
Hydra Admins Doxed Maybe, Spotlighting Billions Minted from Bath Salts Trade

A scorned cyber-extortionist claims to have doxed personally identifying information for two alleged operators of Hydra, Russia’s largest darknet market (DNM), according to Russian media reports. Founded in 2015, Hydra is also the longest-operating DNM in existence.

Since inception, Hydra has processed some $3.4 billion in illicit DNM transactions denominated in cryptocurrency. These black-market crypto transactions span drugs, counterfeit banknotes, hacking services, counterfeit documents, and other contraband, according to cyber-fraud intelligence firm Gemini Advisory. Hydra has registered over 2.5 million members to date.

In their 2021 ‘Crypto Crime Report’, Chainalysis writes: “Hydra is a big driver of Eastern Europe’s unique crypto crime landscape. Eastern Europe has one of the highest rates of cryptocurrency transaction volume associated with criminal activity and, thanks to Hydra, is the only region with a criminal service as one of the top ten entities sending cryptocurrency value to the region.”

Hydra also reportedly has strong ties to major Russian organized crime, according to a Russian national and informant for the Federal Bureau of Investigation, who requested anonymity.

The source said that the now-defunct World Exchange Services (WEX) crypto exchange, the Singapore-based resurrection of Russian crypto-laundromat BTC-e, “was created to be able to return money to the drug mafia” that controls Hydra.

According to Andrei Barysevich, the chief executive of Gemini Advisory, which retraced the doxer’s investigation in a blog post, “Hydra has overtaken the Russian market of illicit drugs, becoming the dominant player in Eastern Europe.”

In a post they authored on the hydra.expert domain, the DNM doxer said they obtained identifying information about the DNM admins after conducting a distributed denial of service (DDoS) attack on the Hydra website.

The doxer said he initially attempted to extort money from the dark-web admins in exchange for not outing them to the public. The alleged Ukrainian admins, Bogdan Koliensniev and Alexander Dyriavin, reportedly did not pay the ransom, which led the extortionist to out them online.

This doxing campaign has become the talk of the Russian cyber-underworld, with the post recirculating on various dark web and Telegram channels.

Findings

Alleged Hydra admins Bogdan Koliensniev (top) and Alexander Dyriavin (bottom), source: Hydra.expert

The attacker said the DDoS exposed JavaScript code installed on Hydra, which contained email contact information that linked back to a forum admin using the handle “Askold Monarkhov,” according to Gemini’s blog post.

Leveraging open-source intelligence (OSINT), the doxer investigated further and identified Ukrainian citizens Koliensniev and Dyriavin as Hydra’s admins. Gemini retraced the doxer’s OSINT investigation and found the following:

  • A search for the email address cited by the doxer led to the GitHub page of “ASKOLDEX,” which also displays the name of Bogdan Kolesnev as an event bug fixer

  • A search for ASKOLDEX reveals a YouTube page that has video tutorials on creating Telegram bots and the management of QIWI panels, as well as other videos

  • Additional searches revealed a VK social media page for Askold Monarkhov

  • A Whois record search for the email indicated that it was used to register the domain name monarkhov[.]pro. The registrant’s name is listed as Bogdan Koliesniev

  • A search for Alexander Dyriavin revealed a profile for an individual with the same name on GitHub. This GitHub profile page also indicated that Dyriavin worked with ASKOLDEX

Response

In an email to news outlet Afisha Daily from a user purporting to be Kolesnev, the alleged DNM admin denied being involved with Hydra and said that the real admins had merely appropriated his GitHub code.

“They began to use my designs on order for purposes that were not reported to me. But even so, there my developments were used not in Hydra, but in some other projects, to which I have no relation,” said Kolesnev.

Dyriavin also denied any involvement in Hydra. The alleged Hydra operator told Afisha Daily: “The data indicated in the article is taken from open sources. The fact that my registration is on some of the GitHub servers only proves that I am a developer, but not my involvement in the development of the drug trade portal. If you get access to the server that is listed in the article, then my words can be checked. I have nothing more to add.”

Assessment

Citing “significant evidence pointing to this individual related to shared infrastructure and linked contact information,” Gemini assessed with medium confidence that Koliesniev helped build Hydra market.

However, Gemini is less certain about Dyriavin, issuing a low-confidence assessment that the Ukrainian national was involved with the DNM. Regardless, Gemini still cautioned that Dyriavin “may be involved with Hydra, although likely at a lower level with indirect contributions to their operations.”

Ex-Russian cybercriminal Pavel Vrublevsky, who has recently devoted himself to the cause of combating transaction laundering in the Russian banking system, said chatter he has heard from Russia’s hacker community suggests the Hydra allegations are true.

Significance

The potential revelation of Hydra’s administrators is significant because this DNM is emblematic of a paradigm shift in the Eurasian narco-underworld. Before Hydra, the region’s dark-web synthetic drug distributors were merely middlemen, importing and exporting drugs via now-shuttered markets like AlphaBay, Hansa, and RAMP.

But with Hydra rendering RAMP obsolete and monopolizing Russia’s dark web, DNM vendors in the country who deal in synthetics have vertically integrated with local manufacturers, according to a 2019 Lenta.ru investigation. Lenta identified Hydra’s competitive edge as a “precursor procurement system built over the years, a network of laboratories and professional chemists.”

According to Lenta, one unusually popular drug in Russia is mephedrone, or bath salts. In the U.S., recreational bath salts use has been linked to unprovoked acts of drug-induced violence. Psychiatric researchers also say that ingesting the drug can cause acute psychotic episodes.

A Hydra Market posting for Pokemon Go-branded bath salts, source: Hydra

Despite this, Hydra put RAMP out of business by cornering the market for bath salts and ‘spice’ (synthetic marijuana) in small provincial cities, where their lower pricing made these drugs more accessible to young recreational consumers.

Meanwhile, Hydra-affiliated drug producers, like virtually all major drug trafficking organizations in the world, source their precursors from China, the traditional epicenter of the clandestine chemical trade, according to Lenta.

The Lenta investigation highlights drug and chemical-shipping routes that entail freight flights from Beijing and postal consignments from Hong Kong. These drugs are being increasingly smuggled into Russia “in containers under the guise of fertilizers, insect repellents, household and industrial chemicals.”

The Golden Triangle

Meanwhile, officials from the United Nations Office on Drugs and Crime (UNODC) said last month that the production of precursor chemicals like ephedrine and pseudoephedrine, which are used in the manufacture of methamphetamine, is increasingly migrating to Myanmar.

Myanmar forms the heart of the Golden Triangle, the lawless, militia-ruled region made famous by the opium trade. Over the last decade, meth and other synthetic drugs have become the primary cash crops there, as international drug trafficking syndicates like the Sam Gor have come to dominate the regional Asia-Pacific drug trade.

The Sam Gor has reportedly domiciled the bulk of its manufacturing operations in Myanmar’s Shan State, which is controlled by the Wa National Army militia group, according to the UNODC. The syndicate controls 40% to 70% of the APAC region’s $70+ billion wholesale meth market alone, according to the UNODC.

Still, one Western intelligence source based in Southeast Asia disputes the prevailing UNODC narrative that the Sam Gor is the hegemon, monopolizing the trade by paying Wa Army soldiers to protect their operation.

“The Sam Gor is one of the many actors in the Golden Triangle. Not likely close to the largest as the Wa Groups are the biggest. Remember, the UNODC only talks with governments – and in English. So they get the narrative these groups present,” said the source.

Regardless, a week after the unlikely arrest of Tse Chi Lop, the alleged leader of the Sam Gor syndicate, in Amsterdam last month, the Myanmar military overthrew the recently re-elected government. It’s unclear what the coup means for regional synthetic drug and precursor production trends.

Tse Chi Lop mobbin’ somewhere in Southeast Asia, source: HK.appledaily.com

In addition to allegedly bribing the former, now-imprisoned president of Interpol, Meng Hongwei, according to a former Royal Canadian Mounted Police organized crime investigator, Tse was also named as a person of interest in a synthetic drug smuggling case in Poland. According to the Polish National Prosecutor’s office, this probe led back to Triad groups operating out of Macau.

Interpol did not confirm or deny that Tse and his alleged super syndicate had managed to corrupt the highest ranks of their organization.

Last year, DNMs recorded $1.7 billion in revenues, with most of the growth in dark-market activity attributable to Hydra, according to Chainalysis. At the same time, crypto-friendly casinos and gaming entities are flourishing in Myanmar’s Karen State, which straddles the border with Thailand.

These gambling establishments and the broader urban developments in which they reside are largely being developed and financed by figures linked to the Triads and other Asian organized crime groups, according to the United States Institute of Peace, a think tank. This raises significant concerns about illicit crypto-finance as a vehicle for money laundering.

The UNODC recently published a report on the threat of darknet crime in Southeast Asia that asserts that an increasing number of criminals in Southeast Asia are likely using the dark web to “engage in the full range of illicit activities available on the Darkweb. This includes the buying and selling of drugs, cybercrime toolkits, fake passports, fake currency,” and other contraband.

“Darkweb-related arrests in Southeast Asia have helped focus attention on how transnational organized crime groups and syndicates operate in the region. Illegal transactions are typically cross-border, emphasizing the need for international cooperation, interoperability, and a mutual understanding of the threat,” wrote UNODC researchers.

Back in Russia, Hydra seems to operate with similar impunity. “Despite the illicit nature of its business, Hydra launched a successful YouTube and VK ad campaign in 2017 and 2018. The videos were quickly banned, but Hydra’s content still reached over 33 million viewers,” noted Barysevich.