Russians on the Darknet Part II: Marketplaces & Forums

Today, 6:29 pm
Posted by dkptory638
In our previous Russian darknet-focused blog post, we discussed some of the tools and techniques the Russians were discussing and using in offensive cyber operations against US and international organizations. Russian criminals are also notorious for selling malicious software (i.e., digital goods) on darknet marketplaces that could be used in an attack against government and corporate networks and infrastructure, as well as e-mail lists for phishing, along with a myriad of illegal drugs and counterfeit goods.

A Historical Look Back

Russia’s presence on the Tor network is best known for the historical darknet forum and marketplace RAMP (Russian Anonymous Marketplace), which was reportedly seized last July after a surprising effort by the Russian Ministry of Internal Affairs, which historically has turned a blind eye to online crimes.

Coincidentally, the RAMP marketplace, active since September 2012, shut down around the same time as international authorities conducted Operation Bayonet, shutting down key centralized Tor marketplaces AlphaBay and Hansa, amid concerns about law enforcement’s possible use of denial-of-service attacks to expose the real IP address of the marketplace.

What Happened to the RAMP Community?
Similar to the aftereffects of shutting down AlphaBay and Hansa, the RAMP marketplace closure caused little disturbance to the Russian segment of darknet cryptomarkets. RAMP vendors successfully shifted to other key marketplaces, while a hidden service called Consortium attempted to create an "ex-RAMP Verified Vendor Community" specifically for reconnecting with known verified RAMP vendors. DarkOwl Vision has successfully archived over 9,000 results from Consortium’s hidden service domains. Consortium was formed in late 2017, shortly after the RAMP marketplace closure, and was active through May 2018. The Consortium hidden service featured 15,000 users, including more than 100 verified RAMP dealers who confirmed their identity with a PGP key. This archive provides an excellent investigative reference database for prominent darknet vendors and their aliases.


DarkOwl Vision Screenshot from Consortium Hidden Service Archive

When RAMP disappeared, the legendary Russian marketplace Hydra witnessed an increase in user registrations and vendor activity, while a near clone of RAMP, called MEGA, surfaced only earlier this year.

Hydra has been an active darknet marketplace catering to the Russian Tor community since the Silk Road days. It resurfaced with a new Tor URL in the summer of 2016, less than two years after law enforcement claimed it had arrested and charged the 26-year-old market admin and Hungarian resident in November 2014 as part of Operation Onymous. Hydra is a centralized marketplace featuring many individual vendor shops similar to RAMP, with offerings including drugs, digital goods, and even mobile phone SIM cards.

Hydra prefers serious Russian drug vendors, only allowing sellers who are willing to pay "rent" for their shops and requiring a monthly payment of over $100 USD for use of the service. This reduces the likelihood of vendors who are actually scammers or law enforcement utilizing the site for entrapment and exploitation.


MEGA has a wide range of illicit drug offerings in its market catalog, with items ranging from marijuana to opiates and delivery across the East Slavic-language countries of Russia, Ukraine, and Belarus. Similar to other anonymous centralized markets, MEGA also supports vendors selling digital goods such as databases, carding- and counterfeit-related products, and ready-to-use hacking software. MEGA features a hidden service layout very similar to RAMP, with over 200 links to unique vendor shops from the landing page, and many of the same drug vendors that once traded on RAMP also advertise on MEGA.

For example, one drug vendor on MEGA who uses the moniker Aeroflot openly states in their MEGA vendor profile that they were also active on RAMP.