Russia’s Darknet Criminals Have Novel Crypto Cash-Out System: ‘Buried Treasure’

By: Ian Allison

Cybercriminals in Russia are going to extreme lengths to untraceably cash out cryptocurrency: The word used in online ads is “клад,” literally “buried treasure.”  

Cashing out crypto on Hydra, the sprawling Russian darknet marketplace, has evolved to include services that offer to hide large volumes of physical cash at a specified location, where the cash can be retrieved by the customer.

Ransomware, darknet markets and exchange thefts generate large volumes of cryptocurrencies such as bitcoin. The criminals behind this activity, however, face a challenge in terms of how to remove any link to identity when turning the proceeds into cash. Darknet users that are proficient in laundering crypto are willing to provide fiat off-ramps for a fee, according to new research from blockchain analytics firm Elliptic.

Russia’s illicit treasure hunts are not an entirely novel idea. The physical exchange of rubles for crypto using a GPS location is adapted from Hydra’s very sophisticated drug selling and delivery methods, which work like a secret gig economy based on reputation, courier vetting, potency testing and so on.

Hydra’s army of illicit sellers and buyers sometimes handle a bitcoin payment by topping up a prepaid debit card, or sending rubles to an online wallet service or bank account. But burying cash is increasingly seen as a fail-safe fiat off-ramp for criminals looking to avoid the long arm of cybercops (and analytics firms like Elliptic working on their behalf).

“It’s an interesting way of cashing out that people are starting to use,” Elliptic CEO Tom Robinson said in an interview. “It’s difficult to do at scale and requires that you are in Russia, but that’s where a lot of Hydra users are based.”

Outrunning AML

In the early days, when many crypto exchanges were not checking the provenance of customers closely and blockchain analytics tools were in their infancy, cashing in cryptocurrency proceeds of crime was less of a challenge.

The situation today, with global anti-money laundering (AML) regulators armed with blockchain sleuthing tools to trace and screen transactions, is dramatically different, said Robinson.

The darknet listing above advertises a service where, in return for a cryptocurrency payment, the vendor will bury vacuum-packed physical cash “5-20 cm under the ground.” (All drugs and cash are vacuum packed to prevent dogs sniffing them out.)

The service is costly, with fees of around 7% of the amount being exchanged, according to Elliptic. There are also other risks, because thieves known as “seekers” sometimes trail the treasure men and steal the deliveries.

Hydra is by far the biggest darknet marketplace to have ever existed, with about $125 million worth of transactions per week. (At its peak, Alphabay, the nearest rival, clocked between $50 million and $60 million per week.)

“I’m surprised Hydra hasn’t had more coverage because it’s absolutely huge,” Robinson said. “I think it’s probably because it’s Russian language that people don’t really think about it as much as that Western problem.”

Russian darknet markets are all about innovation, said Patrick Shortis, an expert on such marketplaces from the University of Manchester, citing the continually updated rule book known as the Kladman’s (Treasure Man’s) Bible.

“Russian dark markets differ from their Western counterparts in that the postal service in Russia is not as reliable, and so the dead-drop method is preferred,” Shortis said in an interview. “Also, in the West we care a lot about using PGP (pretty good privacy) and cleaning our coins and using monero and whatnot. Whereas in Russia, they generally tend to be more relaxed when it comes to a threat from the state.”
