Searchlight Cyber Analysts

Hydra’s Collapse Forces Cybercriminals to Regroup

Hydra, the world’s largest and longest-serving dark web market, was forced offline last week following the seizure of its server infrastructure in Germany.

Hydra’s takedown

On April 5, 2022, news broke that the largest and longest-running illicit marketplace on the dark web, Hydra, had been disrupted in an international law enforcement operation. Hydra’s servers were located and seized by German authorities, along with approximately 25 million USD in Bitcoin. As a Russian hidden service boasting stability and turnover far greater than those of its closest Western competitors, the bust of Hydra sent shockwaves through the cybercriminal underground, not least because of the loss of a popular avenue for money laundering via its cryptocurrency exchange and mixer services. This post focuses on how threat actors and dark web vendors are reacting to the takedown, where they are gathering and regrouping, and what they plan to do next.

Initial reactions

Dark web forum users began voicing concerns about Hydra on Tuesday, after the site had likely been down for several hours. Initially, some cybercriminals were hopeful Hydra would return, with several referencing a statement on Russian drugs forum LegalRC – an alleged founding force behind the market – which promised information on “the restoration of the project” by the end of April 5th. Others were confident the site’s administrators would have a contingency plan involving back-up servers, or were buoyed by the lack of arrests reported.

However, forum users and former Hydra vendors soon began to commiserate over the likelihood that the marketplace was gone for good. The next step, in their eyes, was to reconnect with business contacts from the site and find an alternative platform on which they could resume their illicit activities.

Regrouping

A notable feature of Hydra compared to other dark web markets, particularly its Western counterparts, was its self-contained nature. As well as providing cryptocurrency exchange and mixer services, Hydra also hosted a companion forum and chat system through which buyers and vendors could communicate. While many markets have tried to enact a similar policy of discouraging communication other than via market-approved channels, few achieved the level of success Hydra did in keeping its users on-site. Consequently, when Hydra’s servers were seized, many users – buyers and vendors alike – had no way to contact their associates beyond a Hydra username that no longer resolved to anyone.

Hydra’s users have since flocked to dark web forums in search of their former employees, employers, customers and suppliers. The scale of this user flight is very noticeable: one Russian forum, which previously gained between 1,500 and 3,000 new posts per week, gained 42,000 new posts in the week following Hydra’s disappearance. Numerous threads have been created in which users implore former contacts to get in touch, and in which they offer new positions on their teams – suggesting they do not expect the seizure to reduce buyer demand or the need to recruit new workers.

Reorienting

Where do Hydra’s users go from here? Recommendations for alternative markets on which cybercriminals can resume their dark web activities have been flooding Russian forums, along with urgent requests for links to these sites, which were previously dwarfed by the enormous scale of Hydra. There currently appear to be around half a dozen established alternatives that function similarly to Hydra – dark web markets that host multiple vendors and sell a range of physical and digital illicit products – though a wave of new sites aiming to imitate Hydra’s success is likely in the near future.

Additionally, some vendors have expressed their intention to create their own independent storefronts on Tor, known as vendor shops, meaning we could see a greater dispersal of Russian cybercrime actors across the dark web. Vendors have also alerted buyers that they are temporarily selling via Telegram, suggesting they are waiting for “the next Hydra” to become established before fully re-committing to the dark web market scene.

Final thoughts

The law enforcement takedown of Hydra has no doubt shaken the Russian dark web ecosystem, albeit perhaps only temporarily. After years in which Hydra exerted immense influence and control over the CIS region’s illicit online economy, its users are scrambling to reconnect with their partners in crime and to locate alternative platforms from which to continue their activity. A period of restructuring is expected, as established and new marketplaces compete for the top spot formerly occupied by Hydra, resulting in a more adversarial and volatile environment than in previous years. Ultimately, cybercriminals are unlikely to be deterred from operating by the fall of Hydra alone, but the instability caused by its departure may give them pause for thought.