Hydra market’s servers, $25M in bitcoin seized by German police in dark web sting

Narcotics trafficking and money laundering were the main business for Hydra, which researchers say was the largest dark-web market.
German police
A police vehicle in Munich in February during the city's annual Security Conference. (Photo by Alexandra Beier/Getty Images)

German federal police said Tuesday they had shut down the dark web Hydra market, which trafficked in illegal narcotics and helped launder money for criminals worldwide.

Authorities seized “server infrastructure” within Germany and 543 bitcoins worth more than $25 million total as of Tuesday morning’s exchange rate, according to a news release from the BKA agency.

Later Tuesday, the U.S. Department of Justice announced an indictment of Russian resident Dmitry Olegovich Pavlov, 30, who allegedly operated the servers used to run the Russian-language Hydra. He was charged with conspiring to distribute narcotics and conspiring to commit money laundering.

Pavlov allegedly ran a company called Promservice Ltd. — also known as Hosting Company Full Drive, All Wheel Drive and — that administered Hydra’s servers, U.S. officials said.


The U.S. Treasury Department also sanctioned Hydra on Tuesday as well as the Moscow-based cryptocurrency exchange Garantex. U.S. officials said the FBI, Drug Enforcement Administration, Internal Revenue Service and Postal Inspection Service participated in the international Hydra investigation, which began in August 2021.

Drug sales and ‘mixer’ services

Hydra, launched in 2015, was known as the world’s largest dark web market, with sales of more than $1 billion in 2020 alone. German prosecutors said the site had about 17 million user accounts and more than 19,000 seller accounts.

“Hydra vendors offered a variety of illicit drugs for sale, including cocaine, methamphetamine, LSD, heroin and other opioids. The vendors openly advertised their drugs on Hydra, typically including photographs and a description of the controlled substance,” the U.S. Department of Justice said. “Buyers rated the sellers and their products on a five-star rating system, and the vendors’ ratings and reviews were prominently displayed on the Hydra site.”

In handling large volumes of cryptocurrency, Hydra also ran a “mixer” service that assisted in money laundering and “made crypto investigations extremely difficult for law enforcement agencies,” the BKA said.


Researchers have said that among the mixer’s customers were people associated with the theft of $4.5 billion in cryptocurrency from the virtual exchange Bitfinex in 2016. Heather “Razzlekhan” Morgan and Ilya “Dutch” Lichtenstein were arrested in February and accused of conspiring to launder those digital coins. The DarkSide ransomware gang — known for the 2020 attack on Colonial Pipeline — also laundered some of its ill-gotten funds through Hydra, researchers have said.

The U.S. Treasury said the proceeds from the “Ryuk, Sodinokibi, and Conti ransomware variants” were among the funds handled by Hydra.

“Our actions send a message today to criminals that you cannot hide on the dark net or their forums, and you cannot hide in Russia or anywhere else in the world,” Treasury Secretary Janet Yellin said in a news release.

In addition to the narcotics trade, Hydra users also sold illegal goods like “forged documents” and “digital services,” the BKA said. The cybercrime unit of the Frankfurt prosecutor’s office also assisted in the case, police said.

The takedown has stirred up a lot of “heated discussions” among Russian-speaking cybercriminals, researchers at Flashpoint said Tuesday. “The administrators of Hydra reportedly claim that the market is undergoing ‘technical works’ and have not acknowledged the takedown,” the company said.


Russian-language cybercrime networks have been under continued pressure from law enforcement lately:

• In March, the FBI indicted a 23-year-old Russian for allegedly running Marketplace A, which specialized in stolen data.

• Before Russia invaded Ukraine, Russian law enforcement cracked down on Sky Fraud and other cybercrime marketplaces.

• Russian authorities also conducted a sting against the REvil gang in January. A REvil member was extradited by U.S. law enforcement and accused in March of the July 2021 hack of IT company Kaseya.

• The Ukraine invasion caused upheaval in Eastern Europe’s cybercrime underground, as hackers and crooks adjusted their priorities and allegiances, particularly after the leak of thousands of internal documents from the Conti group.


Garantex sanctions

Treasury’s moves against the Garantex exchange stem directly from U.S. efforts to sanction the Russian financial system because of the Ukraine invasion. The cryptocurrency business was founded in Estonia in 2019 but lost its license to operate there and “continues to provide services to customers through unscrupulous means,” Treasury said.

Analysis of the transactions on the exchange show more than $100 million associated with “illicit actors and darknet markets,” Treasury said, including Hydra and Conti.

“The majority of Garantex’s operations are carried out in Moscow, including at Federation Tower, and St. Petersburg, Russia, where other sanctioned virtual currency exchanges have also operated,” Treasury said.

Estonian authorities coordinated with U.S. agencies as part of the sanctions process, Treasury said.


Updated 4/5/22: to add information from U.S. Treasury announcement and U.S. indictment.

Latest Podcasts