
Ep. 31: Seagulls in the park

DINA TEMPLE-RASTON: A few years ago, this flashy ad started making the rounds on
Russian YouTube…

RUSSIAN AD: They say laughter prolongs life.

TEMPLE-RASTON: They say laughter prolongs life, it begins.

And there’s a picture of a happy looking guy in his thirties, all tousled hair and perfectly
trimmed beard.

And then an animated cloud appears over his head, one of those thought balloons from the
cartoons, and in it pops two things: some joints and a pile of weed.

Seconds later, there’s a photograph of him grinning ear-to-ear and giving a big thumbs up.

RUSSIAN AD: …the widest range of goods and services…

TEMPLE-RASTON: Snoop Dogg appears next to him doing the same.

RUSSIAN AD: …will not leave you indifferent. Go to hydra.

PATRICK SHORTIS: It's a very short advert, but it's, I think it's really beautifully made and
you don't really need to speak Russian to understand what it's advertising.

TEMPLE-RASTON: That’s Patrick Shortis, a darknet market expert.

And he says what it’s advertising — out in the open — is drugs.

The ad was part of a marketing blitz for a Russian darknet market called Hydra.

And it isn’t just any market, Hydra was the largest Russian-language darknet marketplace
in the world. It trafficked in illegal drugs.

RUSSIAN AD: Marijuana, cocaine, LSD….


TEMPLE-RASTON: And you may be thinking to yourself, darknet markets running ads on
YouTube?

How does that work?

Aren’t drug markets on the darkweb supposed to be secretive?

And you’d be right. That’s how these markets used to be, before Hydra changed everything.

[MUSIC]

TEMPLE-RASTON: I’m Dina Temple-Raston and this is Click Here, a podcast about the world
of cyber and intelligence.

Today, we pull back the curtain on Hydra, the biggest and longest-lived darknet market the
world has ever known.

It professionalized the illicit marketplace with things like codes of conduct, sophisticated
distribution systems and quality control.

It isn’t an exaggeration to say Hydra revolutionized the enterprise, making it something
completely unexpected: reliable.

So when authorities took its servers down last spring, it left people wondering: who or what
could possibly replace it?

Stay with us.

[MUSIC]

TEMPLE-RASTON: Hydra’s claim to fame is that it worked out novel approaches to solve
common dark market problems, like people taking money but not delivering any drugs, or
getting swept up in a police sting operation.

SHORTIS: There is a lot of work right now within the Russian darknet to professionalize.

TEMPLE-RASTON: That’s Patrick Shortis. He’s a PhD candidate at University of Manchester.
He’s a criminologist studying dark markets, and his area of focus has been Hydra.

SHORTIS: To improve, improve their knowledge of what to do when a policeman starts
driving down the other way.

TEMPLE-RASTON: One of the clever things Hydra’s administrators have done to avoid that is
set up a very creative last mile delivery system.

Dead drops have been around for a while. Hydra made it one better.

Instead of having to buy some illegal drugs on the darkweb and then waiting for a vendor to
go out and come back and then send you the dead drop address.

Hydra’s innovation was to pre-position things.

SHORTIS: What Hydra did was the invention of auto ships or instant, uh, treasures as, as it's
also referred to, um, what this means is that as a drug dealer, I can go out, I can drop, um,
deliveries of drugs all across the cities. And then I can come back and all the time I've been
working each, um, location that's uploaded to the site is instantly available for sale.

TEMPLE-RASTON: Like Amazon lockers all over Moscow and St. Petersburg that you just
have to drive to and unlock.

You send the money, they tell you where to go. Immediately, without having to wait.

SHORTIS: There are thousands and thousands of packages of drugs strewn across the city,
waiting for someone to purchase their location and pick them up.

TEMPLE-RASTON: Someone like this guy.

[MUSIC]

NIKO VOROBYOV: So, hi. I'm Niko Vorobyov. Ugh. I’m a narcotics connoisseur.

TEMPLE-RASTON: Niko was traveling when we caught up to him. The internet was bad so we
made do with a cell phone connection.

VOROBYOV: I'm on my phone. Not too much battery left cuz you know, I haven't been at the
house till now.

TEMPLE-RASTON: Niko is kind of an expert in all things drug trade.

He wrote a pretty good book a few years ago. It was called Dopeworld.

He used to live in Moscow and he told us about a time when he found himself in a famous
Moscow park to, well, pick up a little something from Hydra.

VOROBYOV: So there was a couple of us, like there was me, this girl and these two other
guys who were quite experienced with this sort of thing.

TEMPLE-RASTON: This sort of thing, he means buying drugs in Russia.

VOROBYOV: You get the coordinates and you also get sent these pictures with like these
terribly drawn arrows in Microsoft Paint, showing you where exactly like which tree or which
bench or which bin or which pipe they've hidden the stuff in. And then off you go.

TEMPLE-RASTON: Off you go on a treasure hunt.

[MUSIC]

VOROBYOV: So, we had to ride like a tram all the way to this park, and actually got to the
park. And it was like going up and down hills.

TEMPLE-RASTON: He was in Golosov Ravine. It's a park about a half hour tram ride away
from the center of Moscow.

VOROBYOV: With a little, with a little river running through it. There's a bunch of old
churches as well. Old Orthodox churches on the hill.

TEMPLE-RASTON: And he and two of his compatriots are in search of a package. They’re
looking for a particular tree.

VOROBYOV: The packet is actually buried, like on a little bit under the tree.
We’re standing by this tree, picking up bits of dead wood around this and just digging
frantically around this tree, trying to find it. It took us a while to dig like five or ten minutes.
All while this girl is standing on guard.

TEMPLE-RASTON: She’s watching for cops.

VOROBYOV: But yeah we found it in the end.

TEMPLE-RASTON: It takes them about 20 minutes to unearth what they’re looking for: a
small package of weed carefully swaddled in cling wrap.

VOROBYOV: We opened it up to make sure it was the real deal, cuz sometimes, you know,
sometimes there's a risk that you find something and it's actually like another package for
someone else.

TEMPLE-RASTON: That’s right. There are so many Hydra drops in Moscow and St.
Petersburg, and so many people hiding them that you can accidentally find the wrong thing.

VOROBYOV: If you're walking along, uh, path something, you see some snow tracks going in
an odd direction. Like, and if you keep doing that enough, like eventually you're gonna find
something because like, this is the standard way of hiding drugs in Russia.

TEMPLE-RASTON: There’s a whole vocabulary around this.

Patrick says someone who digs up and steals drugs that don’t belong to them is called a
seagull, like the bird.

SHORTIS: And when I asked a Russian friend, you know, is this actually the word Seagull?
They said, yes, yes. And I was like, so why do they call them that? And he said, because like
the seagull, they steal the chips from your mouth. And I was just like, okay, that's good
phrase.

TEMPLE-RASTON: Niko, our friend in the park said he may have been seagull’ed, if that can
be a verb.

And you might be surprised how it ended up.

VOROBYOV: Me and these Armenian guys, uh, tried to buy some cocaine and actually we
couldn't find the cocaine. And the dealer on Hydra gave us our money back cuz the cocaine
wasn’t there. So like that goes back to your question before, what happens if you find
something that's not yours? Well, this is what happens: Me and a couple of idiots waste like
20 minutes digging around the back of a parking lot.

TEMPLE-RASTON: Hydra responded the way any good business would. They made Niko, the
customer, happy. They got their money back.

[MUSIC]

TEMPLE-RASTON: So there’s a little dark web zeitgeist that Hydra has bought into, the use
of pirate language.

SHORTIS: In Hydra your drop is called your treasure, your klad. The person who drops it,
they’re called Kladmen and often they are women as well though. So you shouldn't really be
such a gendered term.

TEMPLE-RASTON: There are “master treasures” – which are large stashes of drugs, and
“warehousemen” who distribute the drugs to the Kladmen.

Who, it turns out, can actually go to Kladman School.

That’s a real thing.

SHORTIS: It's training school for droppers or various other services.

TEMPLE-RASTON: The vendors on Hydra were all independent, like they are on Amazon.
They pay a fee to have their shops on Hydra and they have to figure out how to get the
goods to their customers.

So they tend to hire local people. People who would naturally know where a really good
hiding spot would be.

And because treasures are such an integral part of what Hydra does, it trains people to do it
right.

They literally have training videos for drug drops.

SHORTIS: They would put you through a program and teach you how to make these drops
or treasures as they call them. And then, by the end of the program, you are then placed
with one of the top vendor groups or, or vendor networks on Hydra, so you have a
guaranteed job afterwards.

TEMPLE-RASTON: It’s like a career move.

[MUSIC]

TEMPLE-RASTON: Hydra also went next level on customer service. They don’t just provide
refunds, they actually guarantee quality.

It actually set up a testing service.

They do a random drug buy from the site, and then have a real chemist actually analyze the
drugs to see if they’re really what the vendor says they are.

They weigh them too to see if a vendor is being honest or shorting his customers.

And this isn’t something they just do internally. They actually write these vendors and their
shops up with ratings and reviews. And they kick people off the site who don’t meet their
standards.

And if you’re having some unusual reaction to whatever you bought from Hydra, they have
a solution for that, too.

SHORTIS: Hydra had its own health service where you were able to speak to a doctor, or get
general advice about safe use of drugs or in an emergency it had a Telegram chat bot that
was used to triage, uh, people to see, you know, how serious the emergency was.

TEMPLE-RASTON: Aleksey Lakhov knows about this first hand.

ALEKSEY LAKHOV: I talked to a doctor, a substance abuse specialist from Hydra. He seemed
a true professional to me.

TEMPLE-RASTON: And it is a little funny because Aleksey is a substance abuse specialist. He
runs something called the Drug Map Project in St. Petersburg, Russia. And it never really
occurred to him that he’d end up working side by side with administrators from Russia’s
largest darknet drug site.

LAKHOV: When we found out about this darknet marketplace, we decided to contact them in
order to disseminate, uh, some harm reduction information, uh, to disseminate, uh, uh,
some information on our services.

TEMPLE-RASTON: He got in touch with Hydra admins and worked out a deal.

They said he could post information about the Drug Map Project and harm reduction right
there on the site.

LAKHOV: They even promoted us a little bit.

TEMPLE-RASTON: Were you surprised by that?

LAKHOV: Uh, at first I was surprised, but then I, uh, thought, uh, a little bit more about it
and I understood that they wanted their clients to be as healthy, uh, as possible and as long
as possible. [LAUGHS]

TEMPLE-RASTON: Because then they still buy drugs.

LAKHOV: Yeah, yeah. Definitely.

TEMPLE-RASTON: So in a weird way, did Hydra actually help save some lives?

LAKHOV: Yes, I believe so.

TEMPLE-RASTON: Just to be clear, this isn’t really benevolence, this is business.

[MUSIC]

TEMPLE-RASTON: So if you think about what it takes to do all that.

Media strategies, dead drops, kladmen training, customer service, quality assurance,
lawyers and doctors on staff.

This isn’t something that a shoestring operation would do, which is exactly the point.

Hydra isn’t a fly-by-night, shoestring operation.


Successful darknet markets in the West pull down — if they’re lucky — tens of millions of
dollars in commissions and subscription fees.

And typically they stay open for about two years before police shut them down.

Hydra? It was pulling down BILLIONS and managed to keep its virtual doors open for seven
years.

When we come back, Hydra expands its universe and then the authorities finally move in
and take it down.

Which made dark market scholars like Patrick, well, a little sad.

SHORTIS: At the time I had just actually ended a relationship, and I was speaking to my
mom that evening and she said, um, you know, are you okay? And I was just like, no, I'm
not. And she was like, oh, you're still thinking about, you know, your ex-girlfriend. And I was
also like, no, no, no. I'm, I'm really upset Hydra is closing.

TEMPLE-RASTON: Patrick’s Ph.D. research just got a lot harder.

Stay with us.

[BREAK]

TEMPLE-RASTON: In some ways it was probably inevitable that Hydra would diversify.

Why stop at drug dealing when Russian-speaking customers were clamoring to use your
network to launder crypto currencies or buy stolen financial information and forged
documents?

And they were good at it.

The Justice Department says eighty percent of all dark web-market cryptocurrency
transactions from last year passed through Hydra. Eighty percent.

KIM GRAUER: Hydra is kind of like the heart. It’s like the lifeblood of these illicit networks.

TEMPLE-RASTON: Kim Grauer is the director of research at Chainalysis.


It provides compliance and investigation software to financial institutions and governments
so they can track crypto currency transactions.

And a lot of her investigations led back to Hydra.

GRAUER: We’ve been tracking Hydra for years. It’s doing more than selling drugs at this
point. At this point, it's doing money laundering. It's involved in ransomware attacks.

TEMPLE-RASTON: Kim said some $2 billion worth of crypto was laundered by Hydra last year
alone.

And 2022 was looking like another banner year as they became the launderer and mixer of
choice for Russian cyber criminals and other Russian-speakers trying to move big money.

People, say, paying for the upkeep of their super yachts and their mistress’ apartment in
Paris.

TEMPLE-RASTON: Sort of like the Swiss bank of crypto?

GRAUER: Yeah. These networks are really good at moving large quantities of money for high
net worth individuals in a way that doesn’t attract international attention, it does it in a kind
of quiet way.

TEMPLE-RASTON: Hydra did all this by building on the system they’d already created.

It involves two parties agreeing to exchange something for a particular price.

It can be a crypto-to-crypto trade – I will trade you this many Bitcoin for this much
Ethereum, for example.

Or, not so hypothetically speaking, I’ll trade you rubles for crypto or crypto for rubles. It was
like a drug deal without the drugs.

GRAUER: They also don't ask a lot of questions at times about who. Who the people are that
they're receiving funds from.

TEMPLE-RASTON: And that is it's exactly like a Swiss bank.


GRAUER: Yeah, exactly.

TEMPLE-RASTON: In a way.

GRAUER: In a way, right. In a way. So in a way, and they do it and they, they will take five, 10
percent off of, uh, of fee. Uh, that's the price of not asking questions.

TEMPLE-RASTON: And, not so coincidentally, after Russia invaded Ukraine in February,
Hydra was starting to convert a lot of rubles into crypto and the other way around.

Until this happened.

NEWSCASTER: US and German officials seize the world’s largest and most prominent
darknet market.

TEMPLE-RASTON: In April, working with U.S. law enforcement, the German federal police
office took down Hydra servers and some $25 million dollars in Bitcoin.

And now there is a name and a face connected to the marketplace.

The man allegedly behind Hydra, or who at least managed its servers, is Russian, 30-year-old
Dmitry Pavlov.

Russian police say they’ve arrested him and he’s in a Moscow prison now…

[MUSIC]

TEMPLE-RASTON: Which begs the question: now what? Who or what is going to pick up
where Hydra left off?

And Niko, the guy who wrote Dopeworld, says Hydra won’t easily be replaced.

Remember it was a billion dollar business that involved hundreds of people working
together to make things happen.

And now they have all been scattered to the wind.


VOROBYOV: Now there's like, um, three or four websites, uh, fighting, like competing
between each other for the, for a monopoly. One of them was called like OMG, OMG, OMG.

[MUSIC]

TEMPLE-RASTON: This is from an OMG ad.

VOROBYOV: This is gonna take a while to get, to get running. These, um, these doctors, like
the doctors that they had or neurologists, psychiatrists, whoever they had on their
payroll… nobody really knows each other in real life.

TEMPLE-RASTON: Right.

VOROBYOV: So I think it's gonna, I think it'll, I think it'll eventually come back, but it's gonna
take a while for all the relevant people to find each other in the, in the wilds of the internet.

TEMPLE-RASTON: This is Click Here.

[MUSIC]

Here are some of the top cyber and intelligence stories from the past week:

FBI and French cyber officials have traveled to Montenegro to help mitigate a massive
ransomware attack the country suffered last week. Among other things, the southern
European nation’s government-run transportation services and water and electricity
systems have been infected. Montenegro government officials called it the “most serious
challenge that Montenegro has faced in cyberspace so far.”

Experts from the French Agency for Information Systems Security and the FBI’s Cyber
Action Team are now in the country and Montenegro officials say that hackers associated
with the Cuba ransomware group used a combination of ransomware and denial of service
attacks to freeze up government agencies and critical infrastructure. The group is thought
to have some Russian members.

Researchers from the University of Cambridge and the University of Edinburgh, among
others, have found that the onslaught of cyber attacks experts expected to come in the
aftermath of the Russian invasion of Ukraine hasn’t been that bad. After analyzing global
cyber attacks from the two months before and four months after the invasion they found
that Russia was the first nation to be attacked at scale, and Ukraine was in the crosshairs of
cyber attacks a few days later. The wave of attacks lasted around two weeks before they
returned to pre-war levels. The researchers said most of the attacks looked to be the work
of low-level criminals doing a lot of DDoS operations.

And finally, one of the NFL’s most popular franchises and my hometown team – the San
Francisco 49ers – began sending out breach notification letters last week. They say that
the BlackByte ransomware gang attacked the team’s systems the week before Super Bowl
Sunday and snagged personal information from inside the Niners operation. And may have
compromised information from a handful of fans too. The breach lasted six days. Where’s
Joe Montana when you need him?

TEMPLE-RASTON: Click Here is a production of The Record by Recorded Future. I’m Dina
Temple-Raston, your host, writer, and executive producer. Sean Powers is our senior
producer and marketing director, and Will Jarvis is our producer and helps with the writing.
Karen Duffin and Lu Olkowski are our editors. Darren Akron is our fact checker, and Ben
Levingston composes our original music, and other music is from Blue Dot Sessions. Kendra
Hanna is our intern.

And a special thanks to you all. Click Here is now one of the top three tech-news podcasts in
America.

And we want to hear from you. Please leave us a review and rating wherever you get your
podcasts. And you can connect with us at “ClickHereShow dot com.”

We’ll be back on Tuesday.
