Hydra takedown merely shifts cyber criminal problem elsewhere

The seizure and closure of the Russian-language Hydra dark web marketplace by German authorities is to be rightly celebrated, but enthusiasm should be tempered by the certainty that, like the hydra of ancient mythology, new ‘heads’ will emerge to take its place.

Hydra has been operating since 2015 and hosted 17 million customers and 19,000 seller accounts. The operation against it was the culmination of a multinational investigation, including American law enforcement, that has been going on since 2021.

Its closure was announced on 5 April by the Frankfurt-am-Main Public Prosecutors Office, the German Central Office for Combating Cybercrime (ZIT) and the Federal Criminal Police Office (BKA), following an operation that saw its servers seized and bitcoin worth approximately €23m (£19.2m/$25.1m).

An ongoing investigation continues to target the market’s previously unknown operators and admins on suspicion of operating a criminal trading platform, and money laundering and drug trafficking offences.

The takedown of Hydra marks the end of what was widely regarded as the largest dark web marketplace, which was particularly favoured by ransomware operators for laundering the proceeds of their cyber attacks.

According to the US Treasury’s Office of Foreign Asset Control (Ofac), investigators identified $8m in ransomware proceeds that transited through Hydra at some stage, including payments made to the Conti, REvil/Sodinokibi and Ryuk gangs. Blockchain specialists believe that approximately 86% of the illicit bitcoin received directly by Russian virtual currency exchanges in 2019 came through Hydra, and said its revenues in 2020 topped $1.3bn.

“The global threat of cyber crime and ransomware that originates in Russia, and the ability of criminal leaders to operate there with impunity, is deeply concerning to the United States,” said US treasury secretary Janet Yellen.

“Our actions send a message today to criminals that you cannot hide on the darknet or their forums, and you cannot hide in Russia or anywhere else in the world. In coordination with allies and partners, like Germany and Estonia, we will continue to disrupt these networks.”

Chris Olson CEO of The Media Trust, a digital security platform, commented: “The shutdown of Hydra is a small win for cyber security, but a win nonetheless. Attackers who target consumers for credit card details and other personally identifiable information [PII] can’t use it directly without risking discovery and arrest; therefore, they sell this information on darknet markets instead. Without them, the incidence of cyber crime would undoubtedly decrease.

“Unfortunately, Hydra represents a miniscule drop in the bucket of global cyber crime, which will cost organisations, and therefore consumers, about $10.5tn per year by 2025. Cyber actors have perfected the pipeline from web and mobile-based phishing attacks to darknet markets and new ones are opening all the time.

“In truth – if past precedent is anything to go by – Hydra operators will likely take their digital assets and resurface in the near future under new identities and domains.”

However, according to Flashpoint analysts, who have been following the story overnight, reaction on the dark web has been rather more fatalistic than one might usually expect.

It reported that users of several underground Russian-language forums seemed very concerned about what the future might hold, even as Hydra’s admins sought to reassure them.

Most thought Hydra was over and done with, although a minority adopted a wait-and-see approach on the basis that it is not yet known if the admins have lost access to any backups they may have made. There are also concerns being voiced that the authorities may use the takedown to set up fake, honeypot versions of Hydra to lure them in.

Most forum members tended to express the view that a large number of smaller markets would take Hydra’s place. Already, said Flashpoint, a number of small shops active on Hydra seem to have relocated to the decentralised Telegram platform.