Leonid Bershidsky

Dark Markets Can Be a Geopolitical Force Multiplier

Germany’s biggest tabloid, Bild, has reported a major hacking attack from Russia on the German banking system, naming “the state Russian hackers from the ‘Fancy Lazarus’ group” as the culprits. If the attack really took place — there is no official confirmation so far — it will, as usual, be hard to pin definitively on Russian state actors, even if cybersecurity experts blame them. The group of cyber-extortionists known as “Fancy Lazarus” could just as easily be linked to China, North Korea or no government at all.

Because of this deniability, US President Joe Biden had to tread carefully when trying to draw “red lines” for Russian President Vladimir Putin at a summit last month: He couldn’t directly tell Putin to put an end to cyberattacks. Instead, he spoke of not providing refuge to cybercriminals — a line of discussion Putin tried to deflect by saying Russia would consider handing over cybercriminals to the US, but on a reciprocal basis. That’s a non-starter as a comprehensive system — only specific exchanges could theoretically be arranged.

The deniability of Russian state involvement in cyberattacks is, on the one hand, stronger than that of its depredations in Ukraine, for example. On the other hand, it seems threadbare to anyone who knows anything about an important Russian institution: a dark web marketplace called Hydra, which could be the biggest in the world and which couldn’t exist anywhere else. Apart from being a major drug intermediary, it has helped build up a network of money-laundering channels for hackers that are hard for non-Russians to use.

The average life span of a dark web marketplace, or dark market — an online shopping site on an encrypted and anonymized network such as Tor — was estimated in 2018 to be about eight months. They collapse under the weight of scams or fall victim to law enforcement action, sometimes prompted by competitors. It’s a jungle out there — and both customers and sellers are used to migrating to new venues. Older exceptions among dark markets are extremely rare.

Hydra is an exception to end all exceptions. It was started in 2015, had a turnover of some $9.4 million the following year, managed to grow it to $1.4 billion in 2020 and is still going strong. Those numbers come from a report by the cybersecurity risk intelligence firm Flashpoint and the cryptocurrency analytics firm Chainalysis, which also estimates that Hydra accounts for more than 75% of dark market revenue worldwide.

All of that turnover is in crypto. Chainalysis puts the share of Bitcoin flows from illegal activities at a small fraction of 1%, but, as the analytics firm wrote in its 2021 “Crypto Crime Report,” “the first thing that stands out is Russia’s receipt of a disproportionately large share of darknet market funds, which is mostly due to Hydra.” No wonder: In Moscow and other Russian cities, Hydra is the place to procure drugs, mostly distributed as “hidden treasures” by crews of young kladmen who can earn thousands of dollars a month hiding orders under park benches, burying them under trees, tacking them to the undersides of mailboxes.

An illicit market as big and as old as this is, of necessity, an entire ecosystem. It spawns a high demand for money-laundering services which can also be used to legalize proceeds from other kinds of cybercrime than the drug trade. Chainalysis and Flashpoint describe a major change that took place in Hydra’s money-handling practices in 2018. To be able to withdraw their money from Hydra, sellers must convert it into Russian rubles through a specific range of local providers. That hardly made sellers happy, and, according to the report, some drug sellers now prefer to settle in cash off Hydra, burying stashes of currency just like the drug “treasures.” But, according to the Flashpoint-Chainalysis report, the reliance on local services and rubles made money-laundering trails to Hydra “difficult, near impossible, to trace.”

This, of course, makes Hydra’s money infrastructure valuable to all kinds of local cybercriminals. Chainalysis’ “Crypto Crime Report” contains a case study of a Russian over-the-counter cryptocurrency broker that has received $265 million in cryptocurrency since becoming active in — perhaps coincidentally — 2018. A significant part of the money came from Hydra, but other streams flowed in from various ransomware strains and scams. The OTC broker also helped customers convert their illicitly gained Bitcoin into cash.

The US Department of Justice says it managed to recover part of the ransom paid to the hackers who paralyzed the Colonial Pipeline earlier this year — but by the time the Bitcoin was recovered, the ransomware creators already could have converted it to rubles using channels that have sprouted around Hydra, fed by its reliable volumes.

In any conversation about Hydra, its krysha, or protection, is the elephant in the room. Putin’s Russia is, increasingly, a police state that has concentrated massive power in the hands of law enforcement agencies. Legitimate businesses are regularly raided, seized or ruined by these agencies. Yet Hydra prospers as have few, if any, other dark markets. Its creators, who have eyed international expansion but appear to have given up on it, at least temporarily, clearly feel safe in Russia. Their exclusive reliance on ruble-based financial infrastructure is proof of that. To quote Flashpoint and Chainalysis,
“enforcement scrutiny and competitor chicanery have so far eluded Hydra. This may be a mere coincidence, or it could indicate that Hydra is more resilient to oscillating geopolitics and law enforcement efforts. The longer Hydra operates without major disruption, the more realistic the latter option becomes, with regional financially incentivized stakeholders the only plausible explanation.”

That’s a cautious way of alleging that Hydra has powerful protectors at the very top of the Russian establishment. Russia has repeatedly denied any official connection with cyberattacks. Yet as Flashpoint and Chainalysis note, the scale of the Hydra phenomenon would be unlikely without some kind of semi-official sanction.

Russia has few internationally competitive tech companies but lots of engineering talent, including the adventurous kind. A unique amalgam of corruption, cutting edge expertise and a geopolitical stance that makes any attack on Western institutions useful on some level to the government makes Russia a major player in the cybercrime space. Second only to Ukraine in cryptocurrency adoption, Russia is building a tech competence no other country appears to have the chutzpah to develop.

Can Putin do anything about this? That’s likely not the right question to ask. So far, he has no real incentive to attempt a crackdown, especially if the illicit business were to be transparent to someone he knows and trusts and thus open to rendering services to the state when required. The threat of retaliatory action from the US isn’t compelling enough: As things stand, Putin can let the likes of Hydra worry about that prospect. And if they are crushed, others can take their place. The dark web is nothing if not resilient.

Bloomberg