Lead Machine Pink 160x1200

Lead Machine Pink 160x1200

iTWire TV 705x108notfunny

Friday, 12 August 2022 11:58

Release the kraken: The battle for the Russian-language darknet

By Flashpoint

COMPANY NEWS: Flashpoint, the globally trusted leader in actionable intelligence, has released intelligence related to the battle for the Russian-language darknet.

In 2 July 2022, WayAWay, a defunct narco forum, resurfaced on the Russian-language dark web after a long period of dormancy. While the return of a forum is not usually newsworthy, WayAWay was co-administered with LegalRC – two forums that partnered in 2015 to form what would become the largest darknet marketplace, Hydra.

Hydra marketplace was shut down by German and US law enforcement on 5 April 2022, leading to a competition for market share in the Russian language underground – which is quickly developing into a split between Russian and Ukrainian venues.

Hydra’s demise resulted in seismic shifts in the Russian-language underground, which have been forming for the past four years. Thousands of vendors and customers that relied on Hydra for cybercrime operations began congregating on the Russian-language forum RuTor.

This increased activity invited competitors to target RuTor, causing it to strike a partnership with marketplace Omgomg. This partnership was struck in opposition to WayAWay, which quickly associated itself with Kraken, a planned marketplace that has been advertised as Hydra’s successor.

The rivalry between RuTor/Omgomg and WayAWay/Kraken mirrors the Russia-Ukraine war, with RuTor/Omgomg viewed as pro-Ukraine and WayAWay/Kraken viewed as pro-Russia—demonstrating how geopolitical concerns have invaded a space formerly viewed as entirely financially motivated.

Background: The Russian-language underground
WayAWay and another narco forum, LegalRC, formed a partnership in 2015 and their cooperation led to the emergence of Hydra Market, which grew to be the dominant darknet market and an emerging cryptocurrency laundering hub between 2017 and 2022 when it was taken down by German and US law enforcement. According to statistics following the takedown, Hydra received US$5.2 billion ($7.3 billion) and accounted for 80% of darknet market related cryptocurrency transactions during its operation.

Hydra was vertically integrated, meaning that it offered multiple services for example, cryptocurrency mixing and cashout, as well as the sale of various goods and services. While RuTor is more of a forum than marketplace, Hydra’s users quickly flocked to its platform to organise and strategise next movements following the takedown. It was on RuTor where the first major marketplaces vying to take the place of Hydra started advertising almost immediately following the takedown.

Flashpoint initially assessed that other smaller marketplaces like Blacksprout, Omgomg, Mega, and Solaris would play a role in competing for Hydra’s market share with the competition characterised by the liberal use of DDoS attacks, breaches, and black PR. This came to pass, with the first wave of DDoS attacks directed at Omgomg, which had previously emerged as the dominant new marketplace. Then threat actors associated with Solaris, a new platform where unlike Hydra, all shops and vendors are directly associated with the marketplace, breached RuTor.

Along with this, marketplaces were busy accusing each other of unsafe security practices and association with law enforcement. Amid this conflict, RuTor formed a close cooperation with the marketplace Omgomg and integrated the marketplace into the forum.

WayAWay, a forum originally associated with the now-defunct Hydra, went dormant in 2019, but resurfaced on 2 July under a new domain, apparently in an attempt to challenge the dominance of RuTor.

In May, rumours had started to surface on RuTor about a replacement marketplace to Hydra called Kraken, which would be operated by its former administrators.

WayAWay, as it was set up in July, shows signs of association with both Kraken and Hydra, including a similar logo and registration process as Hydra and a built-in cryptocurrency mixer, which was one of the most popular features of Hydra. Additionally, the forum is only accessible from IP addresses inside Russia.

On 23 July 2022, WayAWay was breached. Threat actors associated with RuTor’s administrators posted screenshots of messages from the forum with commentary, criticising WayAWay’s data collection practices—alleging that the forum is putting users at risk—and sharing information suggesting that it was indeed Hydra’s management that set up the new platform.

Killnet and WayAWay
Writing on its Telegram channel, the pro-Kremlin cyber collective ‘Killnet’ openly rejoiced at the breach of RuTor, which they described as a narco forum controlled by the Ukrainian Security Service (SBU). While the forum is not overtly pro-Ukrainian, several users of RuTor had expressed support for Ukraine after the invasion. At the same time, Killnet has repeatedly declared support for WayAWay, indicating that it was probably opposed to RuTor not by its narcotics aspect as by its pro-Ukrainian leanings. An account seemingly associated with Killnet was also recruiting new members for the collective on WayAWay.

RuTor’s admins have also mentioned the Russia-Ukraine war. One of the admin’s comments on the WayAWay leaks compared the practices of that forum’s management—which apparently hired 40 administrators with no clear responsibilities—to hiring interns at Starbucks, which, the commenter pointed out, is not present in Russia anymore.

The fact that a politically motivated, pro-Russian hacktivist group is taking the side of WayAWay and Kraken will likely fuel further speculation that the former Hydra administrators are linked to Russian law enforcement. In parallel, some threat actors will likely avoid RuTor and Omgomg because it is seen as pro-Ukraine, for fear of the marketplace cooperating with the Ukrainian security services—which have strengthened their cooperation with Western law enforcement in recent years.

Even if the arguments referencing an ideological Russian and Ukrainian split is only a cover for a rivalry that is driven primarily by financial interests, the fact that these arguments are used at all confirms the deep splits in the Russian-speaking cybercriminal underground. In a space where, as recently as last year, transnational cooperation was not only commonplace but often the recipe for success, and where financial interests usually trumped political view, mutually hostile ecosystems seem to be emerging and some links may have been severed beyond repair.

Read 1268 times

Please join our community here and become a VIP.

Subscribe to ITWIRE UPDATE Newsletter here
JOIN our iTWireTV our YouTube Community here


Thoughtworks presents XConf Australia, back in-person in three cities, bringing together people who care deeply about software and its impact on the world.

In its fifth year, XConf is our annual technology event created by technologists for technologists.

Participate in a robust agenda of talks as local thought leaders and Thoughtworks technologists share first-hand experiences and exchange new ways to empower teams, deliver quality software and drive innovation for responsible tech.

Explore how at Thoughtworks, we are making tech better, together.

Tickets are now available and all proceeds will be donated to Indigitek, a not-for-profit organisation that aims to create technology employment pathways for First Nations Peoples.

Click the button below to register and get your ticket for the Melbourne, Sydney or Brisbane event



It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site itwire.com and prominent Newsletter promotion https://itwire.com/itwire-update.html and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV https://www.youtube.com/c/iTWireTV/videos which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinars and campaigns and assistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.


Share News tips for the iTWire Journalists? Your tip will be anonymous



Guest Opinion

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News