On the dark web, the takedown of yet another cryptocurrency-based black market for drugs has become almost a semiannual routine, with plenty of competitors ready to fill the shoes of any market law enforcement manages to bust. But the seizure of the Russian-language dark-web site Hydra may have ripple effects that go further than most: It represents a disruption of not just the post-Soviet world’s biggest hub of online narcotics sales, but also of a cybercriminal money-laundering and cash-out service that had been used in crimes with victims across the globe.
German law enforcement agencies announced early Tuesday morning that German federal police known as the BKA—in a joint operation with the FBI, DEA, IRS Criminal Investigations, and Homeland Security Investigations in the US—seized Hydra’s Germany-based servers, shutting down the site and confiscating $25 million in bitcoins stored there. In doing so, they’ve put an end to, by some measures, the longest-running and most crowded black market in the history of the dark web, with 19,000 seller accounts and more than 17 million customer accounts, according to the BKA. The US Treasury simultaneously imposed new sanctions on the market and more than a hundred of its cryptocurrency addresses.
In total, Hydra facilitated more than $5 billion in illicit cryptocurrency transactions since it launched in 2015, according to blockchain analysis firm Elliptic. The majority of those transactions, Elliptic says, were sales of illegal drugs, which were strictly limited to Hydra’s target market of former Soviet states. But Hydra also played a significant and more global role for cybercriminals: It offered “mixing” services designed to launder crypto and make it more difficult to trace, alongside exchange services that allowed clients to trade in the crypto proceeds from all manner of crime for Russian rubles—in some cases, even for cash bundles buried in the ground for customers to dig up later.
“It has this dual function of being a drugs market and a service for cybercriminals—and particularly Russian cybercriminals,” says Jess Symington, Elliptic’s research lead. “So it does impact more than just the drugs community, and it forces these individuals to now potentially reconsider how they’re going to launch their funds or cash out.”
Around half of the roughly $2 billion in transactions going into Hydra’s cryptocurrency addresses in 2021 and early 2022 were from illicit or “risky” sources, such as stolen funds, dark-web markets, ransomware, online gambling, scams, and individuals and organizations facing sanctions, according to cryptocurrency tracing firm Chainalysis. In other words, close to a billion dollars’ worth of the money entering Hydra over that time wasn’t clean money used to buy drugs or other contraband available for sale on the site, but rather dirty money that Hydra was helping to launder and exchange for rubles.
Chainalysis has so far tracked just over $200 million in stolen cryptocurrency going into the site’s coffers in 2021 and 2022. It has also tracked much smaller amounts linked to other crimes, with roughly $4 million from sanctioned sources, $5 million from fraud, and $4 million from ransomware. (Chainalysis saw close to $9 million in total ransomware payments funneled into Hydra over the market’s lifetime but says that relatively small number is a conservative estimate.) Another major chunk of the site’s incoming payments during that time, close to $310 million, was from dark-web markets—including some funds from Hydra recycled back into the site—as users sought to launder the proceeds from the sales of drugs and other illegal products and services and cash out.