Here we go again with instability in the English language darknet markets

Hydra darknet marketplace, once the biggest of the Russian darknet markets chose to expand into the English speaking domain. What was the fraud threat?

Michał Barbaś

Intelligence Specialist
Vector

24 July 2020

Group

12 min read

Hydra darknet marketplace, the biggest Russian language darknet Marketplace (DNM), is growing a new head and is planning to expand into the English speaking realms. The threat of a rising, powerful, and experienced player should not be ignored despite the fact that the launch was postponed due to the COVID-19 outbreak. How serious is it and what is the danger here? Let’s dive in to understand the instability arising in English language darknet markets.

Instability in the darknet

Hydra darknet marketplace is currently the biggest Russian language darknet Market (DNM). It is also much older than any existing English language DNMs. In December 2019, the Hydra crew announced the creation of several new projects, the most important of which are Eternos and AspaNET. The former is a new DNM for English-speaking crooks. The latter is a new darknet that will be an alternative to TOR. The Hydra crew initially planned to launch new projects in September 2020, but in June they postponed it for an unspecified time because of the COVID-19 pandemic. Given the events in the English-speaking sphere of TOR during the last 18 months, current instability among DNMs and uncertainty among darknet users, it could be an opportune time for a new player to take the stage.

If the new Hydra darknet marketplace does indeed begin operations, it would become a significant part of the cybercriminal environment in the English language sphere. There is huge momentum behind the Hydra crew and the present moment is perfect to take over a large part of the illicit market on the darknets. Other cybercriminal groups will have to react somehow to the new competitor. Will they cooperate, compete, or go to war? It is also possible that these new projects won’t launch (or they will be operating only partially) and that Hydra’s Initial Coin Offering (ICO) was only a fraud targeting the darknet community.

What is Hydra darknet marketplace?

The Hydra darknet Marketplace was launched in 2015 as a market focused on drugs. At that time, the main Russian DNM was RAMP. Many Commonwealth of Independent States (CIS) citizens also used big Western DNMs: AlphaBay, Hansa Market and Dream Market. RAMP and Hydra’s peaceful competition stopped at the beginning of 2017 when both DNMs started to fight what is now referred to as “the DNM war.” To see a brief history of Darknet Markets and Hydra’s influence take a look at the infographic timeline we've created. It will also help you structure all the information that we're about to reveal.

In June and July 2017, AlphaBay and Hansa Market, the first and third biggest Western DNMs respectively, were seized by law enforcement during the law enforcement community’s Operation Bayonet. At the same time, Russian authorities seized RAMP, but it is not certain if it was part of the wider law enforcement action. Nevertheless, after the seizure of RAMP, Hydra became the biggest Russian DNM. According to the Hydra administrators’ statement and lenta.ru publications (more about lenta later) Hydra is one of the top 10 internet companies in Russia. Moreover, Hydra owners are so brazen that in the past they even bought ads on Youtube. It was removed after a short time, but it still can be found here

english-language-darknet-markets-for-investors-top-10-lenta

Part of the ICO announcement from the Hydra website. First underlined element is about ads on Youtube and in the lenta.ru publications. In the second underlined sentence Hydra claims to be in the TOP 10 of the largest Russian internet companies.

Currently, Hydra is well known as an illegal drug-focused DNM. They are especially well known for using secret GPS-marked hiding places as a delivery method. Russians call such drug caches закладка 1. A courier delivers items bought on Hydra to the secret drug caches, which could be located between some bricks in a building, under a park bench or another similar place. Then the courier writes down the GPS coordinates and the buyer receives it with a message that the package is ready pick-up. To be able to provide such a delivery method, merchants from Hydra have to maintain crews of couriers. That’s why this method is available only in Russia and CIS big cities.

On Hydra, one can buy not only illegal drugs-related merchandise, but also fraud-related: stolen credit cards (both dumps and fullz), sim cards, electronic money wallets, stolen accounts and counterfeit money. The number of their fraud product providers is much smaller than drugs suppliers, but they all are verified and trusted vendors. Because of this, there are almost no problems with fake merchants as is often the case on other DNMs.

Russia is a unique country with a strong power apparatus that gets involved in many shady initiatives. There are official US government statements where we can find out that Russian authorities are hiring cybercriminals and because of that they stay under state protection. Among the majority of both darknet researchers and Russian cybercriminals there are opinions that Hydra is supported by the Russian authorities, probably the intelligence services. Through the biggest marketplace they can control what is sold, benefit from profits, and get knowledge about who is who in this environment.

Hydra is the biggest Russian DNM, but it is not like all of the Russians cybercriminals love Hydra and use it. The Hydra crew call themselves aggressive and ready to counter every attack on their interests. Many crooks perceive them as too aggressive and don’t accept their connections with Russian authorities. Administrators from some Russian carding forums officially claim that they don't have anything in common with Hydra and aren’t interested in developing ties. There are even forums in the Russian darknet that ban topics with discussion about Hydra.

english-language-darknet-markets-no-connection

Experienced user on one Russian carding forum claimed that people there have nothing in common with Hydra, discussion about drugs are forbidden and the topic creator should go on the Hydra forum with questions about Eternos and AspaNET. The topic was closed by moderators not long after its creation.

What they are planning

In December 2019, the Hydra crew announced an Initial Coin Offering (ICO) to gather funds for launching several new projects. The most important is Eternos, which is a new DNM with global reach, and AspaNET, which would be an alternative to TOR. In only 5 days, Hydra wanted to sell 1,470,000 tokens, with each token priced at $100. After the Eternos launch owners of at least 101 tokens would get 0.00333333% of the monthly profit generated by the marketplace for every hundred tokens held in a wallet. Initially all of the new projects would start operating in September 2020. Obviously, taking part in this ICO was openly financing organized crime activity.

At first sight, Eternos is the core project here. For now, Hydra is a DNM dedicated to the CIS region (Azerbaijan, Belarus, Ukraine, Russia, etc.) and is available only in the Russian language. Eternos will be accessible in English and possibly in other popular languages. Their purpose is to create a large, stable, and secure DNM that will be an alternative for Western DNMs. The Hydra crew promises that the new DNM will be based on Hydra, but it will be enriched with many features: encrypted messages, a built-in cryptocurrency mixer, and as mentioned before, a delivery system based on the drug caches known as закладка. The last one could be the most innovative for western countries and the most troublesome in introduction. Eternos will have an international legal reference system which helps to assess risk in many states in conjunction with various illicit merchandises. A part of it will have services that help with logistics, advertising and data analysis.

The second core project, and maybe even more important than Eternos, is the new darknet–- AspaNET. The Hydra crew is probably powerful and rich enough to create their own darknet, as even smaller hacker organizations managed to do so. Eternos will be available on AspaNET, but it is uncertain if it will also be available on other darknets (like TOR and I2P) or if it will be an AspaNET exclusive. For trouble-free operations it should have infrastructure that will handle Eternos and other new projects. As the Hydra crew will be its operator, its maintenance budget will be coming from criminal activity. If Russian authorities have something to do with it, they would have the possibility of extending their surveillance with this network. So it is possible that it will be another international darknet, but probably made and controlled in cooperation with the Russian intelligence services. According to the announcement, AspaNET can bypass Internet censorship and filtering made by the Chinese Golden Shield Project and the Russian Sovereign Internet. They said also that this new darknet solves many known TOR problems and it has been successfully tested in China and Turkey. Right now there are almost no technical details about it, so it is hard to say more.

There will also be other projects launched that will work within AspaNET. Whisper will be a messenger that uses PGP and VPN to secure anonymity for users. ChangePoint will be a new cryptocurrency exchange. This is probably the first time where one group attempts to create such a complex service offering on the darknet. Criminals who would use only their services, would be concentrating their info in one place and sending it exclusively through their services. It would require a great deal of trust.

There are several unexpected things about the new projects announcement and how the community has reacted to it. There was little discussion about it on Russian forums. On some cybercriminal forums, the Hydra related topics were closed by moderators. An official Hydra representative said that the official ICO announcement is everything Hydra admins have to say at that moment. On most English language forums there was almost no discussion about it until May 2020, when the most important English website about darknet news wrote about these new projects---a full 6 months after the ICO. Another thing is that the Hydra announcement mentioned before has a provocative tone. They speak directly that they are aggressive, eager to fight with any adversaries that want to disturb their business and they are ready for global expansion in the darknet Market sector.

Is the timing right?

By looking at the timeline graphic we can see that the English language sphere of the darknet has been in flux since at least March 2019. Although the timeline is concentrated on the fuss among DNMs, it is not the whole story. Turmoil has affected other places. Perturbations were caused by law enforcement actions, scam exits, DDoS attacks and the disappearance of certain services and important figures. Probably the first were DDoS attacks on the main Western DNMs in January 2019. These attacks were one of the reasons why Dream Market, the biggest English DNM at the time, suspended its operations, never to return. After that, DDoS attacks were conducted against the biggest forum in the English language TOR. The threat actor responsible for the attack campaign in the first half of 2019 used the nicknames hereugo and hereugoagain. It is uncertain whether he/she worked alone or with a team, but proved that he/she can stop and begin attacks at will. In the middle of 2019, he put his DDoS attack method up for sale and was probably bought by another group(s), who was responsible for subsequent DDoS attacks on forums and the DNM in TOR.

english-language-darknet-markets-hereugoagain-ddos-tool

In May 2019 hereugoagain made a sale announcement for his DDoS tool. Its price was 50 BTC - at that time it was 288 320 USD.

As a part of the attacks mentioned above, there was the unexpected seizure of a popular news website on darknet by law enforcement agencies. Deepdotweb was the biggest and the most popular such site in the English language internet and besides news and tutorials it contained links to DNMs. The portal earned money from the DNMs for each buyer who came from links on Deepdotweb, which is why they were accused of complicity in money laundering. After that, other similar information portals shut themselves down over fears of arrest.

Another disturbing event was the disappearance of administrators of forums for criminals. Although some of them returned, not all could authenticate themselves by their private PGP key. One of the administrators lost his key, which meant that he couldn’t confirm his identity. Losing the main thing used by cybercriminals to authenticate themselves for the rest of society equals complete compromise and a lack of trust. The event in which another forum administrator went missing was described in a previous article.

Over the last 18 months, 15 English language darknet markets stopped operations. Some were busted (xDedic, Wall Street Market, Valhalla, Berlusconi Market); others stole their customers’ money and did an exit scam (Nightmare Market, Silk Road 3.1, Grey Market, Apollon Market, Europa Market, BitBazaar); the rest disappeared because of other or unknown reasons (Dream Market, CGMC, Cryptonia Market, Tochka Market, Samsara Market). Right now the oldest English language darkent market is Empire which is 3 years younger than Hydra. The rest of the DNMs are even younger.

At the same time, investigation materials on Hydra were published on the Russian language internet. In September 2019, the Russian pro-government information portal lenta.ru released a short series of articles and professional, entertaining videos via the Lenta Youtube channel. The videos talk about Hydra’s beginnings and its war with RAMP, the drug cache system and how human lives are destroyed by drugs. Although the message of the last one is clear and educational while watching the first two videos one may have the impression of looking at a Hydra advertisement. The videos are made in a spectacular, attractive style and give a feeling of an attempt at attractiveness. There are numbers which are exaggerated probably to make Hydra look even stronger and richer than it really is. For example, the given number of 80 criminal Telegram channels where Hydra adverts were published in 2017 is far too big. At that time cybercriminal environments on Telegram had only just started to emerge and there weren’t so many channels on illicit subjects. Also, the monthly pricing for sharing Hydra ads on the Telegram channel is enormously big.

english-language-darknet-markets-lenta

If you like hacker-style stuff don’t forget to have a look at the Lenta publication website (available only in Russian)

What if they succeed?

Given the instability in Western DNMs, both darknet vendors and customers will try Eternos. Even crooks who don’t speak Russian have heard about Hydra and their domination on the Russian TOR segment. The main obstacles to growth for Eternos could be their new darknet – AspaNET. History shows us that most crooks don’t want to use new, unknown darknets, especially if using them is complicated. Last year demonstrated a reverse trend: more and more illicit goods are sold on the Clearnet on alternative internet market platforms (like Shoppy), encrypted communicators (like Telegram and WhatsApp), internet forums and standard websites equipped with criminal vendor shops. Of course there are many problems with rippers (crooks who deceive other fraudsters) there, but the point is that many low-level crooks are lazy and often seek merchandise on the Clearnet. A lot depends on whether Eternos will also be available in TOR. If not, many lazy criminals won’t even try it, although advanced users will still want to test it.

The question is, how will the other players in the darknet react to the new competitor? The current main players in the English language darknet have a stable position and a good reputation. Eternos as the new brand in the English language sphere will have to gain trust. The Hydra background will certainly be an asset, but it may not be enough. At the outset, Eternos’ cooperation with the main forums and information portals could be very helpful to win the faith of the crooks. That’s why the Hydra crew should start a marketing campaign in the English language darknet to get more brand recognition. On the other hand, this is an area in which current dominant DNMs can attack the new Hydra project. They could bribe forum administrators and information portal owners to spread false information about Eternos problems, scams, dishonesty, security vulnerability, etc. Furthermore, they could make fake Eternos websites and spread links to them in order to phish Eternos clients credentials or damage their brand. The Hydra crew would certainly be notified about a disinformation attack and would attack back. That would be the beginning of the next Hydra war, this time with Western DNMs. What I described here is just speculation on how that could start. Subsequent events could go in many ways there is no way to predict which site would win.

Assuming there will not be a serious fight between Eternos and the other players and neither of Hydra’s new projects has serious technical problems, the new DNM probably will enjoy stable growth in all areas. It is a truism that no DNM lives forever. Every DNM eventually gets seized or goes exit scam. It was especially true last year among English language DNMs, where the average lifespan dropped. When one big DNM goes offline, vendors and buyers seek a new, attractive, trustworthy market. If Eternos maintains durability as Hydra does, most crooks use the new DNM. If Eternos indeed rises, there is a good chance for it to become one of the most prominent markets.

Could it be a scam?

We can’t be certain that these new projects will indeed be launched. The ICO mentioned at the beginning could be a scam targeting fraudsters. As this ICO was obviously a case of organized crime crowdfunding, there would be no recourse for defrauded investors. There are no official institutions to which one could complain. If the new projects do not start, the Hydra administrators would probably explain themselves by citing unpredictable technical problems or using some other well-crafted, ultimately meaningless explanations. Posts with cheated users’ lamentations would be deleted. In this scenario Hydra would certainly lose trust, but the question is does it really matter? Sure, trust is important on the darknet, but Hydra is currently the most important and strongest DNM player on Russian the scene. If somebody wants to use a Russian DNM, they will most likely eventually return there. If they ripped somebody who wasn’t their client before, they couldn’t care less. And there are several reasons that Hydra may opt for a scam scenario.

First of all, as previously mentioned, the ICO was planned to last for only 5 days, from the16th to the 20th of December. How much investment did they seek? They were selling 1,470,000 tokens for $100 each, to potentially raise the astronomical amount of $147,000,000. If anybody would acquire such a sum in 5 days of a crowdfund, it would certainly attract the attention of law enforcement agencies that deal with money laundering. But it’s not the case, because it is entirely opposite to money laundering. It is hard to believe that anyone would gather such an amount so quickly. Also, there are no clear reasons to limit the fundraiser time to only 5 days. The Hydra crew didn’t have investors, stock, or time pressure. Also they fixed the closing of the ICO in advance; they didn’t close it because the tokens sold out. It is a very suspicious scenario.

english-language-darknet-markets-how-many-tokens

User can check how many tokens he/she has in the balance section, where he can also check how many bitcoins s/he possesses in the market wallet. Currently there are no options to buy tokens. As the reader can see, we have neither bitcoin nor tokens.

The next thing is the закладка (drug caches) organization. Hydra claim that they want introduce this system, which works very well in the CIS area, to Europe and the rest of the world in order to revolutionize package delivery safety from DNMs. But if vendors from Hydra don’t have their own couriers in a city, they would like to use Hydra’s resources. Simultaneously launching drug caches systems in every major city in every European country is impossible for an illegal organization. It would be doable if they planned on gradually introducing this system into European cities over a longer period of time. But there is no information about the order of implementation of закладка in Europe. We don’t know in which countries and cities they will be available in first. закладка universal availability from the beginning is certainly an impossibility.

In June 2020, the Hydra crew quietly added a short sentence to their investors section, bypassing their news section. It said that they have postponed starting new projects due to the COVID pandemic, without providing a new date. Nor did they share any proof that they did anything to develop the new darknet and DNM. Perhaps this is the first omen heralding that this is indeed a scam?

english-language-darknet-markets-ico-statement

Ending part of the ICO announcement from Hydra website. Underlined sentences were added in June 2020. It means: “Attention: due to pandemic, Eternos start is postponed for indefinite time.”

Instability in English language darknet markets: Summary

Eternos and AspaNET should be launched in October 2020. Will Eternos become the market that makes DNMs great again? Will AspaNET become an alternative to TOR among cybercriminals? Or is this just a big scam in which only fraudsters were cheated? Or will it be just a big scam attempt, because almost nobody bought tokens during the ICO? We will see. In any case it is certainly worth continued observation.

The extract of this article was published on about-fraud.com.

    1. Although закладка in most cases is used in drug delivery, it could also be used for delivery of other small items.

 


    If you are interested in protecting your business from the threats of fraud which originate in darknet markets, our advanced fraud detection can help you. Let us show you how...

    Ready to detect fraud just like Azul?

    Ready to detect fraud just like Azul?

    Start measuring fraud attacks today and find out if there are bots attacking your site. Arrange a call to discuss a tailored solution or explore our platform for free.

    Book a call