All posts by Daniella Coungeau

Hydra, the biggest Russian-language darknet market (DNM), is growing a new head and is planning to expand into the English part of the darknet. The threat of a rising, powerful, and experienced player should not be ignored, even though the launch was postponed due to the COVID-19 outbreak. How serious is it and what is the danger here? Let’s dive in.

Darknet Markets Project Hydra

Hydra is currently the biggest Russian language darknet Market (DNM). It is also much older than any existing English language DNMs. In December 2019, the Hydra crew announced the creation of several new projects, the most important of which are Eternos and AspaNET. The former is a new DNM for English-speaking crooks. The latter is a new darknet that will be an alternative to TOR. The Hydra crew initially planned to launch new projects in September 2020, but in June they postponed it for an unspecified time because of the COVID-19 pandemic. Given the events in the English speaking sphere of TOR during the last 18 months, current instability among DNMs and uncertainty among darknet users, it could be an opportune time for a new player to take the stage.

If the new Hydra market does indeed begin operations, it would become a significant part of the cybercriminal environment in the English language sphere. There is huge momentum behind the Hydra crew and the present moment is perfect to take over a large part of the illicit market on the darknets. Other cybercriminal groups will have to react somehow to the new competitor. Will they cooperate, compete, or go to war? It is also possible that these new projects won’t launch (or they will be operating only partially) and that Hydra’s Initial Coin Offering (ICO) was only a fraud targeting the darknet community.

What is Hydra?
The darknet market Hydra was launched in 2015 as a market focused on drugs. At that time, the main Russian DNM was RAMP. Many Commonwealth of Independent States (CIS) citizens also used big Western DNMs: AlphaBay, Hansa Market and Dream Market. RAMP and Hydra’s peaceful competition stopped at the beginning of 2017, when both DNMs started to fight what is now referred to as “the DNM war.” To see a brief history of darknet markets and Hydra’s influence on them, look at the infographic timeline we’ve created. It will also help you structure all the information that we’re about to reveal.

In June and July 2017, AlphaBay and Hansa Market, the first and third biggest Western DNMs respectively, were seized by law enforcement during Operation Bayonet. At the same time, Russian authorities seized RAMP, but it is not certain whether it was part of the wider law enforcement action. Nevertheless, after the seizure of RAMP, Hydra became the biggest Russian DNM. According to the Hydra administrators’ statement and publications (more about lenta later), Hydra is one of the top 10 internet companies in Russia. Moreover, the Hydra owners are so brazen that in the past they even bought ads on YouTube. The ad was removed after a short time, but it can still be found here.

Figure (Hydra1): Part of the ICO announcement from the Hydra website. The first underlined element is about ads on YouTube and in publications. In the second underlined sentence Hydra claims to be in the top 10 of the largest Russian internet companies.

Currently, Hydra is well known as an illegal drug-focused DNM. It is especially well known for using secret GPS-marked hiding places as a delivery method. Russians call such drug caches закладка. A courier delivers items bought on Hydra to the secret drug caches, which could be located between some bricks in a building, under a park bench or in another similar place. Then the courier writes down the GPS coordinates and the buyer receives them with a message that the package is ready for pick-up. To be able to provide such a delivery method, merchants on Hydra have to maintain crews of couriers. That’s why this method is available only in the big cities of Russia and the CIS.

On Hydra, one can buy not only illegal drug-related merchandise, but also fraud-related goods: stolen credit cards (both dumps and fullz), SIM cards, electronic money wallets, stolen accounts and counterfeit money. The number of fraud product providers is much smaller than the number of drug suppliers, but they are all verified and trusted vendors. Because of this, there are almost no problems with fake merchants, as is often the case on other DNMs.

Russia is a unique country with a strong power apparatus that gets involved in many shady initiatives. There are official US government statements from which we learn that the Russian authorities hire cybercriminals, who consequently remain under state protection. Among both darknet researchers and Russian cybercriminals, the majority opinion is that Hydra is supported by the Russian authorities, probably the intelligence services. Through the biggest marketplace they can control what is sold, benefit from the profits, and learn who is who in this environment.

Hydra is the biggest Russian DNM, but that does not mean all Russian cybercriminals love Hydra and use it. The Hydra crew call themselves aggressive and ready to counter every attack on their interests. Many crooks perceive them as too aggressive and don’t accept their connections with the Russian authorities. Administrators of some Russian carding forums officially claim that they have nothing in common with Hydra and aren’t interested in developing ties. There are even forums on the Russian darknet that ban discussion threads about Hydra.

Figure (Hydra2): An experienced user on one Russian carding forum claimed that people there have nothing in common with Hydra, that discussion about drugs is forbidden, and that the thread creator should take questions about Eternos and AspaNET to the Hydra forum. The thread was closed by moderators not long after its creation.

What they are planning
In December 2019, the Hydra crew announced an Initial Coin Offering (ICO) to gather funds for launching several new projects. The most important are Eternos, a new DNM with global reach, and AspaNET, which would be an alternative to TOR. In only 5 days, Hydra wanted to sell 1,470,000 tokens, with each token priced at $100. After the Eternos launch, owners of at least 101 tokens would get 0.00333333% of the monthly profit generated by the marketplace for every hundred tokens held in a wallet. Initially, all of the new projects were to start operating in September 2020. Obviously, taking part in this ICO was openly financing organized crime activity.

At first sight, Eternos is the core project here. For now, Hydra is a DNM dedicated to the CIS region (Azerbaijan, Belarus, Ukraine, Russia, etc.) and is available only in the Russian language. Eternos will be accessible in English and possibly in other popular languages. The purpose is to create a large, stable, and secure DNM that will be an alternative to Western DNMs. The Hydra crew promises that the new DNM will be based on Hydra, but enriched with many features: encrypted messages, a built-in cryptocurrency mixer, and, as mentioned before, a delivery system based on the drug caches known as закладка. The last one could be the most innovative for Western countries and the most troublesome to introduce. Eternos will have an international legal reference system that helps to assess risk in many states for various kinds of illicit merchandise. Part of it will be services that help with logistics, advertising and data analysis.

The second core project, and maybe even more important than Eternos, is the new darknet, AspaNET. The Hydra crew is probably powerful and rich enough to create their own darknet, as even smaller hacker organizations have managed to do so. Eternos will be available on AspaNET, but it is uncertain whether it will also be available on other darknets (like TOR and I2P) or whether it will be an AspaNET exclusive. For trouble-free operations it should have infrastructure that can handle Eternos and the other new projects. As the Hydra crew will be its operator, its maintenance budget will come from criminal activity. If the Russian authorities have something to do with it, they would have the possibility of extending their surveillance with this network. So it is possible that it will be another international darknet, but probably made and controlled in cooperation with the Russian intelligence services. According to the announcement, AspaNET can bypass the Internet censorship and filtering of the Chinese Golden Shield Project and the Russian Sovereign Internet. They also said that this new darknet solves many known TOR problems and that it has been successfully tested in China and Turkey. Right now there are almost no technical details about it, so it is hard to say more.

There will also be other projects launched that will work within AspaNET. Whisper will be a messenger that uses PGP and VPN to secure anonymity for users. ChangePoint will be a new cryptocurrency exchange. This is probably the first time one group has attempted to create such a complex service offering on the darknet. Criminals who used only their services would be concentrating their information in one place and sending it exclusively through those services. It would require a great deal of trust.

There are several unexpected things about the new projects announcement and how the community has reacted to it. There was little discussion about it on Russian forums. On some cybercriminal forums, Hydra-related threads were closed by moderators. An official Hydra representative said that the official ICO announcement was everything the Hydra admins had to say at that moment. On most English-language forums there was almost no discussion about it until May 2020, when the most important English website about darknet news wrote about these new projects—a full 6 months after the ICO. Another thing is that the Hydra announcement mentioned before has a provocative tone. They state directly that they are aggressive, eager to fight any adversaries who want to disturb their business, and ready for global expansion in the darknet market sector.

Is the time right?
By looking at the timeline graphic we can see that the English-language sphere of the darknet has been in flux since at least March 2019. Although the timeline concentrates on the fuss among DNMs, it is not the whole story. Turmoil has affected other places. Perturbations were caused by law enforcement actions, exit scams, DDoS attacks and the disappearance of certain services and important figures. Probably the first were the DDoS attacks on the main Western DNMs in January 2019. These attacks were one of the reasons why Dream Market, the biggest English DNM at the time, suspended its operations, never to return. After that, DDoS attacks were conducted against the biggest forum in the English-language part of TOR. The threat actor responsible for the attack campaign in the first half of 2019 used the nicknames hereugo and hereugoagain. It is uncertain whether he/she worked alone or with a team, but he/she proved able to stop and begin attacks at will. In the middle of 2019, he put his DDoS attack method up for sale, and it was probably bought by another group or groups, which were responsible for the subsequent DDoS attacks on forums and DNMs in TOR.

Figure (Hydra3): In May 2019 hereugoagain made a sale announcement for his DDoS tool. Its price was 50 BTC, which at that time was 288,320 USD.

Alongside the attacks mentioned above, there was the unexpected seizure of a popular darknet news website by law enforcement agencies. Deepdotweb was the biggest and most popular such site on the English-language internet, and besides news and tutorials it contained links to DNMs. The portal earned money from the DNMs for each buyer who came from links on Deepdotweb, which is why its operators were accused of complicity in money laundering. After that, other similar information portals shut themselves down over fears of arrest.

Another disturbing event was the disappearance of administrators of forums for criminals. Although some of them returned, not all could authenticate themselves with their private PGP key. One of the administrators lost his key, which meant that he couldn’t confirm his identity. Losing the main thing cybercriminals use to authenticate themselves to the rest of their community amounts to complete compromise and a loss of trust. The event in which another forum administrator went missing was described in a previous article.

Over the last 18 months, 15 English speaking DNMs stopped operations. Some were busted (xDedic, Wall Street Market, Valhalla, Berlusconi Market); others stole their customers’ money and did an exit scam (Nightmare Market, Silk Road 3.1, Grey Market, Apollon Market, Europa Market, BitBazaar); the rest disappeared because of other or unknown reasons (Dream Market, CGMC, Cryptonia Market, Tochka Market, Samsara Market). Right now the oldest English speaking DNM is Empire which is 3 years younger than Hydra. The rest of the DNMs are even younger.

At the same time, investigative material on Hydra was published on the Russian-language internet. In September 2019, a Russian pro-government information portal released a short series of articles and professional, entertaining videos via the lenta YouTube channel. The videos talk about Hydra’s beginnings and its war with RAMP, the drug cache system, and how human lives are destroyed by drugs. Although the message of the last one is clear and educational, while watching the first two videos one may have the impression of looking at a Hydra advertisement. The videos are made in a spectacular, attractive style and feel like an attempt to make Hydra look appealing. Some numbers are exaggerated, probably to make Hydra look even stronger and richer than it really is. For example, the given number of 80 criminal Telegram channels where Hydra adverts were published in 2017 is far too big. At that time cybercriminal communities on Telegram had only just started to emerge and there weren’t so many channels on illicit subjects. Also, the quoted monthly price for sharing Hydra ads on a Telegram channel is enormously high.

Figure (Hydra4): If you like hacker-style stuff, don’t forget to have a look at the lenta publication website (available only in Russian).

What if they succeed?
Given the instability in Western DNMs, both darknet vendors and customers will try Eternos. Even crooks who don’t speak Russian have heard about Hydra and its domination of the Russian TOR segment. The main obstacle to growth for Eternos could be the new darknet, AspaNET. History shows us that most crooks don’t want to use new, unknown darknets, especially if using them is complicated. Last year demonstrated a reverse trend: more and more illicit goods are sold on the Clearnet on alternative internet market platforms (like Shoppy), encrypted communicators (like Telegram and WhatsApp), internet forums and standard websites equipped with criminal vendor shops. Of course there are many problems with rippers (crooks who deceive other fraudsters) there, but the point is that many low-level crooks are lazy and often seek merchandise on the Clearnet. A lot depends on whether Eternos will also be available on TOR. If not, many lazy criminals won’t even try it, although advanced users will still want to test it.

The question is, how will the other players on the darknet react to the new competitor? The current main players on the English-speaking darknet have a stable position and a good reputation. Eternos, as a new brand in the English-language sphere, will have to gain trust. The Hydra background will certainly be an asset, but it may not be enough. At the outset, Eternos’ cooperation with the main forums and information portals could be very helpful in winning the faith of the crooks. That’s why the Hydra crew should start a marketing campaign on the English-speaking darknet to get more brand recognition. On the other hand, this is an area in which the currently dominant DNMs can attack the new Hydra project. They could bribe forum administrators and information portal owners to spread false information about Eternos problems, scams, dishonesty, security vulnerabilities, etc. Furthermore, they could make fake Eternos websites and spread links to them in order to phish Eternos clients’ credentials or damage the brand. The Hydra crew would certainly be notified about a disinformation attack and would attack back. That would be the beginning of the next Hydra war, this time with Western DNMs. What I described here is just speculation on how that could start. Subsequent events could go many ways, and there is no way to predict which side would win.

Assuming there will not be a serious fight between Eternos and the other players, and that neither of Hydra’s new projects has serious technical problems, the new DNM will probably enjoy stable growth in all areas. It is a truism that no DNM lives forever. Every DNM eventually gets seized or pulls an exit scam. This was especially true last year among English-speaking DNMs, where the average lifespan dropped. When one big DNM goes offline, vendors and buyers seek a new, attractive, trustworthy market. If Eternos maintains durability as Hydra does, most crooks will use the new DNM. If Eternos indeed rises, there is a good chance for it to become one of the most prominent markets.

Could it be a scam?
We can’t be certain that these new projects will indeed be launched. The ICO mentioned at the beginning could be a scam targeting fraudsters. As this ICO was obviously a case of organized crime crowdfunding, there would be no recourse for defrauded investors. There are no official institutions to which one could complain. If the new projects do not start, the Hydra administrators would probably explain themselves by citing unpredictable technical problems or using some other well-crafted, ultimately meaningless explanation. Posts with cheated users’ lamentations would be deleted. In this scenario Hydra would certainly lose trust, but the question is, does it really matter? Sure, trust is important on the darknet, but Hydra is currently the most important and strongest DNM player on the Russian scene. If somebody wants to use a Russian DNM, they will most likely eventually return there. If Hydra ripped off somebody who wasn’t its client before, it couldn’t care less. And there are several reasons that Hydra may opt for a scam scenario.

First of all, as previously mentioned, the ICO was planned to last for only 5 days, from the 16th to the 20th of December. How much investment did they seek? They were selling 1,470,000 tokens for $100 each, to potentially raise the astronomical amount of $147,000,000. If anybody acquired such a sum in 5 days of crowdfunding, it would certainly attract the attention of law enforcement agencies that deal with money laundering. But that is not the case here, because this is the exact opposite of money laundering. It is hard to believe that anyone would gather such an amount so quickly. Also, there are no clear reasons to limit the fundraiser to only 5 days. The Hydra crew didn’t have investors, stock, or time pressure. Also, they fixed the closing date of the ICO in advance; they didn’t close it because the tokens sold out. It is a very suspicious scenario.

Figure (Hydra5): Users can check how many tokens they have in the balance section, where they can also check how many bitcoins they possess in the market wallet. Currently there are no options to buy tokens. As the reader can see, we have neither bitcoin nor tokens.

The next thing is the закладка (drug cache) organization. Hydra claims that it wants to introduce this system, which works very well in the CIS area, to Europe and the rest of the world in order to revolutionize the safety of package delivery from DNMs. But if vendors from Hydra don’t have their own couriers in a city, they would need to use Hydra’s resources. Simultaneously launching drug cache systems in every major city in every European country is impossible for an illegal organization. It would be doable if they planned on gradually introducing this system into European cities over a longer period of time. But there is no information about the order of implementation of закладка in Europe. We don’t know in which countries and cities they will be available first. Universal availability of закладка from the beginning is certainly impossible.

In June 2020, the Hydra crew quietly added a short sentence to their investors section, bypassing their news section. It said that they have postponed starting new projects due to the COVID pandemic, without providing a new date. Nor did they share any proof that they did anything to develop the new darknet and DNM. Perhaps this is the first omen heralding that this is indeed a scam?

Figure (Hydra6): Ending part of the ICO announcement from the Hydra website. The underlined sentences were added in June 2020. They mean: “Attention: due to the pandemic, the Eternos start is postponed indefinitely.”

Eternos and AspaNET should be launched in October 2020. Will Eternos become the market that makes DNMs great again? Will AspaNET become an alternative to TOR among cybercriminals? Or is this just a big scam in which only fraudsters were cheated? Or will it be just a big scam attempt, because almost nobody bought tokens during the ICO? We will see. In any case it is certainly worth continued observation.

Dark Web Monitoring

Dark web marketplaces are online marketplaces where people can buy and sell illicit goods and services under the protection of the anonymity of the dark web. The goods and services on offer range from leaked credit card details, exploit kits and hackers for hire, to advertisements for hitmen services.

Because of the range of goods and services found for sale, as well as the conversations that occur around these sales, dark web marketplaces can be immensely valuable sources of data on criminal activity. As such, they are normally under intense scrutiny from law enforcement and security professionals alike.

5 Dark Web Marketplaces
People have been organizing illicit trades via the internet since the 1970s. Those early examples though were through closed networks and the actual exchanges of money and goods generally had to take place in person. With the advent of crypto-currencies, it became not only possible to complete trades online without leaving a money trail, but easy. As such, the trading of illegal goods online has become more commonplace and vast dark web marketplaces have been created.

The very first of these marketplaces to pair the darknet with Bitcoin was the Silk Road. Silk Road was created by Ross Ulbricht in February 2011. Over the next two years, the Silk Road set the standard for darknet marketplaces. By the time it was shut down in October 2013, and Ross Ulbricht arrested, the site had traded an estimated $183 million worth of goods and services.

ToRReZ Market is a wallet-less market, which means you only send funds when making an order. The market currently supports four cryptocurrencies: Bitcoin, Monero, Litecoin, and Zcash. Both physical goods such as drugs, and digital goods such as software and credit cards, are sold on ToRReZ Market.

Tor2door is a darknet marketplace that launched in June 2020. The market is built from scratch and has a unique design. Tor2door claims that security and usability are its main priorities. This market is one of the easiest to use and is very simple for inexperienced dark-net users.

Hydra is the largest marketplace in the darknet and most popular darknet marketplace in the Russian-speaking sphere. According to the Project news outlet, it is responsible for 64.7 billion rubles ($1 billion) in sales through its 5,000 shops between 2016 and 2019. Although a wide range of illicit goods and services are sold, the site also has a few rules, which are perhaps one of the reasons for its longevity and success. These rules include no fentanyl, no weapons, no sale of hitmen services, viruses, or porn.

Established in 2019, Versus quickly gained a reputation for a user-friendly UI and intuitive search options. It has gained a lot of users and become a popular marketplace due to its focus on security. Buyers can purchase a range of digital goods and services which include illicit drugs, software and malware, and services related to fraud. The marketplace has over 8,400 listings and 500 vendors who communicate in English and accept Bitcoin for transactions.

White House Market is a dark web marketplace that enforces the use of PGP (Pretty Good Privacy) encryption to just browse the site. The site goes into detail about its security on the About page and explains that it does not store Monero private keys on their servers, which can ease the mind of its users. Although White House Market is a smaller marketplace than the others on this list, it is possible that its ultra-security features and simple, easy-to-use UI will quickly attract more vendors.

Other markets include Icarus Market, Dark0de Reborn, Canada HQ, Monopoly Market, and more.

How to Keep Track of Evolving Darknet Marketplaces
There are various active dark web marketplaces. According to Webhose, one of our data providers, there are approximately 20 active leading dark web marketplaces and there are dozens of smaller additional marketplaces.

Gaining access and monitoring these darknet marketplaces comes with a unique set of challenges. Firstly, they generally have short lifespans. This could be for a variety of reasons, for example, law enforcement might close them down, or perhaps to help avoid this fate they frequently change their domain address. It could even be because the admin implemented an exit scam, which is what happened with Empire Market, where the admin team is estimated to have made off with some $30 million worth of Bitcoin in August 2020.

Because of this short lifespan, security professionals need to constantly be on the lookout for the next big marketplace. However, because of the illicit nature of the dark web, many websites don’t want to be found, and as such there is no easy way to navigate the dark web. Each website can be thought of as an independent silo. Darknet websites rarely, if ever, link to one another. To find the forums and marketplaces where the important and relevant information is, you will need to know what you’re looking for and how to look for it.

Finally, once the relevant sites have been located and access gained, there is still the serious challenge of monitoring the dark web site to effectively gather usable intelligence. Doing this manually requires vast amounts of resources; however, you also can’t simply scrape the website, as such activity can quickly get you banned from a site.

This is where Open Source Intelligence (OSINT) tools like Signal come in.

The Role of OSINT tools when Monitoring the Dark Web
OSINT tools allow security professionals to effectively and efficiently monitor the surface, deep, and dark web. Using Signal you can create targeted searches with Boolean logic, and then run the results through intelligent filters powered by our advanced AI. This process can be automated with real-time SMS and email alerting.

This reduces the need for skilled professionals to spend all their time manually monitoring the entirety of the web and assessing the associated risks. Additionally, it reduces the inherent risk of accessing criminal forums and marketplaces. Instead, security professionals get hyper-relevant alerts that can quickly be assessed and acted on without ever actually having to go onto the dark web or painstakingly gaining access to marketplaces.

This approach is vastly more time-efficient and allows you to put your web monitoring on auto-pilot, reducing costs while simultaneously increasing efficacy. As cyber-criminals embrace new technologies it’s becoming increasingly necessary for security professionals to do the same in order to stay ahead.

Increase the scope of your monitoring ability and the overall amount of hyper-relevant intelligence at your fingertips. Gather actionable intel in real time.

Fifty love letters sent from Leonard Cohen to Marianne sell for £700K

Love letters from Leonard Cohen to the woman who inspired his song So Long, Marianne have sold for £700,000 – five times their estimate.

The archive of 50 letters from the singer-songwriter to Marianne Ihlen chronicles their 1960s love affair and the blossoming of Cohen’s career from struggling poet to famous musician.

The collection was sold by Miss Ihlen’s family in an online auction by Christie’s.

Miss Ihlen died of leukaemia in Oslo in July 2016, aged 81. Cohen (pictured), who was also suffering from leukaemia, died in Los Angeles after a fall that November, aged 82.


One letter from 1960, in which Cohen wrote about being ‘alone with the vast dictionaries of language’, was bought for £45,000 having been predicted to fetch just £8,000. Another, from 1964, in which Cohen states ‘I am famous and empty’, went for just under £30,000.

Cohen, pictured, and Norwegian-born Miss Ihlen met on the Greek island of Hydra in 1960 and she became his muse, inspiring songs such as Bird on a Wire, Hey That’s No Way to Say Goodbye, and 1967’s So Long, Marianne.

The pair split in the late 1960s but remained friends.

Miss Ihlen died of leukaemia in Oslo in July 2016, aged 81. Cohen, who was also suffering from leukaemia, died in Los Angeles after a fall that November, aged 82.