Hostile Takeover: Kraken Hacks Rival Darknet Market Solaris

Since Hydra Market Got Shuttered by Police, Russian Rivals Battle for Market Share
Hostile Takeover: Kraken Hacks Rival Darknet Market Solaris
Some of the 3,480 virtual shops at now-defunct darknet drug market Solaris (Image: Resecurity)

Competition between Russian-language darknet markets remains fierce following the takedown of market leader Hydra last April by a multinational law enforcement operation.

See Also: Value Drivers for an ASM Program

At stake is market share that can add up to billions of dollars for whichever platform is able to facilitate the flow of everything from illegal drugs and malware to fake ID and stolen payment card data. Hydra alone earned more than $1.3 billion in 2020, due in part to money laundering services it offered.

Rivalry promises to be intense - if the latest development with darknet market Solaris, which controlled an estimated 25% of the darknet drug trade, is anything to go by. Last week, it experienced the dark web equivalent of a hostile takeover: It got hacked.

Relative newcomer Kraken - no affiliation with the legitimate cryptocurrency exchange of the same name - claims Solaris' poor "operational security" made it easy to hack in the space of just 72 hours, reports blockchain intelligence firm Elliptic.

On Jan. 13, Solaris users attempting to access the market "were met with a redirect to Kraken, with a notice announcing that it had successfully taken over Solaris' cyber infrastructure, GitLab repository and project sources," reports Eray Arda Akartuna, a senior crypto threat analyst at Elliptic. "Many Kraken-affiliated vendor groups on the WayAway Forum" - affiliated with Kraken - "have been vying to recruit former Solaris vendors of illicit goods and services."

In retrospect, the writing was on the wall for Solaris on multiple fronts.

Solaris attempted late last year to shut out competition by telling its 3,480 virtual shop owners that it would blacklist anyone who also sold on WayAway and Kraken, cybersecurity firm Resecurity reported. A subsequent "enemies of Solaris" list added rival markets OMG!OMG! and Rutor to the banned list, presaging some type of showdown.

Ties With KillNet

Solaris' troubles also stem indirectly from its association with hacktivist group KillNet, which launched at the beginning of 2022 and has been tied to pro-Kremlin distributed denial-of-service attacks.

KillNet has been tied to 84 known attacks, reports CyberPeace Institute, an independent and neutral nongovernmental organization. Targets have included the EU Parliament, U.S. airport websites, Ukraine and its allies and even the Eurovision song contest.

But KillNet also appears to have gone after the Rutor drug market on behalf of Solaris, ZeroFox Intelligence reported last October.

"KillNet attacks Solaris' competitors, and Solaris most likely pays KillNet for the services provided," ZeroFox said. Attempting to spin its actions, at various times KillNet has claimed Rutor was being run by Ukraine's Security Service, the SBU - a completely unsubstantiated claim - and also that it was targeting Rutor for selling illegal drugs to Russians. "KillNet has also claimed that 50% of the revenue it received from the Rutor admin was sent to help orphanages in the Russian Federation," ZeroFox said. Evidence to support that claim hasn't been published.

There's more than anecdotal evidence of ties between the two groups. Elliptic reports that bitcoin funds worth more than $44,000 have flowed from Solaris to KillNet's wallets, apparently for DDoS attacks.

Last October, KillNet publicly thanked Solaris for its "huge support." That remark came when Russian government propaganda outlet RT interviewed the founder of KillNet, who goes by "Killmilk."

Killmilk said of Solaris: "I don't know where they are from, but I've known these professionals for a long time. Thanks for their attention to us, KillNet is moving full steam ahead."

KillNet Suffers Infiltration

The connections between KillNet and Solaris drove Wisconsin-based cybersecurity expert Alex Holden, a Ukrainian who left Kyiv in his teens, to try and disrupt the darknet market. Holden says he successfully infiltrated Solaris last summer and began looking for weaknesses, to gain access to administrator-only parts of its infrastructure (see: During a War, Cyber Intel Firm Opens Ukraine Office).

Last month, Holden made his first public move against Solaris, when he used his access to divert 1.6 bitcoins - then worth about $25,000 - from a wallet owned by the darknet market's operators. He sent the bitcoin to a Ukrainian humanitarian aid charity called Enjoying Life, together with $8,000 of his own money, Forbes first reported.

"We are proud of another great step in our fight with cybercrime and KillNet," Hold Security tweeted last month. "Via insider access Russian drug platform - Solaris, we were able to get most of their data. We were also able to divert money from the drug proceeds to a charity in Ukraine."

In response, Solaris administrators "took down much of its infrastructure" for what they claimed would be "a major upgrade," Hold Security says. "They did their best to deny the Forbes story - except for the money transfer - assuring their customers that their new version would be bigger and better. This was all a lie."

To further highlight connections between KillNet and its darknet drug market partner, as well as "to call attention to its still vulnerable platform," on Jan. 12 Holden dumped extensive amounts of data he'd gathered from infiltrating Solaris.

The dumped data includes server deployment scripts and SSH keys, Onion Hidden Service Keys for its Tor-based sites, source code for the "AntiDDoS Solaris Guard system," SQL databases for a number of shops with cryptocurrency wallet information excised, and a MongoDB data dump containing public and private communications from the market, he says.

Then Solaris was taken over by Kraken, which claimed its three-day hack attack - culminating just 22 days after the Forbes report came out - had gone unnoticed by Solaris administrators, Elliptic reports.

The December 2022 revelations that Solaris' systems had been breached by a cybersecurity researcher no doubt led rivals to probe the market's systems themselves for exploitable vulnerabilities, the better to seize its market share, Elliptic's Akartuna says.

Solaris' disappearance is a reminder that all seems to remain fair not just in love and war, but also in Russian-language darknet market rivalries.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.com, you agree to our use of cookies.