
How Darknet Markets and Fraud Shops Fought for Users In the Wake of Hydra’s Collapse

2022 saw a decline in revenue from the previous year for darknet markets and fraud shops. Total darknet market revenue for 2022 ended at $1.5 billion, down from $3.1 billion in 2021.

Four of the top five highest-earning darknet markets in 2022 were conventional, drug-focused darknet markets, while just one, Brian Dumps, was a fraud shop. 

Hydra Market led the way once again as the highest-earning darknet market in 2022, even though it was sanctioned by OFAC and shut down in a joint U.S.-German operation in April — no other market beat the revenue lead it built up in those four months. As we’ll explore later, the three next-highest earning markets of the year — Mega Darknet Market, Blacksprut Market, and OMG!OMG! Market — all gained their initial market share in the wake of Hydra’s collapse, with on-chain data suggesting these markets made concerted efforts to attract former Hydra users and vendors.

Hydra’s closure prompted a sector-wide decline in darknet market revenues, with average daily revenue for all markets falling from $4.2 million just prior to its closure to $447,000 immediately after. While drug markets’ collective revenue hasn’t recovered fully, it climbed slowly back toward previous levels in the second half of 2022. Fraud shops, however, have continued to decline.

Fraud shops are a unique segment of darknet markets that sell stolen data such as compromised credit card information and other forms of personally identifying information (PII) that can be used for fraudulent activity. This decline was triggered in part by the closure of prominent fraud shops like Bypass Shop, which was shut down in March. Brian Dumps, the biggest overall fraud shop for the year, also appears to have suffered a disruption as its revenue fell almost to zero in October, though it’s unclear exactly why.

While darknet markets have largely recovered after Hydra’s closure and fraud shops have not, single vendor shops showed a different pattern. Single vendor shops are standalone shops set up by individual drug vendors who have typically gathered a large customer base on a larger, traditional darknet market. Setting up a single vendor shop allows those vendors to save on fees that would ordinarily go to the administrators of a traditional darknet market. 

Throughout 2022, we observed a negative relationship between funds sent to regular darknet markets and those sent to single vendor shops. For instance, we see single vendor shop revenue spike beginning around March, around the same time traditional darknet market revenue began to fall. Similarly, single vendor shop revenue fell concurrently with the recovery of traditional darknet markets from around June through the end of the year.

The battle for market dominance, post-Hydra takedown

Before law enforcement agencies shut down Hydra, it was the largest darknet market in the world. Prior to its demise, Hydra Marketplace captured 93.3% of all economic value received in the 2022 darknet market ecosystem. The Russia-based darknet market enabled drug sales and offered cybercriminals money laundering services. In the wake of Hydra’s collapse, several markets gained revenue, but three in particular dominated: Blacksprut, OMG!OMG! Market, and Mega Darknet Market. Interestingly, each of the three led the market at different times, though OMG’s period of dominance immediately following Hydra’s collapse was the strongest any of the three ever had.

Through most of April and May, OMG captured well over 50% of total market share, reaching a peak of 65.2% on April 23, and operated virtually unchallenged by competition, indicating its potential as a Hydra successor. In June, OMG suffered a distributed denial of service (DDoS) attack, which likely caused vendors and customers to migrate to Mega Darknet Market and Blacksprut Market around that time. Similarly, Blacksprut was hacked in late November, which coincides with its decline from its peak revenue share of 68.5% a few weeks prior. Given the illicit nature of darknet markets, it’s unsurprising that vendors and users would seek to leave a market that has suffered a data breach.

How drug buyers and illicit users migrated from Hydra to other darknet markets 

If we dig deeper into how Hydra’s three primary successor markets jockeyed for position following Hydra’s shutdown, we find that capturing the specific customers who previously relied on Hydra — both retail market customers and illicit users of Hydra’s money laundering services — was crucial to the battle. We can investigate this by using on-chain data to look at where former Hydra users migrated after the market was closed. For this analysis, we’ll split the remainder of 2022 after the April 5 Hydra shutdown into two time periods:

  • OMG dominance: The 50-day period immediately after Hydra’s shutdown when OMG captured close to 100% of darknet market share.
  • Post-OMG dominance: The rest of 2022, when OMG became one of three sizable markets alongside Blacksprut and Mega.

The two charts below show which markets Hydra’s previous counterparties used the most in each of those two time periods. The color of the lines shows the former Hydra users’ category of activity and the thickness of the lines shows the proportion of their activity flowing to new markets after Hydra was shut down.

Like the vast majority of all darknet market users, former Hydra counterparties across all categories — both retail drug buyers and criminal users — transacted almost exclusively with OMG during the OMG dominance period. In the post-OMG dominance period, OMG retained a number of those former Hydra counterparties, but lost a significant share of their illicit activity to the other two markets across all categories. 

There are two primary takeaways from this: first, signs point to these three markets having launched crypto money laundering services similar to what Hydra offered, which would explain why so many of Hydra’s criminal users migrated to those markets. The second takeaway is just how dominant OMG was amongst Hydra’s counterparties immediately following Hydra’s closure. This is especially interesting given the connections between OMG and Hydra that we’ll explore later.

There is direct evidence that two of the three markets in question offer money laundering services. In early January 2023, Blacksprut vendor RedBull Exchange made a post titled “Transfer from platform” that said users could withdraw Bitcoin with a 4% fixed commission fee and that funds would instantly transfer to their private wallets without going through any types of “checks or cleanings.” The image below shows a Blacksprut overview site indicating that the service offers internal exchanges for moving funds off market, and also recommending the Russia-based BestChange exchange aggregator service should those fail.

Similar posts on Mega Darknet Market confirm it offers these services, too. We don’t yet have confirmation of OMG offering money laundering services, but again, the on-chain data suggests it likely does. 

OMG, Blacksprut, and Mega Darknet markets show potential vendor and admin overlap with Hydra

Advertised as “the most advanced darknet market ever,” OMG primarily provides illegal drugs, but also offers products like hacking utilities, banking information, and more. The market has a peculiar history. It first became active in early July 2020, with deposit volumes so low it appeared to be less of a darknet market and more a personal operation. However, nearly as soon as Hydra shut down, OMG began seeing high inflows for the first time, more than half of which came from Hydra counterparties.

Blockchain analysis also reveals that several Hydra vendors migrated to OMG following Hydra’s shutdown. The Chainalysis Reactor graph below shows several personal wallets associated with known Hydra vendors subsequently transacting with OMG.

The migration of vendors, plus the timing and source of OMG’s initial revenue, suggest that Hydra administrators may have been involved with the development of OMG. Additionally, the two markets show certain operational similarities. For instance, Hydra differed from its competitors in that it offered location-based courier services. Upon account creation, the user would select their location and arrange “dead-drop”-style exchanges from vendor to buyer. Upon sale, the vendor would send the buyer geographic coordinates and a picture of where their well-hidden purchase could be found. OMG offers this same service, too.

Further blockchain analysis reveals an even more interesting connection: OMG’s central wallets send high volumes of cryptocurrency to the same group of deposit addresses at a high-risk exchange with a heavy presence in Russia. The overlap in deposit address usage suggests that those deposit addresses may be controlled by the same individuals, which would suggest further vendor overlap or possibly even administrator overlap. 

Both Blacksprut and Mega have also sent funds to deposit addresses on this exchange used previously by Hydra, but none as much as OMG. We can see this on the chart below, which shows the total amount sent by each market to shared deposit addresses.
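The shared-deposit-address comparison described above can be reproduced on any labelled transfer set. The sketch below is an added example, not Chainalysis code or data: the addresses, dates and amounts are constructed, and `shared_deposit_volume` is a hypothetical helper name. It counts a transfer as "shared" only if Hydra had already used that deposit address by the time the other market sent to it.

```python
from collections import defaultdict
from datetime import date

# Constructed sample: (sending market, exchange deposit address, date, USD).
# Every address, date and amount here is invented for illustration.
TRANSFERS = [
    ("Hydra",      "dep_A", date(2021, 11, 2), 50_000),
    ("Hydra",      "dep_B", date(2022, 1, 15), 20_000),
    ("Hydra",      "dep_C", date(2022, 3, 30), 10_000),
    ("OMG",        "dep_A", date(2022, 4, 20), 40_000),
    ("OMG",        "dep_B", date(2022, 5, 1),  25_000),
    ("OMG",        "dep_X", date(2022, 5, 3),   5_000),
    ("Blacksprut", "dep_A", date(2022, 7, 9),   8_000),
    ("Blacksprut", "dep_Y", date(2022, 8, 1),  30_000),
    ("Mega",       "dep_C", date(2022, 6, 12),  6_000),
    ("Mega",       "dep_Z", date(2021, 12, 1),  9_000),
    ("Mega",       "dep_B", date(2021, 12, 5),  4_000),  # before Hydra first used dep_B
]

def shared_deposit_volume(transfers, reference="Hydra"):
    """Per market: USD sent to deposit addresses the reference market had
    already used, the distinct shared addresses, and that volume as a
    percentage of the market's total exchange-bound volume."""
    first_use = {}
    for market, addr, day, _ in transfers:
        if market == reference:
            first_use[addr] = min(day, first_use.get(addr, day))

    stats = defaultdict(lambda: {"shared_usd": 0, "total_usd": 0, "addresses": set()})
    for market, addr, day, usd in transfers:
        if market == reference:
            continue
        row = stats[market]
        row["total_usd"] += usd
        # "Used previously by Hydra": ignore transfers that predate Hydra's first use.
        if addr in first_use and day >= first_use[addr]:
            row["shared_usd"] += usd
            row["addresses"].add(addr)

    return {
        m: {"shared_usd": r["shared_usd"],
            "shared_addresses": sorted(r["addresses"]),
            "shared_pct": round(100 * r["shared_usd"] / r["total_usd"], 1)}
        for m, r in stats.items()
    }

if __name__ == "__main__":
    print(shared_deposit_volume(TRANSFERS))
```

Reporting the shared volume as a percentage of each market's own exchange-bound total, alongside the absolute figure, keeps a large market from looking more connected than a small one simply because it moves more money.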

We don’t have definitive evidence confirming that any of OMG’s creators or administrators were formally associated with Hydra. However, the deposit address overlap and instantaneous mass migration of Hydra users to OMG following Hydra’s shutdown suggest that it’s certainly possible.
