“It has this dual function of being a drugs market and a service for cybercriminals—and particularly Russian cybercriminals,” says Jess Symington, Elliptic’s research lead. “So it does impact more than just the drugs community, and it forces these individuals to now potentially reconsider how they’re going to launch their funds or cash out.”
Around half of the roughly $2 billion in transactions going into Hydra market’s cryptocurrency addresses in 2021 and early 2022 were from illicit or “risky” sources such as stolen funds, dark web markets, ransomware, online gambling, scams, and individuals and organizations facing sanctions, according to cryptocurrency tracing firm Chainalysis. In other words, close to a billion dollars’ worth of the money entering Hydra over that time wasn’t in fact clean money used to buy drugs or other contraband available for sale on the site, but rather dirty money that Hydra was helping to launder and exchange for rubles.
All of that makes clear that Hydra wasn’t merely a Silk Road for the post-Soviet world, but a significant player in the financial services of a more far-reaching cybercriminal economy—one that’s now been abruptly yanked offline. “I’m going to be following this really closely because it’s going to be really impactful on the ecosystem,” says Kim Grauer, director of research at Chainalysis. “It’s a major disruption.”
As a cashout service, Hydra didn’t function like a normal exchange, in which users could trade cryptocurrency for traditional dollars or euros in a bank account, or vice versa. Instead, according to Russian-speaking analysts at threat intelligence firm Flashpoint, the market offered services in which customers could spend cryptocurrency to buy rubles from vendors on the site, which were then sent to the buyer with payment services like QIWI, Tinkoff, or Yandex.Money (which has since rebranded as YooMoney). Users who sought to leave even less of a digital trail could also use so-called klad or “hidden treasure” services, a dead drop system where rubles they purchased with crypto are buried in bundles underground by a courier. A few hours later, the service would share the location of the buried cash with the buyer, who could then dig it up and retrieve it.
Due to the risk of discovery or theft, those dead drop services cost a hefty commission—as much as 15 percent, according to Flashpoint—but they may have been worth the cost for paranoid users holding cryptocurrency connected to serious crimes. “Basically you take the tracing part out of the equation,” says Vlad Cuiujuclu, an analyst at Flashpoint. “Paying a couple more percent is preferable to being traced and endangering yourself.”
Whether Hydra is really offline for good or will resurface in the near future remains an open question. Germany’s BKA, after all, didn’t announce any arrests in its takedown operation. In keeping with its many-headed name, a joint report from Flashpoint and Chainalysis last year counted at least eleven administrators and operators who have run the market under pseudonyms like Ironman, Deus, Handsome Jack, Glavred, Fatality, and Satoshi Nakamoto.
But even if the Hydra operators have escaped law enforcement, they may still face suspicion from their dark web peers if Hydra reappears online, argues Elliptic’s Symington: Users may now fear that the Hydra admins have quietly been compromised by law enforcement. “We’ve seen other markets struggle when they pop back up as version two,” she says. “They never really do as well as the original sites. And there’s always questions around the authenticity of the claims of the administrators.”
After a decade of demonstrating its resilience to law enforcement, however, there’s little doubt that the larger cryptocurrency black market will produce another operation to fill the same Russian-language niche. Even if Hydra is gone for good, the dark web’s illicit economy will no doubt be ready to grow another head to replace it.