Solaris, a large darknet marketplace focused on drugs and illegal substances, has been taken over by a smaller competitor named ‘Kraken,’ who claims to have hacked it on January 13, 2022.
The Tor site of Solaris currently redirects to Kraken, while blockchain monitoring experts at Elliptic report no movements in the cryptocurrency addresses associated with the site after January 13, 2022.
The Solaris marketplace emerged a few months ago, following the seizure of Hydra, attempting to capture a portion of the then-disturbed market. The new market quickly captured about 25% of the market and processed roughly $150,000,000 in illegal sales.
At the start of the year, a Resecurity report on the emergence of novel drug markets claimed that Solaris had received 60,000 new registrations since Hydra’s sudden demise, while Kraken only absorbed about 10% of that.
Taking down competitors
Solaris was a Russian-speaking platform reportedly affiliated with Killnet, a pro-Kremlin hacktivist group that launched several DDoS attacks against organizations in the western world in 2022.
Elliptic has traced several donations from Solaris to Killnet, amounting to more than $44,000 worth of Bitcoin. The DDoS group presumably used this money to purchase more firepower for launching disruptive attacks.
In December 2022, Ukrainian cyber-intelligence analyst Alex Holden claimed to have breached Solaris and stolen $25,000, which was donated to a humanitarian charity in Ukraine.
While Solaris disputed the claims about the hack and called out the lack of evidence, Holden later released more details and leaked source code and databases allegedly associated with the marketplace.
On Friday, January 13, 2023, Kraken announced they had taken over Solaris’ infrastructure, GitLab repository, and all project sources, thanks to “several huge bugs in the code.”
Kraken’s statement claims that it took them three days to steal the clear text passwords and keys stored in Solaris’ servers, access its infrastructure located in Finland, and then download everything without anyone stopping them.
Finally, the attackers said they disabled Solaris’ Bitcoin server, which aligns with Elliptic’s observations in the blockchain.
“The project has several huge bugs in the code, which to this day remain relevant, you can turn over and over again. Also, storing passwords and keys from your servers in clear text is an even bigger mistake, the lot of schoolchildren from the 5th desk,” claims a note on the Kraken marketplace seen by Elliptic.
“This event took us 3 days in a calm mode and we downloaded absolutely EVERYTHING that is supposed to be in such cases (and no one stopped us). PS We deliberately disabled the bitcoin server so that no one steals anything, but probably in vain).”
“Everything that is written above is a response to aggression in our direction in the amount of x10, we warned. The same applies to others.”
At this time, neither Killnet nor anyone from the Solaris core team has issued any announcement about the platform’s status and the validity of Kraken’s claims.
Kraken is also pro-Kremlin, so the motives of the hack are unlikely to be political.
Instead, they appear to be fueled by market interests, as taking over a competitor and redirecting their members to your platform is undoubtedly an effective way to achieve growth while also planting concern about the security of the breached market.