
Historical Darknet Markets: Hydra

The tale of Hydra, the world’s largest and longest-running darknet market, is truly epic. Its origins are largely shrouded in mystery, though we do know that it first opened for business in 2015. The story ends with the market’s takedown in a joint effort by German and US investigators in early April 2022, culminating with the arrest of its suspected principal operator in Russia the following week.

This article takes an extensive look at the inner workings of this “mother-of-all-darknet-markets,” providing some context for its path to domination, as well as exploring where things might be headed in the wake of its fall.

For most of its existence, Hydra suffered very little downtime, closing for only a brief period during the peak of COVID’s effects in 2020. According to Dread forum admin Paris, the market used a highly-sophisticated implementation of Tor that allowed it to remain online through the fiercest of DDOS attacks. It has been suggested that it benefited from high-up connections in the Russian government, perhaps helping to explain its longevity, though this has never actually been proven.

Thought to be responsible for 80% of all darknet market transactions during its last couple of years in operation, Hydra is estimated to have had around 17 million registered users and 19,000 active vendors, or “shops” as they were referred to on the market. Hydra managed to take in over $5 billion in cryptocurrency across the course of its lifetime, which was slightly less than seven years. This makes it indisputably the biggest darknet market of all-time.

Hydra wasn’t just the largest darknet market the world has ever seen (by a lot), it was also the baddest. We don’t necessarily mean “bad” in the traditional sense, but it was ruthless in its quest for domination, going to great lengths to quash its competitors. Hydra was also responsible for mediating more illegal activity than any other darknet market. This is not only due to the sheer volume of its sales of illegal items (mainly drugs), but also because it acted as a sizable conduit for money laundering operations from all around the globe. It was, in effect, a multi-headed criminal organization that resembled a modern-day cyber mafia.

For many cyber criminals in Russia and surrounding CIS countries, Hydra was largely indispensable as a crypto laundering service. Users could not only cash out crypto anonymously for rubles through exchangers like QIWI, Tinkoff or Yandex.money, but could also pick up the cash physically in pre-disclosed locations where it had been buried or hidden using a dead drop system known as klad, or “treasures.” This system was also used for a large portion of drug sales conducted on the market and is continued today by Hydra’s successors (though now primarily for drugs only).

A Russian-language market, Hydra served not only those in Russia but also Ukraine, Belarus, Kazakhstan, Azerbaijan, Armenia, Kyrgyzstan, Uzbekistan, Tajikistan, and Moldova. It accepted only Bitcoin as a payment method, though it did allow cashouts to a number of money processing services. Despite its reputation as being ruthless, Hydra shops operated under a rather morally-conscious terms of service which forbade the sales of weapons, poisons, contract killings, explosives, carding, “secret state information,” fentanyl, pornographic materials, viruses, and “other tools to commit criminal activities through cyberattacks.”

The Meaning of ‘Hydra’

The name Hydra refers to a mythical monster that takes the shape of a serpent and lives in the water. It also has many different heads, which was supposed to represent the idea that even if part of the market was taken down, the rest of it could regroup and live on. This was an especially pertinent ethos during Hydra’s early days, signifying strength in a sort of immortality of spirit. Although this ultimately proved not to be the case, it’s a near certainty that some of Hydra’s former admins and staff have moved on to newer darknet market projects.

After the Dutch market Utopia was taken offline by local authorities in Feb. 2014, one of the moderators of the Silk Road forum described the takedown as “a serious blow to the darkweb marketplace community,” rallying his community with the words:

“Show them that you, we, are a hydra—cut off one head and ten more spring up.”

Since then, the Hydra has been an embodiment of the darknet market ethos, symbolizing to law enforcement and other detractors that market operators would not give up. It has also been the name of a couple of other darknet markets in other parts of the world.

Statue of the mythical Hydra.

After the closure of Hydra in early April 2022, several other Russian-language darknet markets sprang into existence or stepped up their game to fill the former giant’s shoes, hoping to land some of the estimated hundred million dollars in business Hydra saw on a monthly basis. While these operations have already encountered some success in this regard, it is likely that no other darknet market – of Russian or any other language – will ever rival the size of Hydra and its sheer domination of the DNM landscape.

RAMP

Considered to be one of the original Russian-language darknet markets, RAMP (Russian Anonymous Marketplace) was founded sometime in 2012 and lasted all the way until Sept. 2017. The trading of drugs on Russian darknet sites dates back to 2009, when discussions on forums led to private deals done through encrypted messages.

At least one darknet market predates RAMP, known as R2D2, which opened in May 2012. It was soon followed by Amber Road, Malina, and most notably, RuTor. However, these sites – for the most part – were not well-maintained, and quickly fell at the hands of a formidable competitor, which was RAMP. Because of RAMP, R2D2 was taken down by a series of crippling DDOS attacks, Malina’s admins were doxed to Russian law enforcement, and Amber Road’s vendors simply left to re-establish on RAMP.

The RAMP logo

The chief administrator of RAMP went by the name DarkSide (also known as Big Boss and Maharaja), who used a picture of a bruised Edward Norton as his avatar. The market is estimated to have made an average of $5.5 million a year. Instead of collecting commissions on each sale, RAMP charged vendors for opening a shop on its site and for each item they listed. It also collected revenue from banner advertisements displayed on the market homepage.

For the first couple of years of the darknet market explosion in Russia, item dead drop locations were provided via the encrypted messaging app, Jabber. In early 2014, RAMP revolutionized the drop process by introducing the concept of “auto-shops.” Instead of having to coordinate placement and pickup of orders off-market, buyers could simply choose from a selection of pre-stashed items (often known as “readymade treasures”), receiving the item’s exact coordinates for pickup immediately after paying for the order in Bitcoin. Auto-shops were a smash hit for RAMP, leading to a massive uptick in its userbase.

The Great Russian Darknet Market War

By mid-2015, only two significant competitors of RAMP remained: WayAway and Legal RC. Both markets specialized in the manufacture and selling of synthetic compounds, such as the THC alternative “spice.” Fearing they were next in line to be crushed by RAMP, the two markets joined forces under a new name: Hydra. While RAMP dominated the major metropolitan areas of Russia, servicing customers who could afford higher-quality drugs, Hydra appealed to those in rural regions with less money to spend.

These circumstances turned out to be a blessing to Hydra as a series of arrests of corrupt customs officials in 2016 dealt a serious blow to the drug import channels RAMP shops had relied upon to service their customers. The lack of imported drugs led to a rise in local drug production as hundreds of marijuana farms, along with clandestine drug labs to produce methamphetamine and mephedrone, sprang up across the country.

Russian territories dominated by RAMP (red) vs. Hydra (blue) in 2015. Source: Lenta.ru

The import of chemical precursors from China – an activity dominated by Hydra at the time – became increasingly important to the survival of RAMP, which then tried to poach old trade routes by bribing Legal RC’s former manufacturers. The tactic ultimately failed, motivating those allied with Hydra to work against RAMP by initiating a series of intense DDOS attacks against their competitor. By early 2017, several major RAMP shops were forced into retirement, their supply lines cut off, with no way to get more product. The market’s downfall was accelerated by the departure of its co-admin, Orange, who believed that Hydra had compromised his identity and was perhaps even considering putting a hit out on him.

The market’s newly-appointed co-admin, Stereotype, strictly forbade RAMP shop owners from cooperating or associating with Hydra in any way, threatening those who disobeyed not only with being locked out of the site, but also with having their details turned over to law enforcement. The latter punishment was indeed given to one particular shop, the arrest of its vendors becoming a high-profile news item in Russia. This event crushed the spirit of RAMP’s remaining sellers, who were already facing difficulty with sales due to the site’s constant DDOS-driven downtime.

By mid-2017, a mass exodus of RAMP’s chemical manufacturers and wholesalers to Hydra was underway, soon followed by smaller shops, and then customers. The final blow to any political influence RAMP may have had was the July 2017 arrest of entrepreneur Alexander Vinnik, a Russian citizen who was the owner of BTC-E: a cryptocurrency exchange on which RAMP held a significant portion of funds (including $60 million in customer deposits). Vinnik had been arrested while vacationing in Greece at the request of US officials, who had suspected him of using the exchange to enable the laundering of stolen or otherwise illicitly-obtained cryptocurrency.

Alexander Vinnik leaving a Greek courthouse in Oct. 2017. Source: AP News

RAMP was finally taken completely offline two months later, in Sept. 2017, when its servers were dismantled by Russia’s Ministry of Internal Affairs. In Sept. 2019, it was revealed that Darkside, the market’s original architect, had likely died of a heroin overdose in Aug. 2015, and that Orange had been secretly operating RAMP on his behalf for its final two years. This theory was supported by the fact that Darkside was an avid gamer but had stopped logging into his game-related accounts around the time of his supposed death.

“When RAMP was shut down because of its team’s low qualification, we had no competitors left. And from the very beginning, RAMP and Hydra differed like television and internet.” – ‘Satoshi Nakamoto’, Hydra executive

Other Russian-language markets that competed with both RAMP and Hydra include Iklad, Blackmarket, Solaris, and RuSilk.

The Rise and Rise of Hydra

With RAMP out of the way, Hydra effectively had created a monopoly over the darknet market industry in Russia. Its tentacles reached far and wide, into several different areas of operation. Such areas included sophisticated public relations and marketing campaigns on the clearweb. Part of this even included a few highly-successful video advertisements posted for the market on YouTube under an official channel managed by Hydra itself. When they were taken down, new ones simply popped up, sometimes under other channels to take their place.

When Hydra’s YouTube channels were finally banned, the market moved to Russian video hosting service VKontakte, where their videos garnered tens of millions of additional views. Hydra also invested heavily in email spam campaigns, then took to spamming messaging services like WhatsApp and Viber, seemingly unafraid of garnering the attention of any entity which might want to have it destroyed.

The crown jewel of Hydra’s social media campaigns was its Telegram channel, into which it poured millions of dollars over the course of its existence. Starting in July 2017, Hydra had purchased posts on popular Russian-language Telegram channels, but having its own channel had the benefit of providing a base for other media operations. They used it to feature extensive articles about drugs, market-related memes, and even special deals by auto-shops, which were the market’s main source of revenue.

By 2018, Hydra was already bigger than all other darknet markets combined. Source: Chainalysis

Hydra also benefitted from having a streamlined administrative system, in which the head admin (who went by the apt name of Admin) oversaw six highly-loyal moderators, all responsible for settling disputes, moderating reviews, and communicating with VIP-status customers. Moderators reported directly to the forum administrator, Resident, who was assisted by a deputy admin named Burning Man. Hydra also had a lead developer who reported to Admin, as well as a PR director. The market also had two other executive-level personnel – Observer and Satoshi Nakamoto – who held no official role but advised Admin on key issues.

Having a strict, military-style chain-of-command contributed greatly to Hydra being able to reach the level of success that it did. Aside from those recruited to hide drugs for the dead drops (“kladsmen”) – for whom eventual jail time was a near certainty – times were good for Hydra’s administrators, moderators, manufacturers, wholesalers, and shop owners. So long as everyone was making money, there was little to quarrel about, and having monopolistic powers meant that any potential competition was easily stamped out or swept into obscurity.

In the first half of 2019, Hydra saw a massive swell in visitors from all across Russia. By July, some regions were sending 10-fold more traffic to the market than they were at the beginning of the year. It is estimated that over 13,000 dead drops were being retrieved by buyers on a daily basis by October, representing about $3.5 million in drug purchases. The market was recording about 800,000 visitors per day at this time. By 2020, Hydra accounted for 75% of all cryptocurrency funds flowing to darknet markets. It was also the sixth biggest cryptocurrency service in Eastern Europe that year; in no other region of the world did a darknet market crack its top 10 cryptocurrency services.

Source: Bitcoin.com News

The Darknet’s First Contract Killing

Not everything during this time was rosy for Hydra, however. In late March 2019, it came to light that the murder of a high-ranking police investigator in Russia the previous year was the result of a contract killing, the position having been advertised in a wanted ad on Hydra’s forum. The killing had been ordered by a hacker by the name of Yaroslav Sumbaev, who had been under investigation for electronic and bank fraud since 2014, when a number of his colleagues were arrested by the investigator.

Sumbaev had apparently defrauded thousands of tourists out of millions of rubles and was subsequently forced into hiding. In 2018, he began selling drugs on Hydra, placing an advertisement for the investigator’s killing in September. A 19-year-old by the name of Abdulaziz Abdulazizov responded, placing his own wanted ad on the forum for an assistant, which was answered by a forum member who was 17 years old at the time. The two then coordinated the murder of the investigator, for which Sumbaev would pay one million rubles, or approx. $15,000, to be split between them.

Abdulazizov and the murder target, agent Yevgeniya Shishkina. Source: BBC News

On Oct. 9, 2018, Abdulazizov traveled to Krasnogorsk, a wooded region outside Moscow near the home of the target, where he retrieved a stashed, modified weapon that had been prepared and left for him by his hired companion. He then traveled to the investigator’s home and, after briefly losing his nerve, fired two shots at the target at close range, which would leave her dead within a matter of minutes.

Though Abdulazizov used his attendance at a local concert as an alibi and the reason behind his travels, his story would be unraveled as it was proven that he had used an app to hire a taxi to flee the scene of the murder. He remained on the run until his arrest in Mar. 2019. Sumbaev had been identified as the crime’s architect and arrested by Georgian authorities in Nov. 2018, who eventually turned him over to Russia in Oct. 2019. The event proved to be catastrophic for Hydra’s reputation with the general public, which was already suffering due to the market’s enabling of a nation-wide drug addiction problem.

Hydra’s Final Days

In late 2019, Hydra achieved another darknet market first by conducting an ICO, in which it managed to raise $146 million for the purposes of expanding to a Western audience. According to an ICO sales pitch hosted on the market, the new project, Eternos, would “start a new era in the West” in darknet markets, of which “the scale of expansion is hard to imagine.”

The Eternos project was initially slated to launch on Sept. 1st, 2020, but development was postponed earlier in the year, with delays attributed to COVID. After the launch date passed, chatter about Eternos came to a near halt, and the project never saw the light of day.

Around the same time as the Eternos ICO, Lenta.ru published a jaw-dropping exposé on Hydra and its battle with RAMP, which earned it several awards. This prompted the Russian government to approve a bill calling for stricter drug laws in the country, ultimately leading to the arrest of several Hydra shop owners in the following months.

In 2021, a wave of cybercrime gripped much of the world, further putting the spotlight on Hydra after it was found that a large portion of ransomware-generated proceeds were flowing through the market, laundered through the traditionally-untouchable payment processors it utilized. 2021 proved to be Hydra’s biggest year in terms of revenue, as malware attacks became more profitable and lucrative than ever before.

Hydra revenue by year. Source: Elliptic

Luck would soon run out for the darknet giant, however, as a joint international law enforcement operation culminated in sanctions against the market by the US Treasury Department and its servers being taken offline in Germany on Apr. 5, 2022. For the first few weeks after the takedown, it was assumed by many in the darknet market community that Hydra would simply come back to life under a new URL, but this proved not to be the case, and the reality soon set in that Hydra had been finally slain.

Somewhat interestingly, no arrests were made by German authorities in the takedown of the market’s servers in that country. However, Hydra’s alleged admin, Dmitry Pavlov, was arrested in Russia the following week, shortly thereafter telling BBC News in an interview that the charges were false. “We are a hosting company and have all the necessary communications licenses,” he said. “We don’t administer any sites but only provide servers for rent as intermediaries.” He currently remains in custody while awaiting trial in Moscow.

Russian-Language Markets in the Post-Hydra Era

The disappearance of Hydra opened an extremely lucrative hole which several competitors near-immediately attempted to fill. For the first few months following its demise, Russian language markets OMGOMG and Solaris were poised to capture large shares of Hydra’s former user base, but internal squabbles and lengthy DDOS attacks against each other knocked them largely out of competition. Newer Russian-language markets remain divided in their allegiances between old factions within the Hydra administration, having lost the spirit of unification that led to the market’s initial successes.

Instead, the replacement market to emerge has been a previous dark horse in the race known as Mega. Having been around in one form or another since 2016, Mega’s operators are experienced in the art of keeping a darknet market afloat without attracting too much negative attention to it from any potential adversary. Mega uses a vendor shop structure similar to the one first perfected by Hydra but offers many advancements over the former market, including support for privacy coin Monero (XMR), a cleaner and more intuitive browsing experience, and more sophisticated order purchase options.

Screenshot of the Mega darknet market homepage.

As a result of its ability to withstand attacks from rivals and demonstrate a level of professionalism indicative of good business practice, Mega has grown extremely fast in the months following Hydra’s closure, currently sporting close to 20,000 listings offered by over 6,400 shops. Though these numbers pale in comparison to Hydra, Mega seems to be the go-to market for ex-Hydra vendors and customers, at least for now. It is unknown whether Mega is in the race to be Russia’s new darknet market of choice for the long-haul, but for now they seem intent on carrying Hydra’s former mantle.
