OFAC Names ‘Hydra’ – Largest Darknet Market – and Russia’s Third Virtual Currency Exchange | Ballard Spahr LLP

On April 5, 2022, the Office of Foreign Assets Control (“OFAC”) of the United States Department of the Treasury announced sanctions against “the world’s largest and most important darknet market, Hydra Market” and Garantex, a virtual currency exchange registered in Estonia but operating in Moscow and St. Petersburg, Russia. The sanctions are part of a broader initiative targeting Russian cybercrime that spans multiple federal departments – including the US Department of Justice, Federal Bureau of Investigation, Drug Enforcement Administration, Internal Revenue Service Criminal Investigation and Homeland Security Investigations – and international partners, including the German Federal Criminal Police and the Estonian Financial Intelligence Unit. The designations follow the September and November sanctions against SUEX OTC, S.R.O. and CHATEX, two virtual currency exchanges operating out of Moscow that allegedly facilitated transactions for ransomware actors. SUEX was the first virtual currency exchange subject to OFAC sanctions (and the subject of a previous post).
Although seemingly focused on closing another avenue for ransomware vendors to profit from their wares, the sanctions may also cut off other types of cybercriminals who have found “safe haven” in Russia and used Hydra or Garantex.
Darknets and ransomware
A darknet is an “internet-based network” accessible only through special software. Darknets provide anonymity to their users. Marketplaces operating on darknets often offer illegal goods and services and facilitate payment almost exclusively through virtual currency. For example, in 2015, the U.S. Attorney’s Office for the Southern District of New York successfully convicted Ross Ulbricht, the creator and alleged owner of Silk Road (a darknet market), on a number of criminal charges (including money laundering). Silk Road sold everything from illegal drugs to fake IDs and hacking services. At the time, $1 million worth of Bitcoin had been seized. Some darknet marketplaces now facilitate the sale of “ransomware-as-a-service” (“RaaS”), whereby ransomware developers sell or license their ransomware to others.
As we have blogged previously, ransomware has been a top priority for OFAC and the Financial Crimes Enforcement Network (“FinCEN”). OFAC has recently focused on providing guidance to the virtual currency industry on how to manage sanctions risk, and FinCEN has noted a concerning increase in suspicious activity reports (“SARs”) related to ransomware. It appears that OFAC has continued to focus not only on suspected cybercriminals, but also on the entities that enable cybercriminals to profit from their activities and launder the proceeds. This focus is evident in the designation of Hydra and Garantex.
Hydra
Hydra, launched in 2015, is the “largest Russian darknet market”. The goods and services offered range from ransomware and hacking services to stolen personal information, counterfeit currency and illicit drugs. Buyers typically paid in virtual currency. Hydra’s revenue increased significantly from 2016 to 2020, from $10 million to $1.3 billion. A Department of Justice press release estimated that the market had received around $5.2 billion in cryptocurrency since 2015. OFAC determined that this growth was “enabled by Hydra’s association with Russian illicit finance.”
According to the DOJ, Hydra’s “suppliers” “offered a wide range of money laundering and so-called ‘cash-out’ services” as well as an “in-house mixing service”. These services allowed users to convert virtual currency into cash or to obscure the source of virtual currency linked to illicit activity. The DOJ reports that “Hydra’s money laundering features were in such high demand that some users created fictitious vendor accounts for the express purpose of funneling money through Hydra’s bitcoin wallets as a laundering technique.”
OFAC also determined that Hydra served as a major market for stolen Bitcoin and a hub for the proceeds of ransomware attacks, including the Ryuk, Sodinokibi and Conti ransomware variants. OFAC calculated that approximately $8 million in ransomware proceeds passed through Hydra and that 86% of all Bitcoin stolen from Russian exchanges was sold on Hydra.
Following a coordinated international effort, Hydra’s servers in Germany were shut down and approximately $25 million in Bitcoin was seized. According to Elliptic, a blockchain analytics company, this appears to mark the downfall of the leading darknet market. Elliptic’s estimates show that Hydra facilitated well over $100 million more in Bitcoin transactions per month than the second-largest darknet market. The Department of Justice also announced criminal charges against Dmitry Olegovich Pavlov, a Russian resident, for conspiracy to distribute narcotics and launder money by allegedly administering the hosting of Hydra’s servers, thereby providing “the critical infrastructure that enabled Hydra to thrive in a competitive darknet market environment”.
Garantex
Garantex, founded in 2019, is a virtual currency exchange operating out of Moscow and St. Petersburg that was previously licensed in Estonia. OFAC believes some of its operations were carried out at the Federation Tower in Moscow, the same location where SUEX and CHATEX allegedly operated. OFAC estimates that approximately $100 million of transactions on Garantex were linked to illicit actors and darknet markets. Of that $100 million, OFAC connected $6 million to the “Russian RaaS gang Conti” and $2.6 million to Hydra.
Although Garantex is still in operation, Estonia’s Financial Intelligence Unit (in coordination with the US Treasury Department) revoked its license after finding “critical AML/CFT deficiencies” and that its “wallets were being used for criminal activity”. OFAC says Garantex “continues to provide service to customers through unscrupulous means.”
Highlighting the importance of AML to the virtual currency industry, the Treasury Department press release states:
Russia is a paradise for cybercriminals. Today’s action against Hydra and Garantex builds on recent sanctions against virtual currency exchanges SUEX and CHATEX. . . . The Treasury is committed to taking action against players who, like Hydra and Garantex, deliberately ignore Anti-Money Laundering and Counter-Terrorist Financing (AML/CFT) obligations and allow their systems to be abused by illicit actors. The willful disregard of regulations and compliance by those who operate virtual currency exchanges will be rigorously investigated and, if found, the perpetrators will be held accountable. Additionally, the United States urges the international community to effectively implement international AML/CFT standards in the area of virtual currencies, particularly with respect to virtual currency exchanges. The virtual currency industry has a critical role to play in implementing appropriate AML/CFT controls and sanctions to prevent sanctioned persons and other illicit actors from exploiting virtual currencies to breach the security of the United States and our partners.
Sanctions
Hydra and Garantex have been designated by OFAC. OFAC’s Specially Designated Nationals List (the “SDN List”) has also been updated with over 100 new virtual currency wallet addresses. While a few of these addresses relate to Garantex, the vast majority relate to Hydra. According to OFAC, these addresses have been linked to “illegal transactions”.
It is unclear whether these sanctions fall under the whole-of-government approach to ransomware announced by the White House on October 13, 2021, or whether they are related in any way to the sanctions stemming from Russia’s invasion of Ukraine. Whether explicitly tied to either or not, these sanctions limit opportunities for illicit actors to profit from illicit activities through virtual currencies. They also deal a blow to the world’s largest darknet market and a third Russian virtual currency exchange. Both allowed users to convert virtual currency to fiat (and vice versa) and potentially to move funds outside of Russia and evade EU and US sanctions.