On April 5, German authorities announced the takedown of the Hydra marketplace, the world’s largest darknet market trading in illicit drugs, cyberattack tools, forged documents and stolen data. The criminal operation, with about 17 million customer accounts, raked in billions in bitcoin before getting shut down.

On its website, the Federal Criminal Police Office (BKA) stated it had secured and closed Hydra’s server infrastructure. Bitcoins amounting to about $25 million were seized, which were attributed to the Hydra marketplace.

At the same time, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Hydra. This was a coordinated effort involving multiple U.S. federal authorities and the German Federal Criminal Police.

What is Hydra?

According to the U.S. Department of the Treasury, Hydra was launched in 2015 and became the most prominent Russian darknet market and the largest darknet market in the world. Hydra traded in Ransomware-as-a-Service, breach services and software, stolen personal information, counterfeit currency, stolen virtual currency and illicit drugs. Following a sale, Hydra’s vendors anonymously dropped the illicit goods at physical locations; after Hydra received payment, typically in cryptocurrency, the buyer received the coordinates of the drop.

The Treasury press release states, “According to blockchain researchers, approximately 86% of the illicit bitcoin received directly by Russian virtual currency exchanges in 2019 came from Hydra. Before today’s action, Hydra’s revenue had risen dramatically from under $10 million in 2016 to over $1.3 billion in 2020. This growth in profit is enabled by Hydra’s association with Russian illicit finance.”

Affiliated virtual currency exchanges sanctioned

In addition to sanctioning Hydra, OFAC identified over 100 virtual currency addresses used to conduct illicit transactions and connected with the Hydra gang.

For example, look at Garantex, a virtual currency exchange founded in 2019 and first registered in Estonia. The Treasury states that known Garantex transactions show over $100 million connected with illicit actors and darknet markets. These transactions include nearly $6 million from the Russian Ransomware-as-a-Service gang Conti and about $2.6 million from Hydra.

Massive takedown

According to BKA, the Hydra network amassed 17 million customer accounts and over 19,000 registered sellers. In 2020, the group had a global turnover of $1.34 billion. Enforcement agencies noted that Hydra’s affiliated services made the investigation especially challenging. For example, Bitcoin Bank Mixer, a service offered through the platform, concealed the trail of digital transactions.

Mixers pool bitcoin from many users before dividing it back out among the intended recipients. Mixing coins together makes transactions much harder to trace: analysts can only see that someone sent coins to the mixer, while the final recipients and amounts remain obscured.

Now that Hydra has closed, visitors will only find a takedown banner.

Takedown banner. Source: BKA 

Prosecution underway

Prosecutors are now charging Hydra’s operators and administrators with running a criminal trading platform, participating in the unauthorized purchase and sale of narcotics, and commercial money laundering.
