Russia's Darknet Criminals Have Novel Crypto Cash-Out System: 'Buried Treasure'

A darknet ad flagged by the crypto sleuths at Elliptic says vendors will bury vacuum-packed physical cash “5-20 cm under the ground.”

Mar 22, 2021 at 2:10 p.m. UTC
Updated May 9, 2023 at 3:17 a.m. UTC

Cybercriminals in Russia are going to extreme lengths to untraceably cash out cryptocurrency: The word used in online ads is “клад,” literally “buried treasure.”  

Cashing out crypto on Hydra, the sprawling Russian darknet marketplace, has evolved to include services that offer to hide large volumes of physical cash at a specified location, where the cash can be retrieved by the customer.

Ransomware, darknet markets and exchange thefts generate large volumes of cryptocurrencies such as bitcoin. The criminals behind this activity, however, face a challenge: how to remove any link to their identity when turning the proceeds into cash. Darknet users who are proficient in laundering crypto are willing to provide fiat off-ramps for a fee, according to new research from blockchain analytics firm Elliptic.

Russia’s illicit treasure hunts are not an entirely novel idea. The physical exchange of rubles for crypto using a GPS location is adapted from Hydra’s very sophisticated drug selling and delivery methods, which work like a secret gig economy based on reputation, courier vetting, potency testing and so on.

Hydra’s army of illicit sellers and buyers sometimes handle a bitcoin payment by topping up a prepaid debit card, or sending rubles to an online wallet service or bank account. 

But burying cash is increasingly seen as a fail-safe fiat off-ramp for criminals looking to avoid the long arm of cybercops (and analytics firms like Elliptic working on their behalf).

“It’s an interesting way of cashing out that people are starting to use,” Elliptic CEO Tom Robinson said in an interview. “It’s difficult to do at scale and requires that you are in Russia, but that’s where a lot of Hydra users are based.”

Outrunning AML

In the early days, when many crypto exchanges were not checking the provenance of customers closely and blockchain analytics tools were in their infancy, cashing in cryptocurrency proceeds of crime was less of a challenge. 

The situation today, with global anti-money laundering (AML) regulators armed with blockchain sleuthing tools to trace and screen transactions, is dramatically different, said Robinson.

One of Hydra's payout options.

The darknet listing above advertises a service where, in return for a cryptocurrency payment, the vendor will bury vacuum-packed (all drugs and cash are vacuum packed to prevent dogs sniffing them out) physical cash “5-20 cm under the ground.”  

The service is costly, with fees of around 7% of the amount being exchanged, according to Elliptic. There are also other risks because thieves known as “seekers” sometimes trail the treasure men and steal the deliveries. 

Hydra is by far the biggest darknet marketplace to have ever existed, with about $125 million worth of transactions per week. (At its peak, Alphabay, the nearest rival, clocked between $50 million and $60 million per week.)

“I’m surprised Hydra hasn't had more coverage because it's absolutely huge,” Robinson said. “I think it's probably because it's Russian language that people don't really think about it as much as that Western problem.”

Russian darknet markets are all about innovation, said Patrick Shortis, an expert on such marketplaces from the University of Manchester, citing the continually updated rule book known as the Kladman’s (Treasure man’s) Bible. 

“Russian dark markets differ from their Western counterparts in that the postal service in Russia is not as reliable, and so the dead-drop method is preferred,” Shortis said in an interview. “Also, in the West we care a lot about using PGP (pretty good privacy) and cleaning our coins and using monero and whatnot. Whereas in Russia, they generally tend to be more relaxed when it comes to a threat from the state.”



The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.
