02/19/2021
Gemini analysts have found a post by an anonymous author on the hydra[.]expert domain claiming to have uncovered the true identities of the individuals running Hydra, one of the largest Russian-language dark web marketplaces for drugs. While formerly part of Hydra’s infrastructure, hydra[.]expert now appears to be solely dedicated to identifying Hydra’s operators. Gemini has translated and analyzed the investigation pointing to the identities of Hydra’s alleged operators, although we have not confirmed the entirety of the evidence. The post circulated among multiple dark web channels, including an anonymous image forum and a Telegram channel. It has also reached Russian-language media.
Hydra
Hydra was founded in 2015, and gradually conquered the market for illegal goods. The platform has become one of the largest in the world and is the single largest platform for the sale of drugs in the Former Soviet Union (FSU). It serves as an intermediary between sellers and buyers; while it mainly focuses on the sale of drugs, it also has a section on counterfeit bank notes, hacking services, counterfeit documents, and other prohibited items. As of this writing, there are 2.5 million accounts registered on the platform and the number of accounts grows every month.
Operations
Blockchain analysis company Chainalysis examined the Bitcoin wallets associated with this market and estimated that over the lifetime of the shop, there were at least $3.4 billion worth of transactions. The Hydra market has also had $1,260,875 in transactions with three cryptocurrency exchanges. While only about $430,000 in direct exposure could be confirmed with one large international exchange, its indirect sending exposure was much larger – $1,875,000 USD. Such activities could indicate that the market’s operators were using legitimate exchanges to launder some of the illicit profits.
The Investigation
According to the post on hydra[.]expert, Bogdan Koliesniev (Kolesnev) and Alexander Dyriavin (Daryavin), both citizens of Ukraine, are responsible for Hydra’s operations. The post’s author claims to have conducted an analysis after a distributed denial-of-service (DDoS) attack hit Hydra, and purportedly uncovered JavaScript code installed on the marketplace. The author’s investigation included the following key points, only some of which Gemini has confirmed:
Blackmail
It is worth pointing out that this anonymous post began with the author claiming to have attempted to blackmail these individuals for monetary gain. According to the author, these individuals did not pay, so the author decided to reveal their identities. It is also worth noting that according to the Wayback Machine, in 2018 hydra[.]expert was a mirror domain of the Hydra market on the surface web; however, it remains unclear whether this was the official mirror of the actual Hydra market, which was primarily hosted on the dark web. Furthermore, according to Whois records, the domain hydra[.]expert was recently purchased, which could indicate that it was acquired for the sole purpose of posting this research.
It Wasn’t Me
On the same day as this post, on Telegra.ph, which is a Russian-language forum for anonymous posts, user “monarkhov” created a post claiming to be Bogdan Koliesniev (hxxps://telegra[.]ph/Kak-ya-stal-razrabotchikom-Gidry-bez-registracii-i-sms-02-19). The user monarkhov stated that the investigation’s findings were incorrect and that they have nothing to do with Hydra. User monarkhov claimed that they build the framework for making Telegram bots and create admin panels to control Qiwi wallets. Additionally, monarkhov claimed that much of their source code is publicly available on GitHub and that anyone could have used it. This purportedly explains why Hydra used infrastructure linked to Koliesniev, although it does not explain why Hydra specifically chose Koliesniev’s code.
Based on an analysis of the anonymous author’s investigation, Gemini Advisory assesses with moderate confidence that Bogdan Koliesniev is likely one of the perpetrators behind the Hydra dark market due to significant evidence pointing to this individual related to shared infrastructure and linked contact information. However, Gemini assesses with low confidence that Alexander Dyriavin may be involved with Hydra, although likely at a lower level with indirect contributions to their operations.
Gemini Advisory provides actionable fraud intelligence to the largest financial organizations in an effort to mitigate ever-growing cyber risks. Our proprietary software utilizes asymmetrical solutions in order to help identify and isolate assets targeted by fraudsters and online criminals in real-time.