Darkweb Hydra drug market taken offline by German police – Naked Security

German police have located and closed the servers of Hydra, allegedly one of the largest underground online stores in the world.

Investigators from the Bundeskriminalamt (BKA – the Federal Criminal Police Office) claim that the Russian-language Hydra website, accessible via the Tor network, had around 17 million customer accounts (although many individual buyers could have had multiple accounts, to be sure) and more than 19,000 seller accounts by the time they closed it.

As you would probably expect from a darkweb marketplace, the main commodities traded online were illegal drugs, but the site also apparently offered a money laundering “coin tumbler” service aimed at creating hard-to-trace cryptocurrency transaction records, and did a brisk trade in fake IDs.

According to a report from the BBC, locating the actual servers used to run Hydra was no easy task (the site has been online since at least 2015), but German police said they started following a tip in mid-2021 that suggested that the servers were actually hosted in Germany.

This led to the shutdown on Tuesday 2022-04-05, with the site’s main page changed to look like this:

What makes a Tor teardown difficult?

Tracking clients and servers back to their source on the Tor network, which was deliberately designed to protect privacy and resist takedown, is much more complex than conventional network traffic tracking.

Regular network packets en route to a destination contain a source IP number (network location) which designates the first known device in the traffic chain, and a destination address which determines the IP number to which they are supposed to be sent.

But source IP numbers do not always identify the exact computer originating the request, as there may be an intermediate server handling the traffic on behalf of that computer, although source IP addresses often identify a related device that might help to trace the true origin.

In a typical home network, for example, your router poses as the source address for all your outgoing network traffic, so the rest of the world sees your entire network as a single device, with a single IP number.

Your router keeps track of which reply packets belong to which internal devices and redirects the necessary data internally when the replies come back.

This prevents law enforcement from immediately identifying exactly which device inside your home was responsible for a specific network connection, but your router’s IP number usually identifies your home address very easily, given that your router’s IP number is assigned to your connection by your ISP.

Your ISP can, and almost certainly will, respond to legally authorized requests from investigators by identifying the household associated with your IP address, whether your router is the origin (for example, you are visiting suspicious locations) or the destination (for example, you are running a server accepting suspicious connections) of apparently illegal activity.

Likewise, if you use a VPN (virtual private network), all your network traffic appears to come from one of the VPN provider’s servers, often in a different country.

The VPN provider effectively becomes both your router and your ISP, and while it may be easy to track you to the VPN itself, law enforcement may have difficulty getting the VPN to tell them where you live, especially because the VPN operator may be in a different jurisdiction and may not even know your true identity.

However, the VPN provider can identify your IP number while you’re connected, because without it they wouldn’t be able to forward traffic to you – you’d be able to send packets, but not receive any replies.

Some VPNs claim to keep no logs of past connections and therefore claim that it is impossible for the police in their country or anywhere else to trace old traffic, as no records of IP numbers are kept.

But there are plenty of cases where “no-logs” VPN providers have been found not only to keep logs anyway, but also to have suffered data breaches that leaked that “non-existent” information to third parties.

In fact, the problem with using a VPN provider as your primary means of maintaining your anonymity is that you must have complete confidence in the technical capabilities and ethics of the provider and all of its staff.

What if you can’t trust the person in the middle?

Tor aims to ameliorate the “what if you can’t trust the person in the middle” problem by bouncing anonymized traffic through three different randomly chosen “routers” in succession.

When you create a Tor connection, your client software randomly selects three nodes from a pool of approximately 7,000 different Tor nodes run by volunteers around the world, and directs your traffic to those three nodes, like this:

  Client -> Tor Node 1 -> Tor Node 2 -> Tor Node 3 -> Server

Also, and this is the smart part, the identity of Server is encrypted with the public key of the Tor3 node, and this encrypted blob is then encrypted with the public key of Tor2, and the result is then encrypted with the public key of Tor1.

So the routing details of your network traffic are encrypted in multiple layers, like an onion, which is why Tor’s full name is The Onion Router.

Therefore the Tor1 node knows your IP number and can use its private key to decrypt the outer layer of the onion to find the IP number of the Tor2 node, to which it passes on the remaining layers of the onion.

But Tor1 can’t peek deeper into the encrypted onion and find out the identity of Tor3 or of the Server you want to end up at.

Likewise, the Tor3 node can remove the last layer of the onion, which reveals the innermost secret of the Server you want to visit, but it can only trace your traffic back to Tor2, and therefore has no idea where Tor1 is, let alone where the Client computer is.

The Tor2 node in the middle is there to add another layer of anonymity protection, as it keeps Tor1 and Tor3 apart.

This means that if Tor1 and Tor3 happen to be “volunteer” nodes working with law enforcement teams or intelligence agencies, they cannot directly collude to match up your traffic patterns and unmask your identity in this way.

In other words, to unmask an individual connection, an attacker would have to monitor all Tor nodes chosen for that connection and keep a careful and detailed record of each relay connection on each node.

(Tor also works against collusion by periodically “rewiring” long-lived connections, typically rebuilding each virtual circuit automatically every 10 minutes, and creating a new circuit with new nodes for each new connection.)
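
The layering described above can be followed in a short model. This is an added example, not Tor's code or protocol: the functions `seal`, `unseal`, `wrap`, `peel` and `trace` are hypothetical, and one symmetric key per node (a SHA-256 keystream plus an HMAC tag) stands in for each node's public/private key pair so that the block needs only the Python standard library.

```python
# Toy model only: a SHA-256 keystream plus HMAC stands in for each node's key pair.
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, data):
    """Encrypt-then-MAC one layer so that only the holder of `key` can open it."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    want = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("layer is not addressed to this node")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def wrap(route, keys, destination):
    """Client: build the onion inside-out, so the Server name is wrapped first."""
    onion = b""
    for node, nxt in reversed(list(zip(route, route[1:] + [destination]))):
        layer = json.dumps({"next": nxt, "inner": onion.hex()}).encode()
        onion = seal(keys[node], layer)
    return onion

def peel(node, keys, onion):
    """Relay: strip one layer, learning only the next hop and an opaque blob."""
    layer = json.loads(unseal(keys[node], onion))
    return layer["next"], bytes.fromhex(layer["inner"])

def trace(route, keys, onion, sender="Client"):
    """Pass the onion along the circuit; record (previous hop, next hop) per node."""
    seen, prev = {}, sender
    for node in route:
        nxt, onion = peel(node, keys, onion)
        seen[node], prev = (prev, nxt), node
    return seen

if __name__ == "__main__":
    route = ["Tor1", "Tor2", "Tor3"]
    keys = {n: os.urandom(32) for n in route}   # constructed per-node keys
    for node, view in trace(route, keys, wrap(route, keys, "Server")).items():
        print(node, "sees traffic from", view[0], "and forwards to", view[1])
```

Only Tor1's record contains the Client and only Tor3's contains the Server, which is why linking the two ends requires records from every node in the circuit.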

Hide the server

If the Server you connect to in the diagram above is a regular server on the internet, then your network connection emerges from Tor for all to see after Tor3, so that the content of your traffic to Server, and the physical location of this online server, are also in plain view.

But if the end server is itself a darkweb server on the Tor network, identified by one of those mysterious URLs ending in .onion instead of a normal top-level domain name, your traffic never leaves Tor once it enters the Tor network through the Tor1 node.

Basically, in a real darkweb connection, the final connection to the server is handled as a fourth hop in the Tor chain, which pretty neatly adds anonymity at both ends.

A Tor-only “four-hop” connection not only means that the server doesn’t know your IP number and therefore can’t reveal it even if it wanted to, but also means that you never know the server’s IP number.

In other words, even if you yourself are monitored or arrested, your browsing activity and logs will not and cannot reveal the likely physical locations of the darkweb services you have used.

So ISPs that don’t care what kind of customers they serve and don’t tell the truth when faced with search warrants or other “know your customer” requests can, in theory, surreptitiously operate services known in the jargon as bulletproof hosts, even if they are themselves in a country with strict know-your-customer rules and powerful lawful interception provisions.

Thanks to the multi-hop “onion cipher” of an anonymization service such as Tor, clients and servers can come into contact without revealing where the other end is on the Internet, which makes servers of this type much more difficult to locate, and therefore much more difficult to dismantle.

Track and trace nonetheless

In this case, Tor was not enough to prevent the location of the suspected Hydra servers from being tracked down and “repurposed” by law enforcement, as happened when the BKA replaced Hydra’s welcome page with the message shown above.

By the way, we noticed that the handcuffs in the picture very unusually have three identical cuffs, which seems redundant, given that almost all humans have at most two arms, and dangerous, given that, if these restraints were applied to a two-armed suspect, the loose cuff could be swung around by the arrested person as an improvised weapon.

So we can’t help but wonder if these triple handcuffs are a visual metaphor that refers to the three-node basis of Tor connections.

Perhaps the three interconnected cuffs are there to remind us that with good intelligence and technical determination, even three seemingly unconnected and anonymous Tor relays can be linked together in obvious ways, breaking the anonymity of the system?

(Note that Tor does not claim to guarantee your anonymity or to be able to immunize your connection against takedown no matter what, so if you have a legitimate reason for using Tor, be sure to read the project guidelines before you begin, and remember Tor’s own advice that “[g]enerally, it is impossible to have perfect anonymity, even with Tor.”)

What next?

Following the German takedown, in which approximately $25,000,000 worth of cryptocurrency was seized, the US Department of Justice (DOJ) and the Treasury Department’s Office of Foreign Assets Control (OFAC) issued press releases on the American follow-up to the intervention.

As OFAC notes:

In addition to sanctioning Hydra, OFAC identifies more than 100 virtual currency addresses associated with the entity’s operations that have been used to conduct illicit transactions. The Treasury agrees to share additional illicit virtual currency addresses as they become available.

The DOJ added:

Along with the shutdown of Hydra, [the DOJ] announced criminal charges against Dmitry Olegovich Pavlov, 30, a resident of Russia, for conspiracy to distribute narcotics and conspiracy to launder money, in connection with his exploitation and administration of the servers used to run Hydra.

Russia, like many other countries, does not extradite its own citizens, even in peacetime, so it is unclear whether these criminal charges will have any effect.

Nevertheless, as the metaphor of the three-armed handcuffs reminds us, as the Tor project itself carefully and explicitly states, and as this multinational takedown operation shows, it is impossible to have perfect anonymity on the Internet.


James R. Rhodes