016 to over $1.3 billion in 2020. This growth in profit is enabled by Hydra’s association with Russian illicit finance.”

Affiliated virtual currency exchanges sanctioned

In addition to sanctioning Hydra, OFAC identified over 100 virtual currency addresses, also connected with the Hydra operation, that had been used to conduct illicit transactions.

One example is Garantex, a virtual currency exchange founded in 2019 and first registered in Estonia. The Treasury states that known Garantex transactions show over $100 million connected with illicit actors and darknet markets. These transactions include nearly $6 million from the Russian Ransomware-as-a-Service gang Conti and about $2.6 million from Hydra.

Massive takedown

According to BKA, the Hydra network amassed 17 million customer accounts and over 19,000 registered sellers. In 2020, the group had a global turnover of $1.34 billion. Enforcement agencies noted that Hydra’s affiliated services made the investigation especially challenging. For example, Bitcoin Bank Mixer, a service provided by the platform, obscured digital transactions.

Mixers pool bitcoin from many users in private pools before redistributing it to the intended recipients. Mixing coins together makes transactions much harder to trace: an analyst may only see that someone sent coins into the mixer, while the final recipients and amounts remain obscured.
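To make the tracing problem concrete, here is an added Python example; it is not code from the article, BKA or the Treasury. It screens a small, constructed set of toy transactions against a placeholder sanctions list (the address strings are invented, not real OFAC-listed addresses) and then follows coins forward from a flagged address, stopping where the funds enter a mixer pool. The report shows why attribution ends there: the pool has several depositors, so none of its outputs can be tied to the flagged source.

```python
from collections import defaultdict, deque

# Constructed placeholder data: these address labels and amounts are invented
# for illustration and are not real blockchain addresses or OFAC listings.
SANCTIONED = {"addr_market_1", "addr_exchange_x"}
MIXERS = {"addr_mixer_pool"}

TRANSACTIONS = [
    {"txid": "tx1", "inputs": ["addr_market_1"], "outputs": [("addr_a", 2.0)]},
    {"txid": "tx2", "inputs": ["addr_a"], "outputs": [("addr_mixer_pool", 2.0)]},
    {"txid": "tx3", "inputs": ["addr_bob"], "outputs": [("addr_mixer_pool", 1.0)]},
    {"txid": "tx4", "inputs": ["addr_mixer_pool"],
     "outputs": [("addr_out1", 1.5), ("addr_out2", 1.5)]},
    {"txid": "tx5", "inputs": ["addr_clean"], "outputs": [("addr_c", 0.5)]},
]


def screen_transactions(txs, sanctioned):
    """Return {txid: matched addresses} for every transaction that touches
    a sanctioned address on either the input or the output side."""
    hits = {}
    for tx in txs:
        touched = set(tx["inputs"]) | {addr for addr, _ in tx["outputs"]}
        matched = touched & sanctioned
        if matched:
            hits[tx["txid"]] = matched
    return hits


def build_graph(txs):
    """Map each spending address to the (txid, receiving address, amount)
    edges it funds, so the flow of coins can be walked forward."""
    graph = defaultdict(list)
    for tx in txs:
        for src in tx["inputs"]:
            for dst, amount in tx["outputs"]:
                graph[src].append((tx["txid"], dst, amount))
    return graph


def trace_forward(start, txs, mixers, max_hops=10):
    """Breadth-first walk of the coin flow from `start`. The walk does not
    continue through a mixer address: once coins land in a pool fed by other
    depositors, the pool's outputs cannot be attributed to `start`."""
    graph = build_graph(txs)
    reached, mixers_hit = set(), set()
    queue = deque([(start, 0)])
    seen = {start}
    while queue:
        addr, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for _txid, dst, _amount in graph.get(addr, []):
            if dst in seen:
                continue
            seen.add(dst)
            reached.add(dst)
            if dst in mixers:
                mixers_hit.add(dst)   # attribution ends at the pool
                continue
            queue.append((dst, hops + 1))

    # Explain the loss of attribution: who else funded the pool, and which
    # outputs left it. None of those outputs can be tied back to `start`.
    pool_sources, unattributable = set(), set()
    for tx in txs:
        if any(dst in mixers_hit for dst, _ in tx["outputs"]):
            pool_sources.update(tx["inputs"])
        if any(src in mixers_hit for src in tx["inputs"]):
            unattributable.update(dst for dst, _ in tx["outputs"])
    return {
        "reached": reached,
        "mixers_hit": mixers_hit,
        "pool_sources": pool_sources,
        "unattributable_outputs": unattributable,
    }


if __name__ == "__main__":
    print("sanctions hits:", screen_transactions(TRANSACTIONS, SANCTIONED))
    print("trace:", trace_forward("addr_market_1", TRANSACTIONS, MIXERS))
```

Run as written, the screen flags only tx1, and the trace from the flagged address reaches addr_a and the mixer pool, then reports that the pool was also fed by addr_bob and that addr_out1 and addr_out2 cannot be attributed. A real compliance check would use the published OFAC address list and full chain data, but the stopping rule at the mixer is the same.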

Now that Hydra has closed, visitors will only find a takedown banner.

Takedown banner. Source: BKA

Prosecution underway

Prosecutors are now charging Hydra operators and administrators with running a criminal trading platform, participating in the unauthorized purchase and sale of narcotics and commercial money laundering.
