On 2 July 2022, WayAWay, a defunct narco forum, resurfaced on the Russian-language dark web after a long period of dormancy. While the return of a forum is not usually newsworthy, WayAWay was co-administered with LegalRC – two forums that partnered in 2015 to form what would become the largest darknet marketplace, Hydra.
Hydra marketplace was shut down by German and US law enforcement on 5 April 2022, leading to a competition for market share in the Russian-language underground – which is quickly developing into a split between Russian and Ukrainian venues.
Hydra’s demise resulted in seismic shifts in the Russian-language underground, which have been forming for the past four years. Thousands of vendors and customers that relied on Hydra for cybercrime operations began congregating on the Russian-language forum RuTor.
This increased activity invited competitors to target RuTor, causing it to strike a partnership with marketplace Omgomg. This partnership was struck in opposition to WayAWay, which quickly associated itself with Kraken, a planned marketplace that has been advertised as Hydra’s successor.
The rivalry between RuTor/Omgomg and WayAWay/Kraken mirrors the Russia-Ukraine war, with RuTor/Omgomg viewed as pro-Ukraine and WayAWay/Kraken viewed as pro-Russia—demonstrating how geopolitical concerns have invaded a space formerly viewed as entirely financially motivated.
Background: The Russian-language underground
WayAWay and another narco forum, LegalRC, formed a partnership in 2015, and their cooperation led to the emergence of Hydra Market, which grew to be the dominant darknet market and an emerging cryptocurrency laundering hub between 2017 and 2022, when it was taken down by German and US law enforcement. According to statistics following the takedown, Hydra received US$5.2 billion ($7.3 billion) and accounted for 80% of darknet-market-related cryptocurrency transactions during its operation.
Hydra was vertically integrated, meaning that it offered multiple services, for example cryptocurrency mixing and cashout, as well as the sale of various goods and services. While RuTor is more of a forum than a marketplace, Hydra’s users quickly flocked to its platform to organise and strategise next movements following the takedown. It was on RuTor where the first major marketplaces vying to take the place of Hydra started advertising almost immediately following the takedown.
Flashpoint initially assessed that other smaller marketplaces like Blacksprout, Omgomg, Mega, and Solaris would play a role in competing for Hydra’s market share, with the competition characterised by the liberal use of DDoS attacks, breaches, and black PR. This came to pass, with the first wave of DDoS attacks directed at Omgomg, which had previously emerged as the dominant new marketplace. Then threat actors associated with Solaris, a new platform where, unlike Hydra, all shops and vendors are directly associated with the marketplace, breached RuTor.
Along with this, marketplaces were busy accusing each other of unsafe security practices and association with law enforcement. Amid this conflict, RuTor formed a close cooperation with the marketplace Omgomg and integrated the marketplace into the forum.
WayAWay, a forum originally associated with the now-defunct Hydra, went dormant in 2019, but resurfaced on 2 July under a new domain, apparently in an attempt to challenge the dominance of RuTor.
In May, rumours had started to surface on RuTor about a replacement marketplace for Hydra called Kraken, which would be operated by its former administrators.
WayAWay, as it was set up in July, shows signs of association with both Kraken and Hydra, including a logo and registration process similar to Hydra’s and a built-in cryptocurrency mixer, which was one of the most popular features of Hydra. Additionally, the forum is only accessible from IP addresses inside Russia.
On 23 July 2022, WayAWay was breached. Threat actors associated with RuTor’s administrators posted screenshots of messages from the forum with commentary, criticising WayAWay’s data collection practices—alleging that the forum is putting users at risk—and sharing information suggesting that it was indeed Hydra’s management that set up the new platform.
Killnet and WayAWay
Writing on its Telegram channel, the pro-Kremlin cyber collective ‘Killnet’ openly rejoiced at the breach of RuTor, which they described as a narco forum controlled by the Ukrainian Security Service (SBU). While the forum is not overtly pro-Ukrainian, several users of RuTor had expressed support for Ukraine after the invasion. At the same time, Killnet has repeatedly declared support for WayAWay, indicating that it was probably opposed to RuTor not so much because of its narcotics aspect as because of its pro-Ukrainian leanings. An account seemingly associated with Killnet was also recruiting new members for the collective on WayAWay.
RuTor’s admins have also mentioned the Russia-Ukraine war. One of the admin’s comments on the WayAWay leaks compared the practices of that forum’s management—which apparently hired 40 administrators with no clear responsibilities—to hiring interns at Starbucks, which, the commenter pointed out, is not present in Russia anymore.
The fact that a politically motivated, pro-Russian hacktivist group is taking the side of WayAWay and Kraken will likely fuel further speculation that the former Hydra administrators are linked to Russian law enforcement. In parallel, some threat actors will likely avoid RuTor and Omgomg because they are seen as pro-Ukraine, for fear of the marketplace cooperating with the Ukrainian security services, which have strengthened their cooperation with Western law enforcement in recent years.
Even if the arguments referencing an ideological Russian and Ukrainian split are only a cover for a rivalry that is driven primarily by financial interests, the fact that these arguments are used at all confirms the deep splits in the Russian-speaking cybercriminal underground. In a space where, as recently as last year, transnational cooperation was not only commonplace but often the recipe for success, and where financial interests usually trumped political views, mutually hostile ecosystems seem to be emerging and some links may have been severed beyond repair.