Release the Kraken: The Battle for the Russian Language Darknet

August 8, 2022

On July 2, 2022, WayAWay, a defunct narco forum, resurfaced on the Russian-language dark web after a long period of dormancy. While the return of a forum is usually not big news, WayAWay was co-administered with LegalRC. These two forums partnered in 2015 to form what would become the largest darknet marketplace, Hydra. The marketplace was shuttered by German and US law enforcement on April 5, 2022, leading to a competition for market share in the Russian-language underground, which is quickly developing into a split between Russian and Ukrainian venues.

Hydra’s demise predictably resulted in seismic shifts in the Russian language underground, which have been forming for the past few years. Thousands of vendors and customers who relied on Hydra for their cybercrime operations found themselves congregating on the Russian language forum RuTor.

The increased activity invited competitors to target RuTor, causing it to strike a partnership with the marketplace OMGOMG. This partnership was struck in opposition to WayAWay, which quickly associated itself with Kraken, a planned marketplace that has been advertised as Hydra’s successor. 

The rivalry between RuTor/OMGOMG and WayAWay/Kraken mirrors the Russia-Ukraine war, with RuTor/OMGOMG viewed as pro-Ukraine and WayAWay/Kraken viewed as pro-Russia—demonstrating how geopolitical concerns have invaded a space formerly viewed as entirely financially motivated.

Background: The Russian language underground

WayAWay and another narco forum, LegalRC, formed a partnership in 2015, and their cooperation led to the emergence of Hydra Market. Hydra grew to be the dominant darknet market and an emerging cryptocurrency laundering hub between 2017 and 2022, when it was taken down by German and US law enforcement. According to statistics following the takedown, Hydra received $5.2 billion USD and accounted for 80% of darknet-market-related cryptocurrency transactions during its operation.

Hydra was vertically integrated, meaning that it offered multiple services, like cryptocurrency mixing and cashout, as well as the sale of various goods and services. Flashpoint and Chainalysis documented this rise in a white paper in 2021.

While RuTor is more of a forum than a marketplace, Hydra’s users quickly flocked to its platform to organize and strategize their next movements. It was on RuTor where the first major marketplaces vying to take the place of Hydra started advertising almost immediately following the takedown. 

Flashpoint initially assessed that other smaller marketplaces, like Blacksprout, OMGOMG, Mega, and Solaris, would play a role in competing for Hydra’s market share and that this competition would be characterized by the liberal use of distributed denial-of-service attacks, breaches, and black PR. This indeed came to pass: the first wave of DDoS attacks was directed, in June, at OMGOMG, which had previously emerged as the dominant new marketplace. Then threat actors associated with Solaris, a new platform where, unlike Hydra, all shops and vendors are directly associated with the marketplace, breached RuTor.

Along with this, marketplaces were busy accusing each other of unsafe security practices and association with law enforcement. Amid this conflict, RuTor formed a close cooperation with the marketplace OMGOMG and integrated the marketplace into the forum.

Image: RuTor’s activity within the past year. Hydra’s activity, which primarily serviced the former Soviet Union, started to decline in February following the invasion of Ukraine. RuTor experienced a massive uptick in activity following the takedown of Hydra on April 5, 2022. Starting in June, distributed denial-of-service attacks were actively conducted on RuTor’s domains, limiting the overall activity on the forum.

WayAWay, a forum originally associated with the now-defunct Hydra, went dormant in 2019, but resurfaced on July 2 under a new domain, apparently in an attempt to challenge the dominance of RuTor.  

In May, rumors had started to surface on RuTor about a replacement marketplace to Hydra called Kraken, which would be operated by its former administrators.

Image: Rumors of Kraken began to sprout on file sharing websites like Turbo.

WayAWay, as it was set up in July, shows signs of association with both Kraken and Hydra, including a logo and registration process similar to Hydra’s and a built-in cryptocurrency mixer, which was one of the most popular features of Hydra. Also, the forum is only accessible from IP addresses inside Russia.

Image: The homepage of WayAWay with the Kraken logo in the top left corner. The Kraken logo is likely meant to mimic Hydra’s logo.

On July 23, 2022, WayAWay was breached. Threat actors associated with RuTor’s administrators posted screenshots of messages from the forum with commentary, criticizing WayAWay’s data collection practices—alleging that the forum is putting users at risk—and sharing information suggesting that it was indeed Hydra’s management that set up the new platform. 

Killnet and WayAWay

Writing on its Telegram channel, the pro-Kremlin cyber collective “Killnet” openly rejoiced at the breach of RuTor, which they described as a narco forum controlled by the Ukrainian Security Service (SBU). While the forum is not overtly pro-Ukrainian, several users of RuTor had expressed support for Ukraine after the invasion. At the same time, Killnet has repeatedly declared support for WayAWay, indicating that it was probably opposed to RuTor not so much because of its narcotics aspect as because of its pro-Ukrainian leanings. An account seemingly associated with Killnet was also recruiting new members for the collective on WayAWay.

RuTor’s admins have also mentioned the Russia-Ukraine war. One of the admin’s comments on the WayAWay leaks compared the practices of that forum’s management (which apparently hired 40 administrators with no clear responsibilities) to hiring interns at Starbucks, which, the commenter pointed out, is not present in Russia anymore.

The fact that a politically motivated, pro-Russian hacktivist group is taking the side of WayAWay and Kraken will likely fuel further speculation that the former Hydra administrators are linked to Russian law enforcement. In parallel, some threat actors will likely avoid RuTor and OMGOMG because they are seen as pro-Ukraine, for fear of the marketplace cooperating with the Ukrainian security services, which have strengthened their cooperation with Western law enforcement in recent years.

Even if the arguments referencing an ideological Russian and Ukrainian split are only a cover for a rivalry that is driven primarily by financial interests, the fact that these arguments are used at all confirms the deep splits in the Russian-speaking cybercriminal underground. In a space where, as recently as last year, transnational cooperation was not only commonplace but often the recipe for success, and where financial interests usually trumped political views, parallel, mutually hostile ecosystems now seem to be emerging, and some links may have been severed beyond repair.
