A Ukrainian says that he broke into the Solaris drug market’s master wallet and diverted its funds to a Ukrainian humanitarian charity.
This Christmas, Ukrainian cyber intelligence expert Alex Holden is giving back to his homeland. The Mequon, Wisconsin resident is playing dark web Robin Hood: His team at Hold Security has hacked into one of Russia’s largest online drug markets, dubbed Solaris, and diverted crypto due to dealers and the site’s owners to a charity, Enjoying Life, which provides humanitarian aid across Ukraine.
Holden, who left Kyiv as a teenager in the 1980s amid the fallout from the Chernobyl nuclear disaster, declined to reveal how he did it, but said he was able to take control of much of the internet infrastructure powering Solaris, a number of administrator accounts running the illicit bazaar, the website's source code and a database of its users, as well as drop-off locations for drug deliveries. For a brief time, his team also had control over Solaris' "master wallet." This wallet was used by buyers and dealers to deposit and withdraw funds, acting as the site's cryptocurrency exchange.
Holden showed Forbes multiple screenshots of access to Solaris admin accounts and the master wallet, and a Ukrainian cybersecurity expert confirmed the screenshots did indeed appear to show access to backend Solaris accounts.
With money quickly going in and out of the wallet, it rarely contained more than 3 bitcoin, worth $50,000, Holden said. That meant there wasn’t a huge amount for him to siphon off, though he did manage to grab 1.6 bitcoin, worth $25,000, and sent it to Enjoying Life. Hold Security is also making a separate donation of $8,000.
Enjoying Life cofounder Tina Mikhailovskaya confirmed the nonprofit had received the donation, saying all contributions went directly to the elderly, families and internally displaced persons who have suffered because of Russia's war.
Holden is now sitting on a substantial cache of information on Solaris' users and operations, which he believes could be used to identify the whereabouts of any Russian cybercriminals who are using the site to fuel their operations. He has also kept control over various parts of the market, so far without being detected. By going public via Forbes, he wants to spook the owners into closing the site. There's a political edge to the attack too. "Maybe Russians without their drugs would soberly look at their country and do something," he said. "Maybe the Kremlin won't defend their country's drug trade and fix the drug problems instead of invading Ukraine."
The Killnet connection
The attack could have an impact beyond the dark web drug trade in Russia. It may disrupt one of Solaris' associates: a hacking crew known as Killnet. Emerging at the start of the year, Killnet first offered to take down websites for a fee by flooding them with traffic, commonly known as a distributed denial of service (DDoS) attack. But after Russia invaded Ukraine, Killnet became a patriotic mercenary hacking crew, promising to target Ukrainians and their supporters. It went on to target U.S. airport websites, the National Geospatial-Intelligence Agency and various state government websites with DDoS attacks. Among its European targets were the Eurovision song contest, the Estonian government and the Italian National Health Institute, according to reports. While those attacks were able to slow down or prevent access to the targeted organizations' websites, they had minimal impact in comparison to Ukraine's IT Army, which has targeted various big-name Russian organizations, including Sberbank and the Moscow stock exchange, with its own DDoS attacks.
Holden is keen to stymie Killnet in any way he can, and his infiltration of Solaris offers one path because the exchange has numerous ties to the Russian hacking group. Over the summer, Killnet carried out DDoS attacks on Solaris' main rival Rutor, which had become Russia's underground drug market leader after another bazaar, Hydra, was shut down in March. Analysts at U.S. cybersecurity firm ZeroFox said earlier this year that it appeared Solaris was paying for Killnet's DDoS services.
Killnet’s own leadership has been vocal about its support from Solaris too. In an October interview with Russian publication RT, a Killnet founder known as KillMilk said his gang had “huge support” from Solaris’ “daring and strong team.” After pledging to hack American government agencies in response to U.S. support for Ukraine, he said he’d known the Solaris team “for a very long time.”
Andras Toth-Czifra, an analyst at cyber intelligence company Flashpoint, has been tracking Killnet’s operations over the last year. He noted that shortly after the RT interview, the hackers said in a Telegram post that they had received financial contributions from Solaris. “It was basically an ad placed on Killnet’s channel,” Toth-Czifra said.
Holden, believing Killnet is funded by Solaris’ drugs money, added that “maybe severing this connection will remove some fuel from the Killnet garbage fire.”