Hydra is a Russian dark web marketplace originally set up to sell illegal narcotics. It has since expanded its remit to cover stolen credit cards, SIM cards, counterfeit documents, stolen user credentials and other items. To hide the volume of illegal transactions, it has created its own methods of obfuscating payments.
Flashpoint Intelligence and Chainalysis teamed up to expose how Hydra hides cryptocurrency payments. Their research “Hydra: Where The Crypto Currency Money Laundering Trail Goes Dark” (registration required) reads, in places, like a TV script (more later). More importantly, the two companies note that transaction volumes on Hydra reached US$1.37 billion in 2020. That is a 30% increase on 2019 and shows how Hydra is booming.
Hydra is not just a marketplace. It is a strictly controlled environment where you either play by its rules or don’t play at all. For example, if you want to withdraw funds into a fiat currency, you are restricted to Russian Roubles. More importantly, you can’t go just anywhere to do that. Hydra dictates which regional exchanges and payment services you can use.
There are also strict controls on what you must do to gain access to funds. You must have completed more than 50 transactions on the Hydra platform. Additionally, you must have the equivalent of at least $10,000 in your eWallet.
Despite all of this, there is no shortage of cybercriminals wanting to take advantage of Hydra’s services.
Hydra’s hidden treasure - is art imitating life?
Cryptocurrency exchanges are being pressured to behave like other financial institutions. That means regulations like Know Your Customer (KYC) and anti-money laundering (AML) are being applied. To avoid this, cybercriminals using Hydra are resorting to a new approach.
That approach will be familiar to pirate lovers and aficionados of the TV series The Blacklist. It uses a technique called “Hidden Treasure” or “klad” in Russian.
Cybercriminals hire couriers (kladsmen) to bury vacuum-packed bundles of cash. The cybercriminal gets the geolocation for the cash, has it retrieved and then either buries the seller’s drugs or ships them as normal. The Blacklist episode Captain Kidd saw criminals doing exactly this. Art imitating life?
Being a kladsman is profitable. Cybercriminals earn 30,000 roubles ($400) per day, although it can be cheaper to hire by the week.
Cybercrime, organised crime and spycraft
The effectiveness of Hydra means that it is likely to be used by far more than the traditional cybercriminals. Organised crime also has money to be laundered, and it wants ways to trade that authorities cannot trace. What Hydra offers with klad fits that bill. It also fits with tradecraft that one would expect from those in intelligence agencies around the world.
According to Bruce Snell, Global VP, Security Strategy and Transformation at NTT Ltd: “Hydra represents an interesting take on the modern cybercriminal. I would not be surprised at all to see ties between Hydra and organized crime as they combine modern components like cryptocurrency with elements of spycraft (in the form of dead drops) to execute what boils down to old fashioned money laundering.
“Running their exploits from Russia is a smart move as it keeps them off the radar of other national law enforcement agencies that may be more inclined to break up their operations. I am a bit concerned though, that Hydra’s operations could lead to more restrictions on cryptocurrency resulting from law makers focusing on illicit goods being purchased with crypto. Hydra’s increasing growth could lead to its eventual collapse as it makes itself a more appealing target for global law enforcement agencies.”
Money laundering trails to Hydra are near impossible to trace
Hydra has been very effective in laundering money. More importantly, it has been exceptionally good at hiding its role in money laundering. That makes it impossible to trace what happens to the cash and to whom it goes.
The report notes: “While Hydra currently supports the selling of many illicit goods and services, its strongest market, by far, remains narcotics sales. Should Hydra continue to grow, its support of other cybercriminal trades will likely expand along with it.”
It’s a warning that has to be taken seriously. The rise in ransomware and data theft has led to increasing numbers of companies paying out. The risk for the criminal is that the marketplace they use gets compromised and their cryptocurrency lost or seized.
Hydra seems to operate without any threat from Russian authorities at all. That makes it attractive to cybercriminals. It also suggests that it could see an increase in stolen data and ransomware payments. The report authors warn that Hydra should be watched in case this happens.
Enterprise Times: What does this mean?
Illegal marketplaces continue to thrive despite attempts to shut them down. In the case of Hydra, it has so far proven it can avoid the attentions of law enforcement. It has also established a set of rules that it is able to enforce and which are respected by cybercriminals.
Perhaps its biggest success has been in controlling the money laundering of cryptocurrency. It will take more than a few cryptocurrency exchanges implementing KYC and AML rules to stop it. It has already shown an ability to provide alternative ways of exchanging goods and money, ones that will evade any compliance controls. The question now is: what next?
Will we see a significant move to hosting and selling data from breaches? Can Hydra become the payment mechanism for ransomware as other platforms come under attack? Will it stay purely Russian, or will it look for other currencies to trade in? The latter is unlikely as long as it doesn’t come under attack from Russian law enforcement.