{"id":1743,"date":"2021-03-27T23:02:30","date_gmt":"2021-03-27T23:02:30","guid":{"rendered":"https:\/\/osintme.com\/?p=1743"},"modified":"2021-03-27T23:06:37","modified_gmt":"2021-03-27T23:06:37","slug":"hydra-darknet-market-on-a-server-in-france","status":"publish","type":"post","link":"https:\/\/osintme.com\/index.php\/2021\/03\/27\/hydra-darknet-market-on-a-server-in-france\/","title":{"rendered":"Hydra darknet market on a server in France?"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"1743\" class=\"elementor elementor-1743\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-48da2c1 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"48da2c1\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-cc048d3\" data-id=\"cc048d3\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-0a77d11 elementor-widget elementor-widget-image\" data-id=\"0a77d11\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"190\" height=\"161\" src=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/03\/Screenshot-2021-03-27-at-12.41.25.png?fit=190%2C161&amp;ssl=1\" class=\"attachment-medium_large size-medium_large wp-image-1748\" alt=\"Hydra DNM OSINT\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element 
elementor-element-796258f elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"796258f\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-a27a0b6\" data-id=\"a27a0b6\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-f4c69e5 elementor-widget elementor-widget-text-editor\" data-id=\"f4c69e5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>This investigation was prompted by a tip submitted to me anonymously by a reader and focuses on two IP addresses seemingly associated with the Russian darknet market Hydra &#8211; one of which appears to allow a direct connection to Hydra.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-6a3d440 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"6a3d440\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-e049fe6\" data-id=\"e049fe6\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-b2a5087 elementor-widget elementor-widget-text-editor\" data-id=\"b2a5087\" data-element_type=\"widget\" 
data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>2606:4700:3033::ac43:b8c6<\/p><p>51.68.122.44<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-59ab7a1 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"59ab7a1\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-5f6f876\" data-id=\"5f6f876\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-eccce9d elementor-widget elementor-widget-text-editor\" data-id=\"eccce9d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The first one is an IPv6 address belonging to <a href=\"https:\/\/who.is\/whois-ip\/ip-address\/2606:4700:3033::ac43:b8c6\">Cloudflare<\/a>, with the following websites associated with it:<\/p><ul><li>www.proventhatjsh811[.]us &#8211; domain linked to spam distribution [<a href=\"https:\/\/www.virustotal.com\/gui\/url\/35cdf885a2f967b539262c918e3a341fed52a2e2acc93922736438b22765deb0\/detection\">source<\/a>];<\/li><li>vipsub.shjur[.]com\u00a0 &#8211; domain linked to malware and malicious activity [<a href=\"https:\/\/www.virustotal.com\/gui\/domain\/vipsub.shjur.com\/detection\">source<\/a>];<\/li><li>karamanescortlar[.]com\u00a0<\/li><li>mindfulnesstickets[.]com<\/li><li>vipclass90[.]tk<\/li><li>www.downloadroms[.]io<\/li><li>hydra2web[.]cam &#8211; domain 
displaying a captcha and redirecting to what appears to be a clearnet link to a mirror of Hydra DNM &#8211; <a href=\"http:\/\/hydraruzxpnew4af.onion\/\">http:\/\/hydraruzxpnew4af.onion\/<\/a>. However, note that the valid .onion address only appears in the link description in your browser tab and not in the URL field (where it should appear if a redirect were taking place). This does appear suspicious&#8230;<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-c5b7175 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"c5b7175\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-d2eb4e3\" data-id=\"d2eb4e3\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-149ba20 elementor-widget elementor-widget-text-editor\" data-id=\"149ba20\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>After connecting to https:\/\/www.hydra2web[.]cam\/register\/ through the Tor browser I was able to register several new accounts, but ultimately I could not log into the service with any of the freshly created credentials due to the captcha not matching or the site &#8220;being busy&#8221;.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-9b0f27a elementor-section-boxed 
elementor-section-height-default elementor-section-height-default\" data-id=\"9b0f27a\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-eb8a016\" data-id=\"eb8a016\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-b69a7f8 elementor-widget elementor-widget-image\" data-id=\"b69a7f8\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"690\" height=\"881\" src=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/03\/Screenshot-2021-03-27-at-13.17.42.png?fit=690%2C881&amp;ssl=1\" class=\"attachment-medium_large size-medium_large wp-image-1749\" alt=\"Hydra DNM OSINT login\" srcset=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/03\/Screenshot-2021-03-27-at-13.17.42.png?w=690&amp;ssl=1 690w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/03\/Screenshot-2021-03-27-at-13.17.42.png?resize=235%2C300&amp;ssl=1 235w\" sizes=\"(max-width: 690px) 100vw, 690px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-69892ce elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"69892ce\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element 
elementor-element-6f2200d\" data-id=\"6f2200d\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-3be6f47 elementor-widget elementor-widget-text-editor\" data-id=\"3be6f47\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Interestingly, the subdomain for this website contains an admin login panel &#8211; not something one frequently encounters with real darknet marketplaces:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-2ef4136 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"2ef4136\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-bf1da03\" data-id=\"bf1da03\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-f0f618c elementor-widget elementor-widget-image\" data-id=\"f0f618c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"659\" height=\"538\" src=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/03\/Screenshot-2021-03-27-at-13.31.30.png?fit=659%2C538&amp;ssl=1\" class=\"attachment-large size-large wp-image-1750\" alt=\"\" 
srcset=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/03\/Screenshot-2021-03-27-at-13.31.30.png?w=659&amp;ssl=1 659w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/03\/Screenshot-2021-03-27-at-13.31.30.png?resize=300%2C245&amp;ssl=1 300w\" sizes=\"(max-width: 659px) 100vw, 659px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-d44aeb6 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"d44aeb6\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-c90d8fc\" data-id=\"c90d8fc\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-748968d elementor-widget elementor-widget-text-editor\" data-id=\"748968d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>I reverted back to passive reconnaissance and took note of the fact that the above domain featured in some of the malicious files recently scanned by <a href=\"https:\/\/www.virustotal.com\/gui\/domain\/hydra2web.cam\/relations\">VirusTotal<\/a>.<\/p><p>I used the passive DNS replication data to look at IP addresses that this domain previously resolved to, which brings us to the second IP address: 51.68.122.44.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element 
elementor-element-98dd7cf elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"98dd7cf\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-1ff4946\" data-id=\"1ff4946\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-2285894 elementor-widget elementor-widget-text-editor\" data-id=\"2285894\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>I started by looking at this IP through <a href=\"https:\/\/censys.io\/ipv4\/51.68.122.44\">Censys<\/a>. Indeed, it belongs to the French hosting company OVH.<\/p><p>The first thing that drew my attention was the Apache server that was hosting a page with an unambiguous name: HYDRA Tor DarkNet 2021 | hydraruzxpnew4af onion.<\/p><p>&#8230; or was it?<\/p><p>To cross reference this finding I switched to Shodan and looked at the <a href=\"https:\/\/www.shodan.io\/host\/51.68.122.44\/raw\">raw data for 51.68.122.44<\/a>.<\/p><p>A couple of observations:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-3f1e40c elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"3f1e40c\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-3ae556e\" 
data-id=\"3ae556e\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-525356a elementor-widget elementor-widget-text-editor\" data-id=\"525356a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ol><li>There are a serious number of unpatched vulnerabilities for the version of Apache server present on that IP address, some as old as 2018.<\/li><li>The source code contains a significant number of keywords associated with Hydra, both in English and in Russian. Is it in case somebody was not convinced this was a genuine Hydra page?<\/li><li>The SSL certificate is associated with a burner email address: eddiffebag-1288@yopmail[.]com (YOPmail is a free disposable email account provider). The SSL cert appears misconfigured.<\/li><li>The actual URL associated with this IP address is: https:\/\/hydraruzxpnew4af-onion[.]legal\/ &#8211; (yes, not .onion but .legal). This is a clearnet top-level domain.<\/li><li>I found another link to a sitemap: https:\/\/hydraruzxpnew4af-onion[.]legal\/sitemap[.]xml. This page shows a decent number of what appear to be static links for products and profiles with timestamped creation dates going back to 2019 and 2020. 
Same unchanged links to illegal goods hanging on Hydra for over 2 years, you might ask?<\/li><\/ol>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-20cd606 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"20cd606\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-332c44b\" data-id=\"332c44b\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-1851f61 elementor-widget elementor-widget-text-editor\" data-id=\"1851f61\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Connecting to the site through the above .legal clearnet link or directly through the IP address brings us to the exact same landing page as the one in the screenshot above. 
The page looks identical to the Hydra darknet page accessible through <a href=\"http:\/\/hydraruzxpnew4af.onion\/\">http:\/\/hydraruzxpnew4af.onion\/<\/a>.<\/p><p>The obvious differences being:<\/p><ul><li>No security certificate, so HTTP connection only.<\/li><li>You can&#8217;t log into the bloody thing and proceed further, no matter how many times you try.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-fc02f3a elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"fc02f3a\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-2f694d9\" data-id=\"2f694d9\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-5ee0f11 elementor-widget elementor-widget-image\" data-id=\"5ee0f11\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"413\" height=\"135\" src=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/03\/hydra3.png?fit=413%2C135&amp;ssl=1\" class=\"attachment-large size-large wp-image-1757\" alt=\"hydra DNM osint login\" srcset=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/03\/hydra3.png?w=413&amp;ssl=1 413w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2021\/03\/hydra3.png?resize=300%2C98&amp;ssl=1 300w\" sizes=\"(max-width: 413px) 100vw, 413px\" 
\/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-b1e036c elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"b1e036c\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-1aabd8b\" data-id=\"1aabd8b\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a392ea1 elementor-widget elementor-widget-heading\" data-id=\"a392ea1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Conclusions<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-2382633 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"2382633\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-ddec50b\" data-id=\"ddec50b\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-32baf19 elementor-widget elementor-widget-text-editor\" data-id=\"32baf19\" 
data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>After the initial excitement of being onto something I realised that this was not a genuine mirror for the infamous Hydra darknet market and that neither of the IP addresses I looked into appears related to the real Hydra.<\/p><p>I can offer the two most plausible explanations, at least in my opinion:<\/p><ol><li>This is a phishing scam, targeting the less technical users of Hydra (although I think that you would have to try really hard to ignore several red flags and provide real login credentials to those sites).<\/li><li>This is a honeytrap or a dummy server created for the purpose of pentesting practice (but I can&#8217;t be sure of that, so don&#8217;t try hacking into it by exploiting some of its vulnerabilities &#8211; doing so without explicit permission from the owner might still be illegal).<\/li><\/ol>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-4b049da elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"4b049da\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-ee10a0b\" data-id=\"ee10a0b\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-75dbcba elementor-widget elementor-widget-text-editor\" data-id=\"75dbcba\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>To finish off: I&#8217;m really grateful for this reader tip, and suggestions and tips from readers are always welcome. Nearly every single one of you people who contacted me has given me a lot of good ideas for content here.<\/p><p>So please, keep the messages coming.<\/p><p>Reach out via DM on <a href=\"https:\/\/twitter.com\/osintme\">Twitter<\/a> or email me on <a href=\"mailto:mattaios@protonmail.com\">mattaios@protonmail.com<\/a>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>After an anonymous tip-off from a reader I investigated two IP addresses seemingly associated with the Russian darknet market Hydra. What happened next might surprise you&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[93],"tags":[19,43,80,99,130,34,71,79],"class_list":["post-1743","post","type-post","status-publish","format-standard","hentry","category-my-investigations","tag-dark-web","tag-darknet","tag-domain","tag-drugs","tag-hydra","tag-investigation","tag-russia","tag-website"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/posts\/1743","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/osintm
e.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/comments?post=1743"}],"version-history":[{"count":22,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/posts\/1743\/revisions"}],"predecessor-version":[{"id":1769,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/posts\/1743\/revisions\/1769"}],"wp:attachment":[{"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/media?parent=1743"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/categories?post=1743"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/tags?post=1743"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}