Hydra Market, one of the dark web’s oldest and largest marketplaces, was taken offline yesterday. A joint operation by US and German law enforcement agencies saw the servers that ran the market seized along with $25m in cryptocurrencies.
Founded in 2015 in Russia, Hydra had 17 million users at the time of closure, and had been the largest market on the dark web since the closure of RAMP, the Russian Anonymous Marketplace, in 2017. Its annual transaction volumes skyrocketed from $9.4m in BTC in 2016 to $1.37bn in 2020, according to a report by cybersecurity company Flashpoint, which says the market’s focus was on trading in illegal narcotics, data, forged documents and digital services.
Officials in the US and Germany hope that closing down Hydra will send a clear message to cybercriminals that they can no longer hide their illicit activities on the dark web. “Our actions send a message today to criminals that you cannot hide on the dark net or its forums, and you cannot hide in Russia or anywhere else in the world,” said US Treasury Secretary Janet L Yellen. “In coordination with allies and partners, like Germany and Estonia, we will continue to disrupt these networks.”
Hydra’s removal will disrupt cybercrime across the globe, albeit temporarily. Criminals will be scrambling to find new places to buy and sell information, experts told Tech Monitor.
How Hydra was shut down
The sting was the culmination of an operation which began in August last year, and saw Hydra’s servers in Germany seized, taking the marketplace offline. The law enforcement agencies also announced the termination of a currency exchange called Garantex, which was a key money laundering site for cybercrime, particularly ransomware. More than $100m in transactions on Garantex have been linked with illicit actions and dark markets, including $6m from the notorious Conti ransomware gang, the US Treasury said.
Now that these services have been shut down, law enforcement agencies will be looking to identify the “unknown operators and administrators” of Hydra who were active on the marketplace. The US Treasury’s Office of Foreign Assets Control has already added over 100 digital currency addresses from Hydra and Garantex to the specially designated nationals list, which details foreign nationals suspected of criminal activity who are barred from doing business with any US citizen. However, there have been no arrests as yet.
How will Hydra’s closure affect the cybercrime landscape?
Seizing Hydra is a significant step in the fight against cybercrime, says Louise Ferrett, threat intelligence analyst at Searchlight Security. “I think it’s definitely sending a message that these crackdowns, which have been coming pretty frequently in the last couple of years, are going to continue,” she says. “They’re not going for small targets or easy ones. They are going for the large institutions because, if they see a player as big as Hydra getting taken down, that shakes everyone’s faith in the whole ecosystem.”
The closure of Hydra could deter people who are considering turning to online criminal activities, particularly those impacted by the war in Ukraine, argues Etay Maor, senior director of security strategy at Cato Networks. “I think we’re going to see a rise in the number of people participating in [cybercrime] because of the situation in Ukraine and Russia,” he says. “Some of the people in Ukraine are talented, they have lost their homes, and need to provide for their families.”
He continues: “If you are an IT guy and you know how to do some of this stuff, maybe you’ll be inclined to move a little bit to the darker side of security. With inflation, prices are going up, and this kind of uncertainty can push regular people into these areas. If [the takedown of Hydra] serves as a deterrent to that, then I am extremely happy,” he says.
Will a new dark web marketplace replace Hydra?
The closure of Hydra is likely to disrupt the selling of illicit malware used in ransomware attacks, continues Ferrett, meaning a temporary lull in the number of cyberattacks being attempted could follow. “They were selling a lot of malware and that sort of thing so there will be a slight lull in that for a time, definitely,” she says. “That might affect [the volume of cyberattacks] if there’s difficulty in buying certain types of malware.”
But any lull in the number of cyberattacks is likely to be short-lived, Ferrett adds. “It’s almost inevitable that there will be a new source to purchase those things from,” she says. “These people are well-connected – they will seek out other places and probably be able to find them.”