The U.S. Department of Treasury Imposes Sanctions on Russian Darknet Market Hydra and Crypto Exchange Garantex

On April 5, 2022, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) announced that it has sanctioned the world’s largest and most prominent darknet market place Hydra Market and Russia-linked crypto exchange Garantex. These sanctions form a part of the coordinated international effort to disrupt the proliferation of malicious cybercrime services, dangerous drugs, and other illegal offerings available through Russia-based sites. The news follows German authorities’ announcement that they have shut down Hydra after securing server infrastructure and seizing 543.3 BTC worth around $25 million. Additionally, the OFAC added more than 100 crypto addresses belonging to Hydra and Garantex to its SDN list.

Regarding ransomware-enabling crypto exchange Garantex, which operates primarily out of Moscow and St. Petersburg, OFAC has partnered with the Estonian government for sanctions issuance. According to stats published in the press release, approximately 86% of illicit bitcoin received directly by Russian crypto exchanges in 2019 came from Hydra. Garantex is not the first Russia-linked crypto exchange to be sanctioned by OFAC. Previously, crypto platforms SUEX and CHATEX were also sanctioned by OFAC for facilitating ransomware transactions. The sanctions against Garantex, CHATEX, and SUEX form a part of the U.S. government’s effort to disrupt the Russia-linked ransomware ecosystem. 

The U.S. Department of Treasury also highlighted that countering ransomware is a top priority of the U.S. government. It further added that the “sanctions against Hydra and Garantex support the Biden administration’s counter-ransomware lines of effort to disrupt ransomware infrastructure and actors in close coordination with international partners.”

In addition, on the same, The U.S. Department of Justice (DOJ) brought criminal charges against Russian resident, Dmitry Olegovich. The DOJ indicted Olegovich for committing conspiracy to distribute narcotics and perpetrate money laundering, in connection with his operation and administration of the servers used to run Hydra.

In the press release announcing the sanctions, the U.S. Department of Treasury Secretary, Janet Yellen issued a warning to illicit actors, stating that “our actions send a message today to criminals that you cannot hide on the darknet or their forums, and you cannot hide in Russia or anywhere else in the world. In coordination with allies and partners, like Germany and Estonia, we will continue to disrupt these networks.”

What are the darknet marketplaces and why was Hydra shutdown?

The darknet is a collection of websites hidden from normal search engines and web browsers. Users who want to access such marketplaces have to do it through browsers that hide their identities, for example, Hydra was accessible via the TOR network.

The U.S. Department of Treasury observed that marketplaces that reside on the darknet almost exclusively accept crypto as payment for a large range of illegal services and goods, including ransomware-as-a-service (RaaS). Under RaaS, anyone can hire a hacker to curate ransomware attacks or buy off-the-shelf ransomware from the darknet, and these services are usually paid for in crypto.

Illicit actors who transact on the darknet often incorrectly believe crypto to be an anonymous and untraceable means of exchange, noted the U.S. Department of Treasury. Using crypto to conduct illicit activities like facilitating ransomware payments can act as a double-edged sword. For instance, if the ransom is paid in crypto, blockchain analytics companies can trace the transaction on the public blockchain, which will lead them to the attached wallet address. 

The types of offerings bought and sold on Hydra Market include ransomware-as-a-service, hacking services and software, stolen personal information, counterfeit currency, stolen virtual currency, and illicit drugs. The OFAC’s investigation identified approximately $8 million in ransomware proceeds that transited Hydra’s crypto accounts, including from the Ryuk, Sodinokibi, and Conti ransomware variants. Attackers use sophisticated techniques incorporated in software such as Ryuk and Sodinokibi (REvil) to target specific enterprises. These particularly insidious ransomware variants deny users access to their device, system, or file until a ransom is paid. Conti is double extortion ransomware that steals and threatens to expose information as well as encrypt.

As per the press release, Hydra, which was launched in 2015, is the most prominent Russian darknet market and the largest darknet market left in the world. The U.S. Department of Treasury stated that the growth in Hydra’s profit is enabled by its association with Russian illicit finance. Further, according to the intelligence provided by the German authorities, at the time of closure, Hydra had approximately 17 million customers and more than 19,000 vendor accounts were registered on the marketplace. 

Sanctions issued against Garantex

As mentioned earlier, Garantex was designated a sanctioned entity for enabling ransomware. As per the press release, an analysis of known Garantex transactions showed that over $100 million in transactions are associated with illicit actors and darknet markets, including nearly $6 million from Russian RaaS gang Conti and approximately $2.6 million from Hydra. 

The U.S. Department of Treasury also stated that it is committed to taking action against actors like Hydra and Garantex who willfully disregard AML/CFT obligations and allow their systems to be abused by illicit actors. “Wanton disregard for regulations and compliance by persons that run crypto exchanges will be rigorously investigated, and where appropriate, perpetrators will be held accountable,” warned the U.S. Department of Treasury.

In February 2022, Garantex lost its license to provide crypto services in Estonia. Working closely with the U.S. Department of Treasury, Estonia’s Financial Intelligence Unit revealed Garantex’s critical AML/CFT deficiencies and found connections between it and wallets used for criminal activity. Despite losing its license, Garantex continued to provide services to customers through unscrupulous means.

Additionally, the U.S. government also urged the international community to put in place robust sanction controls and AML/CFT regime. These steps will prevent sanctioned persons and other bad actors from exploiting crypto to undermine the national security of the U.S. and its partners. 

The Biden Administration seeks to prioritize efforts to identify and mitigate illicit financing risks in the digital asset ecosystem. To this end, an updated National Strategy to Combat Illicit Finance will be published in the coming month.

Implication of Sanctions

A seizure banner was published on Hydra’s website. Further, the new sanctions prohibit U.S. persons from making or receiving any contribution or provision of funds, goods, or services to Hydra or Garantex. These sanctions block all property and assets located in the U.S. belonging to individuals and entities associated with Hydra Market or Garantex. They also block all transactions by U.S. persons that involve any property belonging to Hydra Market or Garantex.

How Can Merkle Science Help?

Merkle Science has a dedicated team to continuously monitor for sanctions announcements against Russia made by various governments around the world. As the situation continues to evolve and to eliminate any ambiguity, Merkle Science has made the decision to blanket tag all entities that are headquartered or operate in Russia.

These entities will be identified as "Sanctions" with the subtype "Entity in Sanctioned Country" on Compass. This would also mean that any incoming transactions that come indirectly from these entities will be flagged in your system. Hydra and Garantex will be added to the list of the entities Merkle Science has tagged. These entities include BChange, CoinStart, Summa, N-change, ExpoChange, Bitbong, Ferma, Xchange and now Hydra and Garantex.