Tuesday, April 29, 2025


[Update: This blog has been updated to reflect US sanctions announced against Hydra Market and Garantex Exchange on April 5th]

Earlier today, Germany’s Central Cybercrime Office (ZIT) and the Federal Criminal Police Office (BKA) announced that they had taken down the Russian-language darknet marketplace Hydra. Elliptic’s analysis shows that the platform – which was the largest such marketplace operating on the dark web – has facilitated over $5 billion in Bitcoin transactions since its launch in December 2015.

Furthermore, as part of its efforts to counter the threat of ransomware, the US Treasury’s Office of Foreign Assets Control (OFAC) today announced new sanctions against Hydra Market and an Estonian crypto exchange called Garantex. It also included more than 100 crypto addresses on OFAC’s sanctions list as part of the crackdown.

Hydra

Hydra quickly became the most prominent Russian-language darknet marketplace after a key competitor shut down in 2017. The platform specialized in selling drugs – although listings on the site also included forged documents, data (such as credit card details) and digital services. The products were advertised for sale in a number of countries such as Russia, Ukraine, Belarus and Kazakhstan.

Hydra Marketplace before capture

Hydra also had additional offerings – including a cryptoasset payout service – believed to have been used to launder funds from the 2016 hack of the Bitfinex exchange.

As detailed in the OFAC press release accompanying today’s announcement of sanctions, the agency said that approximately $8 million in ransomware proceeds crossed Hydra’s virtual currency accounts, including from the Ryuk, Sodinokibi, and Conti ransomware variants.

After shutting down the site – believed to be based in Germany – authorities said they seized Bitcoin (BTC) currently worth $25.3 million. Elliptic’s blockchain analytics tool Forensics confirms that the seizure took place on April 5, 2022 in a series of 88 transactions worth 543.3 BTC.

According to a press release issued by the German authorities, the action against the platform’s operators and administrators has been ongoing since August 2021. Furthermore, it was conducted together with several American agencies.

The Hydra attacks (image from Elliptic Forensics)

As part of the sanctions it imposed on Hydra, OFAC included more than 100 of Hydra’s crypto addresses on its list of Specially Designated Nationals and Blocked Persons. Sanctions prohibit US persons from dealing with Hydra, ensuring that individuals associated with Hydra cannot cash out the funds they continue to hold through US crypto exchanges.

Garantex

As detailed in the OFAC press release, Garantex is a crypto exchange registered in Estonia that mainly operates in Russia. According to OFAC, the exchange facilitated “over $100 million in transactions” linked to illegal actors – including $6 million from the infamous Conti ransomware group. In February 2022, Garantex lost its license to operate in Estonia, after the country’s Financial Intelligence Unit identified links between the exchange and illegal activities.

Today’s actions mark the third time a virtual asset service provider has been fully sanctioned. OFAC’s press release highlights the connection between Garantex and the previously sanctioned exchanges – Suex and Chatex – which all operated from the same building in Moscow, Russia.

This action shows that the US government remains laser-focused on disrupting the Russian-linked cybercrime ecosystem, with a particular focus on ransomware-related activities.

As a consequence of the sanctions, US cryptoasset companies and financial institutions must ensure that they do not facilitate transactions with Garantex. Elliptic recently identified more than 400 cryptoasset exchanges that operate in Russia or offer ruble trading – most of which allow users to trade anonymously.

There will likely be more sanctions in the future against these high-risk exchange services that enable illegal Russian activity. Elliptic’s blockchain monitoring and cryptoasset exchange screening services allow our customers to ensure that they can identify transactions with these types of services.

Elliptic Analysis: The Fall of a Giant

The Hydra market was the largest darknet market – enabling $5 billion in transactions. In comparison, when AlphaBay was seized, the FBI estimated that the market had enabled a billion dollars in transactions. Hydra’s reputation is built on several factors. It has been operating successfully since 2015 and has remained the market leader since 2017 – a reign other markets can only dream of. Also, for the past few years it has been the only major market serving a primarily Russian user base, with ads targeting multiple Eastern European countries.

Furthermore, Hydra had a dual purpose. Although it was primarily a drug market, it also provided the opportunity to launder funds using its cash disbursement sheets. As a result, funds from many areas of cybercrime, including ransomware, stolen credit cards, exchange hacks, CSAM, scams and Ponzi schemes, were subsequently deposited into Hydra – potentially in order to cash out those funds.

Today’s seizure of Hydra leaves a significant void in the dark web ecosystem. A press release issued by German law enforcement did not indicate that any arrests had been made at this stage, nor that key Hydra personnel had been identified, although it is possible that such actions were ongoing.

It remains to be seen how the Russian dark web community will respond to this significant loss. It is possible that Hydra administrators will seek to create a “Hydra 2.0”. However, reputation is difficult to maintain in the dark web ecosystem, and even more difficult if there are questions about whether your account is now under police control. It is possible that Hydra admins or unrelated individuals will seek to create a new market aimed primarily at Russian customers, although it may take some time to re-establish the status that Hydra has enjoyed for so long.

The seizure also comes at a time when darknet services, particularly those operating from Russia, are facing increasing turbulence. In the winter of 2021-22, there was a flurry of darknet markets that either voluntarily retired or were seized. Significantly, many of these seizures were carried out by Russian police, who wiped out half of the market for stolen credit cards on the dark web in less than a month.

There has been speculation about whether their interventions are part of intense diplomacy between Russia and the United States, which has long been critical of Russia’s lax approach to cybercrime, on the eve of the invasion of Ukraine. As their competitors were seized and others chose to voluntarily shut down before they could be brought to the attention of law enforcement, Hydra remained operational and popular.

While cybercrime issues played a role before and during the Russian invasion of Ukraine, it is unlikely that the Hydra takedown is related to these recent developments. The operation, the German law enforcement authorities note, was prepared for years, meaning it was not prompted by recent events. However, any individual who previously planned to use Hydra’s cryptocurrency payment services to circumvent Russia’s sanctions or economic isolation will find that their challenges have become even more difficult today.

Overall, today’s actions represent a significant success for law enforcement, demonstrating that cybercriminals operating in Russia and surrounding countries are not immune to law enforcement measures. Today’s news is likely to have a significant impact on the Russian cybercrime community, and law enforcement should be commended for such a significant success.
