Cartels of the Darknet: How the world’s most violent war for the drug market unfolded in Russia
Note: this is a translation of a long read in Russian originally published by Lenta.ru.
There is a huge shadow market in Russia with millions of dollars in turnover. It covers thousands of cities and hundreds of thousands of people, but no newspapers are writing articles about it. The demand for its products is higher than for oil and gas.
This is the drug trade through the Internet. Today, this market has been taken over by the world’s largest darknet site, Hydra. We found out why there was a brutal war in Russia for the drug trade on the Internet and how Hydra became a monopolist in the multi-billion dollar market of psychoactive substances.
Part I: The Beginning
Once Upon a Time in Shushary
A Volvo truck was racing down a snow-covered road, cutting through the darkness with its headlights. The truck’s driver, Sergei, was in a hurry to finish his work in order to get home as soon as possible.
Before that, as usual, he picked up the cargo from Petrolesport, a port in the Northwestern region of Russia. The huge enterprise occupies an area of 122 hectares and annually receives and dispatches more than 50 million tons of cargo. On January 15, 2019, several hundred tons of containers with bananas were delivered to the driver on the Maersk Niamey shipment from Ecuador.
Sergei picked up the container and drove it to a warehouse in Shushary. He got there in half an hour, but there was an unpleasant surprise — a long queue for unloading, which he got through only at night. The process was filmed by surveillance cameras.
Sergei set off on his way back but soon noticed that a dark minibus with a European license plate was following him. The driver remembered that during the day the car had been driving around the warehouse, but at that time it had not seemed suspicious to him.
As soon as the truck was on the highway, the minibus dramatically increased its speed. When it reached the Volvo cab, a man from the car started shouting to Sergei to stop — allegedly the owner of the cargo had forgotten something valuable in the container.
But Sergei remembered that the container was empty, and he had heard of car thieves — Volvo trucks are considered to be among the most powerful trucks, and one can make good money selling them. Sergei hit the accelerator and rushed forward. The pursuers did not lag behind. The minibus hit the right side of the truck several times. In response, Sergei sharply turned the wheel to the right. A second later he saw in the rear-view mirror how the pursuers went into the ditch. But a couple of minutes later the minibus got out of the snow and continued the chase.
Being an experienced driver, Sergei knew that there was a traffic police station ahead, and he was rushing there at full speed. The minibus gave up only a hundred meters before it. The police quickly explained to Sergei how lucky he was — the container he was taking to Shushary, according to operational information, had more than just bananas.
The police asked Sergei to go to another warehouse to retrieve the hidden cargo. It was not easy to do — on the way someone tried to stop the truck again. This time, it was the tough guys in the red Dodge Caravan. However, they did not go as far as ramming the truck.
When the police searched the container, they discovered that 50 kilograms of cocaine had arrived in Russia with the bananas. The market value of the secret cargo was 7.7 million US dollars.
The Banana Republic
Bananas are the most popular fruit in Russia. Almost 100% of their exports come from Ecuador, which is the birthplace of Edison Washington Prado Alava, nicknamed the “Ecuadorian Pablo Escobar”. It was his 50 kilograms of cocaine that fell into the hands of St. Petersburg policemen, thanks to Sergei’s bravery.
In April 2017, Colombian law enforcement forces arrested Prado Alava on charges of drug trafficking, murder, and bribery. He was soon extradited to the United States at the request of the U.S. government. According to the Drug Enforcement Administration, he managed to import more than 250 tons of cocaine by sea into U.S. territory in only two years. However, the arrest of the ringleader did not stop the cocaine cartel’s business or its delivery to St. Petersburg. In June 2019, a record shipment of 400 kilograms of cocaine from the Alava Cartel worth 60.7 million US dollars was seized at the St. Petersburg seaport.
Bananas are a tender fruit. They are taken across the ocean unripe, and this is a strict rule: one ripe fruit is enough to “infect” other bananas with ripening, and then, instead of a batch of saleable bananas, a yellow-brown porridge will reach the warehouse. Banana refrigerators keep a constant temperature at all stages of the journey, and they cannot be opened — otherwise, the whole batch will be spoiled. This makes bananas an ideal cover for drug smuggling. The opening of a container is tantamount to deliberate damage to goods, which means that the owner of the cargo will be able to sue the Federal Customs Service (FCS) and demand compensation for damages.
The cargo can only be checked on the basis of operational information. If the cargo is commercial, its delay may become a reason for immediate appeal to the court.
Customs clearance of perishable goods (bananas or other fruits) is therefore fast-tracked. Port officers “marked” by the drug mafia usually know the numbers of incoming containers in advance and immediately register them as verified. A person at the port and at the cargo owner’s company tells them where to look for the exact container. An escort is then attached to the container, which at some point is loaded with goods arriving by sea.
— Former law enforcement officer
Destroying the monsters
But in 2016, the situation in Russia changed. Several large customs brokers were arrested for illegal import of alcohol, machinery, and elite clothing through seaports.
In March 2016, the FSB detained Dmitry Mikhalchenko, one of St. Petersburg’s largest businessmen, who was closely associated with the then head of the Federal Protective Service (FSO), Evgeny Murov. Mikhalchenko’s main asset was the Bronka multi-profile transshipment complex in the Big Port of St. Petersburg. As it turned out later, this project started his downfall.
After the sanctions against Russia started in 2014, the volume of cargo transportation fell, and the construction of Bronka stopped. But the ambitious Mikhalchenko couldn’t stop and began to withdraw more and more money from the construction and restoration to invest in the unprofitable Bronka. This is how he betrayed his patrons from the FSO, and Murov personally. The last straw was Mikhalchenko’s desire to smuggle a batch of collectible wines and cognac into Russia in the midst of sanctions. He was arrested in Moscow on 15 March 2016 for smuggling sanctioned products. Two months later, Yevgeny Murov left the post of the head of the FSO.
In April 2017, after Mikhalchenko, the FSB came for Igor Khavronov, Russia’s largest customs broker and carrier and co-owner of ULS Global. In the early 2000s, he was not the most influential smuggler under the protection of the Tambov criminal syndicate, but when the top of the syndicate was arrested in 2007, Khavronov realized that changes were coming. A year later, he met Mikhalchenko and his business went uphill. At the time, Khavronov was a co-owner of a small company, Sigma, which owned a truck fleet and a ferry. In 2009, Khavronov was lucky: Vladimir Putin harshly criticized the FSB for smuggling into the Cherkizovsky market, and security officers quickly defeated all his competitors. Therefore, when the Ust-Luga cargo port started operating in St. Petersburg in 2009, Sigma turned out to be a monopolist.
Then Khavronov established ULS Global, acquired several warehouses in Europe and two cargo planes, and after the sanctions were imposed in 2014, he gained control over the flow of goods from Turkey, from vegetables and fruits to clothing. He did not forget about Mikhalchenko — he supplied smuggled alcohol to his restaurants and smuggled Italian clothes for his boutiques.
This is exactly what interested FSB officers looking for approaches to Mikhalchenko. And without knowing it himself, Khavronov became a key character in the defeat of the Russian drug smuggling market.
The arrest of Mikhalchenko and Khavronov dealt a crushing blow to the supply of almost all of the country’s popular illegal substances. Field-tested people, well-functioning schemes and agreements with suppliers — after the arrest of two of the most powerful figures in the Russian cross-border trade, the entire system was paralyzed by fear. Drugs from Europe, which had previously been imported for sale in Russia, stopped going through ports.
Large sellers of imported drugs, such as hashish, MDMA, ecstasy, and stamps, were affected. Previously, supply corridors were stable and people at the points of sale were confident in themselves, but after the defeat of brokers, they began to worry and withdraw massively from the business.
It became too risky to buy wholesale shipments through the largest Western sites, AlphaBay and Hansa. But it was there that all major Russian drug dealers were buying. Moreover, Russians were the main clients and sources of profit for these platforms. Many drugs came to St. Petersburg thanks to the darknet, says a source close to the smuggling of psychoactive substances. Most of them were bought on AlphaBay and Hansa. The source suggests that the creator of AlphaBay was murdered in a Thai prison so that he would not be extradited to the U.S., where he could give the names of major suppliers and producers of drugs. Such fears are understandable because Western intelligence agencies were directly involved in the closure of AlphaBay and Hansa.
The closure of these sites forced Russian drug traffickers to abandon the import of illegal substances and reorient themselves towards domestic production. The exception was cocaine. Coca is grown exclusively in South America, and cocaine has the highest profit margins and stable demand among affluent elites, so large suppliers can afford higher risks. In contrast to cocaine, other drugs have been found to be easier and cheaper to grow (in the case of marijuana) or to produce locally from specialty precursor chemicals.
Thus, the collapse of the sea transportation channels marked the beginning of a new scheme of drug trafficking in Russia. Large dealers ceased to be resellers and became manufacturers or customers for whom people in Russia were contracted to produce substances.
It was 2016, the last year in the history of the FDCS — an agency that has been repeatedly accused of controlling drug trafficking instead of fighting it. The established cover-up schemes allowed drug dealers to feel relatively at ease. After both the cover-up and the channels of supply had disappeared, it became clear that times were changing.
Part II: The Times Are Changing
Searching for alternatives
Left without seaports, drug dealers first tried to organize alternative deliveries from Europe — through the Baltic States, by cars and foot couriers. Sealed bags were hidden underneath the bottoms and sewn into the rear seats of cars. But the volumes of one-time transportation in the car did not exceed 200 kilograms, and the risks were significant, and they multiplied with each turn: familiar cars, anxiety, and constant need to find new human resources.
Large sellers of imported drugs — hashish, MDMA, ecstasy, stamps — suffered. Previously, the supply corridors were stable and people at the points were confident in themselves, but after the defeat of brokers, they began to worry and fled en masse from the transit of goods.
Dutch and Belgian ecstasy, Czech amphetamine, Moroccan hashish imported through Spain, and marijuana from all over Europe soared in price. Usually, they were transported by trucks: “synthetics” and “cones” — through Latvia and Finland, hashish — also through Turkey. But when the authorities began to arrest brokers and inspect the cargo, the staff ceased to guarantee the safe transit of the goods.
Drug trafficking by land is still going on now — the press regularly publishes stories about hiding places in the back wall of the passenger compartment, refrigerators with seafood and double-bottomed vans, in which unlucky drug dealers from Belarus and the Baltic States try to bring hashish to Russia. The batches vary in size — from 80 kg to 1.5 tons — and some of them do not get further than the border control points.
Such news creates the appearance of a massive fight, which in reality, does not exist: one marine supply brings ten times more drugs than the motor vehicles and hundreds of times more than the couriers. Due to the lack of human factors, the containers were more successfully controlled and left no trace, unlike many people who go to jail and turn in their accomplices in exchange for reduced sentences. Therefore, foreign deliveries via the Baltic Sea were too risky and less profitable because of the long chain of intermediaries. Major Russian drug traffickers have decided that it is more profitable to organize full-cycle enterprises within the country.
The Synthetic Era Begins
The drug dealers quickly organized the cultivation of high-quality marijuana locally. But unlike most European countries, where the authorities are loyal to growing and storing marijuana, illegal growing in Russia is punishable by serious fines and, more often than not, prison sentences. In addition, marijuana cannot be grown on an industrial scale due to lack of space and a strong smell during flowering — even the strongest filters cannot handle it. It also requires enormous consumption of electricity, which makes it easy to track.
The drug dealers decided that Russia needs a new drug number one. The criteria are simple: its production should be inexpensive, and the effect should be long and strong. And the solution was found in mephedrone. Mephedrone turned out to cause the world’s largest drug war that has ever unfolded on the Internet.
The War for Web Markets
The life of Russian drug traffickers in the Darknet isn’t easy. If there is a demand for drugs, and they can be produced or smuggled into the country, then why are there so few shops in it? Because just like the tiger shark cubs, these small shops devour each other at the embryonic stage.
The history of drug trafficking through the Darknet began in 2011. Ross Ulbricht, a 27-year-old Texas-based libertarian, a physics graduate and unsuccessful entrepreneur, was completely disappointed in U.S. market regulation and created Silk Road, “a place where everyone can experience what it’s like to live in a world without government coercion.”
Two years later, his ideas collapsed: in July 2013, Ulbricht (alias Horrible Pirate Roberts) was arrested for ordering the murder of six people, drug trafficking on a particularly large scale, and the use of false documents, which gave him away. By that time, the annual turnover of Silk Road was between 15 and 45 million US dollars. 70 percent of the goods on the site were drugs. In 2015, Ulbricht got a life sentence. By that time, the Russian analog of Silk Road — Russian Anonymous Marketplace, or RAMP — had been operating in Russia for four years.
RAMP wasn’t a pioneer in the market: four months before it, R2D2 was launched as a place for hackers, technically trained crypto-anarchists, and other residents of the shadow web to communicate. A branch for trade in psychoactive substances spun off from the general forum and soon became the main function of the site. And in 2011, Way Away, a forum on the trade in synthetic drugs, in particular the “salts” and “spices” that were popular in Russia at the time, moved from the open Internet to the Darknet. Lesser-known platforms such as AmberRoad, Malina, and RuTor also appeared on the Darknet.
Little is known about the founder of RAMP, and much of this information goes back to his 2014 Wired interview. A year after the release of the material, the life of the founding father of the Russian darknet was cut short due to an overdose.
The drug market in the Darknet grew like any other structure that offers a popular product and has no regulator over it — the staff of the FDCS, the Russian drug enforcement agency at the time, were not technologically advanced and did not even know the scale of the business that was going on in the Darknet. But by 2014, Darknet stores had hit a natural growth ceiling: almost everyone who both used the Tor browser and used drugs was already there.
The creator of RAMP, an unknown Russian programmer known by his username Darkside, and his colleague Orange, senior administrator of RAMP, were the principal opponents of wide advertising, which could have increased their clientele by taking it away from offline dealers. It was even forbidden to discuss political topics in the forum, as political talk attracts unnecessary attention. The guarantee of RAMP’s security — to lurk and work only for a limited number of consumers in the know — caused stagnation. There were few options: accept it or take away someone else’s piece. Darkside decided to go for the latter.
The Strongest Survives
The first confrontation was the skirmish between the RAMPers and the admin of R2D2, because of the latter’s bold behavior. His site was destroyed by a series of DDoS attacks. The administrators of AmberRoad and other sites, who stood up for a colleague, became the next victims.
“AmberRoad has been operating without customers for two years, hasn’t earned anything and has gone away when hosting ended”, — Orange bragged later. Malina was rumored to have been destroyed with the help of one of the hackers, who found out the names of the resource administrators and leaked them to the police.
While hackers were attacking opponents, Darkside and Orange were improving the business model. It differed from the classic one, adopted since Silk Road, where the site charged a commission on each transaction. RAMP did things differently. In fact, it was a scheme of the usual product market in any city in the country. The administration charged $300 a month for the opportunity to trade (for a place in the regional section); $400 to $800, depending on the type of goods — for each substance sold; $300 and $700, respectively, for a place on the home page and an advertising banner in the header of the site.
But here’s a problem — this scheme does not scale well. One wholesaler could sell dozens of times more than a small retailer, and both were charged the same amount of money. In addition, after destroying each competitor’s website, RAMP had to lure the sellers to its own platform before the remaining competitors did. And RAMP programmers made an extremely lucky move, which helped the site to get ahead of the rivals and increase its audience through word of mouth. They invented autoshops.
Autoshops automated the buying process. It was enough to choose a ready-made “bookmark” in a convenient area and press the “pay” button — and after the confirmation of the transaction, the buyer could go to pick up the goods. The innovation became a real consumer revolution. RAMP made autoshops free for those who paid for the dealer quota, and people from other sites reached out to them. Autoshops provided automation and a feedback system that minimized deception — no one needed to message dealers directly now. By the end of 2015, RAMP had subdued all the main competitors, except for two — Way Away and Legal RC, which specialized in synthetic cannabinoids and designer stimulants, which are called “salts” and “spices” in Russian slang.
RAMP did not sell these substances, and Way Away and Legal RC did not rely on traditional drugs. Theoretically, the remaining players could coexist peacefully for several more years. But their leaders were perceptive enough to understand two things: that RAMP had no reason to stop expansion and that the power of the smaller ones was in unity.
Part III: The War
In 2015, Way Away and Legal RC merged into a new organization, calling themselves Hydra. The name may have encoded another homage to mass culture — that was the name of the supervillains’ organization in the Marvel cinematic universe. Perhaps it was a symbol of resistance because in Greek mythology, for every head chopped off, the Hydra would regrow two heads. Hydra began an active advertising campaign on its two founding sites. Hydra also introduced autoshops.
Who knows how the two titans of the shadow market would coexist further, but one accident changed it all. After the elimination of channels of foreign drug trafficking, the main source of income shifted to mephedrone and other drugs produced locally.
Hydra had an advantage there — they had a well-established system of purchasing precursors, a network of undercover laboratories, and professional chemists. Over the years they have created a clear scheme for supplying precursors from China and established the production of “synthetics” in Russia. Disguised as fertilizers and insect pesticides, precursors were smuggled from China to Russia, right into Hydra’s hands.
RAMP, which was deprived of a chain of suppliers of Chinese precursors and Russian producers of “synthetics”, found itself in a vulnerable position. And now they really had something to fight over with their competitors. Historically, RAMP’s clients were middle-class Russians from large Russian cities and progressive young people who despised the provincial consumers of “spices” and “salts”. As a result, RAMP stores had a higher average receipt. Hydra, on the other hand, worked for another segment of consumers and began to capture the market of small provincial towns, where the “spices” and “salt” enjoyed great popularity because of their cheapness. RAMP’s administrator Orange believed that his project had a completely different audience, so RAMP banned the sale of “spices”. Hydra stores spent less on drug production, but also got fewer profits. To shift the balance of power, Hydra decided to change its business model.
The first battlefield was the Russian Far East, a region that received precursors from China. They were used for the production of mephedrone and “spices”. Suppliers of these substances were in demand on both platforms, but very soon they had to choose sides: RAMP began demanding exclusive cooperation.
It all started because of the Far East. After the problems at customs started, RAMP tried to lure dealers with Hydra. They did it on a massive scale, and the existing shops were then prohibited from working at two sites at once. Hydra responded with DDoS attacks, RAMP also organized a powerful DDoS — they even had to change the domain from .biz to .com. Then there was a little quiet, and now RAMP is attacked again every night.
— Existentia, former RAMP administrator, June 2017.
The second front of the trade war was the fight for wholesale producers and suppliers who made drugs in the country. RAMP operated with the old carrot-and-stick method: they prohibited cooperation with Hydra under the threat of a ban from the website but also made profitable financial offers. Wholesalers were given discounts for working for RAMP in “hot” regions, where there were strong competitors. The administration couldn’t afford it, but Orange, the operating director of RAMP, still went for it. After all, the future of the business was at stake. However, those who had the courage to break the rules were publicly punished. This happened to Khimprom, one of the largest producers of synthetic drugs in Russia. The organization supplied amphetamine and mephedrone to many dealers of RAMP, but opened a parallel business on Hydra and began to blackmail RAMP, demanding more favorable working conditions. Instead, the RAMP administrator chose to hand over all Khimprom members to the police. The elimination of Khimprom was one of the most successful operations in all the years of the fight against drugs in Russia. In the Moscow region alone, police seized more than 4 tons of “spice”. Law enforcement agencies have estimated Khimprom’s annual turnover at 27 million US dollars.
The supplier Starbudz, which also decided to open a store on Hydra, earned a little less. RAMP treated them even more harshly: the owners of Starbudz stopped appearing online. A couple of weeks later, there were reports that they had been murdered by the RAMP security team.
The Turning Point
The RAMP administration generally treated the users’ personal data quite loosely. The chief administrator tried to convince the stores to stay, claiming that the Hydra project was a fraud. Meanwhile, his subordinates did not hesitate to track the addresses of warehouses to understand the logistics of stores. They also read personal correspondence from sellers, suppliers, and customers to check their loyalty by analyzing posts in a closed forum section. But the stores were increasingly leaving for Hydra.
In addition, Hydra’s DDoS attacks on RAMP caused constant disruption — while the site was down, manufacturers and dealers were losing money. Store owners realized that this was not just a DDoS attack, but a targeted destruction of the site.
We’ve been ordered to fully develop the elimination of RAMP. Over the course of several months, we have been able to gather a lot of information, including some data of RAMP members and drug dealers. Everyone has seen the result.
— Denis (name altered), one of the RAMP elimination participants
Orange, a long-time admin, left RAMP in January 2017. The reasons for his actions are known only to him. However, there are rumors that Orange found out that Hydra had already found his real identity and ordered an assassination. The admin with the nickname Stereotype took the place of Orange. The largest drug resource on the Russian Internet had eight months to go.
Stereotype’s rule began with problems right away, although this time Hydra was not involved. In February, hackers from Anonymous hacked Freedom Hosting II — this provider hosted 80% of darknet sites, including RAMP. The hosting provider was punished for hypocrisy: although the resource officially banned child porn, Anonymous found many sites on it that hosted such material. RAMP had to switch to Deep Hosting, but in July a lone hacker hacked it, too. It wasn’t just the hosting providers who had security problems. Hacked versions of software have been and are still being used across the entire darknet. But whereas legal software gets regular updates, in which developers fix bugs and thus save users from potential attacks, hacked programs keep running with their vulnerabilities for years. Finding one is a matter of time, skill, and desire, and RAMP’s enemies had enough of all three.
Another way in which RAMP was destroyed was classical social engineering. As long as there are people with weaknesses, there will be those who use them to their advantage. In this case, the weak link was the 20-year-old developer Vadim Mazepa. He did not take precautions and spoke openly about his work on RAMP. His identity was revealed, and his messages, including quarrels with his mother, were made publicly available. With the rumors of a break-in already spreading, this story was the last straw for many dealers who realized it was time to leave the site to save their business.
As a result, Lizard, the main moderator, left with the whole team to join Hydra — he was responsible for the feedback on the forum and customer communication on RAMP. Following him, several major dealers, including foreign suppliers and drug wholesalers left RAMP and joined Hydra.
Stereotype preferred not to explain anything and not to make excuses but instead tried to stabilize the decreasing income by promoting the services of the site as a guarantor of transactions when buying in instant stores. He came up with a plan of his own: he launched a chain of fake stores, which every day conned 600–700 customers. Presumably, the same person was behind them all. The demand for the guarantor’s services grew, but so did the users’ dissatisfaction. Now retail customers have started leaving RAMP for Hydra as well.
The next blow came to RAMP on July 25, 2017. On that day, at the request of the U.S. authorities, a Russian citizen, Alexander Vinnik, was arrested in Greece for laundering four billion dollars. Vinnik was considered by the FBI to be the owner of the largest cryptocurrency exchange in Russia, BTC-e. It stopped working 24 hours later, when law enforcement agencies seized its servers, and all the money in the accounts was frozen. According to several sources in law enforcement agencies, the location of Vinnik was reported to the FBI by Russian intelligence agencies. BTC-e also held part of the RAMP administration’s money — the insurance budget, which was used to repel DDoS attacks, and about 60 million US dollars of dealer deposits.
About 170 million US dollars were withdrawn from BTC-e in the last hours of its operation. According to the source, it was RAMP money. Immediately after Vinnik’s arrest, Stereotype learned of the imminent collapse of the exchange and used that time to take the bitcoins out and go underground. Moreover, back in April Stereotype had held some negotiations about selling RAMP, but could not agree on a price. A month later, Stereotype allegedly realized his mistake and pointed to a vulnerability in the website engine to get a chance to hide with the money. It was the same vulnerability that caused RAMP to fall and not rise again.
At the time of RAMP’s death, the drug market in the Russian Darknet was over 270 million US dollars a month, with more than 27 million US dollars being sold at RAMP’s autoshops. The mass exodus of users resulted in the drug traffickers settling in Telegram. Since the summer of 2017, drugs were bought through secret chat rooms and chatbots. Today it is still possible to choose the location, weight, and name of the product in the chatbots, and then find out the area where the “bookmark” will be made. Payment can be made via bitcoins.
Later, Hydra administrators boasted that after the fall of RAMP their audience grew by a third. They’ve got all the wholesale drug dealers on the darknet. Hydra and her “parents” Way Away and Legal RC seized the entire drug market in Russia. All of Russia was now threatened by a drug plague.