Document: Law Enforcement Seizure and Takedown of Two Major Cybercrime Forums

Alvaro Marañon
Tuesday, April 12, 2022, 11:52 AM

U.S. law enforcement announced the seizure and takedown of Hydra Market and RaidForums.

Published by The Lawfare Institute

The Department of Justice announced two indictments this past week relating to the seizure and shutdown of two major cybercrime forums and marketplaces. Both operations were the result of extensive collaborations and efforts between numerous U.S. agencies and departments that included the DEA, FBI, IRS, Postal Inspection Service and several more. 

On April 5, the U.S. District Court for the Northern District of California announced the seizure of Hydra Market, “the world’s largest and longest-running darknet market” and an indictment against Dmitry Olegovich Pavlov, an alleged operator and administrator of the servers used to run Hydra. The seizure of the Hydra servers and cryptocurrency wallets with an estimated $25 million in Bitcoin was made in Germany by the German Federal Criminal Police, in coordination with U.S. law enforcement.

Hydra “accounted for an estimated 80% of all darknet market-related cryptocurrency transactions and since 2015, the marketplace has received approximately $5.2 billion in cryptocurrency.” Hydra operators, allegedly including Pavlov, would receive a commission for every transaction conducted on Hydra, which included sales of illegal drugs, stolen financial information, fraudulent identification documents and more. Hydra vendors also offered a comprehensive display of money laundering options that enabled their users to convert their Bitcoin into other forms of currency, and this feature was “so-in-demand that some users would set up shell vendor accounts” for this service.

Pavlov is alleged to have operated a company “starting in or about November 2015” that administered Hydra’s servers. Pavlov is also alleged to have conspired with other operators of Hydra to provide critical infrastructure to allow Hydra to operate and expand its services on the darknet. The grand jury charged the defendant with conspiracy to commit money laundering and distribute narcotics in relation to his activity with Hydra.

On April 12, the U.S. District Court for the Eastern District of Virginia announced the seizure of the RaidForums website, “a popular marketplace for cybercriminals to buy and sell hacked data” and unsealed an indictment against Diogo Santos Coelho, the alleged founder and chief administrator of the site. 

U.S. authorities were able to obtain judicial authorization to seize three domains that hosted the RaidForums website. The seizure of this online marketplace disrupts “one of the major ways cybercriminals profit from the large-scale theft of sensitive personal and financial information.” From its founding in 2015, RaidForums members were able to offer the sale of databases with stolen data that contained more than “10 billion unique records for individuals residing in the United States and internationally.” RaidForums also served as a platform for orchestrating and supporting various forms of electronic harassment, including “raiding” or “swatting.” RaidForums also had tiered pricing models for its members that included selling “credits” to privileged areas of the websites that granted access to various stolen financial information. Members could also earn credits through a variety of means that included “posting instructions on how to commit certain illegal acts.”

Between Jan. 1, 2015 and Jan. 31, 2022, Coelho and his co-conspirators were alleged to have “designed and administered the platform’s software and computer infrastructure, established and enforced rules for its users, and created and managed sections of the website dedicated to promoting the buying and selling of contraband.” The grand jury charged Coelho with six counts—“conspiracy, access device fraud and aggravated identity theft in connection with his role as the chief administrator of RaidForums.”

You can read both the Pavlov and Coelho indictments here or below.



Alvaro Marañon is a former fellow in Cybersecurity Law at Lawfare. Alvaro is a graduate from the American University Washington College of Law and the University of New Hampshire.
