This investigation was prompted by a tip submitted to me anonymously by a reader and focuses on two IP addresses seemingly associated with the Russian darknet market Hydra – one of which IPs appears to allow to connect to Hydra directly.
2606:4700:3033::ac43:b8c6
51.68.122.44
The first one is an IPv6 address belonging to Cloudflare, with the following websites associated with it:
- www.proventhatjsh811[.]us – domain linked to spam distribution [source];
- vipsub.shjur[.]comĀ – domain linked to malware and malicious activity [source];
- karamanescortlar[.]comĀ
- mindfulnesstickets[.]com
- vipclass90[.]tk
- www.downloadroms[.]io
- hydra2web[.]cam – domain displaying a captcha and redirecting to what appears like a clearnet link to a mirror of Hydra DNM – http://hydraruzxpnew4af.onion/. However, note that the valid .onion address only appears in the link description in your browser tab and not in the URL field (which it should if a redirect was taking place). This does appear suspicious…
After connecting to https://www.hydra2web[.]cam/register/ through the Tor browser I was able to register several new accounts, but ultimately I could not log into the service with any of the freshly created credentials due to captcha not matching or the site “being busy”.
Interestingly, the subdomain for this website contains an admin login panel – not something one frequently encounters with real darknet marketplaces:
I reverted back to passive reconnaissance and took note of the fact that the above domain featured in some of the malicious files recently scanned by VirusTotal.
I used the passive DNS replication data to look at IP addresses that this domain previously resolved to, which brings us to the second IP address: 51.68.122.44.
I started by looking at this IP through Censys. Indeed, it belongs to the French hosting company OVH.
The first thing that drew my attention was the Apache server that was hosting a page with an unambiguous name: HYDRA Tor DarkNet 2021 | hydraruzxpnew4af onion.
… or was it?
To cross reference this finding I switched to Shodan and looked at the raw data for 51.68.122.44.
A couple of observations:
- There is a serious amount of unpatched vulnerabilities for the version of Apache server present on that IP address. Some as old as 2018.
- The source code contains a significant amount of keywords associated with Hydra, both in English and in Russian. Is it in case somebody was not convinced this was a genuine Hydra page?
- The SSL certificate is associated with a burner email address: eddiffebag-1288@yopmail[.]com (YOPmail is a free disposable email account provider). The SSL cert appears misconfigured.
- The actual URL associated with this IP address is: https://hydraruzxpnew4af-onion[.]legal/ – (yes, not .onion but .legal). This is a clearnet top level domain.
- I found another link to a sitemap: https://hydraruzxpnew4af-onion[.]legal/sitemap[.]xml. This page shows a decent number of what appear to be static links for products and profiles with timestamped creation dates going back to 2019 and 2020. Same unchanged links to illegal goods hanging on Hydra for over 2 years, you might ask?
Connecting to the site through the above .legal clearnet link or directly through the IP address bring us to the exact same landing page as the one screenshot above. The page looks identical as the Hydra darknet page accessible through http://hydraruzxpnew4af.onion/.
The obvious differences being:
- No security certificate, so http connection only.
- You can’t log into the bloody thing and proceed further, no matter how many times you try.
Conclusions
After the initial excitement of being onto something I realised that this was not a genuine mirror for the infamous Hydra darknet market and that neither of the IP addresses I looked into appear related to the real Hydra.
I can offer two the most plausible explanations, at least in my opinion:
- This is a phishing scam, targeting the less technical users of Hydra (although I think that you would have to try really hard to ignore several red flags and provide real login credentials to those sites).
- This is a honeytrap or a dummy server created for the purpose of pentesting practice (but I can’t be sure of that, so don’t try hacking into it by exploiting some of its vulnerabilities – doing so without an explicit permission from the owner might still be illegal).
To finish off: I want to say I’m really grateful for this reader tip and want to say that suggestions and tips from readers are always welcome. Nearly every single one of you people who contacted me have given me a lot of good ideas for content here.
So please, keep the messages coming.
Reach out via DM on Twitter or email me on mattaios@protonmail.com.