Hydra, the world's largest dark web marketplace, has been taken down by German law enforcement. It’s a significant coup for the authorities given that nature of business transacted on this website included narcotic sales, stolen data, illicit goods and services including cyberattack tools, forged documents and more.

The takedown operation started last year and included cooperation from American authorities. The investigation found that Hydra had 17 million customer accounts and more than 19,000 registered sellers, with a global turnover of $1.34 billion just in 2020.

Since Hydra launched its estimated the marketplace pulled in around $5 billion in Bitcoin. During the take down the authorities also seized approximately $25 million (€23 million) in illicit funds.
  • Hydra launched in 2015 selling drugs, hacked materials, forged documents and illegal digital services such as Bitcoin-mixing, which cyber-criminals use to launder stolen or extorted digital coins. The site was written in Russian, with sellers located in Russia, Ukraine, Belarus, Kazakhstan and surrounding countries.
  • Hydra specialised in same-day 'dead drop' services, where drug dealers (sellers) hide packages in public places before informing customers of the pick-up location.
The shutdown of Hydra began with a tip-off, believed to be from US cyber law enforcement, which pointed to the possibility that the website infrastructure might be hosted in Germany. The deeper the Germans dug the more they uncovered until they identified a so-called 'bullet-proof hosting' company in the country.

A bullet-proof hosting company is one that does not audit the websites or content it is hosting, and will host criminal websites and avoid police requests for information on customers.

Going down

The demise of Hydra follows a pattern over recent years in which dark web marketplaces trading in illicit goods and services have taken a fall.

Given their status as lynchpins of the dark web underground economy for cybercriminals and narcotics traders alike, international authorities have ramped up efforts to dismantle underground markets.
  • A recent win for authorities was the dismantling of the Joker’s Stash dark web marketplace in late 2020. It was a popular cybercriminal destination that specialized in trading in payment-card data, offering millions of stolen credit and debit cards to buyers. Anyone purchasing this information can create cloned cards to physically use at cash machines or at in-store machines that aren’t chip-enabled. Or they can simply use the information to buy things online.
  • Last year Europol announced the takedown of DarkMarket which served as a marketplace for cybercriminals to buy and sell drugs, counterfeit money, stolen or counterfeit credit card data, anonymous SIM cards and malware. According to Europol, DarkMarket had almost 500,000 users and more than 2,400 sellers at the time it was taken down.
“It’s bad for my health”

Some dark web marketplaces have also closed down voluntarily with criminals choosing to gradually bring their operations to a close and disappear with their riches.

In January of this year those behind the UniCC dark web marketplace, which sold stolen credit card details, retired, citing health reasons. It was probably getting a little too hot to continue operating.

Voluntary closures also ended the White House Market in October 2021.
  • The administrators posted a short ‘resignation’ letter on the website. It simply said White House Market had “reached our goal” and that “now, according to plan,” the site was shutting down. “Thanks everybody for your business, trust, support and of course for placing decent amounts of money in our pockets.”
Hardly a month later one of the biggest cannabis dark web markets Cannazon went offline for a week due to a DDoS attack. A week later it briefly came back online to announce its retirement.

Whack a dark web marketplace

ToRReZ Market quickly filled the gap that was left by White House Market. It operated like an Amazon and eBay-like market, allowing users to register on the site as buyers or sellers. The site, which claimed to have had more than 160,000 registered users, was primarily known for selling narcotics but also listed products such as malware, data dumps, counterfeiting, and other illegal services.

It's operators also decided to the take the money and run.
  • “After 675 days of presence on the darknet, we have decided to close our door for good,” the ToRReZ administrator, an individual known as MrBlonde, wrote in a message posted on the site’s homepage.
You might think these busts and voluntary closures signal the demise of dark web marketplaces trading in stolen data and illicit goods. Not at all. At the time of writing we know of at least 29 marketplaces and shops currently trading on the dark web in dubious goods and services.