Unleash the Kraken: the battle for the Russian-language darknet

CORPORATE NEWS: Flashpoint, the global leader in actionable intelligence, has released intelligence related to the battle for the Russian-language darknet.

On July 2, 2022, WayAWay, a former narco forum, resurfaced on the Russian-speaking dark web after a long period of inactivity. While a forum comeback isn’t usually newsworthy, WayAWay was co-administered with LegalRC – two forums that joined forces in 2015 to form what would become the largest darknet marketplace, Hydra.

Hydra’s market was shut down by German and US law enforcement on April 5, 2022, leading to competition for market share in the Russian underground – which is rapidly turning into a split between Russian and Ukrainian sites.

The disappearance of Hydra has led to seismic changes in the Russian-speaking underground, which have formed over the past four years. Thousands of vendors and customers who relied on Hydra for their cybercrime operations began congregating on the Russian-language forum RuTor.

This increased activity prompted competitors to target RuTor, leading it to enter into a partnership with the Omgomg marketplace. This partnership was made against WayAWay, which quickly teamed up with Kraken, a planned market that was announced as Hydra’s successor.

The rivalry between RuTor/Omgomg and WayAWay/Kraken mirrors the Russo-Ukrainian war, with RuTor/Omgomg seen as pro-Ukraine and WayAWay/Kraken seen as pro-Russia – demonstrating how geopolitical concerns have invaded a space once thought to be entirely motivated by money.

Context: The Russian-speaking underground
WayAWay and another narco forum, LegalRC, formed a partnership in 2015, and their cooperation led to the emergence of Hydra Market, which became the dominant darknet market and an emerging center for cryptocurrency laundering between 2017 and 2022, when it was dismantled by German and US law enforcement. According to statistics following the takedown, Hydra received US$5.2 billion ($7.3 billion) and accounted for 80% of darknet market-related cryptocurrency transactions during its operation.

Hydra was vertically integrated, meaning it offered multiple services, for example cryptocurrency mixing and withdrawal, as well as selling various goods and services. While RuTor is more of a forum than a marketplace, Hydra users quickly flocked to its platform to organize and strategize for the next moves after the takedown. It was on RuTor that the first major markets vying to take Hydra’s place began advertising almost immediately after the takedown.

Flashpoint initially assessed that other smaller marketplaces like Blacksprout, Omgomg, Mega, and Solaris would play a role in competing for Hydra’s market share with competition characterized by the liberal use of DDoS attacks, breaches, and black public relations. This happened with the first wave of DDoS attacks directed against Omgomg, which had previously become the new dominant market. Then threat actors associated with Solaris, a new platform where, unlike Hydra, all stores and vendors are directly associated with the marketplace, breached RuTor.

Along with this, the markets were busy accusing each other of dangerous security practices and association with law enforcement. In the midst of this conflict, RuTor has formed a close cooperation with the Omgomg marketplace and integrated the marketplace into the forum.

WayAWay, a forum originally associated with the now-defunct Hydra, went dormant in 2019, but resurfaced on July 2 under a new domain, ostensibly in an effort to challenge RuTor’s dominance.

In May, rumors had started surfacing on RuTor about a replacement market for Hydra called Kraken, which would be operated by its former admins.

WayAWay, as it was created in July, shows signs of association with Kraken and Hydra, including a logo and registration process similar to Hydra and an integrated cryptocurrency mixer, which was one of Hydra’s most popular features. In addition, the forum is only accessible from IP addresses in Russia.

On July 23, 2022, WayAWay was hacked. Threat actors associated with RuTor administrators posted screenshots of forum posts with comments, criticizing WayAWay’s data collection practices – alleging the forum puts users at risk – and sharing information suggesting that it was indeed the management of Hydra who set up the new platform.

Killnet and WayAWay
Writing on its Telegram channel, the pro-Kremlin cyber collective “Killnet” openly welcomed the breach of RuTor, which it described as a narco forum controlled by Ukraine’s Security Service (SBU). Although the forum is not openly pro-Ukrainian, several RuTor users had expressed support for Ukraine after the invasion. At the same time, Killnet repeatedly stated its support for WayAWay, indicating that it was likely opposed to RuTor not because of its narcotic aspect but because of its pro-Ukrainian leanings. An account apparently associated with Killnet was also recruiting new members for the collective on WayAWay.

RuTor administrators also mentioned the Russian-Ukrainian war. One of the admin comments on the WayAWay leaks compared the practices of that forum’s management – which apparently hired 40 admins with no clear responsibilities – to the hiring of interns at Starbucks, which, the commenter pointed out, is no longer present in Russia.

The fact that a politically motivated pro-Russian hacktivist group is siding with WayAWay and Kraken will likely fuel further speculation that former Hydra administrators are linked to Russian law enforcement. At the same time, some threat actors are likely to avoid RuTor and Omgomg because they are seen as pro-Ukraine, lest the market cooperate with Ukraine’s security services, which have stepped up cooperation with Western law enforcement in recent years.

Even if the arguments referring to an ideological split between Russia and Ukraine are only the cover of a rivalry mainly motivated by financial interests, the fact that these arguments are used confirms the deep splits in the Russian-speaking cybercriminal underground. In a space where, as recently as last year, transnational cooperation was not only commonplace but often a recipe for success, and where financial interests generally trumped political views, mutually hostile ecosystems seem to be emerging and some links may have been broken beyond repair.

Sylvester L. Goldfarb