US Sanctions Darknet Market Hydra, Crypto Exchange Garantex
Follows Joint Operation by German, US Law Enforcement Agencies to Shutter Hydra
The U.S. Department of the Treasury has sanctioned Russian darknet marketplace Hydra and cryptocurrency exchange Garantex.
The news comes a day after Hydra was shuttered in a joint operation by the German Federal Criminal Police Office - aka the Bundeskriminalamt or BKA - and U.S. law enforcement agencies. Garantex has been involved in ransomware and other cybercriminal activity targeting U.S. citizens and other entities in the country, the Treasury Department statement says.
The Sanctions and Their Implications
The Office of Foreign Assets Control of the U.S. Treasury Department has imposed expansive sanctions against Russian entities and individuals pursuant to E.O. 14024. Treasury designated Garantex under that executive order and Hydra under E.O. 13694, which targets specific harms caused by significant malicious cyber-enabled activities.
Both entities have been added to OFAC's Specially Designated Nationals and Blocked Persons List. The SDN List includes individuals and entities sanctioned because of their nexus to a targeted country, geographic region or regime. It also includes individuals, groups and entities - such as terrorists, narcotics traffickers and human rights abusers - designated under sanctions programs that are not jurisdiction-specific, according to the Sanctions Compliance Guidance for the Virtual Currency Industry issued by OFAC in October 2021.
According to this guidance, under list-based (target-specific) sanctions programs, listed individuals and entities are:
- Blocked: all of their property and interests in property within the United States, or in the possession or control of a U.S. person, are frozen unless a general or specific license issued by OFAC authorizes the dealing or an exemption applies; and
- Off limits for specified transactions and activities: U.S. persons may not make any contribution or provision of funds, goods or services by, to or for the benefit of any blocked person, nor receive any contribution or provision of funds, goods or services from such a person.
Also, pursuant to OFAC's "50 Percent Rule," any entity owned, directly or indirectly, 50% or more, individually or in the aggregate, by one or more blocked persons, is also considered a blocked person - even if that entity does not itself appear on the SDN List. The same restrictions listed above also apply.
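The aggregation in the 50 Percent Rule is easy to get wrong by hand once ownership runs through several layers, so here is an added worked example (not part of the article or of any OFAC tool) that propagates blocked status through an ownership graph until nothing changes. The graph, the entity names and the percentages are constructed for illustration. The logic follows the rule as stated above: a listed person is blocked by definition, an entity becomes blocked when blocked owners together hold 50% or more of it, and a newly blocked entity's own holdings then count in full, which is how "indirectly" owned entities are captured. A stake held by an intermediary that is not itself blocked contributes nothing, however large the blocked stake in that intermediary. Note that the rule speaks to ownership, not control.

```python
"""OFAC 50 Percent Rule: propagate blocked status through an ownership graph to a fixed point."""
from __future__ import annotations

# Constructed ownership graph: owner -> {owned entity: percentage held}. The names are
# placeholders and model no real company. "X" is the only party assumed to be on the SDN List.
OWNERSHIP = {
    "X": {"A": 50, "B": 10, "P": 25, "Q": 25},
    "A": {"B": 40, "C": 25},
    "Y": {"C": 25},   # Y is not blocked, so its 25% of C never counts toward C
    "P": {"R": 50},   # P and Q are only 25% owned by X, so neither is blocked,
    "Q": {"R": 50},   #   and their combined 100% of R contributes nothing to R
}
LISTED = {"X"}


def blocked_entities(listed: set[str], ownership: dict[str, dict[str, int]]) -> dict[str, int]:
    """Return {entity: aggregate % held by blocked owners} for every blocked entity.

    Listed persons start out blocked (recorded as 100). Each pass sums, per entity, the stakes
    held by currently blocked owners; any entity reaching 50% joins the blocked set. Because a
    newly blocked entity's holdings then count in full on the next pass, the loop repeats until
    a pass adds nothing. Ownership only flows through intermediaries that are themselves blocked.
    """
    blocked = {name: 100 for name in listed}
    while True:
        totals: dict[str, int] = {}
        for owner, stakes in ownership.items():
            if owner not in blocked:
                continue  # a non-blocked owner's stakes are invisible to the rule
            for entity, pct in stakes.items():
                totals[entity] = totals.get(entity, 0) + pct
        newly = {e: t for e, t in totals.items() if t >= 50 and e not in blocked}
        if not newly:
            return blocked
        blocked.update(newly)


def is_blocked(name: str, listed: set[str], ownership: dict[str, dict[str, int]]) -> bool:
    """Convenience check for screening a single counterparty name against the graph."""
    return name in blocked_entities(listed, ownership)


if __name__ == "__main__":
    for entity, pct in sorted(blocked_entities(LISTED, OWNERSHIP).items()):
        print(f"{entity}: blocked ({pct}% held by blocked persons)")
    for entity in ("C", "R"):
        print(f"{entity}: not blocked" if not is_blocked(entity, LISTED, OWNERSHIP) else f"{entity}: blocked")
```

In the constructed graph, A is blocked because X holds 50% of it outright; B is blocked because X's direct 10% and blocked A's 40% aggregate to 50%; C stays unblocked because only A's 25% counts (Y is not blocked); and R stays unblocked even though P and Q hold all of it, because neither P nor Q reaches the 50% threshold themselves.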
"This guidance in the form of Frequently Asked Question 1,021 makes clear that Treasury's expansive sanctions actions against Russia require all U.S. persons to comply with OFAC regulations, regardless of whether a transaction is denominated in traditional fiat currency or virtual currency," the Treasury Department says.
OFAC asks U.S. persons, wherever located, and firms that process virtual currency transactions to be alert to attempts to circumvent its sanctions, and to check the online sanctions list regularly.
Hydra's Ransomware Connection
The latest sanctions aim to disrupt the "proliferation of malicious cybercrime services, dangerous drugs and other illegal offerings available through the Russia-based site," the Treasury Department says.
Treasury Secretary Janet L. Yellen says that ransomware operators and those engaging in other cybercrimes were able to operate fearlessly from Russia and posed a potential threat to U.S. interests. This, she says, is one of the factors behind the sanction.
"The global threat of cybercrime and ransomware that originates in Russia and the ability of criminal leaders to operate there with impunity, is deeply concerning to the United States," Yellen says.
She adds that ransomware payments are typically demanded in virtual currency, which criminals favor for its perceived anonymity and ease of cross-border transfer; in practice, public blockchains are pseudonymous rather than anonymous, and their traceability is what allowed the flows described below to be quantified. "Countering ransomware is a top priority of the administration. Today's action supports the administration's counter-ransomware lines of effort to disrupt ransomware infrastructure and actors in close coordination with international partners."
OFAC's investigation also found that more than $8 million in ransomware proceeds has moved through Hydra's virtual currency accounts, including transactions with the Ryuk, Sodinokibi - aka REvil - and Conti ransomware gangs, among others. Citing a report from blockchain researchers, OFAC says that approximately 86% of all illicit bitcoin received by Russian virtual currency exchanges in 2019 came from Hydra.
Due to this, the Treasury Department says, Hydra is being held responsible for having engaged in cyber-enabled activities originating from outside the United States that are "reasonably likely to result in a significant threat to the national security, foreign policy, economic health or financial stability of the United States."
Garantex is a virtual currency exchange that was founded in 2019 and is headquartered in Estonia. A joint operation between U.S. law enforcement agencies and their Estonian counterparts discovered that Garantex facilitated more than $100 million in transactions "associated with illicit actors and darknet markets." This sum included nearly $6 million from Russian ransomware-as-a-service gang Conti and another $2.6 million from Hydra, the Treasury Department says.
Following this discovery, and after finding critical anti-money laundering and counter-terrorist financing (AML/CFT) deficiencies along with connections between Garantex and wallets used for criminal activity, Estonia's Financial Intelligence Unit revoked Garantex's license to provide virtual currency services in February 2022, the Treasury Department says. "Garantex is being designated today pursuant to E.O. 14024 for operating or having operated in the financial services sector of the Russian Federation economy."
The Treasury Department recently took similar actions against two other virtual currency exchanges - Suex and Chatex - which were also allegedly facilitating illicit ransomware-related financial transactions and other cybercriminal activity.
In addition to sanctioning Hydra and Garantex, the Treasury Department has listed more than 100 Bitcoin (BTC), Tether (USDT) and Ether (ETH) addresses connected to the two entities' operations as identifiers on their SDN List entries. Property held in those addresses is blocked, and U.S. persons are generally prohibited from transacting with them.
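The two practical consequences of the paragraphs above, that firms processing virtual currency must check the sanctions list regularly and that OFAC now publishes specific BTC, USDT and ETH addresses as SDN identifiers, come together in transaction screening. The following added example (not code from the article, from OFAC or from any vendor) builds an address index from SDN-style records and screens a batch of transactions against it. The sample rows imitate the shape of OFAC's sdn.csv and the "Digital Currency Address - <asset> <address>" remark syntax, but the column layout, the regular expression and every address and transaction below are constructed for illustration; nothing here corresponds to a real listing. Two details matter for a correct match and are handled in the code: hex (0x) addresses, used by Ether and ERC-20 tokens such as Tether, are case-insensitive and are often displayed in EIP-55 mixed case, so they must be normalized before comparison, and both the sending and the receiving side of a transaction must be screened, since receiving funds from a blocked person is prohibited as well as sending to one.

```python
"""Screen virtual-currency transactions against digital-currency addresses on an SDN-style list."""
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass

# Constructed rows imitating OFAC's sdn.csv (entity number, name, type, program, remarks).
# The real file carries more columns and this layout is an assumption; only the remarks text is
# parsed. Every address is invented and stands for no real listing.
SAMPLE_SDN_CSV = """\
9901,"HYDRA MARKET","-0-","CYBER2","Digital Currency Address - XBT 1HydraExampleBase58AddressXXXXXXXXX; alt. Digital Currency Address - ETH 0xabcdefabcdefabcdefabcdefabcdefabcdefabcd; alt. Digital Currency Address - USDT 0x2222222222222222222222222222222222222222."
9902,"GARANTEX EUROPE OU","-0-","RUSSIA-EO14024","Website garantex.io; Digital Currency Address - XBT bc1qgarantexexampleaddressxxxxxxxxxxxxxxx."
9903,"EXAMPLE VESSEL","vessel","IRAN","Former Vessel Flag None Identified; no digital currency identifiers."
"""

# Assumed remark syntax: the literal label, an asset code, a space, then the address.
ADDRESS_RE = re.compile(r"Digital Currency Address - ([A-Z0-9]+) ([A-Za-z0-9]+)")


@dataclass(frozen=True)
class Listing:
    ent_num: str
    name: str
    program: str
    asset: str      # asset label as published (XBT, ETH, USDT, ...)
    address: str    # address exactly as published


def normalize(address: str) -> str:
    """Canonical form for comparison.

    0x-prefixed hex addresses (Ether and every ERC-20 token, Tether included) encode no case
    information; EIP-55 mixed case is only a display checksum, so lowercase them. Base58 Bitcoin
    addresses are case-sensitive and are left untouched; bech32 addresses are lowercase anyway.
    """
    address = address.strip()
    return address.lower() if address.lower().startswith("0x") else address


def build_index(sdn_csv_text: str) -> dict[str, list[Listing]]:
    """Map each normalized listed address to the listings that carry it."""
    index: dict[str, list[Listing]] = {}
    for row in csv.reader(io.StringIO(sdn_csv_text)):
        if len(row) < 5:
            continue
        ent_num, name, _entity_type, program, remarks = row[0], row[1], row[2], row[3], row[-1]
        for asset, addr in ADDRESS_RE.findall(remarks):
            index.setdefault(normalize(addr), []).append(Listing(ent_num, name, program, asset, addr))
    return index


def screen(transactions: list[dict], index: dict[str, list[Listing]]) -> list[dict]:
    """Return one hit per (transaction, side) whose address appears on the list.

    Both sides are checked: sending to a blocked person and receiving from one are prohibited.
    Matching is on the address alone, not on the asset, because a USDT (ERC-20) address is the
    same 0x address as an ETH address and may be listed under either label.
    """
    hits = []
    for tx in transactions:
        for side in ("from", "to"):
            for listing in index.get(normalize(tx[side]), []):
                hits.append({"tx": tx["id"], "side": side, "address": tx[side],
                             "ent_num": listing.ent_num, "name": listing.name,
                             "program": listing.program, "listed_as": listing.asset})
    return hits


# Constructed transactions. tx-1 pays a listed ETH address written in EIP-55 mixed case; tx-2
# receives USDT from an address listed under the USDT label; tx-3 pays a listed Bitcoin address;
# tx-4 touches nothing on the list.
SAMPLE_TRANSACTIONS = [
    {"id": "tx-1", "asset": "ETH", "from": "0x9999999999999999999999999999999999999999",
     "to": "0xABCDEFabcdefABCDEFabcdefABCDEFabcdefABCD"},
    {"id": "tx-2", "asset": "USDT", "from": "0x2222222222222222222222222222222222222222",
     "to": "0x9999999999999999999999999999999999999999"},
    {"id": "tx-3", "asset": "BTC", "from": "bc1qcustomerexampleaddressyyyyyyyyyyyyyyyy",
     "to": "bc1qgarantexexampleaddressxxxxxxxxxxxxxxx"},
    {"id": "tx-4", "asset": "BTC", "from": "bc1qcustomerexampleaddressyyyyyyyyyyyyyyyy",
     "to": "1UnrelatedExampleAddressZZZZZZZZZZZZZZ"},
]

if __name__ == "__main__":
    idx = build_index(SAMPLE_SDN_CSV)
    for hit in screen(SAMPLE_TRANSACTIONS, idx):
        print(f"{hit['tx']} [{hit['side']}] {hit['address']} -> {hit['name']} "
              f"(SDN {hit['ent_num']}, {hit['program']}, listed as {hit['listed_as']})")
```

In production the index would be rebuilt from the freshly downloaded list on every update, not once, and a hit would hold the transaction rather than merely log it; the point of the example is the normalization and the two-sided check, which are where ad hoc string comparisons against the published list tend to miss.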
Hydra's Money Laundering 'Underrated'
Hydra has been widely known for its darknet marketplace and the sale of illicit drugs and cybercriminal services on its platform.
Kim Grauer, director of research at blockchain data monitoring firm Chainalysis, tells Information Security Media Group that Hydra's money laundering services are an under-discussed and underrated part of the platform, especially given recent sanctions placed by several countries against Russia. A huge share of funds received by Hydra since 2020 have come from illicit sources, such as ransomware and scams, or risky sources, such as high-risk exchanges and mixers, she says.
According to Chainalysis research, since January 2020, Hydra has received $645 million worth of cryptocurrency from illicit addresses, mostly those connected to other darknet markets and stolen funds. The value received from scams, ransomware operators and sanctioned actors also numbers in the millions, Chainalysis says in a tweet.
Chainalysis also posted on Twitter about the status of cryptocurrency transactions associated with Hydra in the recent past:
"Since mid-Feb, Hydra's daily transaction history has mostly stayed stable, with between $2M and $5M worth of crypto sent and received each day. The recent plummet in value received and spike in value sent is likely related to today's seizure." - Chainalysis (@chainalysis), April 5, 2022
DOJ Indicts a Russian Connected to Hydra
The Department of Justice has revealed more about Hydra's operational reach and the profits it made over the years. "In 2021, Hydra accounted for an estimated 80% of all darknet market-related cryptocurrency transactions, and since 2015, the marketplace has received approximately $5.2 billion in cryptocurrency," the DOJ says in a statement.
And FBI Director Christopher Wray says in the same statement, "The successful seizure of Hydra, the world's largest darknet marketplace, dismantled digital infrastructures which had enabled a wide range of criminals - including Russian cyber criminals, the cryptocurrency tumblers and money launderers that support them and others, and drug traffickers."
The DOJ also announced criminal charges against a 30-year-old Russian citizen, Dmitry Olegovich Pavlov, who has been indicted "for conspiracy to distribute narcotics and conspiracy to commit money laundering, in connection with his operation and administration of the servers used to run Hydra."
Pavlov, the DOJ says, operated a company called Promservice Ltd. - also known as Hosting Company Full Drive, All Wheel Drive and 4x4host.ru - which administered Hydra's servers. Pavlov allowed the market to operate as a platform used by thousands of drug dealers and other unlawful vendors to distribute large quantities of illegal drugs and other illicit goods and services to thousands of buyers and to launder billions of dollars derived from these unlawful transactions, the DOJ says.
According to the indictment, filed by the department on Tuesday, Pavlov, as an active administrator of Hydra's servers, conspired with the other operators of Hydra and contributed to its success by providing the critical infrastructure required to operate and thrive in the competitive darknet market. "Pavlov is alleged to have facilitated Hydra's activities and allowed Hydra to reap commissions worth millions of dollars generated from the illicit sales conducted through the site."