Cyber Incident Victim: Kraken

Date: Jan 2022

Location: Finland

Summary

A competitor darknet marketplace named Kraken hijacked a larger rival by exploiting critical vulnerabilities in its code, compromising infrastructure and gaining unauthorized access to servers located in Finland. The attackers stole sensitive data including cleartext passwords and cryptographic keys, then redirected the victim's Tor site to their own platform and disabled its Bitcoin payment server, halting all financial activity. The takeover was motivated by market expansion rather than political aims: the attackers leveraged the breach to absorb the rival's user base and undermine confidence in its security posture, after the rival had grown significantly following another major marketplace's seizure.

Description

On January 13, 2022, the Solaris darknet marketplace, specializing in illegal drug sales, was compromised and forcibly taken over by its competitor Kraken. Kraken executed a technical attack exploiting critical vulnerabilities in Solaris’ codebase, gaining unauthorized access to its servers hosted in Finland. Over a three-day period, the attackers exfiltrated cleartext passwords, cryptographic keys, project source code from Solaris’ GitLab repository, and other critical infrastructure components. Kraken subsequently disabled Solaris’ Bitcoin payment server, effectively halting all financial transactions on the platform. Blockchain analytics firm Elliptic confirmed the cessation of cryptocurrency movements from Solaris-associated addresses after this date. The attackers then redirected Solaris’ Tor network site to Kraken’s own marketplace, ensuring all visitor traffic migrated to their platform.

Solaris had emerged months earlier following the seizure of the Hydra darknet market, rapidly capturing approximately 25% of the illicit drug market share with an estimated $150,000,000 in transactions. A Resecurity report indicated Solaris gained 60,000 new user registrations after Hydra’s shutdown, dwarfing Kraken’s absorption of only 10% of that user base. The takeover eliminated a major competitor for Kraken while demonstrating operational weaknesses in Solaris’ security architecture. No remediation efforts by Solaris operators were documented following the infrastructure compromise. Market impacts included the immediate transfer of Solaris’ user traffic and the de facto consolidation of illicit sales under Kraken’s control. Kraken’s pro-Kremlin alignment suggested commercial rather than ideological motives: the breach was leveraged to accelerate growth and undermine confidence in rival platforms’ security.