Cybercrime , Fraud Management & Cybercrime
Hydra Aftermath: Where Do Criminals Lurk Now?Russian-Language Darknet Markets Replace Hydra and Surpass Its Popularity
Mere months after a multinational law enforcement team took down the world's largest darknet marketplace, a dozen others have taken its place.
See Also: OnDemand | Understanding Human Behavior: Tackling Retail's ATO & Fraud Prevention Challenge
The new platforms collectively bring in more revenue than the very profitable, now-sanctioned and shuttered Hydra marketplace, which received more than $400 million during the first four months of 2022, before its demise in April.
Almost all the new forums operate in the Russian language, analysis from TRM Labs shows.
These platforms, also called crypto markets, offer identity obfuscation and anonymization networks to criminals and allow the use of encryption-focused cryptocurrency for payment. Their sellers offer illicit drugs, counterfeit money, stolen credit card details and anonymous SIM cards and malware. They also launder cryptocurrency.
Seller activity increased by 24% on the new marketplaces in the first five months of their existence compared to Hydra during the same relative period in 2015, TRM Labs says.
Four darknet marketplaces dominate approximately 80% of the market share, and each of them is part of the new wave of Russian-language sites that has emerged in the wake of Hydra. The largest Western bitcoin darknet marketplace, ASAP Market, accounts for less than 10% of global darknet market share.
Of the four, Blacksprut is the largest market. It has 28% of global share, followed by Mega Darknet with 22% and OMG!OMG! with 17%.
Law enforcement has historically found it challenging to take down darknet markets, and even when they do succeed, users simply migrate to the next available darknet market, said Alois Afilipoaie, threat intelligence and darknet market expert at TRM Labs. Darknet marketplaces are a firmly established form of online transnational criminal activity, making their disappearance very unlikely over the short and medium term, he told Information Security Media Group.
Their "combination of anonymizing technologies, cryptocurrencies and encryption is robust and resilient," according to Afilipoaie.
"Business leaders and cybersecurity executives should not celebrate too much the takedown of such a marketplace, as others will almost certainly appear in its place, with business resuming relatively quickly," he said.
Russia vs. the West
The new darknet markets are not necessarily based in Russia, but they are Russian-language sites that cater to a Russian user base. "Hydra, for instance, was Russian through and through - written in Russian, covering Russian cities, hosting Russian vendors. But its servers were discovered in Germany," Afilipoaie said.
Russian-language markets differ from their Western counterparts by having fewer operational security measures. Most Russian-language platforms support the use of bitcoins - not privacy coins such as monero that are popular in the West. And they reuse passwords in their cryptocurrency wallets. Russian-language darknet markets also look to establish monopolies, in contrast with their counterparts, who fear that would place them on law enforcement's radar.
The differences suggest that the criminals behind the darknet marketplaces are not very concerned about receiving attention from law enforcement, TRM writes.
"Implementing higher security and operational security is time-consuming, costly, and may make the user experience more difficult. If they don't need to do it because the threat is lower, then they obviously won't," Afilipoaie said.