
The Fall of Hydra Market

…when one head was cut off, the place where it was severed put forth two others; for this reason The Hydra was considered to be invincible…

Hydra Market, the world’s largest Dark Net Market (DNM), was taken down by German law enforcement in early April. The market grew to a massive size after achieving monopoly status in Russia and former Eastern Bloc countries.

The shuttering of such a dominant market sent ripples through the eastern DNM community, though, unsurprisingly, two new major markets have emerged from the ashes to replace Hydra.

In this report, we provide an overview of the last several months of events surrounding Hydra’s shutdown including:

  • A review of Hydra’s history and profile prior to shutdown.
  • Blender (the custodial TXO swap service) as collateral damage of the Hydra takedown.
  • Emergence and profiling of new markets relative to Hydra.
  • An evaluation of market activity before and after Hydra’s shutdown.

The Growth of The Hydra

Hydra’s history is murky. Most sources claim Hydra was created in 2015, though the earliest reference we could find, from the now seized deepdotweb, mentions a new multi-sig DNM named Hydra in an article from April 2014.

Fig. 1 Hydra Market’s First Appearance (via deepdotweb)

In November of 2014, the earliest attempt at a Hydra market was disrupted with the seizure of Hydra’s domain as a part of Operation Onymous. An alleged Hydra admin was arrested by Hungarian law enforcement as part of the operation.

Hydra was reborn in November of 2015 in a supposed collaboration between Russia’s two oldest darknet forums, Wayaway and LegalRC.

In 2017, Hydra began a major DDoS campaign against its main competitor, RAMP (Russian Anonymous Market Place). RAMP suffered significant disruptions, downtime, and loss of users as a result of the DDoS attacks. Later in 2017, Hydra launched several clearnet marketing campaigns across YouTube, Telegram, WeChat, and more.

In July 2017, RAMP was seized by Russian law enforcement, formally removing Hydra’s only significant competition. RAMP’s take down allowed Hydra to operate as an effective monopoly.

Obviously, Hydra saw an explosion in activity following the closure of its major competition. The figure below shows TXOs received by Hydra. This metric is a good approximation of individual purchases made on the market.

Fig. 2 — Hydra Wallet Clusters Incoming TXOs (Purchases)

An initial spike in activity occurred in Hydra’s first wallet around the time of RAMP’s seizure. From there Hydra rapidly gained in popularity. At its peak Hydra averaged over 20,000 incoming TXOs (purchases) per day. Beginning in late 2019, TXO inflow counts steadily declined, leveling off at around 6,000 per day by April 2022.

Hydra offered typical goods and services:

  • drugs
  • fake documents
  • stolen credit cards and credentials
  • and money laundering services dedicated to BTC and cash.

The market even sold benign products such as VPN subscriptions and SIM cards. Though widely used for privacy and security in the rest of the world, VPNs, like use of the Tor network, are illegal in Russia. Hydra also had a focus on harm reduction, offering positions for chemists to evaluate the purity of drugs purchased on the platform.

Fig. 3 — Hydra Home Page, VPN Section Highlighted (Source darknetone.com)

To avoid tracking and seizure risks posed by the postal system, Hydra Market and its vendors made use of a dead drop delivery system. Dead drop delivery hides purchases in plain sight. “Treasure” is stashed in physical locations and after completing a purchase, the buyer is given GPS coordinates and a description of how the “treasure” is hidden. Packages are commonly hidden inside or around objects such as trees, drain pipes, and ordinary rubbish. For more on dead drops see this research piece (article, archive).

Without much competition, Hydra grew to a massive size. In late 2019, Hydra’s daily revenues were consistently above $3 million per day as shown in Figure 4 below.

Fig. 4: Hydra Daily Revenues

In December 2019, Hydra, likely encouraged by its massive revenues, began the process of launching an ICO, in an apparent attempt to crowdfund a westward expansion.

Hydra’s ICO project was announced when its average purchase size was around $200.

Fig. 5: USD Revenue Per TXO (Average Purchase Size)

After the ICO plans, this statistic’s growth temporarily stalled as a result of the economic calamity caused by the government response to the SARS-CoV-2 virus. Growth resumed later in 2020 before eventually spiking to over $600 per TXO in 2021.

Increases in the average purchase size may indicate a transformation of the customer type dominant on the market. Larger purchases may point to Hydra’s “money laundering services” or to a growth in bulk purchases completed on the market.

The majority of the statistics included in this report are adjusted to remove “recycled” volumes. Recycled volume is defined as a change TXO created by a cluster that is later re-spent by the same cluster. Counting such a TXO as incoming volume effectively counts the same funds twice. An example of this type of activity is shown in the figure below.

Fig. 6 — Example of Recycled Volume (txid)

A comparison of Hydra’s lifetime revenues including and excluding recycled volumes is shown below. Including recycled volumes results in an artificial revenue inflation of approximately 35%.

Table 1 — Hydra’s Lifetime Revenue (Wallet A and B)
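The recycled-volume adjustment described above can be expressed as a small calculation over a transaction set. The following Python is an added example, not OXT’s code or tooling: it walks a constructed ledger (hypothetical txids, addresses and amounts), marks each TXO received by a cluster as recycled when the cluster itself created it as change and later re-spent it, and reports the raw total, the adjusted total, and the inflation ratio between them.

```python
from collections import namedtuple

# Constructed sample data: hypothetical txids, addresses and amounts, not real Hydra transactions.
# inputs: list of (prev_txid, vout) outpoints; outputs: list of (address, sats).
Tx = namedtuple("Tx", ["txid", "inputs", "outputs"])

CLUSTER = {"market_a", "market_b", "market_c"}  # addresses attributed to one wallet cluster

TXS = [
    Tx("dep1",   [("ext1", 0)],               [("market_a", 100_000)]),  # customer deposit
    Tx("dep2",   [("ext2", 0)],               [("market_b", 50_000)]),   # customer deposit
    # the cluster co-spends both deposits, pays a vendor, and sends change back to itself
    Tx("spend1", [("dep1", 0), ("dep2", 0)],  [("vendor_x", 120_000), ("market_c", 29_000)]),
    # the cluster re-spends its own change: unadjusted, the 29_000 would count as a new purchase
    Tx("spend2", [("spend1", 1)],             [("vendor_y", 28_000)]),
]


def _index(txs):
    """Map every (txid, vout) to its (address, sats) and collect the set of spent outpoints."""
    owner = {(t.txid, i): out for t in txs for i, out in enumerate(t.outputs)}
    spent = {ref for t in txs for ref in t.inputs}
    return owner, spent


def received_txos(txs, cluster):
    """Return (txid, vout, sats, recycled) for every output paying the cluster.

    A TXO is 'recycled' when the cluster created it (the transaction spends at least one
    cluster-owned input, so the output is change) and the cluster later re-spent it."""
    owner, spent = _index(txs)
    rows = []
    for t in txs:
        created_by_cluster = any(owner.get(ref, ("?", 0))[0] in cluster for ref in t.inputs)
        for i, (addr, sats) in enumerate(t.outputs):
            if addr not in cluster:
                continue
            recycled = created_by_cluster and (t.txid, i) in spent
            rows.append((t.txid, i, sats, recycled))
    return rows


def lifetime_volume(txs, cluster, exclude_recycled=True):
    """Total sats received by the cluster, optionally dropping recycled change TXOs."""
    return sum(
        sats for _, _, sats, recycled in received_txos(txs, cluster)
        if not (exclude_recycled and recycled)
    )


def inflation_ratio(txs, cluster):
    """How much the unadjusted figure overstates the adjusted one (0.35 is the 35% in the report)."""
    raw = lifetime_volume(txs, cluster, exclude_recycled=False)
    adjusted = lifetime_volume(txs, cluster, exclude_recycled=True)
    return raw / adjusted - 1


if __name__ == "__main__":
    print("raw:", lifetime_volume(TXS, CLUSTER, exclude_recycled=False))  # 179000
    print("adjusted:", lifetime_volume(TXS, CLUSTER))                       # 150000
    print("inflation: %.1f%%" % (100 * inflation_ratio(TXS, CLUSTER)))      # 19.3%
```

On the sample ledger the unadjusted figure overstates revenue by about 19%; the market’s own change output is the only difference between the two totals. Note that an unspent change output is not yet recycled under this definition, so the adjustment should be recomputed as the cluster keeps spending.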

In total Hydra’s adjusted revenues are a little over $5.2 billion. This revenue number has also been quoted by both the chain surveillance firms and the Department of Justice, when referencing the size of Hydra market’s activities.

Though details of how these numbers are calculated are not provided by “the authorities”, we have been able to confirm that these entities are in fact using the more appropriate recycled volume adjusted metrics.

The Fall of Hydra

On 5 April 2022, Hydra Market’s servers and the 543 BTC remaining in the market’s wallet were seized by German law enforcement. Reports indicate that German investigators received a tip-off about the location of the Hydra servers from US officials.

Fig. 7 — Classic Seizure Banner on Hydra’s Onion

The seizure raised an immediate question.

Why would a Russian dark market operator select Germany as a location to host their server?

Speculation ranges from domiciling in a “high connectivity” location to a type of jurisdictional arbitrage between non-cooperative governments.

Shortly after the take down, Hydra was added to the OFAC SDN sanctions list, including over 100 BTC addresses. Typically, OFAC sanctions BTC addresses known to be controlled by the sanctioned entity. In this case, most of the sanctioned addresses are not directly clustered within Hydra’s main wallets or sent/received from Hydra wallet clusters.

So, how are these addresses related to Hydra? We don’t have an answer to this question.

Hydra Hosting Provider Indicted By Justice Department

Shortly after the take down and OFAC announcement, the Justice department followed with an indictment of the operator of Hydra Market’s hosting provider. The indictment news was followed shortly after by reports of the arrest of the hosting provider.

Additional details about Hydra’s operations are provided in the indictment. Hydra strictly limited vendor cash-out methods. Fiat cash-out methods were limited to approved virtual wallets such as Qiwi or a cash drop service. Vendors could also withdraw to BTC, for which Hydra provided special services, including a “Bitcoin Mixing Bank”.

Fig. 8 — Dimitry Pavlov Department of Justice Indictment

Blender.io — Is that you “Bitcoin Mixing Bank”?

Blender.io, the custodial TXO swap service colloquially referred to as a “mixer”, was disrupted following the closure of Hydra. Along with Hydra’s ICO plans, the market had entertained creating its own mixer. It is unclear whether Blender was formally operated by Hydra or had informally been subsumed into Hydra due to its popularity and reliance on Hydra users for liquidity.

Almost immediately after the take down of Hydra, Blender’s domain displayed the following message.

Fig. 9 — Blender “Maintenance” Announcement after Hydra Shutdown

Blender has been responsible for processing some of the largest outflows directly from Hydra market. Since late 2019, the largest Blender flows have been forced through Wasabi Coinjoins in an effort to hide Blender’s activity on the bitcoin blockchain.

Blender’s tactics were effective, successfully fooling analysts at several corporate surveillance firms (1, 2) and leading to the false belief that the North Korean hacking group Lazarus and its collaborators were using Wasabi Coinjoins. These analysts are limited by their reductionist transaction graph tooling, which misses the additional clues provided by bitcoin wallet fingerprints.

OXT-R correctly identified Blender’s abuse of the Wasabi Coinjoins while detailing the aftermath of the 2020 Kucoin hack, which was later attributed to Lazarus. Though our report described Blender’s wallet fingerprint, its abuse pattern becomes more evident with OXT’s new transaction graph fingerprint mode. Blender’s pattern is highlighted in a re-creation of a figure from our report on the Kucoin hack below.

Fig. 10 — Kucoin Hack, Blender, and Wasabi Coinjoin Abuse (Tx Graph)

Blender’s telltale fingerprint (version number = 2, locktime = 0, and P2SH address format) is apparent on inspection of the inflows to and outflows from Wasabi Coinjoins.
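The three fields that make up that fingerprint can be read straight out of a serialized transaction. The Python below is an added example, not OXT’s fingerprinting code: it contains a minimal Bitcoin transaction (de)serializer, classifies each output script by template, and tests a transaction against the report’s fingerprint. Treating “every output is P2SH” as the test is this example’s own operationalisation, and all sample transactions are constructed here rather than taken from the chain.

```python
import struct

# Minimal Bitcoin transaction (de)serializer used to pull out nVersion, nLockTime and the
# output script types. Sample transactions are constructed; none is a real Blender transaction.


def encode_varint(n):
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def read_varint(buf, pos):
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    size, fmt = {0xFD: (2, "<H"), 0xFE: (4, "<I"), 0xFF: (8, "<Q")}[first]
    return struct.unpack_from(fmt, buf, pos + 1)[0], pos + 1 + size


def script_type(script):
    """Classify a scriptPubKey by template (hash payloads in the samples are zero-filled)."""
    if len(script) == 25 and script[:3] == b"\x76\xa9\x14" and script[-2:] == b"\x88\xac":
        return "P2PKH"
    if len(script) == 23 and script[:2] == b"\xa9\x14" and script[-1] == 0x87:
        return "P2SH"
    if len(script) == 22 and script[:2] == b"\x00\x14":
        return "P2WPKH"
    return "other"


def build_tx(version, locktime, output_scripts, n_inputs=1, witness=False):
    """Serialize a transaction with dummy inputs (BIP144 layout when witness=True)."""
    raw = struct.pack("<i", version)
    if witness:
        raw += b"\x00\x01"  # segwit marker and flag
    raw += encode_varint(n_inputs)
    for i in range(n_inputs):  # prevout (32+4), empty scriptSig, nSequence
        raw += bytes(32) + struct.pack("<I", i) + encode_varint(0) + struct.pack("<I", 0xFFFFFFFF)
    raw += encode_varint(len(output_scripts))
    for script in output_scripts:
        raw += struct.pack("<q", 10_000) + encode_varint(len(script)) + script
    if witness:  # one dummy witness item per input
        raw += (encode_varint(1) + encode_varint(1) + b"\x00") * n_inputs
    return raw + struct.pack("<I", locktime)


def parse_tx(raw):
    """Return nVersion, nLockTime and (value, script type) per output from a serialized tx."""
    pos = 0
    version = struct.unpack_from("<i", raw, pos)[0]
    pos += 4
    has_witness = raw[pos:pos + 2] == b"\x00\x01"
    if has_witness:
        pos += 2
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 36  # prev txid + vout
        slen, pos = read_varint(raw, pos)
        pos += slen + 4  # scriptSig + nSequence
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", raw, pos)[0]
        pos += 8
        slen, pos = read_varint(raw, pos)
        outputs.append((value, script_type(raw[pos:pos + slen])))
        pos += slen
    if has_witness:
        for _ in range(n_in):
            items, pos = read_varint(raw, pos)
            for _ in range(items):
                ilen, pos = read_varint(raw, pos)
                pos += ilen
    locktime = struct.unpack_from("<I", raw, pos)[0]
    if pos + 4 != len(raw):
        raise ValueError("trailing bytes after nLockTime")
    return {"version": version, "locktime": locktime, "outputs": outputs}


def matches_blender_fingerprint(raw):
    """The report's fingerprint: nVersion 2, nLockTime 0, and P2SH outputs (all of them, here)."""
    tx = parse_tx(raw)
    return (tx["version"] == 2 and tx["locktime"] == 0 and bool(tx["outputs"])
            and all(kind == "P2SH" for _, kind in tx["outputs"]))


P2SH = b"\xa9\x14" + bytes(20) + b"\x87"
P2WPKH = b"\x00\x14" + bytes(20)

# Constructed samples: a Blender-like transaction, and a Bitcoin Core-like one (Core sets
# nLockTime to the current block height for anti-fee-sniping and pays bech32 change).
BLENDER_LIKE = build_tx(2, 0, [P2SH, P2SH], n_inputs=2, witness=True)
CORE_LIKE = build_tx(2, 730_000, [P2WPKH, P2SH], n_inputs=1, witness=True)

if __name__ == "__main__":
    for name, raw in (("blender-like", BLENDER_LIKE), ("core-like", CORE_LIKE)):
        print(name, parse_tx(raw), matches_blender_fingerprint(raw))
```

The contrast with the Core-like sample is the point: a locktime of 0 on a version 2 transaction already separates the wallet from Bitcoin Core’s anti-fee-sniping behaviour, and the output script type narrows it further. In practice a fingerprint is applied to the inputs and outputs around a coinjoin, as the report describes, rather than to a single transaction in isolation.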

Last year’s Liquid Global hack was also attributed to Lazarus. Since the Liquid Global Hack, funds from Lazarus attributed thefts have followed a similar sequence. Funds typically flow through Tornado Cash, across the renBTC bridge, and through BTC tumblers before reaching exchanges.

The same pattern of Blender abuse noted during the attempted laundering of funds from the Kucoin hack is also present in observed flows from the Liquid Global hack, as shown below.

Fig. 11 — Liquid Global Hack Flows into Blender and Wasabi Coinjoin Abuse (Tx Graph)

Due to its use in high profile hacks as well as use by ransomware gangs, Blender drew the attention of the US Treasury Department. On 6 May 2022, one month after Blender had gone offline, Blender was added to the OFAC Specially Designated Nationals (SDN) and Blocked Persons sanctions list. The Treasury alleges:

Blender was used in the laundering process for DPRK’s Axie Infinity heist, processing over $20.5 million in illicit proceeds. OFAC’s investigation also identified Blender’s facilitation of money-laundering for, among others, Russian-linked malign ransomware groups including Trickbot, Conti, Ryuk, Sodinokibi, and Gandcrab.

Along with the announcement, the Treasury added 48 Blender deposit addresses to their sanctions list. The first 20 addresses added to the sanctions list are allegedly sourced from funds related to the Axie Infinity Heist.

Table 2: OFAC SDN Blender Addresses Associated with Axie Infinity Hack (address list)

The addresses received approximately 440 BTC in total, with the coins sourced from Huobi and FTX. This indicates that analysts were able to use fund flow tracking on the Ethereum blockchain to identify the alleged DPRK exchange accounts. The exchanges then aided investigators by providing details on the identified accounts’ BTC withdrawals.

After Hydra’s shutdown, the Blender admin(s) attempted to cover their final tracks on the bitcoin blockchain. Apparently Blender hadn’t received the memo about their previous failures to hide their activity by using Wasabi coinjoins. After shutdown, Blender’s remaining funds went through the following process:

  • Failed mixing with Wasabi coinjoins
  • Minting renBTC onto the ETH blockchain to an initial account.
  • ETH outflows from this main account were later used to fund gas fees for auxiliary accounts. Each auxiliary account was used to process multiple renBTC mints.
  • The renBTC from these accounts were burned back to fresh addresses on the BTC blockchain.

Despite this elaborate and costly process, these funds are easily traceable. Approximately 656 renBTC flowed through the associated main and peripheral ETH accounts back to the BTC blockchain.

At the time of writing this report, only 37 of the 656 BTC have been spent from their original burn destination. This may indicate that the Blender admin(s) still hold the keys to the associated coins. The largest spend, for approximately 23 BTC, may have been spent to entities associated with handling funds from the Axie Infinity Heist.

The timing of the Treasury’s OFAC sanctioning of Blender is odd, with sanctions taking place after Blender had closed services. The current addresses likely controlled by Blender after their attempted mixing process were not included in the OFAC sanctions list.

Rising from the Ashes

Hydra’s demise has led to a predictable emergence of several new darknet markets. At least 10 markets and “catalogs” are available as replacements for Hydra. A list of some of the largest entities is provided in the table below.

The intent of this report is not to endorse any of these markets.

Most of these markets fail to enforce basic security features that are standard for western markets. Typically these markets require JavaScript, have clearnet websites hosted by CloudFlare (which can decrypt the SSL traffic, i.e. see usernames and passwords), do not support XMR, and do not enforce PGP-encrypted communications.

Table 3: Prominent Current Russian DNMs

Clusters attributed to the first 7 markets above have been annotated on OXT. Clicking on the market name will redirect to the respective cluster.

A few markets listed above made forum announcements for official launches prior to Hydra’s demise. Some wallet clusters even show minor activity well before the takedown of Hydra, but for the most part these volumes were negligible compared to Hydra’s activity.

XMR adoption by eastern DNMs remains low. This is likely due to the ease and availability of instant exchange services that swap fiat from virtual bank accounts for BTC. The majority of the instant exchanges popular with DNM users do not support Monero. Despite this, two new markets created after Hydra’s downfall have both integrated support for XMR deposits.

On Clustering and Annotation

Bitcoin users have an unfortunate habit of posting addresses associated with their use of services on social media and other forums. These posts usually come in the form of how-to tutorials and are the main source of OXT’s cluster labels.

DNM users, on the other hand, tend to have much better operational security than the average bitcoin user. DNM users generally avoid posting details about their illicit activity to social media. Without user-provided or other public information linking an address to a real-world entity, analysts are forced to directly interact with a DNM in order to identify its BTC address cluster.

Identifying a market’s wallet cluster is relatively easy and can be accomplished with the following steps:

  1. Obtain a reliable link to the service: Typically these are Tor network onion addresses posted on forums or other DNM link lists.
  2. Access the site: Onion services are constantly battling disruptive DDoS attacks that can make access difficult, if not impossible, for long periods of time.
  3. Create an account: Account creation is easy enough, as these marketplaces typically only require a username, a password, and occasionally a PGP key. No verification by email or SMS.
  4. Fund the account: Most markets are fully custodial. Often a static BTC deposit address is used to keep track of the user balance.
  5. Observe future spending: The coins sent to the market need to be spent along with additional TXOs from the market for the opportunity to discover a cluster.

In our experience, very few markets are careful with their TXO management, resulting in large static clusters similar to Hydra’s wallet clusters.

Fig. 12 — Hydra Market Second Large Wallet Cluster

The single greatest way to prevent the development of a large static cluster is to eliminate address reuse.

Of the markets above, only “Green World” takes efforts to directly reduce the negative effects of address reuse by limiting single address use to a 24 hour window. This prevents the growth of a large static cluster, likely at the expense of increased support tickets from confused users who do not see their expected balance.

In addition, most markets do not require a minimum funding amount, a completed purchase, or escrowing of funds before the funding TXO is spent and clustered.

In other words, logging in to a DNM and sending the market a “dust” TXO and watching the TXO’s future spending is often all it takes for an active attacker to discover a DNM’s wallet cluster.
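The five-step procedure above, and the “dust TXO” observation that follows it, both come down to the common-input-ownership heuristic: once the market co-spends the analyst’s deposit with other deposits, every input address in that transaction is attributed to the same wallet. The Python below is an added example, not OXT’s clustering code: it runs a union-find over a constructed ledger (hypothetical txids and addresses; “M*” is a hypothetical market wallet, “probe” the analyst’s dust deposit), shows which addresses the probe becomes linked to, and counts address reuse, which is what makes the resulting cluster static.

```python
# Constructed sample ledger: hypothetical txids and addresses, not real market transactions.
# Each tx is (txid, inputs, outputs); inputs are (prev_txid, vout) outpoints, outputs are addresses.
# "M*" belongs to a hypothetical market wallet, "V*" to vendors, "C*" to unrelated users;
# "ext*" outpoints are prior history outside the sample and resolve to no known address.
TXS = [
    ("dep1",   [("ext1", 0)],                                         ["M1"]),        # customer deposit
    ("dep2",   [("ext2", 0)],                                         ["M1"]),        # address reuse: same deposit address
    ("dep3",   [("ext3", 0)],                                         ["M2"]),
    ("probe",  [("ext4", 0)],                                         ["M3"]),        # analyst's dust deposit (step 4)
    ("sweep",  [("dep1", 0), ("dep2", 0), ("dep3", 0), ("probe", 0)], ["V1", "M4"]),  # market co-spends deposits (step 5)
    ("dep4",   [("ext5", 0)],                                         ["M1"]),
    ("payout", [("sweep", 1), ("dep4", 0)],                           ["V2"]),        # change M4 co-spent with M1
    ("other",  [("ext6", 0)],                                         ["C9"]),        # unrelated activity
]


class UnionFind:
    """Disjoint sets over address strings."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs):
    """Common-input-ownership heuristic: every address whose TXOs are spent together in one
    transaction is assumed to belong to the same entity. Returns a UnionFind over all addresses."""
    owner = {(txid, i): addr for txid, _, outs in txs for i, addr in enumerate(outs)}
    uf = UnionFind()
    for _, inputs, outs in txs:
        for addr in outs:
            uf.find(addr)  # register every address, including singletons
        spent_by = [owner[ref] for ref in inputs if ref in owner]
        for addr in spent_by[1:]:
            uf.union(spent_by[0], addr)
    return uf


def cluster_of(txs, address):
    """All addresses linked to `address` by co-spending (the address itself included)."""
    uf = cluster_addresses(txs)
    root = uf.find(address)
    return frozenset(a for a in list(uf.parent) if uf.find(a) == root)


def discover_market_cluster(txs, probe_txid):
    """Step 5 of the procedure: follow the deposit address the probe paid and report its cluster."""
    probe_addr = next(outs[0] for txid, _, outs in txs if txid == probe_txid)
    return cluster_of(txs, probe_addr)


def reused_addresses(txs):
    """Addresses that received more than one TXO: the static deposit addresses the report describes."""
    counts = {}
    for _, _, outs in txs:
        for addr in outs:
            counts[addr] = counts.get(addr, 0) + 1
    return {addr: n for addr, n in counts.items() if n > 1}


if __name__ == "__main__":
    print(sorted(discover_market_cluster(TXS, "probe")))  # ['M1', 'M2', 'M3', 'M4']
    print(reused_addresses(TXS))                          # {'M1': 3}
```

Two of the report’s points fall out of the sample. The probe only becomes useful at the `sweep` transaction, which is why a market that waits for a minimum deposit, a completed purchase, or escrow before spending a funding TXO gives an observer far less to work with; and `M1` receiving three deposits shows why a single static deposit address, rather than the co-spend alone, is what turns a cluster into a large static one.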

Post-Hydra Market Activity Profiles

Having established Hydra’s previous wallet profile, we now present the activity profiles for the new post-Hydra markets, starting with raw received BTC values for each market.

Fig. 13 — Post-Hydra Market Activity

OMG, having existed in some small capacity prior to Hydra’s closure, saw immediate growth following Hydra’s shutdown. Blacksprut and Mega are clear leaders along with OMG. In the remainder of this report, we will refer to these three markets, which have solidified themselves as the Hydra market replacements, by the acronym BMO.

The smaller markets that became active after the fall of Hydra are comparatively small, “only” averaging about 1 BTC per day in revenue.

Fig. 14 — Relative Post-Hydra Market Volume

With stacked relative volumes, the smaller markets become visible.

Blacksprut is clearly the dominant market, at times peaking around 60% of the noted volumes.

Fig. 15 — BMO Post-Hydra TXOs Received (Purchases)

Despite its dominance in terms of BTC inflows, Blacksprut is lagging in incoming TXOs received (purchases).

OMG had a small existing userbase prior to Hydra’s shutdown. Its mid-April peak is likely a sign of the majority of previous Hydra users flocking to the already existing market.

Fig. 16 — BMO Post-Hydra Revenue per TXOs (Typical Purchase Size)

Lower TXO inflows with higher revenues result in Blacksprut averaging around 10 times the USD revenue per TXO (typical purchase size) of both Mega and OMG.

Blacksprut’s typical purchase size is on par with Hydra’s late 2021 to early 2022 volumes (see Figure 5, above) at around $600 to $700 per TXO.

Since we are largely interested in gauging how well the overall eastern DNM activity has fared after Hydra’s closure, we have aggregated the revenues of the BMO markets and the smaller markets (BMO+) after Hydra market’s shutdown. The last 90 days of aggregate BMO+ and Hydra activity are summarized in Figure 17.

Fig. 17 — Hydra and BMO+ Revenue Comparison

Despite the numerous headwinds of market fragmentation, BMO+ aggregate volumes are approaching those of Hydra’s prior to its closure.

It is likely that a portion of the volumes have simply “gone dark” by moving to private deals via Telegram or other platforms such as the new “catalog” style markets. These markets do not provide a single wallet spendable with every vendor on the market, but instead require establishing wallets with each vendor. Observing the catalog market activity requires identifying the wallet of each vendor, a much more time consuming task than sending a single TXO to a single market/wallet. The result is a portion of Hydra’s activity not being picked up in the BMO+ wallet clusters.

In the last 90 days, the BMO+ volumes have averaged about 70% of Hydra’s pre-closure volumes. It’s likely that this roughly 30% loss in aggregate volumes has transferred to more personal deals.

Summary

  • Prior to its closure Hydra’s daily revenues ranged from $3 to $4 million per day.
  • Three new markets have largely filled the void left by Hydra: Blacksprut, Mega, and OMG.
  • OMG, which had a small user base prior to Hydra’s shutdown, received the brunt of the immediate post-Hydra activity.
  • Mega’s profile is similar to OMG’s in terms of volume and TXOs received. The users of Mega and OMG tend to favor smaller purchases.
  • Blacksprut’s average purchase size ($/TXO received) is on par with Hydra’s, elevated far above more typical purchase sizes. It is possible that “bulk” purchases represented the majority of Hydra’s activity, and this activity has moved to Blacksprut.

Closing

The closure of Hydra market, a dominant monopoly, has played out similarly to the closure of its legendary peers (Silk Road and AlphaBay). While some of Hydra’s USD revenues have disappeared from easy view, the void has largely been filled by the activity of just three markets: Blacksprut, Mega, and OMG.

The infamous “money laundering” services provided at Hydra seem to have been replaced not by another DNM, but rather by KYC exchanges that laundered the 543 BTC seized from Hydra on behalf of law enforcement. The seized coins flowed through two wallets before being laundered through major exchanges like FTX and Gemini, showing that Hydra’s most heinous crime was its failure to obtain a banking license.

Fig. 18 — 543 BTC Seized from Hydra Laundered through Major Exchanges (Tx Graph)

A list of onion links noted during our analysis is provided below. Clearnet links have been deliberately omitted for privacy and security reasons.

Researchers should exercise caution and externally verify links before proceeding.

Mega
mega555kf7lsmb54yd6etzginolhxxi4ytdoma2rf77ngq55fhfcnyid
megacatkp55k5rtmloe3da7k7w7hp5l2da2kkmbc7lqdlm442wrxrqyd
megadmeovbj6ahqw3reuqu5gbg4meixha2js2in3ukymwkwjqqib6tqd
mega4aiges3rc5whyafevkjwrjtxxtngulzarlve67adjtyp6t2uatid
mega2226xhteoffdyiuyw6udqahbtepii7kwp6vn2y4cntm5llnnblqd
mega333mq5acolj7rw726jjy6g3ihgsmnhlfuuk6cd2267jbohhc4aqd

Matanga
matangapatoo7b4vduaj7pd5rcbzfdk6slrlu6borvxawulquqmdswyd
matangaxxuoxdlx7hqryrrlkcprwmf7zuuu5jfphmrib6o2x27kkimyd

Blacksprut
bsbotnetzdxficaz7uffowuclqr2unjvxufj7g7uqq72xzpl4cbvr6ad
bsbotnetifqt7xajyyi26pjynqtviomoofwf4m5aaw25sn2ocgv7beyd
bsbotnetbkbbd2vk54kbcbv7bu7ofpwun25imyzz3sthxdf2l2sltayd

RAMP
rampclub6l47j2oz3zr2lpzekgtw2zcjnbsqblaszvww5onsj6isdjyd

NOVA
novaltdu2fxbs7mvat6sixh2cmaorbz3bsn72ejzeenehmgbx7kfviad
novaltdnvvqxavs5bkqstlpf63xkpt3ln2f4fh3lmqiy7yxrhg7fsyyd

OMG
omgomgomg5j4yrr4mjdv3h5c5xfvxtqqs2in7smi65mjps7wvkmqmtqd

Shkaf
shkafweetddhz7ttgfh6z4zdeumdwmwr4p6fniz253i6znvaxsy2dlyd
shkafixz42ok6cdjwvxssr234c5lyomynvuubhpxssivnhs7kymr2uid
5xn4ufynogla2utylaztvydd4xxeqq5z62tywtrhmm7g65zsrf3fvuyd

Зелёный мир (Green world)
greenwxkjxpbujclupbukunm74sjyxa2237myxvchjwxdvsubnhlglid
greenwtc2may3bzvebf57ihzmno3poei7d6i552zqcfnzmm7cojrlzid
greenw6d7j4gikufqkniibud5ejgides6kaz4n332dfdx5qyrx4p37id
greenwsz4q55w5qmlgttw7gx4hq66abyzsfoeucmvdped7gejcmchmqd

Solaris
solaris6hl3hd66utabkeuz2kb7nh5fgaa5zg7sgnxbm3r2uvsnvzzad
solaris5ayosi2cpyisp2btt53c35fvrmmdn77biu3vezsuehulvhoad
solaris25mvojhsrdpwmwrmlokv57au7r3rcojarm53nhupyp6z6egqd

O3
o3shopdgo2t74jpwnaowiq6ms2z47udy774aznx5xakto4fexkvgykid