30 January 2023

There’s a Wild Scramble for Control of the Dark Web Taking Place in Russia

Niko Vorobyov Max Daly

On New Year’s Eve people in Moscow spotted what looked like an up-and-coming tech startup projecting its logo onto the sides of various buildings. But in fact it was a guerrilla marketing stunt promoting OMG, a darknet marketplace selling heroin, mephedrone, marijuana, and everything else in between.

A fortnight earlier one of OMG’s main competitors, Kraken, parked a bus painted with its logo across two lanes of the Russian capital’s Novy Arbat thoroughfare, blocking traffic for over an hour before the authorities were able to remove it. This was not Kraken’s first PR stunt. In October it projected a hologram of its namesake, the mythical sea monster, holding the company logo in its tentacles, onto a Moscow business centre.

Darknet marketplaces are commercial websites accessed by an encrypted browser which operate on the dark web, functioning primarily as black markets for illegal activity or substances. The fact they were being advertised so publicly in Moscow was slightly bizarre.

But this very public advertising blitz stemmed from events that took place In April 2022, when the world’s biggest ever darknet market Hydra, which made most of its money selling drugs, was shut down and its alleged mastermind Dmitry Pavlov was arrested in Moscow. Yet, like the Hydra of Greek legend, whose heads multiply when they are severed, a new generation of darknet markets popped up to challenge for control of a market worth at least $1.37 billion, according to unofficial estimates.

And over the last 9 months, using a mix of publicity stunts and crippling cyber attacks on each other, OMG, Kraken and around 10 other darknet markets have been engaged in a tit-for-tat turf war for Hydra’s throne.

But amid the scramble for power and wealth, experts have told VICE World News that the huge profits being generated by these platforms are being fuelled by money from gangs involved in increasingly sinister crimes.

“Criminals increasingly rely on these new darknet markets for a variety of services beyond drug trafficking, such as money laundering, malware proliferation, and as a ‘town hall’ where they can connect and participate in ransomware and cyber attacks,” said Alois Afilipoaie, a blockchain intelligence analyst at TRM Labs, which monitors crypto crime.

Afilipoaie said analysis by TRM Labs shows a wide variety of criminal groups are laundering funds through these platforms, including those connected to non-drug related crimes, such as those selling credit card data and other personal information through fraud hubs, where people’s stolen identities are traded online.

He said the proceeds from ransomware attacks, as well as investment schemes, violent extremism and child sexual abuse material, are also being laundered through Russian darknet markets.

They’re also getting embroiled in global politics, and conflict. One darknet market has been closely tied to the Kremlin-affiliated hacking group KillNet, described by the US Cybersecurity & Infrastructure Security Agency (CISA) as a “significant threat to US critical infrastructure.”

KILLNET IS ALLEGED TO HAVE DONATED $280,000 TO ASSIST RUSSIA'S WAR EFFORT IN UKRAINE. IMAGE: KILLNET TELEGRAM.

A report published Wednesday by TRM Labs revealed KillNet, which has used crypto currency to raise up to $280,000 for the Russian war effort and launched a cyber attack on Elon Musk’s satellite comms operation Starlink as well as on multiple governments across the world, carried out cyber attacks against RuTor, a forum linked to the OMG market, and a rival of a pro-Kremlin market called Solaris. The report said Solaris, a platform which has since been hijacked by Kraken, had sent KillNet $50,000.

A decade after the world’s first mega darknet market Silk Road was taken down by the US government in 2013, four Russian-run darknet platforms – OMG, Kraken, Blacksprut and Mega – now dominate dark web markets.

TRM Labs calculated that in the eight months since Hydra had been shut down, the new cluster of darknet markets had amassed $820 million in crypto currency deposits. In the month of December they made $130 million. It said Russian-language darknet markets, which chiefly trade in Russia and countries of the former Soviet Union, accounted for 80 percent of the global market. By contrast, the English language ASAP market, the largest non-Russian darknet market, accounts for less than 10 percent of dark web sales.

Some of these sites have turned to influencers to boost their publicity campaigns. TikTok influencer Nekoglai (real name Nikolai Lebedev) who was arrested, allegedly tortured and deported back to his native Moldova after posting a video last month poking fun at Russian troops in Ukraine, began streaming on Twitch while wearing a T-shirt with Mega’s logo in December. Mega has its own YouTube channel. Earlier this month a Kraken employee told Russian news website Lenta.ru that the market had a dedicated PR department.

NIKO VOROBYOV03.27.20

But this isn’t just about PR games, it’s also a cyber war. Last July, in a notable example of darknet market drug warfare, Kraken’s forum WayAway and the now-defunct market Solaris warned their subscribers to withdraw any crypto currency they had on rival site OMG’s forum RuTor. Soon after RuTor was bombarded by cyber attacks, and was temporarily shut down. The attempt failed and it survived and re-opened soon after.

The following month RuTor retaliated, hacking WayAway and posting screenshots of the breach, arguing that WayAway’s security was too weak to be trusted. Days later RuTor was targeted for another round of cyber attacks, this time by Killnet. Amid the cyber warfare between those vying to succeed Hydra, Russia’s drug trade, most of it orchestrated via darknet marketplaces continues almost in plain sight.

Since the rise of online drug buying in the mid-2010s, people purchasing drugs in Russia do so via the “treasure trove” system of dead drops, where instead of meeting a dealer or receiving your order through the post, you are given the GPS coordinates of where the goods are hidden, in places such as street hedges, round the back of apartment blocks, electrical transformer boxes, near metro stations or local forests.

Teams of ‘droppers’ employed by the online shops are paid to secrete drug packages, rather than hand them over in person. This method was seen as less risky for buyers and sellers fearful of the heavy prison sentences handed out in Russia for drug crimes. Even so, opioids such as black market methadone are still being bought outside of darknet markets, predominantly either hand-to-hand or via the many human and automated drug dealers selling their wares on the encrypted messaging platform Telegram.

As of October 2022, the largest volume of drugs purchased at two large marketplaces – BlackSprut and Mega – were for cathinones such as mephedrone and alpha-PVP. These white, synthetic stimulant powders that mimic cocaine and MDMA are highly prevalent in Russia, eastern Europe and the Balkans because they’re cheap and easy to manufacture locally. Cannabis is also a popular drug bought on the Russian darknet.

SAM IRAVANI01.24.20

“Alex”, a drug dealer from Moscow who did not want to give his real name for fear of being identified by police, said since Russia’s invasion of Ukraine “MDMA, LSD, and ketamine are almost impossible to find. Everything from Europe is in short supply.”

But Russians fleeing the country since the war have still been able to buy drugs on the dark web. In Georgia, on its southern border, where more than 100,000 Russians have fled, there is Matanga, a local Russian-speaking darknet market offering the same “treasure hunt” buying system as back home.

Even in the occupied territories of Ukraine, Russian troops entering Mariupol were closely followed by Telegram bots offering hash, mephedrone and alpha-PVP, peddling their wares even before the ruined city had running water returned. It's not established yet how the drugs were brought to occupied Ukraine but the dealing network likely has some connection with Russian soldiers or non-combat staff.

It appears that, alongside Solaris, other darknet markets have supported Russia’s invasion. In an interview with Meduza, a now banned independent Russian news outlet no longer based in Russia, Alexey Milchakov, the leader of pro-Russian neo-Nazi paramilitary group Rusich, claimed that the group had received small crypto coin donations from Mega, Blacksprut and OMG. They spent the money on equipment and bulletproof vests. There is no proof this money was passed on willingly by the darknet markets – it may have been stolen from them – but Milchakov called his drug-dealing supporters “true patriots of Russia.”

However in December last year a Ukrainian-born hacker broke into the Solaris market’s crypto-wallets and donated $25,000 to a charity for Ukrainian refugees. Solaris’ misfortunes didn’t end there. On Friday the 13th of January, the WayAway team hacked Solaris, taking advantage of a weakness in its coding, and shut it down. Now those trying to access Solaris are redirected to its upstart rival, Kraken.

As Hydra did, many of these markets have continued the tradition of including drug harm reduction information for drug buyers, such as providing drug testing and medical advice. “The RuTor forum has launched a series of webinars on medical topics, including first aid and overdose scenarios,” said Aleksey Lakhov, of St. Petersburg-based drug project Drugmap.ru.

“On the WayAway forum at the Kraken marketplace, there’s a whole section titled ‘narcological service’. So we can say that the issues of harm reduction and preserving the health of people who use drugs have become an integral part of the Russian darknet.”

Over the last year, “Alex,” the drug dealer from Moscow, said a new genre of content has been growing on Russian Telegram profiles. “People are recording videos of themselves using drugs, talking about their lives, hanging out, collaborating with other bloggers.” Drug users have been chatting about their drug use on dedicated drug user internet forums for decades, but now a younger generation of drug users are doing so on video.

Some, such as Julia Finess, have become popular and also made a name for themselves on TikTok. “They show an affluent lifestyle with expensive apartments, luxury brands, but with a touch of illicit intrigue.” Many of Telegram’s Russian drug bloggers are most likely sponsored by new darknet drug shops. They often wear clothes with shop logos and publish price lists and post links.

As with the slaying by the DEA in 2013 of the first giant darknet market, Silk Road, the shutting down of Hydra has again completely failed to put a stop to an online method of buying drugs that, like its analogue street equivalent, appears to be super-adaptable, resourceful, and around for good.

No comments: