Can Dark Web Trading Markets Be a Geopolitical Power Multiplier? A Look at Russia’s Hydra Trading Marketplace
Recently, Germany's largest tabloid, Bild, reported a major hacking attack on the German banking system from Russia and named "Russian state hackers from the 'Fancy Lazarus' group" as the culprit. If the attacks did happen - and so far there is no official confirmation - it would, as usual, be hard to definitively blame Russian state actors, dubbed "Fancy Lazarus," even if cybersecurity experts believe the cyber extortion group may have links to Russian, North Korean and other governments.
Because Russia has denied it, President Joe Biden had to be careful when he tried to draw a "red line" for Russian President Vladimir Putin at last month's summit, and he couldn't tell Putin directly to stop cyberattacks. Instead, he talked about not providing sanctuary to cyber criminals - a discussion Putin tried to deflect by saying Russia would consider handing over cyber criminals to the United States, but on a reciprocal basis. As a comprehensive system, this is a non-starter; theoretically, only specific exchanges can be arranged.
On the one hand, the deniability of the Russian state's involvement in cyberattacks is stronger than that of its predatory behavior in Ukraine, for example. On the other hand, that deniability seems nonsensical to anyone who knows anything about an important Russian institution: a dark web marketplace called Hydra, which is probably the largest in the world and could not exist anywhere else. In addition to serving as a major drug broker, it has helped create a network of hacked money laundering channels that are difficult for non-Russians to use.
The average lifespan of dark web marketplaces (online shopping sites on encrypted and anonymous networks like Tor) was estimated in 2018 to be about eight months. They collapse under the weight of scams or fall victim to enforcement actions, sometimes enabled by competitors. It's a forest out there, and with customers and sellers accustomed to migrating to new venues, exceptions to the old guard on the dark web are extremely rare.
Hydra is an exception to end all exceptions. It started in 2015, had a turnover of about $9.4 million in its second year, managed to grow to $1.4 billion in 2020, and is still going strong. These figures come from a report by cybersecurity risk intelligence firm Flashpoint and cryptocurrency analytics firm Chainalysis, which also estimates that Hydra accounts for more than 75% of global dark web revenue.
All of that turnover is in cryptocurrencies. Chainalysis puts the share of bitcoin traffic from illicit activity at a fraction of 1 percent, but, as the analyst firm writes in its 2021 "Cryptocurrency Crime Report," "what stands out above all is that Russia receives a disproportionately large share of dark web market funding, thanks largely to Hydra." And it's no wonder. In Moscow and other Russian cities, Hydra is the place to procure drugs, mostly distributed as "hidden treasure" by teams of young Kladmen who can earn thousands of dollars a month by hiding orders under park benches, burying them under trees and gluing them to the bottom of mailboxes.
An illegal market as large and old as this is bound to be an entire ecosystem. It spawns a massive demand for money laundering services that can also be used to legitimize the proceeds of other types of cybercrime beyond the drug trade. Chainalysis and Flashpoint describe a major change in 2018 in the way Hydra's funds are handled. In order to be able to withdraw funds from Hydra, sellers had to convert them to Russian rubles through a specific range of local providers. This hardly makes sellers happy, and according to the report, some drug sellers now prefer to settle in cash outside of Hydra, burying the currency like a drug "treasure." But the reliance on local services and rubles makes the money laundering path to Hydra "difficult and almost impossible to trace," according to the Flashpoint-Chainalysis report.
This, of course, makes Hydra's funding infrastructure valuable to a variety of local cybercriminals. Chainalysis' "Cryptocurrency Crime Report" includes a case study of a Russian OTC cryptocurrency broker that, since becoming active in (perhaps coincidentally) 2018, has received $265 million in cryptocurrency. A large portion of this money came from Hydra, but the rest came from various ransomware and scams. The OTC broker also helped clients convert their illegally acquired bitcoins into cash.
The U.S. Justice Department says it managed to recover some of the ransom paid to the hackers who attacked and crippled Colonial Pipeline earlier this year - but by the time the bitcoin was recovered, the ransomware creators had been able to convert it into rubles using the very channels around Hydra from which the reliable amount of Hydra came.
In any conversation about Hydra, it's krysha, or protection, that is the elephant in the room. Putin's Russia is increasingly becoming a police state, with a great deal of power concentrated in the hands of law enforcement agencies. Legitimate businesses are routinely raided, seized or destroyed by these agencies. Yet Hydra continues to thrive as if unaffected (and few, if any, are). Its creators once focused on international expansion, but seem to have given up, at least temporarily, apparently feeling safe in Russia. Their complete reliance on ruble-based financial infrastructure is proof of this. Quoting Flashpoint and Chainalysis:
The fact that law enforcement scrutiny and competitor shenanigans have affected Hydra so far may simply be a coincidence, or it may indicate that Hydra is more resilient to wavering geopolitical and law enforcement efforts. The longer Hydra operates without significant disruption, the more realistic the latter option becomes, with regional financial incentives for stakeholders being the only plausible explanation.
This is a prudent way of alleging that Hydra has powerful protectors at the highest levels of Russian institutions. Russia has repeatedly denied any official connection to the cyberattack. However, as Flashpoint and Chainalysis point out, the scale of the Hydra phenomenon would not be possible without some sort of semi-official protection.
Russia has few internationally competitive technology companies, but plenty of engineering talent, including the adventurous kind. The unique combination of corruption, cutting-edge technology and geopolitical stance that makes any attack on Western institutions somehow useful to the government makes Russia a major player in the cybercrime arena. Second only to Ukraine in the adoption of cryptocurrencies, Russia is building a technological capability that no other country seems to have the chutzpah to develop.
Is there anything Putin can do about this? That may not be the right question. So far, he has no real incentive to try to crack down, especially if the illegal business is transparent to those he knows and trusts, and thus available to the state in times of need. The threat of retaliatory action by the United States is not convincing enough. As things develop, Putin can make people like Hydra worry about that prospect. If they are crushed, others can take their place. Without resilience, the dark web will not have any problems.
From: On DarkNet – Dark Web News and Analysis