SAN FRANCISCO–The takedown of the Hydra darknet market in April was hailed as a significant step forward in the effort to disrupt cybercrime infrastructure and the ransomware payment ecosystem, and two months later, it has had an even more disruptive effect than analysts expected at the time.
Hydra was the largest Russian underground market and had been in operation for seven years by the time authorities from Germany seized its infrastructure and about $25 million in cryptocurrency. Hydra was a major hub for buyers and sellers of drugs, but also offered cryptocurrency mixing and laundering services, as well as cash-out services for people who wanted to withdraw illegal funds. At the same time as the takedown, the Department of Treasury’s Office of Foreign Assets Control announced sanctions against the Hydra market. When the takedown and sanctions hit, experts said the operation would likely have a serious effect on a large section of the cybercrime underground and praised it as a major victory for law enforcement.
“The transformation over the last decade (by authorities) has been significant in terms of international relations, increased efforts and more manpower,” Jared Der-Yeghiayan, director of the Advanced Cybercrimes and Engagements team at Recorded Future, said at the time. “Law enforcement has grown exponentially… the resources available 10 years ago is nothing compared to what they have now. The efforts, and capabilities, are also more intense.”
In the months since the takedown, analysts who track the cybercrime underground and analyze blockchain transactions have seen a serious dropoff in activity. Growth in the volume of transactions on major cybercrime marketplaces has remained relatively steady over the past few years, but when Hydra was taken offline, that came to a screeching halt.
“This was a major disruption of darknet activity, it’s a huge event.”
“Absent major marketplace takedowns, we see consistent growth. Most of that growth was from Hydra, and there was a major fall off after the takedown,” Kimberly Grauer, a director at Chainalysis, said during a panel discussion on the takedown at the RSA Conference here Wednesday.
Chainalysis monitors and analyzes blockchain activity, both on legitimate marketplaces and exchanges and on illegitimate ones. By watching the funds flowing into and out of cryptocurrency wallets, analysts can follow the money in various ways and spot trends and anomalies. Chainalysis and Flashpoint Intelligence, which monitors underground cybercrime activity, published a whiye paper on Hydra in 2021, almost exactly a year before the takedown, and found that the market’s transaction volume had gone from $9.40 million in 2016 to more than $1.37 billion by the end of 2020. Hydra had been known to security researchers, blockchain analysts and law enforcement for several years, and given the rapid churn in underground markets of this kind, at seven years old, it was ancient.
One of the main theories about why the market’s administrators had been able to operate for so long without much in the way of interference was that the group was working with Russian law enforcement and funneling some of their revenue to them.
“I would say the Russian government was permissive. They wouldn’t interrupt it or arrest sellers. The theory is law enforcement was working closely with Hydra admins and sellers to get a cut,” said Vlad Cuiujuclu of Flashpoint.
Why the authorities chose April to take the forum down and impose the sanctions is another open question. Hydra was well known and had been on law enforcement radar for some time, so when the takedown occurred, it wasn’t a shock, but the timing was what puzzled some observers, given that it came soon after Russia invaded Ukraine,
“These theories were immediately circulating. The more mundane explanation was that Hydra was simply becoming annoying to the west. Hydra admins had been saying they’d like to expand to Europe and this was a preventive move,” said Andras Toth-Czifra of Flashpoint.
“Hydra was becoming a considerable problem even without the war.”
Whatever the proximate cause of the takedown was, the effect it’s had is clear.
“This was a major disruption of darknet activity, it’s a huge event,” Grauer said.