
Illustration by Security Management; iStock

Germany Seizes Hydra Market Servers and $25 Million in Bitcoin

German federal police seized server infrastructure and 543 bitcoins—worth more than $25 million—in a widespread operation Tuesday targeting the Dark Web market Hydra, which trafficked in illegal narcotics, data, forged documents, and digital services including money laundering.

According to a news release from Germany’s Bundeskriminalamt (BKA), the illegal marketplace was a Russian-language platform operating since at least 2015. Approximately 17 million customer accounts and 19,000 seller accounts were registered on the marketplace. Hydra Market’s sales in 2020 alone amounted to at least €1.23 billion ($1.34 billion). In 2021, Hydra accounted for around 80 percent of all darknet market-related cryptocurrency transactions. The platform’s “Bitcoin Bank Mixer” service obfuscated digital transactions and made cryptocurrency investigations difficult for law enforcement agencies. Hydra’s operators charged a commission for every transaction conducted on the marketplace.

The BKA coordinated the seizure with U.S. law enforcement partners in an investigation that dates back to August 2021. The Hydra marketplace enabled vendors to openly advertise illegal drugs such as cocaine, methamphetamine, LSD, heroin, and opioids. Vendors typically included photographs and descriptions of the controlled substances, and buyers could rate and review the sellers and their products.

Buyers could also search for false identification documents and filter or sort by the type of item or its price. According to a news release from the U.S. Internal Revenue Service (IRS), “many vendors of false information documents offered to customize the documents based on photographs or other information provided by the buyers.”

Hydra was also used to market and sell hacking tools or services.

“Hacking vendors commonly offered to illegally access online accounts of the buyer’s choosing,” the IRS noted. “In this way, buyers could select their victims and hire professional hackers to gain access to the victims’ communications and take over the victims’ accounts.”

The U.S. Department of Justice announced criminal charges against Dmitry Olegovich Pavlov, 30, a Russian resident, for conspiracy to distribute narcotics and conspiracy to commit money laundering in connection with his alleged operation and administration of the servers used to run the market. The U.S. Treasury Department also sanctioned Hydra and the Moscow-based cryptocurrency exchange Garantex.

“The Hydra darknet site provided a platform for criminals who thought they were beyond the reaches of law enforcement to buy and sell illegal drugs and services,” said Chief Jim Lee of the IRS-Criminal Investigation, in the press release. “Our Cyber Crimes Unit once again used their cryptocurrency tracking expertise to help take down this site and identify the criminal behind it. Denying criminals a space to operate freely to conduct their nefarious activities is the first step in stopping this activity from happening altogether.”

Russian-language cybercrime has been under a spotlight recently, according to CyberScoop. In March, the FBI indicted a 23-year-old Russian for allegedly running a stolen data marketplace, and Russian authorities conducted a sting operation against the REvil gang in January.

Chris Olson, CEO of digital safety platform The Media Trust, said in a statement shared with Security Management that the shutdown of Hydra is a small win for cybersecurity. 

“Attackers who target consumers for credit card details and other personally identifiable information (PII) can’t use it directly without risking discovery and arrest; therefore, they sell this information on darknet markets instead. Without them, the incidence of cybercrime would undoubtedly decrease.

“Unfortunately, Hydra represents a minuscule drop in the bucket of global cybercrime, which will cost organizations (and therefore consumers) about $10.5 trillion per year by 2025,” Olson continued. “Cyber actors have perfected the pipeline from Web and mobile-based phishing attacks to darknet markets which we will not name, and new ones are opening all the time. In truth, if past precedent is anything to go by, Hydra operators will likely take their digital assets and resurface in the near future under new identities and domains.”