top of page

How Cybercriminals Have Adjusted After the Shutdown of Hydra Darknet Market

One year after the seizure of Hydra Market, the largest darknet market and the largest marketplace for online narcotics in countries of the former Soviet Union, Flashpoint published its key findings on how threat actors have adapted to fill Hydra's void and fuel their illicit aims.

According to the report, the closure of Hydra created a seismic shift in the Russian-language darknet marketplace landscape. Flashpoint observed a considerable decrease in the volume of money being handled by crypto wallets linked to dark web markets, and new markets have aggressively vied to take Hydra's place. As of today, five markets—Mega, Blacksprut, Solaris, Kraken, and OMG!OMG! Market—have emerged as the biggest players based on the volume of offers and the number of sellers. However, these developments do not mean a complete departure from darknet markets, as long as these actors avoid arrest.

The takedown of Hydra market caused a significant rupture in the Russian darknet market ecosystem. In its wake, the US has also sanctioned several mixers and risky exchanges that handled stolen funds and which had exposure to Hydra wallets. Among them are Bitzlato, Garantex, Chatex, and Blender. Nonetheless, threat actors adapted, with many choosing to move to the "RuTor" forum for communications and to decentralized platforms such as Telegram-based shops for drug advertisements, as well as offline sales.

Since the summer of 2022, the aforementioned markets have waged war against each other, involving the spreading of rumors, the doxxing of administrators and staff members, distributed denial of service attacks, and breaches. Cryptocurrency cash-out services nested on Hydra could, by definition, not move offline, unlike narcotics sellers. For these services, the cost incurred after the Hydra takedown has been associated with reestablishing themselves on new platforms, often under new names. These sellers offer virtually the same kind of services as their predecessors on Hydra.

Due to the concerted law enforcement action (and successive sanctions) against Hydra, cryptocurrency cash-out services are often wary of running under the same name as they did on the now-defunct market. However, they are still interested in regaining their former clientele. This suggests some continuity in the financial infrastructure of funds leaving darknet vendors following the takedown. However, the sanctions effect has caused disruptions for these services. As long as these actors are not apprehended, the market seems to be able to heal itself and adapt.



bottom of page