Unleash the Kraken: The Battle for the Russian-Language Darknet

On July 2, 2022, WayAWay, a former narco forum, resurfaced on the Russian-speaking dark web after a long dormant period. While a forum comeback isn’t usually big news, WayAWay was co-administered with LegalRC. These two forums combined in 2015 to form what would become the largest darknet market, Hydra. The market was shut down by German and US law enforcement on April 5, 2022, leading to competition for market share in the Russian-speaking underground, which is quickly turning into a split between Russian and Ukrainian sites.

The disappearance of Hydra predictably led to seismic changes in the Russian-language underground that had taken shape over the past few years. Thousands of vendors and customers who relied on Hydra for their cybercrime operations found themselves on the Russian-language forum RuTor.

The increased activity prompted competitors to target RuTor, leading it to enter into a partnership with the OMGOMG marketplace. This partnership put it in direct opposition to WayAWay, which quickly teamed up with Kraken, a planned market that was announced as Hydra’s successor.

The rivalry between RuTor/OMGOMG and WayAWay/Kraken mirrors the Russo-Ukrainian war, with RuTor/OMGOMG seen as pro-Ukraine and WayAWay/Kraken seen as pro-Russia, demonstrating how geopolitical concerns have invaded a space once seen as entirely motivated by financial considerations.

Context: the Russian-language underground

WayAWay and another narco forum, LegalRC, formed a partnership in 2015, and their cooperation led to the emergence of Hydra Market, which became the dominant darknet market and a growing center for cryptocurrency laundering between 2017 and 2022, when it was dismantled by German and US law enforcement. According to statistics following the takedown, Hydra received US$5.2 billion and accounted for 80% of darknet market-related cryptocurrency transactions during its operation.

Hydra was vertically integrated, meaning it offered multiple services, like cryptocurrency mixing and withdrawal, as well as selling various goods and services. Flashpoint and Chainalysis documented this rise in a white paper in 2021.

While RuTor is more of a forum than a marketplace, Hydra users quickly flocked to its platform to organize and strategize their next moves. It was on RuTor that the first major markets vying to take Hydra’s place began advertising almost immediately after the takedown.

Flashpoint initially assessed that other smaller marketplaces, such as Blacksprout, OMGOMG, Mega, and Solaris, would play a role in competing for Hydra’s market share and that this competition would be characterized by the liberal use of distributed denial-of-service (DDoS) attacks, breaches, and black PR. This is indeed what happened: the first wave of DDoS attacks was directed, in June, against OMGOMG, which had by then become the new dominant market. Next, threat actors associated with Solaris, a new platform where, unlike Hydra, all stores and vendors are directly associated with the marketplace, breached RuTor.

Along with this, the markets were busy accusing each other of dangerous security practices and association with law enforcement. In the midst of this conflict, RuTor formed a close cooperation with the OMGOMG market and integrated the market into the forum.

Image: RuTor activity over the past year. Hydra’s business, which mainly served the former Soviet Union, began to decline in February following the invasion of Ukraine. RuTor experienced a massive increase in activity after the takedown of Hydra on April 5, 2022. Beginning in June, distributed denial-of-service attacks were actively carried out against RuTor domains, limiting overall activity on the forum.

WayAWay, a forum originally associated with the now-defunct Hydra, went dormant in 2019, but resurfaced on July 2 under a new domain, ostensibly in an effort to challenge RuTor’s dominance.

In May, rumors had started to surface on RuTor about a replacement market for Hydra called Kraken, which would be operated by its former administrators.

Image: Rumors about Kraken have started to sprout on file-sharing sites like Turbo.

WayAWay, as relaunched in July, shows signs of association with Kraken and Hydra, including a logo and registration process similar to Hydra’s and an integrated cryptocurrency mixer, which was one of Hydra’s most popular features. In addition, the forum is only accessible from IP addresses in Russia.

Image: The WayAWay homepage with the Kraken logo in the top left corner. The Kraken logo is likely meant to mimic the Hydra logo.

On July 23, 2022, WayAWay was hacked. Threat actors associated with RuTor administrators posted screenshots of forum posts with comments criticizing WayAWay’s data collection practices – alleging the forum puts users at risk – and sharing information suggesting that it was indeed the management of Hydra who set up the new platform.

Killnet and WayAWay

Writing on its Telegram channel, the pro-Kremlin cyber collective “Killnet” openly welcomed the breach of RuTor, which it described as a narco forum controlled by Ukraine’s Security Service (SBU). Although the forum is not openly pro-Ukrainian, several RuTor users had expressed support for Ukraine after the invasion. At the same time, Killnet repeatedly stated its support for WayAWay, indicating that it was likely opposed to RuTor not because of its narcotics focus but because of its pro-Ukrainian leanings. An account apparently associated with Killnet was also recruiting new members for the collective on WayAWay.

RuTor administrators also mentioned the Russian-Ukrainian war. One of the admin comments on the leaked WayAWay posts compared the practices of that forum’s management – which apparently hired 40 admins with no clear responsibilities – to the hiring of interns at Starbucks, which, the commenter pointed out, is no longer present in Russia.

The fact that a politically motivated pro-Russian hacktivist group is siding with WayAWay and Kraken will likely fuel further speculation that former Hydra administrators are linked to Russian law enforcement. At the same time, some threat actors are likely to avoid RuTor and OMGOMG because they are seen as pro-Ukraine, for fear that the market will cooperate with Ukraine’s security services, which have increased their cooperation with Western law enforcement in recent years.

Even if the arguments referring to an ideological split between Russia and Ukraine are only a cover for a rivalry mainly motivated by financial interests, the fact that these arguments are used at all confirms the deep splits in the Russian-speaking cybercriminal underground. In a space where, as recently as last year, transnational cooperation was not only common but often the recipe for success, and where financial interests generally trumped political views, parallel and mutually hostile ecosystems now seem to be emerging, and some links may have been broken beyond repair.

Sylvester L. Goldfarb